Understanding HIPAA Compliance for Employer-Sponsored Health Plans
Non-healthcare companies are often unaware that the Health Insurance Portability and Accountability Act (HIPAA) also applies to their employer-sponsored health plans, imposing compliance obligations regardless of their primary line of business. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced settlements arising from ransomware-related breaches, drawing attention to this often overlooked obligation for employers.
This marks a notable shift in enforcement: it is the first time OCR has directly focused on the application of HIPAA to employer health plans in this way. Under HIPAA, a "group health plan" (an employee welfare benefit plan, whether insured or self-funded, that provides or pays for the cost of medical care and that either has 50 or more participants or is administered by an entity other than the employer, such as a third-party administrator) is a covered entity in its own right.
The recent enforcement action underscores that employer-sponsored plans are squarely within HIPAA's scope, especially when a cybersecurity incident compromises electronic protected health information (ePHI). Typical ePHI that employers handle on behalf of a plan includes enrollment data, claims, spending summaries, and communications concerning employees' health benefits.
HIPAA's obligations attach to the health plan, not to the employer as a whole. However, when an employer, on behalf of the plan, performs plan administration functions that involve ePHI, such as creating or storing that data or directing a third party to process it, OCR expects compliant controls within the part of the organization that performs those functions, kept separate from the employer's other operations (the plan sponsor provisions of the Privacy Rule require this separation).
This development signals to in-house counsel, HR leaders, and benefits managers that any handling of health plan data can draw OCR's scrutiny. The settlements show that OCR opens an investigation as soon as a breach is reported and focuses first on whether the entity had performed the risk analysis the HIPAA Security Rule requires: an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
The findings stress that plan sponsors cannot rely solely on enterprise-wide cybersecurity measures to satisfy OCR. Instead, they must demonstrate a documented, plan-specific HIPAA compliance framework that addresses Privacy, Security, and Breach Notification Rules.
The key takeaway is not that every employer plan faces imminent enforcement, but that OCR expects companies to protect their health plan's ePHI to the same standard it applies to healthcare entities. Employers should revisit the core obligations: a current, documented risk analysis of the plan's ePHI; plan-specific policies and procedures covering the Privacy, Security, and Breach Notification Rules; and controls over the third parties that process plan data on the employer's behalf.