Covered Entity or Not? HIPAA Rules for Insurance Companies Explained
HIPAA Covered Entity Definitions
The Health Insurance Portability and Accountability Act sets the baseline for how health information is used, shared, and protected. Under HIPAA, three groups are regulated as covered entities: health plans, health care providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard, and health care clearinghouses. Insurance companies fall under HIPAA only when they operate as, or for, a health plan.
Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form (electronic, paper, or oral). PHI includes member IDs, claims and payment data, clinical details related to diagnoses and treatments, and demographics when linked to health or payment information. Data that has been de-identified under the Privacy Rule's safe-harbor or expert-determination methods is not PHI.
In short, an insurance company is a covered entity when it functions as a health insurance issuer or HMO, or when it operates a group health plan. For other lines of business, HIPAA may not apply unless the company is acting as a business associate to a covered entity.
Health Plans as Covered Entities
Health plans are expressly covered entities. This category includes health insurance issuers and HMOs, employer-sponsored group health plans, and government programs such as Medicare or Medicaid. When an insurer sells or administers a medical plan, it is bound by HIPAA for that activity.
The “health plan” definition excludes policies to the extent they provide “excepted benefits” listed in section 2791(c)(1) of the Public Health Service Act, such as workers’ compensation, accident-only coverage, disability income policies, liability insurance, and automobile medical payment coverage. Note that limited-scope dental and vision benefits are not part of that exclusion: a stand-alone dental or vision plan is a health plan under HIPAA. By contrast, a group health plan that provides medical care is a covered entity, even if it buys insured coverage, subject to limited exceptions.
A notable exception: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not a covered entity. However, the health insurance issuer providing the coverage remains a covered entity. When acting as a health plan, an insurer must also conduct covered transactions (for example, eligibility inquiries and responses, claims, and remittance advice) as HIPAA standard transactions whenever it conducts them electronically, and it may not reject or delay a standard transaction submitted by a provider or other trading partner.
Differentiating Fully Insured and Self-Insured Plans
Fully insured group health plans purchase coverage from an insurance company or HMO. The insurer, as a covered entity, adjudicates claims, manages PHI, and provides the plan’s Notice of Privacy Practices. The employer-sponsored plan remains a covered entity, but if it receives no PHI beyond enrollment/disenrollment information and summary health information, the Privacy Rule exempts it from most administrative requirements (policies, training, privacy official, notice), and those operational duties fall to the insurer.
Self-insured (self-funded) group health plans pay claims from employer or trust assets. The plan is the covered entity, while third-party administrators (TPAs), pharmacy benefit managers, and utilization reviewers typically serve as business associates. If an insurance company administers a self-insured plan, it acts as a business associate for that function, not as a covered entity. Plan sponsors may access PHI only for plan administration and only if plan documents are amended and safeguards are in place.
In both models, you should map PHI flows carefully—who creates, receives, maintains, or transmits PHI—and verify whether each party is a covered entity component or a business associate subject to Business Associate Agreements.
Role of Business Associates
Business associates are persons or organizations that perform services for a covered entity involving PHI. Typical examples in the insurance context include TPAs, PBMs, nurse case managers, actuarial and analytics firms, cloud hosting providers, and certain brokers and agents when they handle PHI beyond enrollment tasks.
Business Associate Agreements must be executed before PHI is shared. A compliant BAA defines permitted uses and disclosures, requires Security Rule safeguards for ePHI, mandates reporting of security incidents and breaches, requires the business associate to bind its subcontractors to the same terms, and allows termination for material breach. Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance and for uses or disclosures outside their agreement, so you should evaluate their security posture and require evidence of ongoing compliance rather than relying on the contract alone.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Hybrid Entity Designation
Many insurers operate multiple lines of business. HIPAA’s hybrid entity provisions let a company designate specific “health care components” (for example, its HMO or health plan administration unit) as subject to HIPAA, while carving out non-health lines such as life or property insurance. The designation must be formal and documented, and the health care component must include every part of the company that would itself be a covered entity or business associate if it were a separate legal entity. The designation must also be accompanied by internal firewalls between covered and non-covered components.
