Connect with Our Team

Compliance Considerations: Changing from a Fully Insured Medical Plan to a Self-Insured Medical Plan

April 23, 2026
Employee Benefits Employee Benefits Compliance
13 min read
Regulatory & Legislative Strategy Group
Changing from Fully Insured Medical Plan to Self-Insured Medical Plan

Table of Contents

    Key Takeaways

    • Self-insuring a medical plan can offer flexibility and transparency, but it also places more compliance obligations directly on the employer
    • Several requirements may be new to employers with self-funded plans including PCORI fee reporting and payment, IRC Section 105(h) Non-discrimination rules and more robust HIPAA Privacy and Security requirements
    • Although several compliance tasks may be delegated to TPAs or PBMs, employers sponsoring self-insured plans ultimately remain accountable for their timely and accurate completion
    • Ongoing compliance reviews and coordination with benefits specialists, legal counsel, and tax advisers can help support compliant self-insured plan operations

    As healthcare costs continue to rise, many employers are exploring strategies to manage expenses while maintaining benefits that remain both affordable and competitive for employees. For some organizations, transitioning from a fully insured medical plan to a self-insured plan can be an effective approach to gaining greater cost control and plan design flexibility.

    Changing funding models, however, is a significant organizational decision with wide‑ranging implications. While a move to self‑funding can create opportunities and cost savings, employer plan sponsors should clearly understand the compliance obligations associated with this funding structure.

    This document provides a high‑level overview of the key compliance considerations for transitioning from a fully insured to a self-insured medical plan.

    Note: This overview focuses solely on compliancerelated considerations. It does not address broader strategic or financial considerations, such as rate-setting (including COBRA continuation rates), claims volatility, or budgeting. In addition, it does not cover requirements unique to self-insured dental or vision plans, as not all considerations discussed herein apply to those plans. 

    Background

    Fully Insured Plans

    A fully insured group medical plan is a type of health insurance plan where the employer contracts with a health insurance company to provide medical and pharmacy benefits to employees and their covered dependents. In this plan, the insurance company assumes the risk of paying the medical and pharmacy claims costs of the plan’s participants in exchange for receiving fixed premium payments. The insurer is responsible for paying all covered medical and pharmacy claims in accordance with the policy terms and conditions.

    Self-Insured Plans

    Unlike a fully insured group medical plan, in a self-insured plan, an employer assumes the financial risk associated with providing medical and pharmacy benefits to its employees. Rather than paying a fixed premium to an insurer, the employer pays the actual cost of employees and covered dependents’ medical and pharmacy claims as they are incurred.

    Under this structure, the employer typically contracts with a third‑party administrator (TPA), and often a pharmacy benefit manager (PBM, to handle the day‑to‑day functions of the plan, such as claims processing, customer service, network access, and reporting. While the employer retains financial responsibility for claims payments, many self-insured plan sponsors purchase stop‑loss insurance to protect against unexpectedly high individual claims or overall plan costs.

    Level-Funded Plans

    Another popular funding plan is a level-funded plan. A level-funded plan is a hybrid between a fully insured plan and a self-insured plan - combining some of the financial benefits of a self-insured plan, while still sharing some financial risk with the insurance carrier. For compliance obligation purposes, a level-funded plan is generally treated as a self-insured plan, and the self-insured plan compliance requirements outlined below apply unless otherwise noted.

    Switching from a Fully Insured Medical Plan to a Self-Insured Medical Plan

    Introduction to Compliance Matters of Self-Insured Plans

    Self‑funding can offer employers greater transparency, flexibility in plan design, and potential cost savings over time. However, it also shifts certain compliance, fiduciary, and administrative responsibilities to the employer.

    The table below outlines various compliance items employers should be aware of as they relate to self‑insured medical plans, detailing the notable differences for each item as a plan moves between funding structures.

    The section ERISA Requirements focuses specifically on plans subject to ERISA (i.e. private plans that are not church or governmental plans), but the remaining tables below that table address separate topics (e.g., ACA, HIPAA, Transparency in Coverage rules) that apply both to ERISA and non-ERISA group health/medical plans.

