
Don’t Cross the Line: Avoiding PHI Pitfalls in Fully Insured Group Health Plans

September 23, 2025

Fully insured group health plans may face fewer obligations under the HIPAA Privacy and Security Rules than self-insured group health plans (including health FSAs and HRAs), but only if the plan sponsor maintains a strictly hands-off approach to protected health information (PHI). "Hands-off" is not a HIPAA-defined term; it describes a plan sponsor whose involvement with PHI is minimal. When a fully insured plan limits the sponsor's involvement to enrollment, disenrollment, and summary health information (a Privacy Rule category of claims-experience data from which most identifiers have been removed), its compliance obligations under the Privacy and Security Rules are significantly reduced. If the employer begins to access or manage PHI beyond those limited functions, the plan is considered "hands-on," and broader obligations are triggered. Many fully insured plan sponsors therefore deliberately avoid handling participant health data to minimize compliance risk.

Despite best efforts to remain hands-off, employers sponsoring fully insured plans often find themselves in situations where they feel compelled to help with an employee’s claims issue. A participant may be struggling to navigate the insurer’s customer service line, or human resources might be asked to intervene during an employee’s medical emergency or other coverage dispute. In these situations, employers must be mindful of when they are handling PHI as a health plan sponsor and the corresponding additional compliance obligations.

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to improve access to health coverage and strengthen protections for PHI. HIPAA touches nearly every part of the U.S. healthcare system, from how individuals maintain medical coverage to how health information is managed, protected, and exchanged.

Among its most significant provisions for health plans are the Privacy and Security Rules, which collectively govern how PHI is used, disclosed, and safeguarded. PHI is defined as individually identifiable health information that relates to an individual’s health condition, care, or payment for care, and is created, received, maintained, or transmitted in any form by or for a covered entity, such as an employer-sponsored group health plan. While the Privacy and Security Rules apply broadly to group health plans, the extent of the plan sponsor’s compliance obligations varies significantly depending on the plan’s structure and involvement with PHI.

Importantly, an employer that sponsors fully insured medical, dental, and vision coverage and also offers a health FSA or HRA is "hands-on" with respect to those self-insured arrangements, which are therefore subject to the full scope of the HIPAA Privacy and Security Rule obligations regardless of how the fully insured coverage is handled.

Hands-Off vs. Hands-On Group Health Plans

A hands-off, fully insured group health plan is structured so that the plan sponsor does not access or manage PHI beyond enrollment, disenrollment, or summary health information. In hands-off arrangements, the health insurer assumes primary responsibility for privacy and security compliance. In contrast, a hands-on, fully insured group health plan is one in which the plan sponsor receives PHI from the insurer or other service providers and must therefore satisfy a broader scope of Privacy and Security Rule obligations. The moment a plan sponsor begins to access, use, or manage PHI beyond the limited scope permitted for hands-off plans, the plan shifts into hands-on territory.

NFP Observation

While fully insured group health plans may enjoy reduced Privacy and Security Rules compliance obligations when structured as hands-off, maintaining that status requires deliberate operational boundaries, clear documentation, and disciplined internal practices. (See Best Practices below.)

Under the Privacy Rule, self-insured and hands-on, fully insured plans must implement certain administrative requirements to ensure that PHI is protected. Under the Security Rule, self-insured and hands-on, fully insured plans must undertake certain measures to protect electronically maintained or transmitted PHI (known as ePHI).

  • Privacy Rule Obligations for Hands-Off Plans. Hands-off, fully insured plan sponsors are largely exempt from the Privacy Rule administrative requirements. Their obligations include:
    • Avoiding involvement in claims advocacy or other activities that would expose them to PHI.
    • Educating workforce members on the boundaries of the plan’s hands-off status.
    • Reminding participants of the availability of the Notice of Privacy Practices, which is typically distributed by the insurer.
  • Privacy Rule Obligations for Hands-On Plans. Hands-on, fully insured plan sponsors, as well as all self-insured plan sponsors (including those offering HRAs and health FSAs), must fully comply with the Privacy Rule administrative requirements, including:
    • Evaluating how PHI (and ePHI, under the Security Rule) are accessed, used, and disclosed.
    • Maintaining written policies and procedures outlining how PHI is used and protected.
    • Providing workforce training on HIPAA compliance and the minimum necessary standard.
    • Designating a Privacy and Security Official to oversee compliance.
    • Providing a Notice of Privacy Practices.
    • Limiting disclosures to those permitted by HIPAA.
    • Certifying in the plan document that PHI will be safeguarded in accordance with HIPAA and not be used for employment purposes.
    • Managing Business Associate Agreements (BAAs) with plan vendors that create, receive, maintain, or transmit PHI on the plan's behalf.

Plan sponsors often rely on HIPAA compliance vendors to satisfy the Privacy Rule’s requirements.

  • Security Rule Obligations for Hands-Off Plans. Hands-off, fully insured plan sponsors are largely exempt from the Security Rule's administrative, physical, and technical safeguard requirements if they do not access or maintain any ePHI. Plans should nonetheless conduct and document a risk analysis confirming that the sponsor has no access to ePHI.

NFP Observation

HHS has developed a HIPAA Security Risk Assessment Tool to assist small and medium-size organizations with the task of analyzing their own potential risks and vulnerabilities with respect to ePHI. The downloadable tool can be accessed at HIPAA Security Risk Assessment Tool (HealthIT.gov).

  • Security Rule Obligations for Hands-On Plans. Hands-on, fully insured plan sponsors must implement comprehensive measures to protect the ePHI that they access, including:
    • Ongoing administrative protocols such as risk analyses, workforce training, and incident response procedures.
    • Physical controls to manage access to facilities and devices.
    • Technical safeguards like access controls, audit logs, and transmission security.

These measures must be tailored to the organization's size and complexity, its technical infrastructure, and the likelihood and potential impact of risks to ePHI. Because of the complexity of the requirements and the expertise involved, plan sponsors generally need to coordinate with their IT professionals and, in many cases, a dedicated HIPAA Security vendor to ensure compliance.

Hands-On Plan Administration. Group health plans that comply with the Privacy and Security Rule requirements may use and disclose PHI for treatment, payment, and healthcare operations without an individual's authorization, and may share PHI with the plan sponsor for plan administration functions once the plan document amendment and certification described above are in place. Those functions allow human resources, benefits, finance, and other members of the plan sponsor's workforce to operate the plan effectively. If those workforce members have been trained and given authorization under the written policies and procedures, they may access PHI as needed to assist with claims processing, managing benefits, and ensuring payment for plan services.

NFP Observation

While trained workforce members may access PHI as part of their duties, they remain subject to HIPAA’s minimum necessary standard, which requires limiting use, disclosure, and requests for PHI to the minimum needed to achieve the intended purpose. Group health plans should reflect this in their policies by specifying which roles may access specific types of PHI. For instance, finance staff may need claims amounts to process payments, but not diagnostic details. Similarly, HR personnel assisting with a claims dispute should access only the information relevant to that claim.
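The role-based, claim-scoped access the observation above describes can be enforced in code rather than left to discipline alone. The following Python is an added example, not code from NFP or the original article; its role names, per-role field allowlists, and claim records are constructed assumptions standing in for what a plan's written policies and its claims system would actually define.

```python
"""Minimum-necessary access to claim PHI: per-role field allowlists, a claim-scope
check for staff assisting with a specific dispute, and an audit trail of every
attempt. Added illustration; all roles, fields, and records are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample claim records (fictitious data). Field names are assumed.
CLAIMS = {
    "CLM-1001": {
        "member_id": "M-0042",
        "service_date": "2025-06-02",
        "provider": "Riverside Imaging",
        "diagnosis_code": "J45.20",
        "billed_amount": 1250.00,
        "status": "denied",
        "denial_reason": "prior authorization not on file",
    },
    "CLM-1002": {
        "member_id": "M-0077",
        "service_date": "2025-06-09",
        "provider": "Oak Street Clinic",
        "diagnosis_code": "E11.9",
        "billed_amount": 310.00,
        "status": "paid",
        "denial_reason": None,
    },
}

# Minimum-necessary policy as a per-role field allowlist. These are assumed
# policy choices: finance needs amounts and payment status, not clinical detail;
# HR claims support needs enough to chase a denial, not the diagnosis.
ROLE_FIELDS = {
    "finance": frozenset({"member_id", "service_date", "billed_amount", "status"}),
    "hr_claims_support": frozenset(
        {"member_id", "service_date", "provider", "status", "denial_reason"}
    ),
}

# Roles whose access must also be tied to the specific claim under dispute.
CLAIM_SCOPED_ROLES = frozenset({"hr_claims_support"})


class PhiAccessDenied(PermissionError):
    """Raised when a request falls outside the role's minimum-necessary policy."""


@dataclass(frozen=True)
class AuditEntry:
    when: str
    actor: str
    role: str
    claim_id: str
    fields_disclosed: tuple[str, ...]
    outcome: str


class ClaimsStore:
    """Serves claim records filtered to the requesting role's allowed fields and
    appends every attempt, granted or denied, to an audit log."""

    def __init__(self, claims: dict[str, dict]) -> None:
        self._claims = claims
        self.audit: list[AuditEntry] = []

    def _log(self, actor: str, role: str, claim_id: str, fields, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, actor, role, claim_id, tuple(sorted(fields)), outcome))

    def get_claim(self, actor: str, role: str, claim_id: str,
                  request_claim_id: str | None = None) -> dict:
        """Return only the fields `role` may see for `claim_id`. Claim-scoped roles
        must name the claim tied to their open request, and it must match."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(actor, role, claim_id, (), "denied: role has no PHI access")
            raise PhiAccessDenied(f"role {role!r} is not authorized for PHI")
        if role in CLAIM_SCOPED_ROLES and claim_id != request_claim_id:
            self._log(actor, role, claim_id, (), "denied: outside the claim under dispute")
            raise PhiAccessDenied(f"{role!r} may only view the claim tied to the open request")
        record = self._claims.get(claim_id)
        if record is None:
            self._log(actor, role, claim_id, (), "denied: no such claim")
            raise KeyError(claim_id)
        view = {"claim_id": claim_id, **{k: v for k, v in record.items() if k in allowed}}
        self._log(actor, role, claim_id, view.keys() - {"claim_id"}, "granted")
        return view


if __name__ == "__main__":
    store = ClaimsStore(CLAIMS)
    print(store.get_claim("pat.finance", "finance", "CLM-1001"))
    print(store.get_claim("sam.hr", "hr_claims_support", "CLM-1001", request_claim_id="CLM-1001"))
    try:  # HR reaching for a claim that is not the one under dispute
        store.get_claim("sam.hr", "hr_claims_support", "CLM-1002", request_claim_id="CLM-1001")
    except PhiAccessDenied as exc:
        print("denied:", exc)
    for entry in store.audit:
        print(entry)
```

The allowlist is the policy document made executable: adding a field to a role is a deliberate, reviewable change rather than something a well-meaning staffer does on the phone. The audit log records denied attempts as well as grants, which is what an incident review or a Security Rule audit-control check will actually ask for.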

When the Lines Blur

While the distinction between hands-off and hands-on may seem straightforward, certain day-to-day plan administration situations can quickly complicate that status. In theory, many plan sponsors expect to remain hands-off when they implement a fully insured group health plan, but in practice, efforts to support employees or resolve benefits issues can lead to deeper involvement than originally anticipated. Well-intentioned support from HR or managers – such as helping employees navigate claim denials, pre-authorizations, or billing issues – can result in the plan sponsor accessing PHI.

Sponsors may also slip into hands-on territory by receiving PHI from insurers or TPAs without proper authorization, or by failing to distinguish between health information the employer holds in its capacity as an employer (such as FMLA documentation, disability claims, and sick leave records, which are employment records rather than PHI) and PHI held by the group health plan. Without clear internal protocols, even incidental access could trigger additional compliance obligations.

NFP Observation

Hands-off fully insured plan sponsors that require incidental access to PHI can generally do so with a signed authorization from the affected individual that clearly identifies the requested information and its intended use. However, sponsors that routinely assist with claims issues may need to consider adopting a hands-on HIPAA compliance approach.

Enforcement and Risk

HIPAA is enforced by the Office for Civil Rights (OCR) within HHS. Violations can result in civil and criminal penalties, which can be significant depending on the nature and scope of the violation. Plan sponsors that take a hands-on approach face greater compliance exposure due to their direct interaction with PHI and must therefore implement more robust privacy and security safeguards. By contrast, fully insured plan sponsors can reduce risk by avoiding access to PHI altogether (i.e., staying hands-off), but they must be vigilant to ensure that internal practices do not inadvertently trigger compliance obligations through employee interactions or carrier transmission of PHI.

Operational Guardrails to Maintain Hands-Off Status

To preserve a hands-off structure and avoid triggering additional HIPAA obligations, plan sponsors must be intentional about how they interact with PHI. This includes limiting involvement in plan functions that could expose them to health information and reinforcing internal practices that support a compliant, hands-off approach, including the following guardrails:

  • Resisting the urge to intervene without written authorization.
  • Training HR and managers to redirect participant inquiries to the insurer and not handle them directly.
  • Strictly avoiding direct contact with providers or involvement in claims advocacy.
  • Reviewing plan documents to confirm they don’t authorize PHI disclosures beyond HIPAA permitted uses.
  • Confirming that vendors are not transmitting PHI to the plan sponsor and clarifying expectations in service agreements.
  • Monitoring the use of summary health information to ensure it is stripped of identifiers to the extent HIPAA requires and is used only for the purposes the Privacy Rule permits a plan sponsor to receive it, namely obtaining premium bids or modifying, amending, or terminating the plan.

Best Practices for Hands-On Plan Sponsors

To maintain HIPAA compliance, sponsors of hands-on group health plans should adopt a structured approach to oversight, including documentation. This may include conducting an annual review of plan operations and governing documents to ensure consistency with current legal requirements and organizational practices. Plan sponsors should work with legal counsel to periodically evaluate PHI access needs and confirm that plan administration practices align with HIPAA requirements. This includes:

  • Developing and maintaining HIPAA policies and procedures.
  • Training all workforce members with PHI access.
  • Conducting regular risk assessments and security audits.
  • Maintaining breach documentation and notification protocols.
  • Working with legal counsel and HIPAA vendors to ensure a robust compliance program is in place.

Final Thoughts

For fully insured health plan sponsors, maintaining a hands-off approach to PHI avoids significant compliance obligations required under the HIPAA Privacy and Security Rules. However, plan sponsors must remain mindful of the boundary between hands-on and hands-off status and closely monitor their administrative operations to ensure they do not inadvertently stumble into hands-on territory. Plan sponsors who wish to play a more active role in supporting their employees with claims issues should consider adopting a hands-on approach to PHI and engage a vendor to assist in implementing HIPAA’s Privacy and Security requirements. For further information, please ask your broker or consultant for a copy of the NFP publication HIPAA Privacy and Security for Group Health Plans: A Guide for Employers.

https://www.nfp.com/insights/avoiding-phi-risks-in-fully-insured-health-plans/