Author: Frank DuMond

Group Health Plans and the HIPAA Privacy Rule

            Under the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), several regulations create compliance obligations for employer-sponsored group health plans. Under the definitions in 45 CFR § 160.103, the HIPAA Privacy Rule applies only to the entities listed there as covered entities. For purposes of the Privacy Rule, a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a covered transaction. Within that list, a health plan is defined as an individual or group plan that provides, or pays the cost of, medical care. A group health plan, in turn, is an employee welfare benefit plan (as defined in ERISA), including both fully insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise. The definition carries a further condition: the plan must either have 50 or more participants or be administered by an entity other than the employer that established and maintains it. Thus, for Privacy Rule purposes, the group health plan is treated as an entity separate from the employer that sponsors it; it is the plan, not the employer, that is the covered entity.

            Since group health plans figure so prominently in the HIPAA Privacy Rule, it is helpful to distinguish between the types of plans that employers commonly use. A fully insured health plan is the traditional method of insuring a company's employees. Under this arrangement, the employer pays a fixed premium to an insurance carrier (Aetna, Kaiser Permanente, United Health) on behalf of its employees, and the carrier covers the cost of the employees' medical expenses. Fully insured plans are typically more expensive for the employer, but the premium rates are fixed annually based on the number of enrolled employees. The carrier handles claims in accordance with the plan design selected by the employer, and employees are responsible for deductibles or copays depending on the types of medical services the plan covers. By contrast, a self-insured health plan is more flexible, because it allows the employer to design a plan that best meets the particular medical needs of its employees. This arrangement removes the carrier's preset plan framework, and the employer bears the cost of claims under its own plan. Employers commonly purchase stop-loss insurance to limit their exposure when an individual claim, or the plan's total claims, exceeds a set threshold. Each type of plan has benefits and drawbacks, and the HIPAA Privacy Rule can apply to either. First, if the plan is administered by a third party, it is a group health plan regardless of whether it is fully insured or self-insured, and it is subject to the Privacy Rule. However, if the plan is truly self-administered by the employer (no third-party administrator) and has fewer than 50 participants, it falls outside the regulatory definition of a group health plan, and the Privacy Rule does not apply to it. In practice, a fully insured plan often carries few obligations under the Privacy Rule: the carrier, not the plan, holds the protected health information (PHI), and a fully insured plan that receives only enrollment and disenrollment information and summary health information is exempt from most of the Rule's administrative requirements. Note also that the ERISA title "plan administrator" is not decisive: naming an individual as plan administrator does not make a plan self-administered if that individual does not actually carry out the plan's day-to-day functions.

            Navigating HIPAA and its application to group health plans can be challenging for many businesses and organizations. Employers should therefore select the type of plan that best suits their employees' needs, while remaining mindful of the constraints that both ERISA and the HIPAA Privacy Rule attach to group health plans.