5 Steps to Successful HIPAA Compliance for Self-Insured Group Health Plans

Self-insured group health plans can offer significant cost and flexibility advantages for employers but come with an increased responsibility for protecting your employees’ sensitive health information. And the effort required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can be more difficult than with fully-insured plans.

In this blog post, we’ll compare key differences between self-insured and fully-insured health plans, review relevant HIPAA requirements, and describe five essential steps that employers with self-insured group health plans should take to ensure successful HIPAA compliance.

If your organization is considering moving from a fully-insured plan to a self-insured plan, or offering a self-insured plan as your initial group health plan offering, you’ve come to the right place!

What Are The Differences Between Fully-Insured and Self-Insured Group Health Plans?

Here some of the key differences between fully-insured and self-insured (also known as self-funded) group health plans:

Group Health Plan Attributes	Fully-Insured Plans	Self-Insured Plans
Business Model	· Employer engages third-party insurance company to provide health coverage to their employees. · Traditional route for providing employee health coverage.	· Employer provides funding and management of health coverage offered to their employees. · More recent option for providing employee health coverage. · Employer typically contracts with third-party administrator (TPA) to handle administrative functions such as: –  Claim payments to providers. –  Group health plan setup. –  Coordination of stop-loss coverage (which reimburses employers for claims that exceed a set amount for scenarios such as catastrophic loss and claims exceeding expected level of coverage). –  Customized reporting.
Premiums	· Employer pays premiums to third-party insurance company. Typically, premium rates are based on employer size, employee population, and healthcare use. · Employees may pay premiums to employer to cover a portion of their health insurance costs.	· No premiums paid to third-party insurance company. ·  Employees may pay premiums to employer to cover a portion of their health insurance costs.
Business Risk	· Insurance company assumes the risk of providing health coverage.	· Employer assumes the risk of providing health coverage.
Flexibility	· Limited flexibility and control over the way in which coverage is provided to employees.	· More flexibility and control over the way in which coverage is provided to employees.

What Are The HIPAA Implications For Fully-Insured vs. Self-Insured Group Health Plans?

With fully-insured plans, insurance companies handle full claims data, including Protected Health Information (PHI), and employers are separated from access to this data. The main responsibility for HIPAA compliance and the financial and security risks associated with handling PHI rests with the insurance company and not the employer. 

Self-insured plans handle and allow employers to have access to full claims data, including PHI. This gives employers the ability to track that an employee has received treatment or medical procedures from a specific healthcare provider, with full details of the diagnosis, prescriptions, and billed to costs covered by both the employer and the employee. It also requires that the employer assume full responsibility for HIPAA compliance and management of PHI financial and security risks.

Self-insured plans are rarely exempt from HIPAA compliance. The only case where an employer is exempt is if they provide coverage for less than 50 employees and administer Health Reimbursement Arrangements (HRAs) and Federal Reimbursement Allowances (FRAs) internally, and not with a TPA. Because self-insured plans are more suited for larger companies with the funding to provide coverage, most self-insured health group plans are subject to HIPAA compliance (Including both the Security and Privacy Rules).

Can Self-Funded Plans Reduce Costs For Employers?

Because self-insured plans do not require premiums to be paid to an insurance company, they can reduce health coverage costs for employers. The following diagram provides a comparison of fully insured and self-funded insurance plan costs and potential cost savings with self-funded plans.

What Steps Should We Take To Achieve HIPAA Compliance For Our Self-Funded Plan?

Here are five key steps you should take to bring your self-funded plan into compliance with HIPAA:

Appoint a Privacy and Security Officer

• This role is to identify and provide oversight of PHI that is created, received, maintained, or transmitted by the group health plan.
• One or more employees must be appointed as a HIPAA Security Officer and HIPAA Privacy Officer. The same person can perform both duties, or different people can be appointed for each role.

Develop HIPAA-Compliant Privacy Policies

• Establish the permitted uses and disclosures of PHI.
• Require third-party administrators (TPAs) to adhere to Business Associate Agreements (BAAs). BAAs are contracts between a HIPAA Covered Entity (the employer in this case) and a business or individual that performs functions or activities on behalf of, or provides services to, the Covered Entity when these functions/activities involve access to PHI.

Develop HIPAA-Compliant Security Policies

• These must address the administrative, physical, and technical controls to safeguard PHI.
• Security Officers must conduct risk assessments to identify vulnerabilities, followed by risk analysis to implement controls and policies to further mitigate risks.

Develop a Breach Notification Policy

• Self-insured organizations must develop a breach notification policy to be invoked in the event of unauthorized disclosure of PHI to advise employees that sensitive information may have been compromised. In some cases, notifications must also go out to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights.

Employee Training

• Members of the group health plan must be given notice of the plan’s privacy practices.
• Employees that handle PHI are required to undergo special training.
• Each employee must be made aware of the sanction process/disciplinary process associated with failing to comply with the privacy policies and procedures and breach notification rules.

Tevora Can Help

Bringing your self-insured health plan into compliance with HIPAA will require a significant commitment of staff resources. This can be challenging for some organizations. If you would like some help, Tevora has extensive experience helping organizations like yours adopt and assess compliance with HIPAA and would be happy to help you plan for and execute this important effort.

Here are some of the reasons that make Tevora uniquely qualified to help with your journey to HIPAA compliance:

• Expertise—In addition to our deep expertise and experience with the HIPAA standard, we understand the nuances of self-insured group health plans and know how to ensure their security and privacy.
• Partnership—We work with a long-term outlook. We’re motivated to succeed today so we can exceed your expectations again next year. We spend the time to get to know your team and business priorities, which enables us to develop customized solutions, tailor-made to meet your unique requirements. And we’re committed to delivering security and privacy solutions that you can sustain and maintain long term, so training and equipping are always an integral part of our projects.
• Dedication—Our dedicated team of experts is laser-focused on keeping your brand and environment safe. We are committed to providing high-quality services and meeting tight timelines while maintaining flexibility to adapt with you as business conditions change. Going above and beyond is just another day at the office for us.
• Proven Compliance Approach—Our proven approach puts you on a fast track to HIPAA compliance. Here’s a summary of the process steps we follow:

Additional Resources

Below are additional resources that provide a deeper dive on the topics covered in this blog post:

• HIPAA Journal article on HIPAA Compliance for Self-Insured Health Plans
• HHS Guidance on Self-Funded, Non-Federal Governmental Plans
• HHS Factsheet on Self-Funded, Non-Federal Governmental Factsheet

Contact Us

If you have questions about HIPAA compliance for self-insured health plans or would like help becoming compliant with this important standard, just give us a call at (833) 292-1609 or email us at sales@tevora.com.