    Please note the following compliance items, which will typically apply to the self-insured medical plan and/or plan sponsor that typically would not have applied to a fully insured plan:

    • PCORI (Patient-Centered Outcomes Research Institute) fee reporting and payment

    • Internal Revenue Code (IRC) Section 105(h) Non-discrimination rules

    • Exemption from certain state insurance mandates if the plan is subject to ERISA

    • Covered Individuals Reporting in ACA Form 1095-C, Part III

    • More robust HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security requirements

    ERISA Requirements

    Compliance Item

    Requirement

    Fully Insured

    Self-insured

    Fiduciary Duties

    Plan Fiduciaries1 are responsible for acting for the exclusive benefit of the plan participants. Applies to plan administration decisions, as well as managing, or controlling a plan’s

    assets

    Regardless of funding method (i.e., self-funded or fully insured) an ERISA plan sponsor has a fiduciary duty to the plan participants. For fully insured plans, more of the fiduciary duties may fall onto the carrier rather than the plan sponsor.

     

    Although the fully insured carrier bears more of the fiduciary duty in a fully insured plan, this doesn’t absolve the plan sponsor (as the fiduciary) of the overarching fiduciary duties and obligations involving plan governance/oversight (e.g., selecting and monitoring the insurance carrier, managing plan assets, ensuring ERISA compliance, in accordance with the Plan Document and Form 5500 filings, as applicable)

     

    Regardless of funding method (i.e., self-funded or fully insured) an ERISA plan sponsor has a fiduciary duty to the plan participants. However, for fully insured plans, more of the fiduciary duties may fall onto the carrier rather than the plan sponsor.

     

    These fiduciary duties involve plan governance/oversight (e.g., selecting and monitoring the insurance carrier,

    managing plan assets, ensuring ERISA compliance, in accordance with the Plan Document, and Form 5500 filings, as applicable)

     

    Claims and Appeals

    Must comply with the U.S. Department of Labor (DOL) standards for timing and content

    Insurance carrier typically administers claims and appeals and adheres to any DOL and/or applicable state-specific standards.

    Plans must follow defined procedures. Claims and appeal services can be outsourced to the TPA (often for an additional fee), however, the plan administrator (i.e. employer) may still have fiduciary responsibilities as it relates to the final level of claims appeal.

     

    The plan should confirm during plan implementation and confirm overall compliance with any DOL and/or ERISA standards.

    Form 5500

    Plan administrators are required to file a Form 5500 if they had 100 or more plan participants enrolled in the group heath plan on the first day of the plan year, or if the plan is a “funded” plan (e.g., plan assets are segregated into a separate account in the name of the health plan)

    Schedule A is produced by fully insured plan’s carrier and must be included in Form 5500 filing.

    Schedule C may be produced by the self-insured plan’s TPA. If not, the plan administrator will need information from their service providers to complete the Schedule C.

    If the plan pays benefits from the general assets of the employer, Schedule C does not need to be included in the Form 5500 filing.

     

    If benefits are paid through a trust, or if the plan is funded, the Schedule C must be included.

    State Group Health Plan Mandates

    Plan coverage or eligibility requirements set forth under state insurance laws.

    Fully insured plans are required to comply with all state mandates.

     

    State mandates are typically based on the state where the plan is written out of, but can also be extra-territorial, meaning could apply to a non-sitused state if it covers employees within that state.

    Self-insured ERISA plans are exempt from state insurance laws.

     

    Note: Certain state mandates might apply to self-insured non-ERISA plans (e.g., church plans or governmental plans).

     

    Affordable Care Act (ACA) Requirements

    Compliance Item

    Requirement

    Fully Insured

    Self-insured

    Applicable Large Employer (ALE) Reporting

     

    Note: An ALE is an employer that averaged 50 or more full-time /full-time equivalent employees s in the previous calendar year.

    ALEs must report information related to offers of coverage to full-time employees (defined as employees who average 30 or more hours of service per week) via Forms 1094-C and 1095-C. Self-insured employers must also report individuals covered under the plan.

    ALEs that are fully insured must utilize Forms 1095-C/1094-C to report information on whether they offer medical coverage to full-time employees, however, they do not need to complete Part III (covered individuals) of Form 1095-C. This information is provided by the fully insured carrier on the carrier’s Form 1095-B.

    Self-insured employers, regardless of whether they are or are not an ALE, must report individuals who are covered under the self-insured medical plan. If the employer is an ALE, they may report the information related to covered individuals in Part III of Form 1095-C. If the employer is not an ALE, then typically most employers choose to report the covered individuals’ information on Form 1095-B.

    Essential Health Benefits (EHBs)

    A core set of at least 10 general categories of items and services, for which a group health plan may not impose lifetime or annual dollar maximums.

     

    Only non-grandfathered, fully insured, small group plans (typically 1-50 employees)2 are required to cover all EHBs. If a large group plan (including a fully insured large group plan) offers a plan that covers an ACA essential health benefit, that specific benefit cannot be subject to a lifetime or annual dollar maximum.

