Introduction to HIPAA Privacy and Security Rules

NFP Corp.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a sweeping federal law that touches nearly every part of the U.S. healthcare system. HIPAA’s Privacy and Security Rules set national standards for conducting electronic healthcare transactions and safeguarding personal health information. 

Our Benefits Compliance team recently discussed the impact of HIPAA’s Privacy and Security Rules on employer sponsors of group health plans. We covered topics such as identifying protected health information (PHI), explaining the different requirements that apply to self-insured and fully insured plans, and outlining the administrative obligations that organizations must undertake to remain compliant. Whether you are new to the industry or an experienced benefits professional, you will gain a better understanding of the HIPAA Privacy and Security Rules and how they impact your role in servicing our clients. 

Agenda     

• HIPAA Overview 
• Hands-Off (Fully Insured Only) vs. Hands-On PHI 
• Common Scenarios
• Key Takeaways and NFP Resources 

Key Takeaways: Employer Considerations 

What are the key takeaways for employers? 

• Focus of HIPAA Privacy and Security Rules is PHI. 
  • PHI does not include employment records or information from non-health plans. 
• HIPAA Privacy and Security Rules apply to all employer-sponsored group health plans, but scope of compliance obligations depends on whether the plan handles PHI (hands-on vs. fully insured hands-off). 
  • All self-insured group health plans are hands-on, including health FSAs and HRAs. 
  • Fully insured group health plans can take hands-off approach but must avoid PHI. 
  • All plans should undergo a security risk analysis to check whether PHI is handled. 
  • Hands-on plans should use a vendor to assist with HIPAA compliance. 

More Information, How to Register