Are Insurance Companies Covered Entities Under HIPAA? Requirements Explained


Kevin Henry

HIPAA

January 19, 2025

7-minute read

You often hear that “HIPAA covers insurance companies,” but the truth depends on the type of insurance and the data involved. This guide explains how the HIPAA Privacy Rule, HIPAA Security Rule, and Administrative Simplification standards apply to insurers, when the Gramm-Leach-Bliley Act (GLBA) controls instead, and what covered entity compliance looks like in practice.

Defining Covered Entities Under HIPAA

Health Plan Definition

HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers that transmit standard electronic transactions. A health plan is any individual or group plan that provides or pays the cost of medical care. This includes commercial health insurers, HMOs, employer group health plans, Medicare, Medicaid, and certain long-term care policies (excluding nursing home fixed-indemnity policies). A group health plan with fewer than 50 participants that is self-administered by the employer is not a HIPAA “health plan.”

What HIPAA Regulates

The HIPAA Privacy Rule governs how covered entities use and disclose protected health information (PHI) and grants individual rights (access, amendment, accounting). The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Administrative Simplification sets national standards for transactions, code sets, identifiers, and operating rules to streamline claims, eligibility, and related exchanges.

Who Is Not a Covered Entity

Organizations that do not provide or pay for medical care—such as most property and casualty insurers, life insurers, and disability insurers—are generally not HIPAA covered entities. However, they may still handle PHI in limited contexts (for example, via authorizations) or act as business associates for covered entities that delegate functions to them.

Health Insurance Companies as Covered Entities

When Insurers Are Covered

Commercial health insurers and HMOs squarely meet the health plan definition and are covered entities. They may use and disclose PHI for treatment, payment, and health care operations, following the minimum necessary standard, and must honor member rights under the Privacy Rule. When they receive, create, or transmit electronic PHI, they must implement Security Rule safeguards.

Common Operational Roles

  • Payment: Processing claims, coordination of benefits, subrogation, and risk adjustment.
  • Health care operations: Utilization management, quality improvement, auditing, underwriting (with restrictions), and customer service.
  • Business associates: Insurers must execute business associate agreements (BAAs) with vendors like TPAs, PBMs, and analytics firms that handle PHI on their behalf.

Insurers that also administer Medicare Advantage, Medicaid managed care, or Marketplace products remain covered entities for those lines of business and must ensure compliance across all plan types.

Non-Health Insurance Companies and HIPAA

Lines Typically Outside HIPAA

Life, disability, workers’ compensation, auto, homeowners, and other property and casualty carriers are not health plans and are typically outside HIPAA. If they request medical records (e.g., for life underwriting), they generally must rely on an individual’s HIPAA-compliant authorization or obtain information from non-HIPAA sources.

When HIPAA Can Still Matter

  • Business associate functions: If a non-health insurer performs services for a covered entity that involve PHI, HIPAA applies via a BAA.
  • Dual-role organizations: A company that sells both life and health insurance must segregate PHI and apply HIPAA to its health plan operations.
  • State law intersections: State privacy and insurance data security statutes can impose obligations even when HIPAA does not directly apply.

Intersection of HIPAA and GLBA Regulations

Different Laws, Different Data

The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions, including many insurers, protect Nonpublic Personal Information (NPI) about consumers. HIPAA protects PHI created or received by health care covered entities and their business associates. A single insurer may be subject to HIPAA for its health plan activities and GLBA for its non-health lines.

Practical Boundary Lines

  • PHI held by a health plan is subject to HIPAA’s Privacy and Security Rules.
  • Customer information gathered by a life or auto insurer is generally NPI regulated by GLBA’s Privacy and Safeguards Rules.
  • Where data sets overlap, the stricter rule or the rule specific to the function and data type typically governs.

Many states also implement GLBA principles through insurance-specific laws (for example, data security model laws), complementing HIPAA without displacing it.

Compliance Requirements for Health Insurance Entities

Governance and Risk Management

  • Designate a privacy official and a security official to oversee covered entity compliance.
  • Conduct an enterprise-wide risk analysis and implement risk management plans.
  • Adopt, document, and regularly review privacy, security, and breach response policies and procedures.

