The HIPAA Privacy and Security Rules apply to all employers who sponsor group health plans. However, the compliance burden is much lighter on employers that sponsor only fully insured plans.
Employers that have fully insured health plans may also sponsor any number of self-insured health plans. These may include programs such as:
An employer with any of these benefits should review their compliance obligations under the standards applicable to self-insured plans.
Employers may receive certain information regarding their health plan and still maintain their limited obligation under the Privacy Rule. Employers who obtain PHI in addition to or for purposes other than those noted below will need to fully comply on the same basis as employers with self-insured plans.
Employers with fully insured health plans may receive enrollment information even if it is Protected Health Information (PHI). In addition, they can receive “summary health information” for the limited purposes of obtaining bids for health insurance coverage and modifying, amending or terminating a health plan.
Employers may also receive PHI pursuant to a HIPAA-compliant authorization. For example, an employer may discuss a claim issue with the insurance company if the employer obtains a written authorization from the Plan participant.
If employers do not receive PHI other than enrollment and summary health information, or pursuant to a HIPAA-compliant authorization, which parts of the Rules apply?
The only parts of the Privacy Rule that apply are those related to prohibiting retaliation against individuals who exercise their HIPAA Privacy rights and prohibiting a plan from requiring an individual to waive his or her privacy rights as a condition of health plan enrollment or eligibility for payment of benefits.
Technically, the Security Rule does apply to fully insured plans. This includes matters such as adoption of a Security Policy and appointment of a security official. However, the most significant burden under the Security Rule is risk assessment and management and its documentation. In the case of a plan whose electronic PHI (“ePHI”) is solely in the hands of an insurer, those tasks are vastly simplified. For example, the plan might determine, after due inquiry, that the security measures adopted by the insurer are adequate to protect the plan’s ePHI. In addition, the plan documents do not have to be amended to provide that the employer will appropriately safeguard any ePHI received from the plan.
A fully insured group health plan has a limited obligation to provide a Privacy Notice, depending on the plan’s access to PHI.
Insured plans that do not have access to PHI, except for summary health information and enrollment information, are not required to provide a notice. The notice requirement is imposed upon the plan’s insurer.
Fully insured plans with access to PHI (other than summary health information and enrollment information), must maintain a notice and provide it upon request, although the insurer still has the primary notice obligation.
Material contained in ComplianceDashboard is a compilation of generally published information by the Department of Labor and other public agencies regulating employee benefit plans and employee benefit issues. It is not legal advice, and should not be construed as legal advice. If legal advice or other professional assistance is or may be required with regard to any issues referenced in this website, the services of a competent legal or tax professional should be immediately sought. The inclusion of links within the ComplianceDashboard website is for informational purposes only. ComplianceDashboard does not warrant the accuracy of information outside this website that is found as a result of following links contained herein, nor does the inclusion of those links herein constitute endorsement of the content of any other website. If you have questions regarding this disclaimer, please contact us at 877-328-7880.