OCR Announces HIPAA Enforcement Against Self-Funded Employee Benefit Plan
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on April 23, 2026, what may be one of the first – if not the first – Health Insurance Portability and Accountability Act (HIPAA) privacy and security enforcement actions against a self-funded employee benefit plan. The plan's electronic protected health information (ePHI) was compromised in a ransomware attack, and OCR found that the plan had impermissibly disclosed PHI and failed to conduct an adequate risk analysis, resulting in a $245,000 payment by the plan's employer/sponsor and a Corrective Action Plan (CAP).
Even companies that operate entirely outside the healthcare industry can sponsor health plans that are subject to HIPAA. This differs from employers such as hospitals or health insurers, which are themselves covered entities with HIPAA compliance obligations that apply to their own business operations. In this case, the enforcement action was against the employer's health benefits plan.
HIPAA-covered entities include self-funded employee benefit plans, i.e., plans in which the employer assumes financial risk for providing healthcare benefits to its employees rather than purchasing a "fully-insured" plan from an insurance carrier. Employers with self-funded plans may administer the plans themselves or engage a third-party administrator. HIPAA applicability in this area is complex and can vary based on the size and structure of the plan, but OCR's action in this case emphasizes that it views self-funded plans, and not just their third-party administrators, as directly accountable for HIPAA compliance.
As is often the case, the CAP in this enforcement action is onerous and addresses compliance concerns identified by OCR in its investigation, including the plan's failure to complete a comprehensive and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the plan's ePHI. It also requires, among other things, that the plan develop a complete inventory of all of its facilities, electronic equipment, data systems and applications that contain or store ePHI that will then be incorporated into its risk analysis.
Takeaways and Considerations
Many employers do not realize their employee benefit plans are covered entities for HIPAA purposes, with independent compliance obligations. Although HIPAA's obligations apply to the plan itself, the reality is that responsibility for implementing those compliance obligations typically falls on the employer performing plan administrative functions. If your organization sponsors a self-funded health plan, now is a good time to confirm that the plan:
- has conducted its own HIPAA risk analysis
- has appropriate administrative, technical and physical safeguards in place
- maintains adequate firewalls between the plan sponsor in its role as plan administrator and its role as employer
- has a Notice of Privacy Practices
- has the required privacy language included in the plan documents
HIPAA also imposes a number of other requirements, including policies and procedures and workforce training.
For more information or questions regarding a specific matter, please contact the authors.