Employer-Sponsored Group Health Plans & HIPAA

If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.

Physician practices typically understand they are “Covered Entities” under HIPAA due to their status as medical providers but many are unaware they may carry the title of Covered Entity” by way of their employer status.

Though employers are not Covered Entities under HIPAA, many employers offer fully or partially self-funded health plans to their employees and those health plans are Covered Entities under HIPAA. Indeed, even flexible spending accounts or 125 plans are considered health plans and thereby must comply with HIPAA.

Last April, the final installment in the series of three HIPAA regulations went into effect. The first installment was the Electronic Health Care Transaction and Code Sets (October 2002). The second installment was the Privacy Rule (April 2003 or April 2004 for small group health plans). Finally, as of April 20, 2005, all covered entities (as defined by HIPAA) were required to implement the Security Rule. Small health plans, defined as those that spend $5 million or less in claims, were given until April 20, 2006, to comply.

The Security Rule, a series of standards, provides administrative, physical and technical safeguards to protect the security of electronic health information. It may be found at Title 45, Code of Federal Regulations, Part 164, Sections 302-318 (45 CFR 164.302).

While the Privacy Rule includes a mini-security rule, the regulations of the Security Rule are far more detailed and include comprehensive ways in which a covered entity may perform a risk analysis to determine the measures required to comply with the Rule. The Security Rule applies to the same covered entities as the Privacy Rule and similarly applies to the covered entities’ business associates. If you offer a health plan to your employees, that plan must meet both the Privacy Rule and Security Rule requirements. By extension, the employer must ensure that the plan has met those requirements.

For small plans, compliance may be simple, especially when most employers outsource their health care operations to third party administrators and have very little interaction with electronic protected health information, or PHI.

Like the Privacy Rule, the Security Rule requires health plans to limit disclosures of PHI to the plan sponsor employers unless certain conditions are met. Consequently, non-covered entity employers who are health plan sponsors are affected by HIPAA’s Security Rule including having to amend employer health plan documents to incorporate provisions requiring such employers who receive PHI from the health plan to implement security safeguards.

These safeguards include three standards which fall under the categories of administrative, physical and technical, and numerous implementation specifications.

The good news is that the Security Rule permits flexibility in your entity’s approach based upon organizational size, complexity, staff capabilities, the likelihood of potential risks, costs, and your computer hardware and software capability.

It’s also a good time to be reminded that every three years, covered entities should revisit their adherence to the Privacy Rule requirements by evaluating actions taken and determining whether it is appropriate to modify compliance processes and procedures. HIPAA compliance does not have a completion date, rather it is an ongoing process.

View PDF