
Self-Funded vs. Fully-Insured Employee Benefits and HIPAA Compliance

Jason Karn, Total HIPAA’s Chief Compliance Officer, recently spoke with David Smith, a nationally recognized healthcare benefits consultant and regulatory expert, to discuss how fully-insured, self-funded, and hybrid employee benefits plans impact HIPAA compliance. They explore the steps companies in transition from one category to another must take in order to remain compliant. You can listen to this episode of our podcast HIPAA Talk! here or on your mobile device via Apple Podcasts. Or, read the analysis below.

Transitioning From a Fully-Insured to Self-Funded or Hybrid Plan

When companies transition from a fully-insured to a self-funded plan, or to a hybrid of the two, they gain access to full claims data. Under a self-funded plan, the company knows everything that goes on between employees and healthcare providers: who goes to which provider, which medical procedures they receive, diagnosis codes, and the breakdown of procedure costs between the patient and the insurance company. Under a fully-insured plan, employers are insulated from this level of detail. However, even under a fully-insured plan, an employee's self-disclosure of health information can trigger the requirement for HIPAA compliance.

With a self-funded plan, employers collect the premiums paid by employees when they enroll in the company health plan. They then use that pool of funds to cover the cost of employees' health claims. In effect, employers are running their own plan, which saves them the money they would otherwise pay to an insurer. When claims cost less than expected, employers keep the leftover funds.[1]

PHI and Self-Funded Plans

Having total access to this Protected Health Information (PHI) comes with a great deal of responsibility. Companies with self-funded plans must equip themselves to handle this sensitive information.

To prepare for increased handling of PHI, companies should train their employees on HIPAA compliance. An employer that already offered a health plan should already be HIPAA compliant. (Re)training employees is a required part of compliance because human error is the number one cause of data breaches.

With more PHI present in your office under a self-funded plan, there is an increased likelihood that it could be exposed inappropriately.

Employees must know they cannot discuss or disclose any PHI they come in contact with unless authorized to do so. They should also be made aware of cybersecurity threats that could render the company’s electronic data vulnerable to hackers or attacks.

David Smith compares the difference in data access between a fully-insured and a self-funded plan to the difference between knowing how to drive a car and actually understanding how the car works. Though employers may save money by operating their own plan, they also take on a great deal of liability.[1]

HIPAA Compliance and Employee Benefits

When transitioning to a self-funded plan, a company must designate one or more employees as its Privacy and Security Officer. This person manages the HIPAA compliance process. Often, businesses select their owner or head of HR.

Make sure to choose someone trustworthy who understands the seriousness of this responsibility. They must have the authority to impose the sanction policies outlined in your Privacy Policies and Procedures.

Remember, PHI comes in many forms: written, verbal, and electronic. The person appointed as Privacy/Security Officer must be organized and must not share the details of others' insurance information.

Because a self-funded plan gives the company full access to employees' medical information, employers must apply the minimum necessary standard: this data should be accessible only to the parties who need it, and shared with as few people as possible.

Under no circumstances may an employer make any employment decision about a worker based on the worker's health or the health of any of the worker's family members. For example, an employer cannot fire an employee because the employee contracted an illness that increased the health plan premium.

If your company is thinking about transitioning to a self-funded or hybrid plan, give yourself plenty of time to implement HIPAA privacy and security compliance so that your company is prepared to follow the rules governing this additional responsibility. Though self-funded plans typically save companies money, they require more work and diligence, so make sure you are properly prepared before accepting that responsibility.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.


[1] JP Farley Blog: How Self-Funded Health Insurance Can Save Your Company Money
