As covered entities under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), healthcare providers are intimately familiar with the strict privacy and security requirements imposed on them by HIPAA and the importance of full compliance. Measures taken over the years to ensure compliance have become ingrained in daily practice, routine to employees, so HIPAA no longer keeps providers up at night. Check. Done. Right?

Hopefully. Maybe. What else is there?

If you are an employer, you may sponsor a group health plan to benefit your employees and their dependents. Group health plans are also covered entities under HIPAA. This article provides an overview of how the HIPAA privacy and security rules apply to group health plans. The breach notification and transaction standards apply to group health plans as well, but are beyond the scope of this article.

Privacy and security protections similar to those that apply to your patients' protected health information ("PHI") apply to the PHI of participants in group health plans offered to your employees. The degree to which a group health plan must provide these protections depends on how the plan is funded and whether you or your employees have access to participant PHI that is maintained by the plan.

If your group health plan is fully insured, you may be able to avoid HIPAA compliance, shifting the burden to the insurance carrier instead. If your plan is self-insured, you can't avoid responsibility for HIPAA compliance altogether. Again, the degree of your compliance burden depends on the information to which you have access. Note that the source of the PHI is key. HIPAA compliance is triggered when the access to PHI is from the plan. If the PHI is received directly from the employee or under an authorization from the employee, the HIPAA protections do not apply.

Download Full Article