As a hybrid entity, you must limit workforce access so PHI from covered components is not used by non-covered components, except as permitted by HIPAA. Policies should specify the components, govern permitted cross-component disclosures, and assign a privacy and security official with authority across components to ensure consistent compliance.
Exclusion of Life and Property Insurance
Life, disability income, auto, homeowners, and other property and casualty products are not “health plans” and therefore are not covered entities under HIPAA. Information collected for underwriting or servicing these policies is generally outside HIPAA, though other laws—such as state insurance privacy rules and the Gramm-Leach-Bliley Act—may apply.
If a life or property insurer performs services for a health plan that involve PHI, it may become a business associate for that specific function. Similarly, if a covered entity discloses PHI to such insurers under an authorization or a HIPAA-permitted exception, the receiving insurer is not transformed into a covered entity; its obligations arise from the authorization terms and non-HIPAA privacy laws unless it is acting as a business associate.
Compliance Requirements for Insurance Companies
When your organization is a covered entity (or a hybrid entity’s covered component), you must implement a governance program that meets HIPAA’s Data Privacy Requirements and security standards. At a minimum, you should:
- Appoint a privacy official and a security official; conduct an enterprise-wide risk analysis and apply administrative, physical, and technical safeguards for ePHI.
- Adopt Privacy Rule policies for permitted uses and disclosures, the minimum necessary standard, and role-based access to PHI.
- Publish and distribute a Notice of Privacy Practices for health plans (or coordinate with the issuer in fully insured arrangements, as applicable).
- Honor individual rights: access, amendment, and accounting of disclosures within required time frames.
- Execute and manage Business Associate Agreements; verify downstream compliance and restrict disclosures to the minimum necessary.
- Implement incident response and Breach Notification Rule processes, including risk assessment, documentation, and timely notification: affected individuals no later than 60 calendar days after discovery, HHS within the same 60 days for breaches affecting 500 or more individuals (annually for smaller breaches), and prominent media outlets for breaches affecting more than 500 residents of a state.
- Maintain hybrid-entity firewalls to prevent impermissible sharing between covered and non-covered components.
- Support HIPAA standard transactions where used (for example, eligibility verification, claims, remittances, and enrollment) and retain required policies, procedures, and documentation for at least six years from the date of creation or the date it was last in effect, whichever is later.
Bottom line: an insurance company’s HIPAA status depends on function. When you operate or administer a health plan, HIPAA applies. For life, disability, and property lines, HIPAA generally does not—unless you handle PHI on behalf of a covered entity, in which case business associate obligations attach.
FAQs
Is an insurance company always considered a covered entity under HIPAA?
No. An insurer is a covered entity only when it functions as a health plan (for example, a health insurance issuer or HMO) or operates a group health plan. For other lines of business, HIPAA does not apply unless the insurer serves as a business associate handling Protected Health Information for a covered entity.
What distinguishes fully insured from self-insured group health plans in HIPAA?
In a fully insured plan, the insurer is the covered entity that adjudicates claims and manages PHI; the employer’s plan remains a covered entity but often has limited direct HIPAA duties if it receives only enrollment/disenrollment and summary health information. In a self-insured plan, the plan is the covered entity, and TPAs (including insurers acting as administrators) are business associates subject to Business Associate Agreements.
Can life insurance companies be classified as covered entities?
Generally, no. Life insurance and disability income policies are not “health plans” under the HIPAA definition. A life insurer becomes subject to HIPAA only if it performs services for a covered entity that involve PHI, making it a business associate for that specific work.
How do hybrid entities affect insurance companies’ HIPAA compliance?
Hybrid entities designate their HIPAA-covered components (such as an HMO unit) and must implement Hybrid Entity Rules: document the designation, maintain firewalls, limit workforce access, and apply Privacy and Security Rule safeguards to the covered components. Non-covered lines (like property or life) remain outside HIPAA, provided PHI is not improperly shared across components.