Sarah Borders June 1, 2026 3 min read

HIPAA Enforcement Against a Self-Funded Employer Plan

On April 23, 2026, the HHS Office for Civil Rights (OCR) announced a $245,000 settlement with the Star Group, L.P. Health Benefits Plan ("SG Health Plan"), a self-funded employer-sponsored group health plan, after a 2021 ransomware attack exposed the protected health information (PHI) of over 9,300 participants. The employer had no Risk Analysis identifying the ways PHI could be compromised, had no Risk Management Plan with robust policies and procedures to protect PHI from attack, and likely had access to more PHI than the minimum necessary for plan oversight and operations.

The announcement followed OCR’s most recent Annual Report to Congress on Breaches of Unsecured Protected Health Information (the 2023 Breach Report), which shows that hacking drove 81% of large breaches in 2023 and affected roughly 113 million people.

Health care providers and Business Associates continue to account for most of the violations reflected in each year’s report to Congress, which seems to give plan sponsors a false sense that comprehensive HIPAA compliance can wait. One lost or stolen device or one hacking incident is all it takes to violate HIPAA, and OCR can and will hold the plan sponsor directly accountable.

Applies to:

  • Employer sponsors of self-funded or level-funded group health plans, including medical, dental, vision, and prescription drug plans, Health Flexible Spending Arrangements (FSAs), and Health Reimbursement Arrangements (HRAs), that create, receive, maintain, or transmit PHI for plan administration beyond enrollment, disenrollment, and summary health information.

  • Business Associates of those plans, including third-party administrators (TPAs), claims processors, pharmacy benefit managers (PBMs), brokers and consultants handling PHI, IT vendors, and cloud service providers.

Excluded entirely from the definition of "health plan" under 45 CFR § 160.103 are group health plans with fewer than 50 participants that are self-administered by the employer that established and maintains the plan. Note that it is quite rare for an employer to self-administer a self-funded plan such as an HRA without the help of a TPA, so this exception does not apply in most cases.

Go Deeper:

Download the full article from Benefits Compliance Solutions on the 2023 Breach Report and self-funded employer enforcement action here.

Sarah Borders

Principal, Benefits Compliance Solutions. Sarah has spent the last 15 years in the employee benefits industry, holds numerous designations, serves on NAHU’s Employer Working Group Subcommittee, and is an active board member of Austin AHU. She recently stepped down as Vice President of Benefits Compliance at one of the nation's largest brokerage firms to start her own compliance consulting practice. Her designations include an active license with the Texas Department of Insurance, CEBS (Certified Employee Benefits Specialist), Certified Health Care Reform Professional, HIPAA certification, and Health Care Service Associate. She holds an MBA from Texas A&M Corpus Christi and a BA from University of Incarnate Word. Her consulting firm, Benefits Compliance Solutions, partners with employers to identify unknown risks and avoid hundreds of thousands of dollars in fines and lawsuits from failure to comply with their health plan obligations.