    Self-insured plans (regardless of whether they are small group or large group) are not required to provide any EHBs. However, if a self-insured plan does cover an EHB, it cannot impose a lifetime or annual dollar maximum on the EHB(s). In order to identify whether a benefit is an EHB for this purpose, the self-insured plan must select a state benchmark plan.

     

    Most self-insured plan sponsors/employers choose to cover EHBs within their medical plan for purposes of workforce recruitment and retention.

     

    PCORI Fee Payment & Filing of Form 720

    The PCORI fee rules require carriers and self-insured group health plan sponsors to file Form 720 and pay an annual PCORI Fee to the IRS. The payment is calculated based upon the average number of covered lives, multiplied by the annually indexed PCORI fee amount.

    Plan sponsors of fully insured group medical plans are not subject to paying the PCORI fee (and need not file Form 720), as the requirement applies to the insurance carrier. The carrier is responsible for paying this fee directly to the IRS on behalf of the group health plan. The fee itself is standardly built into the fully insured premiums.

     

    Note: If an employer sponsors a Health Reimbursement Plan (HRA) (which is considered a self-insured plan) in conjunction with the fully insured medical plan, the employer plan sponsor is responsible for filing and paying the PCORI fee for the HRA. HRAs are subject to different member averaging rules.

     

    Employers that sponsor a self-insured medical plan are responsible for calculating and paying the PCORI fee via IRS Form 720. Special rules apply to self-insured plan sponsors that offer an HRA.

     

    Summary of Benefits and Coverage (SBC)

    A standardized explanation of a health plan’s benefits contained in a document that must be distributed to eligible/enrolled participants prior to initial enrollment, with open enrollment, within 90 days of special enrollment, and upon request (within seven business days of request).

     

    Additionally, if a material change to the health plan is made mid-plan year that impacts the content(s) of the SBC, the plan must provide an updated SBC to plan participants at least 60 days prior to the effective date of the change,

    Both the carrier and the plan administrator (employer) have the statutory obligation to distribute the SBC. If the carrier delivers the SBC to plan participants in a timely manner, this satisfies the plan administrator’s obligation.

     

    Additionally, if the medical plan is fully insured, a description of the prescription drug benefits is included in the carrier’s SBC as there is no separate prescription drug benefit outside of the medical plan.

     

     

    The plan administrator of a self-insured plan has the sole responsibility to distribute an accurate SBC to plan participants.

     

    Additionally, if prescription drug benefits are managed by a separate third party (e.g., PBM), the plan administrator will be responsible for adding prescription drug benefits into the medical SBC or providing a separate SBC for the prescription drug benefits.

     

    Note: A mid-year funding change likely coincides with other plan design/coverage changes that would be reflected in an SBC (e.g. carrier/TPA change, increase in copays, deductibles). In these instances, the plan administrator (employer) will need to provide an updated SBC reflecting those changes at least 60 days prior to the effective date of the change.

    HIPAA Requirements

    Compliance Item

    Requirement

    Fully Insured

    Self-insured3

    Privacy & Security Rules

    Safeguard Protected Health Information (PHI), as defined under HIPAA

    May apply to fully insured plans unless the group health plan has a “hands off” policy with PHI. Note:

    The rules apply to the fully insured carrier regardless of whether the plan is hands-on or hands-off.

     

    Generally, fully insured plans are considered “hands off” under HIPAA rules when the plan does not have access to PHI other than enrollment and summary health information.

     

    Note: Many group health plans may have self-insured components (e.g., health FSA) and therefore may be subject to the HIPAA Privacy and Security Rules, even if the medical/dental/vision coverage are fully insured plans.

    Group health plans should create written Policies and Procedures, provide Notice of Privacy Practices, and enter business associate agreements (BAAs) with their business associates4, who must also implement administrative, physical, and technical safeguards as it relates to the group health plans PHI.

    Roles & Designation

    Appoint Privacy & Security Officers

    May apply to fully insured plans unless “hands off” and there is no self-insured benefit (e.g., health FSA) under the group health plan

    Responsible for HIPAA oversight and incident/breach response

    Third Party Agreements

    Business Associate Agreements (BAA) are required for all third-party service providers with access to PHI.

