Many privacy officers are well versed in their organizations’ obligations as healthcare provider covered entities under the HIPAA regulations. However, there are also obligations if the organization sponsors a self-funded health plan. The self-funded health plan is considered the legal entity, but the obligations under HIPAA remain with the employer entity. For purposes of the HIPAA regulations, the health plan is a covered entity in its own right.
This means that any obligation a provider covered entity has under the HIPAA regulations, the health plan covered entity has as well. How a requirement applies to a self-funded health plan may vary slightly. For example, under the HIPAA Privacy Rule, covered entities are required to provide a Notice of Privacy Practices (NPP). Provider covered entities must give it to a patient at the first episode of care.[1] Health plans must provide it at the time of enrollment and, at least every three years, notify beneficiaries that it is available and where to find the NPP.[2]