
The first step is for the Group Health Plan to determine its obligations under the HIPAA Privacy Rule and its insurance status as either fully-insured or self-funded. While the definition of Group Health Plan does not distinguish between fully-insured and self-funded groups, what a group must do to comply does differ based on its insured status.
The next step is to determine how important it is for the Group Health Plan to receive Protected Health Information (PHI). The following information will assist in analyzing the plan's obligations under the Privacy Regulations.
FULLY-INSURED GROUP HEALTH PLANS
Fully-insured plans that have access to Protected Health Information (PHI) other than enrollment/disenrollment and eligibility data and Summary Health Information must fully comply with all of the following provisions of the Privacy Regulations:
• Develop and implement Privacy Policies and Procedures.
• Furnish a Notice of Privacy Practices to its members.
• Appoint a Privacy Official and establish a contact office.
• Train employees on their Privacy Policies and Procedures and establish sanctions for violations.
• Implement data privacy and security safeguards.
• Develop a mitigation plan in the event of Privacy breaches.
• Establish a complaint process for members.
• Allow for access, copying and requests for amendment of PHI.
• Provide for an accounting of disclosures to their members upon request.
• Retain compliance documentation for six years.
IMPORTANT EXCEPTIONS: If a fully-insured Group Health Plan elects to receive only Summary Health Information, it will fall under the insurer's HIPAA Privacy umbrella. Summary Health Information is PHI that summarizes claims history, claims expenses or types of claims experience of enrollees for whom the Plan Sponsor has provided health benefits under the Group Health Plan; it is stripped of all individual identifiers but is not necessarily fully de-identified as defined by the Privacy Regulations. The level of effort required to comply with the Privacy Regulations is significantly reduced, as indicated below:
• No HIPAA-specific Privacy Policies and Procedures required;
• No Notice of Privacy Practices to distribute or maintain;
• No requirement to appoint a Privacy Official and establish a contact office;
• No employee Privacy training or sanctions required;
• No HIPAA-specific data privacy and security safeguards required;
• No HIPAA-specific complaint process required;
• No requirement to allow members to access, copy or request to amend their PHI;
• No requirement to provide enrollees with an accounting of disclosures;
• Must only retain any Plan Document amendments for six years.
If fully-insured Group Health Plans elect not to receive PHI, and elect instead to receive only Summary Health Information, they should formally document this decision and modify any of their existing practices that involve greater use of PHI.
SELF-INSURED GROUP HEALTH PLANS
Fully and partially self-funded Group Health Plans are not granted the same exceptions for compliance with the HIPAA Privacy Regulations as those available to fully-insured Group Health Plans. This means that the self-funded Group Health Plan must fully comply with all provisions of the Privacy Regulations that were outlined above for fully-insured Group Health Plans that elect to receive PHI. However, even though they must comply with all provisions of the Regulations as outlined above, self-funded Group Health Plans may be able to reduce the actual amount of administrative work they must do by limiting the amount of PHI that their employees use or disclose.
Disclaimer: EDH obtains its information from sources it believes to be reliable. However, due to human and mechanical errors as well as other factors, EDH makes no representations or other warranties, express or implied, as to the accuracy of the information. This information is provided for discussion purposes only. It does not constitute legal advice and is not intended for use without the advice of legal counsel. It is also not a substitute for legal or other professional advice. Users should consult their own legal counsel for advice regarding the application of the law and this document as it applies to the HIPAA regulations.