When offering a group health plan to its employees, an employer may wear many hats: Plan Sponsor, ERISA Fiduciary, ERISA Plan Administrator and Covered Entity. Our recently published FAQs explore the relationship between employers and their self-funded group health plans in relation to acquiring and using protected health information (PHI). That relationship has significant implications for how the HIPAA Privacy and Security rules and regulations apply. HIPAA Privacy and Security is a highly regulated area, and penalties for noncompliance can be substantial. Employers that sponsor self-insured health plans should review these FAQs to ensure they understand their roles and responsibilities when dealing with PHI.