Contributed by Elizabeth R. Larkin and Jessica Forbes Olson

Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered.

What providers may not realize is that they may actually have two separate HIPAA covered entities. A provider that offers an employee group health plan (which includes a self-insured medical, dental, or vision plan, an employee assistance program, a health reimbursement arrangement, and any health flexible spending account benefits) has a covered entity health plan and there are some additional and different HIPAA requirements that must be addressed.

Health care providers need to ensure they have implemented HIPAA for their covered entity group health plans and plan participants (employees) and their dependents who are enrolled in coverage. Providers should not rely on the HIPAA compliance documentation that they use for patients for use with their group health plans.

HIPAA applies differently to covered entity health care providers and covered entity group health plans. For example:

  • A group health plan is required to have a HIPAA plan document amendment that includes specific promises to comply with the HIPAA rules, including an obligation of the plan sponsor (employer) to not use protected health information (PHI) for employment related reasons or for any benefits other than the group health plan without signed authorizations from impacted group health plan participants and their dependents. The plan document amendment needs to be adopted (signed) in the same manner as other group health plan amendments.
  • A group health plan needs to indicate in the plan document amendment which employees are allowed to have access to group health plan PHI to perform group health plan administration activities. This will be limited to a small group of individuals (e.g., individuals in HR/benefits and payroll and IT personnel who provide support services to them along with the HIPAA privacy and security officials for group health plans).
  • A group health plan is required to have a document certifying that they have the appropriate HIPAA plan document amendment in place.
  • HIPAA training for the group health plans is limited to those workforce members listed in the HIPAA plan amendment as being entitled to access PHI in connection with performing plan administration functions (instead of the entire company workforce).
  • A group health plan needs its own HIPAA notice of privacy practices that describes how the group health plan will use and disclose PHI, which will be different from the notice of privacy practices it uses as a health care provider. (For example, one main reason a provider will use PHI is for treatment for its patients.  This will not apply to a group health plan since it does not provide treatment, but instead pays for covered treatment.)
  • The posting and distribution requirements for a group health plan notice of privacy practices to plan participants are different than the posting and distribution requirements that apply to patients.
  • A group health plan may not have to comply with more stringent state privacy or security laws due to ERISA preemption.
  • A group health plan needs HIPAA policies and procedures, but due to the differences between covered entity providers and covered entity group health plans, they will be different.
  • A group health plan needs a HIPAA privacy and HIPAA security official appointed. They can be the same individuals that act in this capacity for the covered entity provider, but do not have to be and often are not, at least for the HIPAA privacy official.  Group health plans often appoint as their HIPAA privacy official someone senior who is responsible for overseeing employee benefits (e.g., VP of Compensation and Benefits or Director of Benefits), while covered entity providers often appoint an organization-wide compliance officer or someone who works closely with that person to be the HIPAA privacy official.

The U.S. Department of Health and Human Services (HHS) is in the process of selecting covered entities and their business associates to audit for HIPAA compliance, and it is possible that HHS could select the health care provider’s covered entity group health plan to audit rather than (or in addition to) the covered entity health care provider practice. HHS can impose separate penalties for covered entity group health plan violations.  The range of possible penalties is the same for covered entity group health plans and covered entity health care providers.

Not only do covered entity health care providers have an obligation to ensure that their separate covered entity group health plans are in compliance with HIPAA, it will reflect poorly on a practice to have a HIPAA violation with respect to its group health plan. If you don’t comply with HIPAA for your employee group health plans, patients may assume that you don’t comply with HIPAA for your practice.

In short, health care providers need to make certain that they comply with HIPAA with respect to both their practices and their employee group health plans.