Security Rule Safeguards

  • Administrative: Workforce training, sanction policies, contingency planning, vendor management.
  • Physical: Facility access controls, device and media controls, secure disposal.
  • Technical: Access controls, audit logs, integrity protections, transmission security (encryption in transit/at rest where reasonable and appropriate).

Privacy Rule Obligations

  • Issue a Notice of Privacy Practices to members and honor individual rights (access, amendments, restrictions where applicable).
  • Apply the minimum necessary standard to routine disclosures and internal use.
  • Obtain authorizations for uses/disclosures not otherwise permitted (e.g., many marketing activities).
  • Execute BAAs with service providers that create, receive, maintain, or transmit PHI.

Breach Notification Rule

Implement incident response processes to assess potential compromises of unsecured PHI, perform risk assessments, notify affected individuals and regulators as required, and document decisions when a breach is not reported based on low-probability-of-compromise analysis.

Administrative Simplification Standards

Support HIPAA transactions (claims, eligibility, claim status, remittance, referrals/prior authorizations), use standard code sets and identifiers (e.g., NPI), and comply with operating rules. Align clearinghouse relationships and trading partner agreements to these standards.

Continuous Oversight

Monitor controls, audit high-risk processes, train staff routinely, and update risk, policy, and vendor assessments whenever business models, technologies, or regulations change.

Implications for Employer-Sponsored Health Plans

Who Is the Covered Entity?

The group health plan—not the employer—is the covered entity. The plan sponsor may access PHI only for plan administration after amending plan documents and certifying safeguards. Employers must build “firewalls” so HR or benefits staff do not use PHI for employment decisions.

Plan Size and Administration

A group health plan with fewer than 50 participants that is administered solely by the employer is not a HIPAA health plan. Most larger or third-party-administered plans are covered and must comply with the Privacy, Security, and Breach Notification Rules.

Common Plan Types

  • Self-funded major medical plans, HRAs, and many EAPs that provide or pay for medical care are health plans.
  • FSAs and dental/vision plans can also be health plans, with the same core HIPAA obligations.
  • Third-party administrators, brokers, and consultants that handle PHI for the plan must sign BAAs.

Government Health Programs as Covered Entities

Programs in Scope

Medicare (including Advantage and Part D), Medicaid and CHIP, TRICARE, CHAMPVA, and the Federal Employees Health Benefits (FEHB) Program function as health plans under HIPAA. Their contractors and managed care organizations that administer benefits must also meet applicable HIPAA requirements.

Conclusion

Health insurance companies are covered entities when they operate as health plans; non-health lines usually are not. HIPAA protects PHI through the Privacy and Security Rules and Administrative Simplification, while GLBA safeguards Nonpublic Personal Information in financial services. Knowing which rules apply to which data and function is the key to right-sizing your compliance program.

FAQs

Are all insurance companies covered by HIPAA?

No. Only entities that provide or pay for medical care—such as health insurers, HMOs, and most employer group health plans—are covered entities. Life, disability, auto, and property insurers are generally outside HIPAA unless they perform services for a covered entity or obtain PHI via a valid authorization.

What distinguishes a health plan under HIPAA?

A health plan is any individual or group arrangement that provides or pays the cost of medical care. This includes commercial health insurance, HMOs, Medicare, Medicaid, and certain long-term care policies. A self-administered group health plan with fewer than 50 participants is not a HIPAA health plan.

How does HIPAA apply to employer-sponsored health plans?

The group health plan is the covered entity. The employer as plan sponsor may access PHI only for plan administration after amending plan documents and implementing safeguards. Most plans must issue a Notice of Privacy Practices, honor member rights, secure electronic PHI, and execute BAAs with vendors.

What regulations apply to insurance companies not covered by HIPAA?

Insurers outside HIPAA (e.g., life or auto) typically fall under the Gramm-Leach-Bliley Act for Nonpublic Personal Information, as well as state insurance privacy and data security laws. If they handle PHI for a covered entity, HIPAA applies through business associate obligations.
