What is TPA in healthcare

A third-party administrator (TPA) in healthcare is an independent individual or organization responsible for managing administrative tasks for an employer's self-funded health plan. Engaging a TPA allows employers to utilize their expertise and existing technologies to streamline administrative tasks, identify cost savings, and enhance the overall flexibility of their health plan.

Understanding self-funded health plans

Employers with 50 or more full-time equivalent (FTE) employees in the private sector must provide health insurance under the Affordable Care Act (ACA). Many of these employers choose self-funded health plans, covering the cost of medical claims themselves rather than paying a fixed premium to a commercial insurance carrier. Through self-funding, employers can avoid state premiums, brokers, and insurance commission taxes, and have the flexibility to tailor the plan to the specific needs of their workforce.

The rise of self-funded health plans

According to the analysis of Form 5500 filings, a substantial portion of private employers, approximately 25,500 out of 60,500 health plans, have implemented self-funded health plans. The trend towards self-fund plans is driven by the potential cost savings and increased flexibility.

Potential drawbacks of self-funded health plans

While self-funded health plans offer numerous benefits, they also come with their own set of challenges. Employers may face indirect costs associated with self-administering the plan, and they may be limited by the services and conditions that healthcare providers are willing to offer. These potential drawbacks are where TPAs can mitigate the disadvantages and maximize the advantages of self-funded health plans.

Read also: Understanding the Affordable Care act and HIPAA

The role of third-party administrators (TPAs) in healthcare

TPAs in healthcare typically offer a range of services to support self-funded health plans, including:

• Benefit plan design and implementation: Assisting with the customization and implementation of the self-funded health plan, including benefits such as health, pharmacy, dental, vision, and retirement planning.
• Enrollment, disenrollment, and eligibility management: Handling the enrollment and disenrollment processes for employees and dependent plan members, ensuring coverage details are up-to-date and compliant with eligibility requirements.
• Provider network setup and management: Negotiating contracts with healthcare providers, managing provider networks, and facilitating payments to ensure the availability of benefits.
• Customer service for plan members: Providing assistance and support to employees and plan members regarding their benefits and coverage-related inquiries, concerns, or issues.
• Claims processing and management: Handling and processing all insurance claims, managing eligibility and verification, adjudicating claims, and issuing payments to healthcare providers or policyholders.
• Large case management coordination: Evaluating the medical necessity and appropriateness of healthcare services or treatments to ensure they meet established guidelines, particularly for complex or high-cost cases.

Given the diverse needs of employers, there is no one-size-fits-all approach to TPA services. TPAs typically customize their offerings to meet the requirements of each employer, ensuring that the self-funded health plan is tailored to workforce needs. 

HIPAA compliance and TPAs

The Health Insurance Portability and Accountability Act (HIPAA) influences the relationship between TPAs and self-funded health plans. Compliance requirements depend on the size of the health plan, especially if it has 50 or more plan members.

HIPAA-covered entities and business associates

If the self-funded health plan qualifies as a covered entity under HIPAA (i.e., has 50 or more plan members), the TPA acting as an independent intermediary between the employer and healthcare providers is considered a business associate. In such cases, the employer and the TPA must enter into a business associate agreement before any protected health information (PHI) is disclosed to the TPA.

HIPAA compliance for ASOs

Alternatively, suppose the TPA is providing administrative services on behalf of a commercial insurance carrier (commonly known as an "ASO in healthcare"). In that case, the commercial insurance carrier is the covered entity, and disclosures of PHI between the two parties are permitted without a business associate agreement under the HIPAA privacy rule.

Advantages of engaging a TPA in healthcare

By partnering with a TPA, employers can enjoy several benefits that can enhance the overall effectiveness and efficiency of their self-funded health plans:

• Cost savings: TPAs can leverage their expertise to identify cost-saving opportunities, such as negotiating better rates with healthcare providers or streamlining administrative processes.
• Increased flexibility: Employers can customize their health plans to meet the specific needs of their workforce, with the TPA providing the necessary support and guidance.
• Improved administrative efficiency: TPAs handle many administrative tasks, from enrollment and eligibility management to claims processing and customer service, freeing up the employer's resources to focus on their core business activities.
• Enhanced HIPAA compliance: TPAs ensure the self-funded health plan's operations and data management practices adhere to HIPAA regulations, reducing the employer's compliance burden.
• Access to specialized expertise: TPAs often have deep knowledge and experience in the healthcare industry, allowing employers to benefit from their expertise in areas like provider network management and regulatory compliance.

Considerations when selecting a TPA

When choosing a TPA, employers should carefully evaluate several factors to ensure that the selected provider aligns with their specific needs and requirements:

• Experience and reputation: Look for a TPA with a proven track record of successfully managing self-funded health plans and a strong reputation in the industry.
• Customization capabilities: Assess the TPA's ability to customize its services to meet the unique needs of the employer's workforce and health plan requirements.
• Technology and automation: Evaluate the TPA's technological capabilities, including automation and data analytics to streamline administrative processes and identify cost-saving opportunities.
• Customer service and support: Ensure the TPA has a customer service infrastructure to assist employees and plan members with their inquiries and concerns.
• Regulatory compliance: Verify the TPA's understanding and adherence to HIPAA regulations, as well as its ability to maintain compliance with other relevant healthcare laws and regulations.

FAQs

Is a TPA a covered entity?

A TPA, or third-party administrator, is typically a company that processes insurance claims and employee benefit plans for a separate entity. According to HHS, the answer is no, TPAs are not considered covered entities. A TPA may, however, be classified as a business associate instead. As a caveat, if a TPA also provides other services like group health insurance, it meets the definition of a covered entity.

What are the potential risks associated with using TPAs under HIPAA?

• Data breaches: Unauthorized access to or exposure of PHI due to inadequate security measures by the TPA.
• Non-compliance penalties: Fines and legal consequences for failing to protect PHI as required by HIPAA.
• Financial losses: Costs related to breach remediation, legal fees, and potential settlements with affected individuals.
• Reputational damage: Loss of trust from patients, partners, and the public due to the TPA’s failure to secure sensitive information.
• Operational impact: Disruptions to healthcare services and administrative functions due to compromised data security.

How can healthcare facilities ensure TPAs maintain HIPAA compliance? 

• Conduct thorough due diligence: Evaluating the security practices and compliance history of TPAs before engaging their services.
• Execute business associate agreements (BAAs): Establishing formal agreements that require TPAs to comply with HIPAA’s security and privacy rules.
• Monitor TPA performance: Regularly auditing and reviewing the TPA’s security measures and compliance with the terms of the BAA.
• Provide training and support: Educating TPA personnel about HIPAA requirements and the importance of protecting PHI.
• Implement robust data protection measures: Ensuring that TPAs use encryption, access controls, and other security technologies to safeguard PHI.

Learn more: HIPAA Compliant Email: The Definitive Guide