Jason Karn, Total HIPAA’s Chief Compliance Officer, recently spoke with David Smith, a nationally recognized healthcare benefits consultant and regulatory expert, to discuss how fully-insured, self-funded, and hybrid employee benefits plans impact HIPAA compliance. They explore the steps companies in transition from one category to another must take in order to remain compliant. You can listen to this episode of our podcast HIPAA Talk! here or on your mobile device via Apple Podcasts. Or, read the analysis below.
Transitioning From a Fully-Insured to Self-Funded or Hybrid Plan
When companies transition from a fully-insured to a self-funded plan, or a hybrid of the two, they gain access to full claims data. Under a self-funded plan, the company knows everything that goes on between employees and healthcare providers. This includes information like who goes to which provider, which medical procedures they receive, diagnosis codes, and the breakdown of procedure costs for the patients and the insurance company. Under a fully-insured plan, employers are insulated from this level of detail. However, employee self-disclosure opens the requirement for HIPAA compliance in a fully-insured plan.
With a self-funded plan, employers collect the money from premiums paid by employees when they enroll in the company health plan. Then, they use that source of funding to cover the cost of employees’ health claims. This way, employers are basically running their own plan, which saves them the money they would pay if they were going through an insurer. When claims cost less than expected, employers pocket the leftover funds.1
PHI and Self-Funded Plans
Having total access to this Protected Health Information (PHI) comes with a great deal of responsibility. Companies with self-funded plans must equip themselves to handle this sensitive information.
To prepare for increased dealings with PHI, companies should train their employees on HIPAA compliance. If an employer already offered a health plan, they should be HIPAA compliant. (Re)training employees is a required part of compliance because human error is the number one cause of data breaches.
With more PHI present in your office under a self-funded plan, there is an increased likelihood that it could be exposed inappropriately.
Employees must know they cannot discuss or disclose any PHI they come in contact with unless authorized to do so. They should also be made aware of cybersecurity threats that could render the company’s electronic data vulnerable to hackers or attacks.
David Smith compares the levels of access to data between a fully-insured and self-funded plan to the difference between knowing how to drive a car and actually understanding how the car works. Though employers may save money by operating their own plan, they also gain a great deal of liability.1
HIPAA Compliance and Employee Benefits
When transitioning to a self-funded plan, a company must designate one or more employees as the Privacy and Security Officer. They manage the HIPAA compliance process. Often, businesses select their owner or head of HR.
Make sure to choose someone trustworthy, who understands the seriousness of this responsibility. They must have the authority to impose the sanction policies outlined in your Privacy Policies and Procedures.
Remember, PHI comes in many forms: written, verbal, and electronic. Employers must appoint an organized person as Privacy/Security Officer who will not share the details of others’ insurance information.
Self-funded plans give the company full access to employees’ medical information. Therefore, employers must allow minimal access (only by necessary parties) to this data.
Because a self-funded benefits plan gives the company full access to employees’ medical information, this data needs to be shared with as few people as possible.
Under no circumstances may an employer make any decisions about one of their workers’ employment based on their health or the health of any of the employee’s family member. For example, an employer cannot fire one of their employees because they contracted an illness that increased the health plan premium.
If your company is thinking about transitioning to a self-funded or hybrid plan, give yourself plenty of time to implement HIPAA privacy and security compliance so that your company is prepared to follow the rules governing this additional responsibility. Though self-funded plans typically save companies money, they require more work and diligence. Make sure to properly prepare before accepting this additional responsibility.
1. JP Farley Blog: How Self-Funded Health Insurance Can Save Your Company Money