Health Plans:
Not All Group Plans Are Exempt From HIPAA
Published on Wed May 26, 2004
Only some provisions are mitigated for fully insured plans.
Group health plans that are fully insured may not need to satisfy all of the requirements of the privacy rule, according to the HHS Office of Civil Rights, because the bulk of the responsibility rests with the health insurance issuer or health maintenance organization contracted by the plan.
"Fully insured group health plans that do not create or receive protected health information other than summary health information and enrollment or disenrollment information are not required to have or provide a notice of privacy practices," OCR explains.
However, despite exemption from these and other administrative responsibilities, fully insured plans can and will be held liable for engaging in intimidating or retaliatory acts, or for forcing an individual to surrender his privacy rights. These plans also may be required to adhere to certain documentation requirements when sharing PHI with the plan sponsor.
Lesson Learned: Group health plans have firm guidance on their accountability under HIPAA.