Question: Do employers with fully insured medical, dental and vision plans need a HIPAA notice of privacy practices?

Compliance Team Response:

HIPAA Privacy Notice Generally Not Required for Fully Insured Plans

As a starting point, all employer-sponsored group health plans—including fully insured plans—are HIPAA covered entities.

For fully insured plans, although the group health plan is still a covered entity, the insurance carrier is also acting as a covered entity.  Because there are dual covered entities involved, the HIPAA privacy/security rules largely exempt the employer from HIPAA’s documentation and training compliance requirements that would otherwise apply.

For example, an employer with only fully insured plans would not need to have HIPAA policies and procedures documents, provide employees with a notice of privacy practices, engage in business associate agreements, or undergo HIPAA training.  The insurance carrier (again, also a covered entity) is responsible for those requirements.

Most employers with fully insured plans meet this exception because they generally receive only summary health information for limited purposes and enrollment/disenrollment information.  In other words, in most cases only the carrier will have direct access to claims information without an employee’s authorization.  Furthermore, enrollment/disenrollment information held by the employer are generally considered employment records maintained by the employer (which is not subject to HIPAA) rather than plan information maintained by the covered entity.

What About the Health FSA?

The caveat to be aware of is that most employers with fully insured medical, dental, and visions plans also sponsor a health FSA.  This is an important point because the health FSA is technically a self-insured group health plan in which only the health FSA (sponsored by the employer) is directly subject to HIPAA as a covered entity.  In that case, the TPA for the health FSA acts as a business associate to the plan (i.e., not a covered entity).

Technically, the employer must meet the HIPAA privacy/security rules separately only for the health FSA.  This generally would involve a notice of privacy practices, policies and procedures, HIPAA training, and business associate agreements.

It is also important to note the practical perspective that it is very common for employers not to take all of the HIPAA steps described above (other than entering into a business associate agreement with the TPA for the health FSA) where the only self-insured group health plan is a health FSA.  In that case, the industry norm appears to be to assume that HHS (and the DOL/IRS) would not attempt to enforce the HIPAA privacy/security requirements for the limited nature of a health FSA.  We think this is a reasonable position for employers to take.  There also do not appear to be any publicly known instances where an employer has been subject to enforcement activity related to lack of HIPAA documentation or training when the employer’s health FSA was the only self-insured health plan.

There is no technical exception from those HIPAA rules for a health FSA, so an extra conservative employer would likely want to follow all the same steps that apply for self-insured medical, dental, or vision plans.  Employers following this more conservative route would want to carefully note that the notice of privacy practices does not apply for purposes of any fully insured benefits—which in this scenario would be all health plan benefits other than the health FSA—because those fully insured benefits have a separate notice of privacy practices provided by the insurance carrier.

Regulations

45 CFR §160.103:

Covered entity means:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

…

Group health plan (also see definition of health plan in this section) means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care…

…

Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(1) Health plan includes the following, singly or in combination:

(i) A group health plan, as defined in this section.

(ii) A health insurance issuer, as defined in this section.

(iii) An HMO, as defined in this section.

…

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information:

(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

(iii) In employment records held by a covered entity in its role as employer; and

(iv) Regarding a person who has been deceased for more than 50 years.

45 CFR §164.530(k):

(k) Standard: Group health plans.

(1)   A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:

(i)   The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and

(ii)   The group health plan does not create or receive protected health information, except for:

(A)   Summary health information as defined in §164.504(a) ; or

(B)   Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

_(2)  _ A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with §164.504(f) .

67 Fed. Reg. 53181, 53208 (Aug. 14, 2002):

https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf

While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual’s enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.

65 Fed. Reg. 82461, 82496 (Dec. 28, 2000):

https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf

The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.