HIPAA: How the Privacy Rule Applies to Different Health Plan Types

January 30, 2020 Erica Manhardt

Self-Insured Group Health Plans and their sponsors:

The self-insured group plan is required to:

• Comply with the use and disclosure rules;

• Adopt and implement policies and procedures to safeguard PHI;

• Provide individuals with the rights to access, amend, and receive an accounting of PHI;

• Prepare and provide a privacy notice; and

• Comply with the administrative requirements under HIPAA.

The administrative obligations are not clearly addressed in the privacy standards. In many cases, the plan sponsor’s obligation as an ERISA plan administrator requires the plan sponsor itself to perform these functions on behalf of the plan. (In many cases the plan sponsor is the same as the plan.)

A plan may contract with its TPA to perform the functions required by the HIPAA regulations. However, few TPAs will assume complete responsibility, and few plans would want to cede complete control to the TPA.

Fully Insured Group Health Plan: Plan is “hands-on” PHI:

If an employer sponsors a fully insured plan and wants to have access to PHI, then additional requirements apply to both the plan and the plan sponsor. The plan will need to:

• Comply with the use and disclosure rules;

• Adopt and implement policies and procedures to safeguard PHI;

• Provide individuals with the rights to access, amend, and receive an accounting of their PHI;

• Prepare the privacy notice and be prepared to provide the notice to individuals who are covered by the plan. (The plan is actually only required to provide the notice upon request, since the primary obligation lies with the health insurance issuer); and

• Comply with the administrative requirements.

Protections will need to be put in place to make sure that any PHI disclosed to the plan sponsor will not be used for any employment-related activities. In addition, there need to be policies in place to make sure that only the employees performing plan administrative functions have access to the PHI.

Fully Insured Group Health Plan: Plan is “hands-off” PHI

When a group health plan provides health benefits through an insurance contract and neither the employer-sponsored group health plan nor the plan sponsor creates, maintains, or receives PHI, most of the administrative requirements that are imposed by the privacy rule would apply to the insurer and not the group health plan or the plan sponsor. A self-insured group plan does not qualify for “hands-off” status.

 

This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.