The requirement formally kicks in on Wednesday, a year after a similar rule went into effect for larger health programs, according to Spencer Benefits Reports.
Some health plans are not subject to the rules. A self-funded group health plan with fewer than 50 participants administered solely by the employer that maintains the plan is not covered and is freed from complying with HIPAA. However, most small employer health plans are insured (not self-administered), and therefore they come under the law’s dictates.
All other group health plans are legally bound to comply with HIPAA, but if an employer’s insured health plan does not see any protected health information except for summary details, that plan in practice need not involve itself in the privacy rules because:
- it does not have protected health information
- there is a regulatory exemption from the notice requirements
- there is a regulatory exemption from the privacy officer and training requirements.
Because Flexible Spending Accounts are always self-funded, they are subject to HIPAA (unless, they have fewer than 50 participants and are self-administered).
A broker or third party administrator may perform HIPAA compliance services through a business associate’s agreement. However, there remains a legal obligation for the plan to comply with HIPAA, and any penalties imposed for a failure to comply will be imposed on the plan and not the broker or TPA.
Any self-insured plan with 50 or more participants will be deemed to receive employee health information, even if the employer has taken careful steps to ensure that a TPA takes care of all aspects of plan administration. Such an employer is relieved of some, but not all, HIPAA compliance obligations. Also, an employer with a fully-insured plan may be receiving protected health information of which it is not aware. It is the plan’s obligation to determine what information it is receiving and what its compliance obligations are.