What are the privacy obligations of an insured plan?
A. Generally speaking, insured plans have an easier compliance burden. If the employer does not receive PHI from the plan, the plan’s insurer does all the work. Most notably, this includes issuing a “Privacy Notice” to plan participants (which explains their HIPAA rights and the duties of the plan and insurer with respect to HIPAA), and making sure that the plan’s PHI is only used and disclosed as allowed by HIPAA. The insurer must also honor the individual rights which HIPAA creates in connection with PHI. If the plan has “Business Associates” (which is rarely the case with insured plans), contracts must be entered into with each Business Associate through which the Associate agrees to be bound by many of HIPAA’s requirements. Finally, employees who handle PHI must be trained in HIPAA requirements; in the context of an insured plan, these will generally be employees of the insurer. And the plan must not retaliate against an individual for exercising his or her HIPAA rights.