Are Small Health Care Plans Exempt From HIPAA Privacy and Security Rules?

HIPAA privacy and security rules are complex and cumbersome. Is a small employer health plan exempt? The short answer is that much of the responsibility for compliance with privacy and security issues can be shifted to the health insurer and away from the plan sponsor in many cases. The more difficult questions are:

• What must the small employer do (or refrain from doing) to attain this shift in responsibility?
• What other circumstances will make the shift unavailable?

The only numerical bright line applies to self-insured plans. The size exemption states that self-insured plans with fewer than 50 eligible participants that are internally administered are exempt from the privacy rule. “Self-insured” plans include the comprehensive hospitalization and basic medical plans that many large employers use instead of purchasing health insurance from an insurance company. Typically, they will retain the services of an outside third-party administrator (TPA). Self-insured health care plans also include medical expense reimbursement flexible spending account (medical FSA) plans and health reimbursement account (HRA) plans used by employers of all sizes.

A common HRA plan occurs where an employer purchases a high deductible health insurance plan for its employees, but then agrees to reimburse its employees for some or all of the deductible. These employers are self-insuring a portion of the health care costs. In some cases, the reimbursement is done by the employer itself, in other cases the employer hires an unrelated TPA and in other cases the health insurance company itself acts as a TPA and performs this service.

Only in the case of a self-insured plan where an employer internally administers the reimbursement requests of its employees and the employer has fewer than 50 employees is this plan exempt from the privacy rule. Exclusion from the HIPAA privacy rules under this exception are rare since most medical FSAs and HRAs are administered by independent TPAs. An employer with an insured plan that might be partially exempt from HIPAA privacy and security compliance for its health insurance plan, for other reasons, will nevertheless be subject to the full range of HIPAA privacy and security compliance obligations because of its HRA or medical FSA plan. Maintenance of an employee assistance plan (EAP) or wellness plan will also often trigger detailed HIPAA compliance.

Unless the plan is a small, internally administered, self-insured arrangement, the plan is subject to HIPAA privacy and security rules to some degree. However, there is a partial exemption from HIPAA privacy and security rules for plans that have no access to participant protected health information (PHI). We call these “hands off” plans. Hands off plans are not subject to the requirements to maintain a privacy policy, distribute the notice of privacy practices, enter into business associate agreements or the rights of participants to access their own PHI. These duties are fulfilled by the insurance company. This partial exemption applies only to insured plans where the plan sponsor does not receive or transmit any PHI and where its insurance agent or broker does not receive or transmit any information other than limited enrollment information.

It is hard to imagine any plan sponsor and broker that does not receive at least some PHI in excess of limited enrollment information if the insurance costs are determined at least in part by claim experience. For this reason, we recommend a rule of thumb for starting the discussion of whether a plan is eligible for this partial exemption. If a plan is community rated for insurance premium determination purposes and does not operate in conjunction with an HRA or medical FSA, then it is a candidate for the hands off partial exemption. If the plan is experience rated for purposes of premium determination purposes, then it is unlikely to be eligible for the hand off partial exemption. Plans with fewer than 50 participants are community rated in Michigan, and plans with more than 50 participants are experience rated. (The 50-employee threshold is scheduled to increase to 100 for plan years beginning in 2016 and later.)

I asked two insurance agents whether they thought the community-rated insured plans were good candidates for the hands off approach. Both agreed it was a good starting point. However, both expressed reservations about whether any plan, regardless of size, could avoid receipt of at least some PHI from their agent/broker/insurance company. Whether a specific small plan will be eligible for this partial exemption is a topic too broad for this summary and should be evaluated on an individual basis. We recommend a consultation to determine if your circumstances warrant consideration of a limited compliance response.

A different analysis applies for the security rule. If the plan sponsor receives or transmits any PHI electronically, then the security rule applies. Therefore, this rule covers any plan that transmits PHI electronically whether or not subject to the privacy rule. It also applies to those plans that have fewer than 50 participants, and that are internally self-administered if the plan transmits PHI electronically. For this purpose, electronic transmission includes automatic fax machines and emails that contain PHI.

As a recap, all plans that self-insure, have fewer than 50 participants and are internally administered, are exempt from the privacy rule. Plans that are wholly or partially self-insured and that are either larger than 49 participants or externally administered are subject to the full range of HIPAA privacy compliance and are also subject to the security rules if the plan transmits any PHI electronically. We recommend that all insured plans that operate in combination with an HRA or a medical FSA address the full range of HIPAA privacy and security documents and procedures. Plan sponsors offering EAP or wellness benefits should also carefully evaluate those programs to determine if PHI is received or transmitted. We also recommend that insured plans that are experience rated start their compliance analysis with the presumption that they must comply with the full range of HIPAA privacy and security rules. Insured plans that are community rated and that do not sponsor a medical FSA or HRA can often be structured and operated so that they avoid the detailed HIPAA compliance steps described above. However, care should be taken in evaluating past and expected future operations and we recommend that we assist you in review of your operations and alternative, limited compliance.

If you have questions about HIPAA compliance or would like assistance with reviewing and updating your HIPAA compliance package, contact another member of the Mika Meyers Labor and Employee Benefits Practice Group.