    May apply to fully insured plans unless “hands off” and there is no self-insured benefit (e.g., health FSA) under the group health plan

    Applies to, among others, TPAs, brokers/consultants, and technology partners handling PHI

    Policies, Procedures and Training

    Maintain written policies and procedures, and train workforce staff members who have access to PHI

    May apply to fully insured plans unless “hands off” and there is no self-insured benefit (e.g., health FSA) under the group health plan

    Group health plans must comply, document and review regularly.

     

    ACA Transparency In Coverage (TiC) Rules & Consolidated Appropriations Act, 2021 (CAA)

    Compliance Item

    Requirement

    Fully Insured

    Self-insured

    Machine Readable Files (MRFs)

    Disclosure of in-network provider rates, out-of-network allowed amounts and negotiated rates and historical net prices for prescription drugs via three separate files.5

    Must be posted to a public website of the group medical plan.6

    Requirement is handled by the fully insured medical plan carrier, so long as there is a written agreement for the carrier to handle this obligation on behalf of the group health plan.

     

    Plan sponsors should receive written confirmation from their carriers that they will post and update the MRFs in accordance with the regulations.

    Self-insured group medical plans are required to post MRFs to a publicly available site of the group health plan (if applicable) and must update the MRFs on a regular basis.

     

    This requirement can be met by the TPA if it hosts this information on behalf of the group health plan pursuant to a written agreement with the plan sponsor.

    Gag Clause Prohibition and Compliance Attestation (GCPCA)

    Contracts between medical plans and providers, a network of providers, or an entity offering access to a network of providers (e.g., a TPA) are prohibited from including gag clauses.

     

    Gag clauses, for these purposes, are contractual terms that directly or indirectly restrict specific data and information a plan can make available to another party.

     

    Plan sponsor is responsible for annual attestation to CMS7 due by December 31.

    Insurance carriers will typically submit the annual attestation on behalf of the fully insured plan, so long as there is a written agreement for the carrier to handle this obligation on behalf of the group health plan.

     

    Plan sponsors should receive written confirmation from their carriers that they will submit the annual attestation on the plan’s behalf by the deadline.

    Self-insured plans are directly responsible for this requirement but may contract with their TPAs, pharmacy benefit managers (PBMs), and/or managed behavioral health organizations to submit the annual attestation on their behalf via a written agreement.

     

    The plan sponsor may be required to file the GCPCA directly with CMS. The plan sponsor should collect and retain sub-attestations from their TPA, PBM, and any other vendor who maintains provider contracts within the medical plan.

    RxDC Reporting

    Employer plan sponsors are required to submit detailed prescription drug pricing and healthcare spending data to CMS annually by June 1st for prior calendar year.

    Insurance carriers generally report on the employer plan sponsor’s behalf and/or support production of reporting which is permissible so long as there is a written agreement for the carrier to handle this obligation on behalf of the group health plan.

     

    Fully insured plans might need to submit certain plan-related information to their carriers in advance of the annual June 1st deadline.

    TPAs/PBMs may report on employer plan sponsor’s behalf and/or support production/submission of reporting. This is permissible so long as there is a written agreement for the TPA/PBM to handle this obligation on behalf of the group health plan.

     

     

    Employer plan sponsors may need to submit certain plan-related information to their TPAs/PBMs in advance of the annual June 1st deadline.

     

    In addition, even if a TPA/PBM submits reporting on behalf of the employer plan sponsor, an employer plan sponsor may still need to submit one or more files directly to CMS, especially if stop loss coverage is carved out.

    Mental Health Parity and Addiction Equity Act (MHPAEA) NQTL Comparative Analysis

    MHPAEA prevents group health plans that provide mental health/substance abuse disorder (MH/SUD) benefits from imposing limits on those benefits that are more stringent than limits imposed on substantially all of the medical/surgical (M/S benefits).

     

    This generally means that any of the following requirements imposed on a plan’s MH/SUD benefits cannot be more restrictive than those applied to the plan’s M/S benefits:

     

    • Financial requirements: deductibles, co-payments, coinsurance, and out-of-pocket maximums
    • Quantitative treatment limitations (QTLs): number of treatments, visits, or days of coverage
    • Non-quantitative treatment limitations (NQTLs)8: prior authorization requirements, step therapy, provider network standards (including reimbursement rates methodologies).

     

    The CAA amended MHPAEA to expressly require covered plans to conduct and document a comparative analysis of the design and application of NQTLs.

     

    Fully insured plans may generally rely on their medical insurance carrier(s) to conduct and document the NQTL comparative analysis based on their standards.

    Self-insured plans should generally work with their plan TPA(s)/PBM(s) to conduct and document their NQTL comparative analysis.

