Are Health Plans Covered by HIPAA? What Insurers Must Do to Comply
If you’re asking “are health plans covered by HIPAA,” the short answer is yes—most health plans are covered entities that must protect protected health information. This guide explains exactly which plans are covered, which insurance lines are excluded, what employers must do for group health plans, and the safeguards insurers need to comply with the HIPAA privacy rule and HIPAA security rule.
Health Plans as Covered Entities
Under HIPAA, “covered entities” include health plans, health care clearinghouses, and most health care providers. Health plans include health insurance issuers, health maintenance organizations, employer-sponsored group health plans, and government programs that pay for medical care.
What counts as a health plan
- Commercial health insurers and health maintenance organizations that pay for medical care.
- Employer-sponsored group health plans, including self-funded plans using third-party administrators.
- Government programs such as Medicare, Medicaid, and military or state health benefit programs.
Covered functions and hybrid entities
Many insurers are “hybrid entities.” If a company sells both medical coverage and non-medical products (for example, life insurance), only its health plan operations are subject to HIPAA. The non-health lines remain outside HIPAA, but internal “firewalls” must separate them.
Protected health information (PHI)
PHI is individually identifiable health information held or transmitted in any form by a covered entity or its business associates. HIPAA limits uses and disclosures of PHI, requires minimum necessary practices, and gives members rights to access, amend, and receive an accounting of disclosures.
Insurance Types Excluded from HIPAA
HIPAA does not cover insurance that does not provide or pay for medical care, and it excludes certain “excepted benefits.” If an insurer offers only these products, it is not a covered entity for those lines.
- Life insurance and annuities.
- Workers’ compensation, employers’ liability, and similar programs required by law.
- Automobile liability and medical payment coverage, general liability, and property and casualty insurance.
- Disability income and accident-only coverage, credit-only insurance, and coverage for on-site medical clinics.
If a company also operates a health plan or HMO, HIPAA applies to those covered functions even if other lines remain excluded.
Employer Responsibilities in HIPAA Compliance
Employers are not covered entities; the group health plan is. As a plan sponsor, you must set boundaries so your company accesses PHI only for plan administration, not for employment decisions.
Plan governance and documentation
- Amend plan documents to permit PHI use and disclosure solely for plan administration.
- Designate a privacy official and security official for the plan and implement workforce training and sanction policies where applicable.
- Issue a Notice of Privacy Practices if the plan is self-insured or if the sponsor receives PHI beyond enrollment information and summary health information.
Business associate management
- Execute business associate agreements with third-party administrators, brokers, consultants, and vendors that create, receive, maintain, or transmit PHI.
- Ensure downstream subcontractors also sign business associate agreements and follow HIPAA requirements.
Data minimization
- Limit employer access to enrollment/disenrollment information and summary health information for plan design and premium negotiations.
- Maintain “firewalls” so HR staff using PHI for plan administration do not use it for employment actions.
Compliance Safeguards for Insurers
Insurers must implement comprehensive privacy and security programs that protect PHI and ePHI. The HIPAA privacy rule governs permissible uses and disclosures; the HIPAA security rule sets specific administrative, physical, and technical safeguards for electronic data.
Administrative safeguards
- Enterprise-wide risk analysis and risk management, including vendor risk.
- Role-based access, minimum necessary policies, and routine workforce training.
- Incident response, breach notification procedures, and ongoing audit and monitoring.
Physical safeguards
- Secure facilities, workstation controls, and device/media disposal standards.
- Documented procedures for equipment movement, storage, and destruction.
Technical safeguards and electronic health records safeguards
- Unique user IDs, strong authentication, automatic logoff, and robust access controls.
- Audit logs, integrity controls, encryption in transit and at rest, and transmission security.
- Data loss prevention and network segmentation to protect claims systems and electronic health records.
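The technical safeguards above and the plan-sponsor data minimization rules earlier (enrollment information and summary health information only, with a firewall between plan administration and employment decisions) are easiest to see in code. The following is an added illustration, not code from this page or from Accountable: a minimum-necessary, role-based read path over constructed sample member records, where each role is mapped to the fields it may see, the plan sponsor's HR role receives only enrollment status and aggregate summary health information, and every access attempt is written to an audit log. The role names, field names and sample records are assumptions made for the example.

```python
"""Added example: minimum-necessary, role-based PHI access with an audit trail.
All member records below are constructed sample data, not real PHI."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records (assumed schema for the example).
MEMBERS = [
    {"member_id": "M-1001", "name": "Sample Member A", "dob": "1980-04-12",
     "enrolled": True, "diagnosis_codes": ["E11.9"], "claims_paid": 4200.00},
    {"member_id": "M-1002", "name": "Sample Member B", "dob": "1975-09-30",
     "enrolled": True, "diagnosis_codes": ["I10"], "claims_paid": 1100.00},
    {"member_id": "M-1003", "name": "Sample Member C", "dob": "1990-01-05",
     "enrolled": False, "diagnosis_codes": [], "claims_paid": 0.0},
]

# Role -> fields that role may read ("minimum necessary"). Role names are assumptions.
# The plan sponsor's HR role is deliberately limited to enrollment/disenrollment data.
ROLE_FIELDS = {
    "plan_admin": {"member_id", "name", "dob", "enrolled", "diagnosis_codes", "claims_paid"},
    "enrollment_hr": {"member_id", "name", "enrolled"},
    "wellness_vendor": {"member_id", "enrolled"},
}

# Roles allowed to receive summary (aggregate, de-identified) health information.
SUMMARY_ROLES = {"plan_admin", "enrollment_hr"}


@dataclass
class AuditLog:
    """Append-only record of who (unique user ID) did what, as which role, with what result."""
    entries: list = field(default_factory=list)

    def record(self, user_id, role, action, outcome, detail=""):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "role": role, "action": action,
            "outcome": outcome, "detail": detail,
        })


class PhiAccessDenied(PermissionError):
    """Raised when a role has no entitlement to the requested data."""


def get_member(user_id, role, member_id, log):
    """Return only the fields the caller's role may see; log every attempt, allowed or not."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        log.record(user_id, role, "read_member", "denied", f"unknown role for {member_id}")
        raise PhiAccessDenied(f"role {role!r} has no PHI entitlement")
    rec = next((m for m in MEMBERS if m["member_id"] == member_id), None)
    if rec is None:
        log.record(user_id, role, "read_member", "not_found", member_id)
        return None
    view = {k: v for k, v in rec.items() if k in allowed}   # field-level filtering
    log.record(user_id, role, "read_member", "ok", f"{member_id} fields={sorted(view)}")
    return view


def summary_health_information(user_id, role, log):
    """Aggregate claims totals with no individual identifiers: the only claims-derived
    data a plan sponsor should receive for plan design or premium negotiation."""
    if role not in SUMMARY_ROLES:
        log.record(user_id, role, "read_summary", "denied")
        raise PhiAccessDenied(f"role {role!r} may not read summary health information")
    enrolled = [m for m in MEMBERS if m["enrolled"]]
    total = sum(m["claims_paid"] for m in enrolled)
    summary = {
        "enrolled_count": len(enrolled),
        "total_claims_paid": round(total, 2),
        "avg_claims_paid": round(total / len(enrolled), 2) if enrolled else 0.0,
    }
    log.record(user_id, role, "read_summary", "ok")
    return summary


if __name__ == "__main__":
    log = AuditLog()
    print(get_member("hr-user-1", "enrollment_hr", "M-1001", log))   # no diagnosis or claims
    print(get_member("claims-user-1", "plan_admin", "M-1001", log))  # full record
    print(summary_health_information("hr-user-1", "enrollment_hr", log))
    for e in log.entries:
        print(e)
```

The design point is that the HR role cannot obtain claims-level PHI through this path at all; the entitlement table, not the caller's discretion, decides which fields leave the data store, and the audit log captures denied and not-found attempts as well as successful reads so that monitoring can spot a role probing for data it should not have.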
Business associates and downstream compliance
Insurers must execute business associate agreements with all vendors handling PHI, require security controls that align with the HIPAA security rule, and verify remediation of identified risks.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exemptions for Small Group Health Plans
A group health plan with fewer than 50 participants that is self-administered by the employer is not a HIPAA covered entity. If a small plan is fully insured and the employer does not receive PHI beyond enrollment and summary health information, many privacy obligations are handled by the insurer.
Once the employer receives claims-level PHI or self-funds the plan, full HIPAA privacy and security responsibilities apply to the plan sponsor’s plan administration team.
Protections Against Discrimination
HIPAA’s nondiscrimination rules prohibit group health plans from discriminating based on health factors such as medical condition, claims history, disability, or genetic information. Eligibility, premiums, and contributions cannot vary because of an individual’s health status.
Plans may vary premiums or contributions based on bona fide wellness programs, but such programs must meet strict criteria, including reasonable design and alternatives for those with medical conditions. These protections complement other federal laws that bar discrimination.
HIPAA Portability and Enrollment Rights
HIPAA ensures portability by granting special enrollment rights for group health plans. You can enroll midyear after certain events instead of waiting for the next open enrollment.
Key special enrollment events
- Loss of other coverage, marriage, birth, adoption, or placement for adoption—request enrollment within 30 days.
- Gaining or losing eligibility for Medicaid or a state Children’s Health Insurance Program (CHIP), or qualifying for a state premium assistance subsidy—request enrollment within 60 days.
Preexisting conditions and creditable coverage
Historically, HIPAA limited preexisting condition exclusions using creditable coverage. The Affordable Care Act eliminated preexisting condition exclusions for plan years beginning in 2014, making creditable coverage certificates largely obsolete; special enrollment rights remain central to portability.
Conclusion
Most health plans—insurers, HMOs, and employer-sponsored group health plans—are covered by HIPAA and must protect PHI under the privacy and security rules. Exclusions exist for certain insurance lines, and small self-administered plans under 50 participants may be outside HIPAA. Effective safeguards, business associate agreements, and clear employer “firewalls” are essential to comply.
FAQs
Is a health insurance company always a covered entity under HIPAA?
It is a covered entity when it provides or pays for medical care as a health plan or operates an HMO. If the company offers only non-health products, such as life or disability income insurance, those lines are not covered; hybrid insurers are subject to HIPAA only for their health plan functions.
What types of insurance are excluded from HIPAA coverage?
Excluded lines include life insurance, workers’ compensation and similar programs, automobile liability and medical payment coverage, general liability and property/casualty, disability income and accident-only coverage, credit-only insurance, and coverage for on-site medical clinics. These do not constitute health plans under HIPAA.
What responsibilities do employers have under HIPAA for group health plans?
Employers must treat the group health plan as a separate covered entity, amend plan documents, and restrict PHI use to plan administration. They must implement privacy and security safeguards, designate officials, train staff, and execute business associate agreements with vendors. Fully insured plans with no access to claims PHI have limited obligations, but self-funded or PHI-accessing sponsors must meet the full requirements.
How must insurers safeguard electronic protected health information under HIPAA?
Insurers must follow the HIPAA security rule by implementing administrative, physical, and technical controls: risk analysis, role-based access, audit logging, encryption, integrity and transmission security, and incident response. They must also maintain electronic health records safeguards and manage vendor risk through business associate agreements and oversight.