The Proposed Rule on Association Health Plans and HIPAA Compliance


The Department of Health & Human Services (HHS) released a proposed rule that helps small businesses and self-employed workers get less expensive health coverage. The proposed rule broadens the criteria of the Employee Retirement Income Security Act (ERISA) by partly changing the definition of “employer” to include small businesses and self-employed workers who have a “commonality of interest”, e.g., a common industry or geography. The amended definition allows small businesses and self-employed workers to form association health plans for the purpose of obtaining less expensive health coverage.

The proposed rule does not treat Association Health Plans like individual and small-group insurance plans. HIPAA compliance for Association Health Plans still applies as the plans cannot exclude an employee with a pre-existing condition from coverage. The plans can charge different premiums depending on employees' age, gender or industry. The plans do not need to provide the same level of benefits as required by the Affordable Care Act.

The Department of Labor estimates that up to 11 million employees would qualify for cheaper healthcare insurance under the proposed rule. Currently, fewer than 200 Association Health Plans exist in the U.S. It is very likely that the number of Association Health Plans will increase to over 1,000 as a result of the new rule. If the 11 million employees opt out of their insurance policies, premiums in large fully-insured group plans will consequently increase. In turn, deductibles would increase to maintain the level of benefits required by the Affordable Care Act.

HIPAA compliance obligations remain the same for Association Health Plans. If the projected fivefold increase in Association Health Plans happens, it’s possible that there will be more unauthorized disclosures of Protected Health Information (PHI) because the administrators of the Association Health Plans, particularly the self-insured (also called “employee-sponsored”) and self-administered ones, still lack experience.

HIPAA considers all health plans as “Covered Entities.” Covered Entities need to comply with all the HIPAA regulations to guarantee the security, integrity and confidentiality of Protected Health Information whether at rest or in transit. Administrators of Association Health Plans or employers administering self-insured Association Health Plans need to know how PHI can be used or disclosed. Some of the HIPAA rules regarding this are:

  • Employee information will not be disclosed outside the permitted uses unless authorized by the employee.
  • Agents and sub-contractors will not have access to PHI without a certification.
  • PHI will not be used or disclosed for employment-related actions.
  • Employee information will be made available to employees who request it, amended as necessary, and destroyed when it is no longer required.
  • Any use or disclosure of PHI that is inconsistent with the permitted and required uses and disclosures will be reported.

The HHS can penalize non-compliance with HIPAA Rules. A breach of the regulations can result in civil action and criminal prosecution against third parties.