An employer that changes its medical plan from fully insured – where the insurance company sets the terms of the policy and retains the risk that claims will exceed the premiums paid – to self-funded – where the employer is responsible for the claims – must re-examine all aspects of the operation of its medical plan. In addition to drafting a new plan document and summary plan description, negotiating contracts with a claims administrator and other vendors, and purchasing stop-loss coverage to insure against the risk of catastrophic claims, employers must address privacy and security obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and reporting requirements under the Patient Protection and Affordable Care Act (PPACA).

HIPAA Privacy Rules

HIPAA regulates how covered entities, which include employer-sponsored medical plans, may use and disclose protected health information (“PHI”). PHI is information that is created or received by the medical plan, that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual, and that relates to:

  • The past, present, or future physical or mental health or condition of an individual (which may be the plan participant, or a covered spouse or dependent);
  • The provision of health care to an individual; or
  • The past, present, or future payment for the provision of health care to an individual.

When a medical plan becomes self-funded, the employer and its business associates will have access to PHI that was not available to them when the medical plan was an insured plan.

HIPAA requires that the medical plan adopt policies and procedures identifying the members of the employer’s workforce who may have access to PHI, how the PHI may be used, and how access to PHI will be safeguarded. The plan must appoint a Privacy Officer responsible for developing and implementing these privacy policies and training the employer’s workforce. A Notice of Privacy Practices must be developed and distributed to plan participants at the time of initial enrollment in the plan and at least once every three years thereafter. A contact person must be appointed to receive complaints about possible violations of the plan’s privacy procedures. The plan document must incorporate HIPAA’s rules restricting the use or disclosure of PHI, and the employer, as plan sponsor, must certify that it will comply with these rules.

HIPAA Security Rules

HIPAA also requires a plan to adopt security policies and to prepare a risk assessment for PHI that is transmitted by or maintained in electronic media (“electronic PHI”). The plan must appoint a Security Official who is responsible for the development and implementation of these security policies. The plan must also have a breach notification policy and a process for determining whether a security incident involving PHI (electronic or otherwise) is a reportable breach. The Department of Health and Human Services recently released sub-regulatory guidance addressing how medical plans and business associates should respond to cybersecurity incidents, emphasizing a covered entity’s responsibility to report certain security incidents in a timely manner.

Affordable Care Act Reporting

The Affordable Care Act (“ACA”) requires applicable large employers, those that employed on average at least 50 full-time equivalent employees in the prior year[1], to report on Form 1095-C the employer’s offer of minimum essential coverage to each employee for the calendar year. This reporting is required regardless of whether the coverage is provided through an insured or a self-funded medical plan. Small employers, those with fewer than 50 full-time equivalent employees in the prior year, are sometimes surprised to learn that the switch to a self-funded medical plan means the employer must now provide employees with Form 1095-B, reporting the coverage provided under the self-funded medical plan.

In the past, it was very unusual for an employer with fewer than 50 employees to offer a self-funded medical plan. During due diligence for a potential acquisition, I recently dealt with issues involving a target company that used a “level-funded” contract to provide self-funded medical coverage to its 35 employees. The carrier’s level-funded administrative services contract resembled an insured medical plan in that the employer paid the carrier a monthly amount based on the number of employees who elected single, two-person, or family coverage for that month. These monthly payments funded the plan’s current and future claims, administrative costs, and stop-loss insurance premiums. The attachment point for the stop-loss insurance was low, $30,000 per covered individual. The carrier confirmed that the run-off claims were pre-funded and that the employer would have no liability after it terminated the contract. The contract clearly disclosed that the benefits were provided under a “self-insured employee welfare benefit plan.” As a self-funded plan, the target company was required to comply with the ACA reporting requirement, but it had failed to do so. A small employer should carefully review the terms of any “level-funded” contract to determine whether its plan is insured or self-funded.

Employers sponsoring self-funded medical plans with questions about complying with HIPAA’s Privacy and Security Rules or the ACA reporting requirements should reach out to an experienced employee benefits attorney for guidance.