Privacy (Limited Access to PHI)


The HIPAA Privacy and Security Rules apply to group health plans, and therefore affect every employer that sponsors one. However, the compliance burden is much lighter on employers that sponsor only fully insured plans.

Are All Your Health Plans Fully Insured?

Employers that have fully insured health plans may also sponsor any number of self-insured health plans. These may include programs such as:

An employer that offers any of these benefits should review its compliance obligations under the standards applicable to self-insured plans.

What Information Do You Receive From Your Insurer?

Employers may receive certain information regarding their health plan and still maintain their limited obligation under the Privacy Rule. Employers who obtain PHI in addition to or for purposes other than those noted below will need to fully comply on the same basis as employers with self-insured plans.

Enrollment and Summary Health Information

Employers with fully insured health plans may receive enrollment information even if it is Protected Health Information (PHI). In addition, they can receive “summary health information” for the limited purposes of obtaining bids for health insurance coverage and modifying, amending or terminating a health plan.

HIPAA-Compliant Authorization

Employers may also receive PHI pursuant to a HIPAA-compliant authorization. For example, an employer may discuss a claim issue with the insurance company if the employer first obtains a written authorization from the plan participant.

What Are Your Obligations?

If an employer receives no PHI other than enrollment and summary health information, or PHI disclosed pursuant to a HIPAA-compliant authorization, which parts of the Rules apply?

Privacy Rule

The only parts of the Privacy Rule that apply are those that (1) prohibit retaliation against individuals who exercise their HIPAA privacy rights, and (2) prohibit a plan from requiring an individual to waive his or her privacy rights as a condition of enrollment in the plan or of eligibility for payment of benefits.

Security Rule

Technically, the Security Rule does apply to fully insured plans, including matters such as adopting a security policy and appointing a security official. However, the most significant burden under the Security Rule is the risk assessment and risk management process and its documentation. For a plan whose electronic PHI (“ePHI”) is solely in the hands of an insurer, those tasks are vastly simplified. For example, the plan might determine, after due inquiry, that the security measures adopted by the insurer are adequate to protect the plan’s ePHI. In addition, the plan documents do not have to be amended to provide that the employer will appropriately safeguard any ePHI it receives from the plan.

Privacy Notice

A fully insured group health plan has a limited obligation to provide a Privacy Notice, depending on the plan’s access to PHI.

Insured plans that do not have access to PHI, except for summary health information and enrollment information, are not required to provide a notice. The notice requirement is imposed upon the plan’s insurer.

Fully insured plans with access to PHI (other than summary health information and enrollment information) must maintain a notice and provide it upon request, although the insurer still has the primary notice obligation.