What Is a Self-insured Health Plan?
Many large employers (including hospitals, long-term care facilities, large physician practices, automotive and other manufacturers, and airline carriers) have found they can save money by self-insuring their employee health plans rather than purchasing coverage from private insurers. This self-insured health plan program is permitted under the Employee Retirement Income Security Act (ERISA), and may be known as an ERISA plan. Self-insured health plans are considered group health plans (GHPs) and are subject to HIPAA regulations.A group health plan, as defined by HIPAA (p. 82,799), is: an employee welfare benefit plan (as defined in. ERISA), including insured and self-insured plans, to the extent that the plan provides medical care. including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise that:
- Has 50 or more participants (as defined in. ERISA); or
- Is administered by an entity other than the employer that established and maintains the plan.
As a practical matter, virtually all self-insured health plans are subject to HIPAA. Actuarial and cost considerations preclude employers with fewer than 50 participants (that is, employees or former employees eligible for benefits) from self-insuring. The Department of Health and Human Services (HHS) has stated that a health plan that uses a TPA is administered by another entity.
Note, however, that the privacy compliance date for a small health plan with receipts of $5 million or less has been extended by one year. HHS says that ERISA health plans should use proxy measures such as premiums or claims paid to calculate receipts.
Employer versus GHP Responsibilities
Employers must grasp several crucial concepts and definitions to understand their HIPAA obligations. First, many GHPs are really only a piece of paper and most have no staff. The operations of the GHP are either contracted to a TPA, carried out by the employers staff, or performed by the insurance issuer or health maintenance organization (HMO) from which the employerthrough its GHP on paperpurchases benefits.
HHS, like ERISA, recognizes a distinction between the employer as plan sponsor and the insured or self-insured GHP maintained by the plan sponsor. The regulations do not directly regulate the employer. However, unless the employer complies with requirements outlined in the regulations, HIPAA restricts the GHP from disclosing protected health information (PHI) except for summary health information (SHI) to the employer or plan sponsor.
HIPAA appears to impose different obligations on insured and self-insured group health plans. An employer may provide health benefits through a GHP, health insurance issuer, or HMO. The preamble to the August 14, 2002 (p. 53,207), modification to the privacy regulations clarified that an employer is not a hybrid entity simply because it is the plan sponsor of a group health plan. The employer/plan sponsor and group health plan are separate legal entities and, therefore, do not qualify as a hybrid entity. The GHP, however, will have plan documents with the plan sponsor that establishes how the plan will be administered.
A self-insured health plan mayand usually doesdelegate claims processing and other plan administration functions to a TPA or administrative services only (ASO) vendor. However, the TPA is not a covered entity; rather, it is a business associate of the GHP.
What Are GHPs Responsibilities?
A GHP is subject to all HIPAA regulations (that is, transactions and code sets, identifiers, privacy, and security), although sometimes in unique ways. With respect to privacy, there are several specific requirements and exceptions for GHPs. For the transactions, the GHP must be able to accept and send standard transactions if any entity requests that the plan conduct standard transactions.
What Are the Specific Privacy Requirements?
Compliance Responsibilities summarizes the various scenarios in which insured and self-insured plans may operate and how
their privacy rule compliance requirements vary.
Key to understanding the privacy requirements is first understanding who administers the plan and whether the plan receives PHI or only SHI. A GHP that is fully insured and receives only SHI and enrollment/disenrollment information avoids most of the responsibility for HIPAA compliance. However, if the insurer, HMO, or GHP provides PHI to the sponsor, the sponsor is required to certify that plan documents have been amended to incorporate privacy provisions. These certification requirements are summarized in Amending Plan Administration Documents . In some respects, they are similar to provisions of a business associate agreement and include organizational separation requirements.
If the plan sponsor is self-insured and administers the plan in-house or retains final adjudication responsibility for claims, it is obviously handling claims and, therefore, PHI. It is critical that the plan be identified and separated organizationally from all other employment-related functions. These GHPs must amend their plan documents to make the necessary organizational separation. They must also ensure compliance with the other privacy requirements, including providing a notice of privacy practices, and with all administrative requirements, such as having an information privacy official, employing safeguards, having privacy policies and procedures, and more (see Notice of Privacy Practices Requirements, ).
If the self-insured plan uses a TPA, the type of information the plan receives must be established. If the TPA does not supply PHI to the plan sponsor, there is no need for plan documents to be amended to require organizational separation and certification.
Exercise caution here, however, because while the TPA may not directly supply PHI, some TPAs have made PHI available to the sponsor in the past. For example, a plan sponsor may have had access to claim information to assist employees with managing their claims. Many of these plan sponsors are now requesting that this access be discontinued and are referring their employees directly to the TPA for such assistance. When an employee voluntarily brings claim information to an employer or plan sponsor, the employees authorization is implied. However, if the TPA supplies the plan sponsor with the information for the employee, the TPA should obtain an employee authorization.
For self-insured plans, because there is no insurance issuer or HMO, the plan sponsor is the GHP and must supply a notice of privacy practices and adhere to the administrative requirements. The TPA could draw up the notice, make the provision, provide the policies and procedures, and receive complaints, but it is the plan sponsors responsibility to ensure the notice is accurate and has been provided and other requirements are met.
What Are the Transactions Requirements?
A GHP, as a covered health plan, must be able to accept ASC X12N and NCPDP (National Council on Prescription Drug Programs) standard transactions (for example, 837 claims or 270 eligibility inquiries) and return standard transactions (835 remittance advice or 271 eligibility response) if any entity requests the plan to conduct standard transactions.
Self-insured plans, whether self-administered or administered through a TPA, need to assess their capabilities to conduct the HIPAA transactions, and may need to analyze the costs and benefits of obtaining in-house translator software or using a clearinghouse. If a clearinghouse is chosen as the means to accept or return standard transactions, the plan may not pass the cost of the clearinghouse on to the provider. Plans also may not enter into any unilateral agreements with providers where they agree to use non-standard electronic transactions.
What Is the Bottom Line?
The regulations are complicated with respect to self-insured plans and careful consideration of exact relationships is needed. It is essential that providers and other employers understand their relationship to their GHP and determine what their TPA is doing on their behalf, that plan documents are amended appropriately, and that they will be compliant by the respective deadlines.