HIPAA Compliance Checklist for Health Plan Sponsors

The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on employer-sponsored group health plans.  Plans subject to HIPAA include health, dental, and vision plans, health reimbursement arrangements, medical flexible spending accounts, and employee assistance programs.  Given recent enforcement actions, sponsors of self-funded health plans should use this checklist to ensure they are meeting their compliance obligations.

Privacy Standards

  • Appoint a privacy official.
  • Identify where PHI is created, maintained, received, or disclosed by the plans.
  • Determine whether authorizations can be obtained for otherwise impermissible uses and disclosures.
  • Distribute a notice of privacy practices to all covered persons.

Security Standards

  • Appoint a security official.
  • Conduct a risk analysis and develop and document a risk-management plan based on the analysis.
  • Repeat the risk analysis and update the risk-management plan at least annually and in response to organizational changes, external threats, security incidents, and data breaches.

Breach Notification Standards

  • Coordinate breach-notification responsibilities with business associates and third-party service providers.

Policies and Procedures

  • Develop HIPAA-compliant privacy policies establishing permitted and required uses and disclosures of PHI as well as compliance with individual rights with respect to PHI.
  • Develop HIPAA-compliant security policies and procedures establishing security responsibilities or delegate those responsibilities to the relevant third-party service provider or business associate.
  • Develop HIPAA-compliant breach policies that establish breach response procedures, timely notification requirements, and appropriate notification standards.
  • Implement a training program and sanctions policy for noncompliance.
  • Document the responsibilities of the privacy and security officials.
  • Train all employees on the policies and procedures under the Privacy, Security, and Breach Notification Rules.
  • Identify business associates of plans and verify that HIPAA-compliant business associate contracts are in place with each business associate.

ASR assists our client plan sponsors with compliance by ensuring the plan language is current and by providing certification documents and a notice of privacy practices.  If you have questions about HIPAA compliance, call ASR Health Benefits at (616) 957-1751 or (800) 968-2449.