HIPAA Privacy Rules for Self-funded Health Plans

Self-funded group health plans, and other employer welfare plans providing medical benefits that share information with employers, must comply with the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA), including the 2009 amendments to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Frost Brown Todd regularly assists clients with HIPAA and other privacy compliance issues and concerns. Additionally, we train client employees on these topics. Employer-maintained self-funded medical plans, such as a major medical plan, a medical flexible spending account, a Health Reimbursement Arrangement (HRA), or a self-funded dental plan, are "covered entities" under HIPAA. These covered entities are required to evaluate risks and necessary protections for plan information and to document the evaluation and the policies and procedures the employer adopts for the plan to protect all plan information. The plan information required to be protected is called "protected health information" or "PHI".

FBT assists clients in designing and documenting administrative, physical and technical safeguards to protect PHI, which includes preparing written policies and procedures and training client employees on the policies and procedures. Employers must maintain:

  • A Privacy Policy which describes and documents all of the PHI safeguards
  • A Privacy Notice which is required to be given to group health plan participants to explain how their PHI is protected and when it can be disclosed
  • An Authorization Form for an individual to direct the plan to disclose PHI
  • A Business Associate Agreement between the health plan and each service provider.

FBT also assists employers and other covered entities with investigating a possible breach of PHI and evaluating what notices are required to affected group health plan participants, to the U.S. Department of Health and Human Services (HHS), and to the media. Employers and their health plans also have obligations when there is a breach by a business associate to a plan. We assist employers by reviewing the steps the business associate is taking, to confirm that all required steps to report the breach and mitigate any possible harmful effects are taken.

Violations of HIPAA can result in civil and criminal monetary penalties and a criminal penalty of imprisonment of up to one year, and penalties are now much higher after the HITECH amendments to HIPAA. HHS has been aggressive about enforcing the rules and assessing penalties. FBT’s employee benefits attorneys have spent a great deal of time assisting employers with establishing policies and procedures to comply with HIPAA and minimize the risk of penalties.