     

    Note: TPAs and PBMs vary in terms of level of support provided for a plan’s NQTL comparative analysis. Plan sponsors may need to engage an independent third-party vendor to conduct and document their NQTL comparative analysis if the plan’s TPA/PBM cannot support this compliance requirement.

    Other TiC & CAA Requirements

    Includes requirements such as ID card information, surprise billing notice, internet-based cost tool, in-network provider directories and continuity of care provisions.

    These requirements are typically administered by the carrier. Employer plan sponsors should confirm in writing that the carrier is assisting with these compliance obligations.

    These requirements are typically administered by the TPA. Employer plan sponsors should confirm in writing that the TPA is assisting with these compliance obligations.

     

    Tax-Related Requirements

    Compliance Item

    Requirement

    Fully Insured

    Self-insured

    IRC Section 105(h)

    Under IRC Section 105(h), if an employer’s self-insured medical plan9 provides tax-free health benefits to employees, the plan cannot discriminate in favor of highly compensated individuals (HCIs) with respect to either eligibility, contributions, or benefits.

     

     

    Does not apply.10

    Self-insured plans should conduct annual testing following the close of the plan year.

    If a self-insured plan discriminates in favor of HCIs, HCIs will be taxed on excess reimbursements that would have otherwise been excluded from their income.

    The excess reimbursements should be included in the HCIs’ gross income and reported on their Forms W-2.

    Self-insured plans are advised to maintain proof of annual testing and results in case of an IRS audit.

     

    Additionally, employers should consider testing the plan for nondiscrimination issues mid-plan year, as it enables the employer to make adjustments prior to the close of the plan year. However, this mid-year testing does not replace the nondiscrimination testing that is required of the plan after the close of the plan year.

    Recommended Compliance Practices for Employers Transitioning from a Fully Insured to Self-insured Medical Plan

    Employer plan sponsors transitioning from a fully insured to a self-insured medical plan are encouraged to take the practical steps outlined below to help facilitate their self-insured plan’s compliance with federal laws and regulations:

    • Conduct periodic audits of plan documents and plan practices/processes for ongoing and consistent compliance efforts in accordance with ERISA (if applicable), ACA, HIPAA, and other relevant regulations.

      • This includes reviewing plan documents, SPDs, SBCs, and benefit notices for accuracy and timeliness

        • Note: the party producing these documents can vary based on funding method and or carrier/vendor

    • Conduct regular training sessions for human resources/benefits team members and the employees of the employer who perform plan administrator functions when the employer is the ERISA plan administrator, to ensure that the plan is adhering to compliance obligations and any applicable changes in the law

      • This can help prevent common compliance traps, such as mishandling participant data/PHI or missing filing deadlines

    • Establish clear and consistent communication with plan participants

      • This includes providing timely updates on changes to plan benefits, rights, and responsibilities, and distributing all required documents and notices

    • Consult with your Brown & Brown benefits consulting team, as well as legal and tax advisers, as necessary, to navigate complex and nuanced compliance concerns specific to self-insured group medical plans

    Footnotes

    [1] In most cases, the employer plan sponsor of the plan will be a plan fiduciary.

    [2] Except for California, Colorado, New York, and Colorado, which defines small group plans as 1-100 employees.

    [3] HIPAA requirements will also apply to self-insured dental, vision, Healthcare Flexible Spending Accounts (FSA) and HRAs.

    [4] A “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity (the group medical plan). For clarity, a member of the covered entity’s workforce is not a business associate.

    [5] Currently, the pharmacy MRF requirement seems to apply to health plans on a case-by-case basis, pending further guidance on an implementation timeline that could make this requirement more uniformly applicable to all group health plans/policies in the future.

    [6] A group medical plan that does not have its own public website (even if the employer sponsoring the plan does) can contract with a carrier/TPA to post the MRFs on the plan’s behalf, as the employer is not required to post the MRFs on its own employer public website, but must do so if it has its own health plan website.

    [7] The Centers for Medicare & Medicaid Services

    [8] NQTLs are generally non-numerical requirements or limits that restrict the scope or duration of benefits offered under the plan.

    [9] Including a Healthcare FSA or HRA.

    [10] Note: Under the ACA, nondiscrimination rules that are similar to these Section 105(h) rules may apply to non-grandfathered fully insured plans in the future. However, it is of note that if the fully insured plan includes a cafeteria plan component that permits employees to contribute to the plan on a pre-tax basis, the plan would be subject to IRC Section 125 nondiscrimination testing.