A Health Plan paid the largest HIPAA fine in U.S. history for the largest HIPAA breach in history. Anthem, Inc., paid $16 million after 79 million patients’ data was breached. Anthem is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans, yet it did not follow HIPAA.
OCR Hit Anthem Hard for Failing Health Plan HIPAA Compliance
In its press release about the settlement, the Office for Civil Rights (OCR) scolded Anthem for failing to prevent or quickly detect the breach because it failed to implement required HIPAA safeguards. The HIPAA Rules are a blueprint to protect Health Plans, and The HIPAA E-Tool® has the Health Plan solution.
In addition to the $16 million fine, Anthem was required to submit to a 2-year Corrective Action Plan, which included:
- Improve its HIPAA Risk Analysis for security management
- Revise its basic HIPAA policies and procedures
- Improve its information system activity review and access controls, including password management
Health Plan HIPAA Compliance has Unique Features
Private Health Plans insure the majority of Americans – they are “covered entities” and must comply with HIPAA. They do not see patients directly or provide care, but they are intimately involved in patient care through agreements to pay healthcare costs, and they are entrusted with protected health information to fulfill those agreements. Understanding health plan HIPAA compliance and its special requirements is critical.
Health Plan HIPAA compliance requires familiarity and compliance with the Employee Retirement Income Security Act of 1974, or ERISA. HIPAA rules, which came later, refer to ERISA and incorporate some of its concepts and definitions.
Three Types of Private Health Plan “Covered Entities”
Health Plans in general are forms of insurance to cover costs of medical care. The HIPAA Rules define “Health Plan” broadly because the United States has many different types of health insurance. The three types of health plan covered entities are described below.
A Health Insurance Issuer is an insurance company (like Anthem), insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State Law that regulates insurance. A Health Insurance Issuer is not a Group Health Plan defined by HIPAA.
A Health Maintenance Organization (HMO) is a federally qualified HMO or an organization that State Law recognizes as an HMO or regulates like an HMO.
Health Insurance Issuers and HMOs must comply with HIPAA.
Most privately employed people obtain health insurance through Group Health Plans. A Group Health Plan is an employee welfare benefit plan, established by an employer or employee organization (such as a labor union) called the “Plan Sponsor”, that pays for or provides employee or member Medical Care and that either covers 50 or more Participants or, regardless of size, is administered by someone other than the Plan Sponsor. It may be fully-insured or self-insured. The Plan (the Group Health Plan) is the HIPAA Covered Entity – not the Plan Sponsor (the employer, labor union or other employee organization). But a Plan Sponsor must ensure its Group Health Plan complies with the HIPAA Rules.
A Group Health Plan is a distinct legal entity that must comply with HIPAA.
HIPAA Health Plan Compliance includes Compliance with ERISA
Unlike other covered entities such as hospitals, doctors and other healthcare professionals, Health Plans must also comply with the Employee Retirement Income Security Act of 1974, or ERISA. HIPAA came 20 years after ERISA, and the two laws overlap. For example, the HIPAA Health Plan Rules define important terms like “Plan Sponsor” simply by pointing to a section of the ERISA law.
Two Types of Group Health Plans
Group Health Plans may be either fully-insured or self-insured. A fully-insured Group Health Plan is one in which a Plan Sponsor (for example, an employer or employee organization) contracts with a Health Insurance Issuer or HMO for coverage of its employees or members. If a fully-insured Group Health Plan has limited exposure to PHI, it is exempted from most, but not all, HIPAA Privacy Rule compliance requirements.
A self-insured Group Health Plan is one where the Plan Sponsor takes on the financial responsibility for providing healthcare benefits to its employees or members instead of contracting with a Health Insurance Issuer or HMO.
Self-insured Group Health Plans typically establish a special trust fund to pay claims instead of paying premiums to Health Insurance Issuers or HMOs. A self-insured Group Health Plan can be administered in-house or by a Third Party Administrator. However, if it is administered in-house, there must be a strict firewall between the health information created, received and used to administer the self-insured Group Health Plan and the Plan Sponsor. A Participant’s PHI may not be disclosed to the Plan Sponsor for the purpose of employment-related actions or decisions, or in connection with any other employee benefit offered by the Plan Sponsor.
A Third Party Administrator (TPA) for a Group Health Plan is a Business Associate and also must comply with HIPAA.
Key Takeaways of Health Plan HIPAA Compliance
HIPAA, ERISA and Plan Sponsors
- A Plan Sponsor is not a HIPAA Covered Entity, but the Group Health Plan established by the Plan Sponsor is the HIPAA Covered Entity.
- The protected health information (PHI) a Group Health Plan may share with a Plan Sponsor is strictly limited. HIPAA prohibits a Group Health Plan from disclosing PHI to a Plan Sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit.
- ERISA Fiduciary – Responsibility and Liability. A Fiduciary is defined by ERISA as a person or entity that has any discretionary authority over management of a Group Health Plan even if that person or entity is not named as a Fiduciary in the Plan Documents. Fiduciaries can be held personally liable for failing to carry out Group Health Plan duties in compliance with ERISA.
- A Plan Sponsor (Employer, Employee Organization, Association) is a Fiduciary. A Plan Sponsor’s selection of a Group Health Plan (Health Insurance Issuer, HMO or TPA) is a Fiduciary act, so a Plan Sponsor is a Fiduciary under ERISA. When a Plan Sponsor contracts with outside organizations like Health Insurance Issuers, HMOs and Third Party Administrators, those organizations also take on Fiduciary roles.
- Third Party Administrators are HIPAA Business Associates, but with extra responsibility. A Plan Sponsor must verify that its TPA complies with the HIPAA Business Associate Rules and must have a Business Associate Agreement with it. Although TPAs are Business Associates, the nature of their representation of Group Health Plans makes them a “surrogate” for those Health Plans. Therefore, a TPA must be thoroughly familiar with all Health Plan HIPAA compliance requirements, because it may be charged with carrying out those requirements for the Group Health Plan it serves.
- NEW 2019 HHS Health Care Operations Guidance for Health Plans. A Health Plan may disclose PHI about an individual it has in common with another Health Plan for case management and care coordination without an Authorization. For example, if an individual enrolled in Health Plan “A” switches to Health Plan “B”, “A” can disclose PHI, subject to the Minimum Necessary Standard, to “B” to enable “B” to manage and coordinate the individual’s care without obtaining an Authorization.
The Key Takeaways above are summaries, not the complete story of what you should know about HIPAA, ERISA and Plan Sponsors. Find out more from The HIPAA E-Tool® and avoid an Anthem-style disaster.
At The HIPAA E-Tool® we understand Health Plan HIPAA compliance and have complete policies and forms specifically designed for Health Plans, and a Glossary with all the associated ERISA terms and definitions needed to ensure 100% clarity and compliance.
You won’t find Health Plan HIPAA compliance expertise like this all in one place anywhere else!