Thu, Sep 19, 2013

Considering Self-Funded Insurance Plans? Don’t Forget HIPAA Laws

With the Affordable Care Act mandate requiring employers to offer health insurance delayed for one year, many employers are considering different options to offset related costs, including self-funded health plans. Although self-funding has typically been perceived as viable only for larger employers, providers are looking at ways to make self-funded insurance plans a possibility for small businesses as well.

A “Self-Funded Plan” is an insurance arrangement in which the employer assumes direct financial responsibility for the costs of enrollees’ medical claims. Employers sponsoring self-funded plans typically contract with a third-party administrator or insurer to provide administrative services for the self-funded plan. In some cases, the employer may buy stop-loss coverage from an insurer to protect the employer against very large claims. Recent data shows that 61 percent of covered workers are in a self-funded plan.

While employers consider self-funded plans, it is also important for them to note how such a plan may obligate them to follow the regulations set forth under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as amended by the omnibus final rule (Final Rule), whose compliance deadline is September 23, 2013.

The Final Rule amends the privacy, security, breach notification and enforcement regulations of HIPAA and HITECH. It requires covered entities and business associates to conduct a security risk assessment; revise existing privacy, security and breach notification policies and procedures; amend business associate agreements; and retrain employees on the revised policies.

Federal law (the Employee Retirement Income Security Act of 1974) exempts self-funded plans from state insurance laws, but when an employer funds insurance benefits itself, it still has access to employees’ medical information, either directly or through a third-party administrator acting as a covered entity or business associate. For this reason, employers with self-funded plans are nevertheless responsible for complying with HIPAA. Because the Final Rule applies, with few exceptions, to all health plans, self-insured and fully insured alike, such employers may not realize that they have less than a week to review their compliance responsibilities under it.

With the deadline for compliance looming, it’s important for employers to consider all their options. Let us know what you think – is your organization considering adding or changing healthcare benefits for employees?

By Kroll Editorial Team
