How HIPAA applies to self-funded health plans and third-party administrators
Many employers are surprised to discover that sponsoring a company health plan can trigger full HIPAA compliance obligations.
Even if you are not a hospital or insurance company, your self-funded health plan may qualify as a “covered entity” under the Health Insurance Portability and Accountability Act. That can create potential legal exposure for both you, as the employer, and for your Third Party Administrator.
What is a self-funded health plan?
In a self-funded health plan, the employer takes on the financial risk of paying employee medical claims directly, rather than paying fixed premiums to an insurance carrier. Funds typically come from a dedicated trust or general company assets, with claims paid as they arise. Employers often choose this model for greater control over benefits design, potential cost savings (especially for larger groups), and better access to claims data for wellness initiatives.
Key HIPAA trigger: Under federal rules, a group health plan, including self-funded ones, is generally a covered entity if it has 50 or more participants or uses an external administrator. The plan itself is treated as a separate legal entity, but the employer (as plan sponsor) usually handles compliance on behalf of the plan.
In contrast, fully insured plans shift most HIPAA compliance responsibility to the insurance carrier. Because the employer is seeing only summary data, its HIPAA obligations are generally lighter.
What is a Third-Party Administrator?
A TPA is an independent company hired to manage the day-to-day operations of a self-funded plan. This includes processing claims, handling enrollment, coordinating with providers, managing appeals, and providing customer service.
Importantly, TPAs do not bear the financial risk of claims. That responsibility stays with the employer. But they do act as service providers who handle sensitive employee health data, known as protected health information.
Because of this access to PHI, Third Party Administrators are classified as business associates under HIPAA, not covered entities.
How HIPAA Roles Differ: Covered entity vs. business associate
Here’s a quick comparison:
Role | Who it is | HIPAA status | Key duties |
Covered Entity | The self-funded group health plan (employer oversees) | Subject to full privacy, security, and breach rules | Risk analysis, policies, training, notifications, Notice of Privacy Practices |
Business Associate | TPA and other vendors | Directly liable for violations | Safeguards, breach reporting to the plan, compliance with Business Associate Agreement |
Plan Sponsor (Employer) | The company | Acts on behalf of the plan | Oversight, plan document amendments, vendor monitoring |
This setup differs sharply from fully insured plans, where the carrier handles most responsibilities. Self-funded plans expose employers to more PHI, which activates fuller compliance requirements.
The essential Business Associate Agreement
Before sharing any PHI, the plan must have a signed Business Associate Agreement with the TPA. This contract specifies permitted uses of data, required security measures, breach notification timelines (no later than 60 days after discovery), and termination rights. Strong BAAs also cover cost sharing for investigations and audits. This cost-sharing is critical since the employer ultimately bears the financial and compliance risk.
What self-funded plan sponsors must do
Sponsors face legal risk if they rely solely on the TPA’s systems. To minimize their legal risk, sponsors should do the following:
- Appoint Privacy and Security Officers
- Perform regular risk analyses and security assessments
- Create written privacy and security policies
- Train relevant employees on handling PHI
- Issue a Notice of Privacy Practices to participants
- Amend plan documents for proper PHI disclosures
- Actively monitor and audit vendors like the TPA
Preparation prevents problems
If your company sponsors a self-funded health plan, understanding these HIPAA roles is crucial. The plan is the “covered entity,” you manage compliance as “sponsor,” and your TPA operates as a “business associate.”
Adopting strong policies to keep health information confidential and secure, conducting regular risk assessments, and negotiating comprehensive Business Associate Agreements can all help to protect your participants and reduce your regulatory risk.
Source(s):
How HIPAA applies to self-funded health plans and third-party administrators | JD Supra. (2026). JD Supra. https://www.jdsupra.com/legalnews/how-hipaa-applies-to-self-funded-health-1737867/