Does a Covered Entity’s Health Plan Need Separate HIPAA Policies?
Health Plan Definition
A health plan under HIPAA includes any individual or group plan that pays for medical care, such as group medical, dental, vision, and prescription drug benefits. A group health plan sponsored by an employer is itself a Covered Entity, distinct from the employer in its role as an employer. This distinction matters because the plan handles Protected Health Information tied to claims, eligibility, authorizations, and appeals.
While employers administer benefits, the HIPAA obligations attach to the plan. Plan sponsors may delegate functions to third parties, but the plan remains responsible for how PHI is created, received, maintained, and transmitted during plan operations.
HIPAA Applicability to Health Plans
HIPAA applies to health plans through the Privacy, Security, and Breach Notification Rules. Privacy Rule Compliance requires policies governing permissible uses and disclosures, minimum necessary standards, and individual rights (access, amendments, and accounting of disclosures). The Security Rule requires safeguards for electronic PHI, including administrative, physical, and technical controls.
Because the plan is a Covered Entity separate from the employer’s non-plan activities, it needs its own HIPAA policies tailored to plan functions. Even when a sponsoring employer has enterprise-wide privacy practices, dedicated plan policies and procedures are necessary to address plan-specific data flows, vendor oversight, and plan sponsor disclosures.
Distinctions Between Self-Insured and Fully Insured Plans
A Self-Insured Health Plan pays claims from the employer’s assets (often with a TPA). It typically creates or receives PHI and therefore must implement the full set of HIPAA privacy and security policies, distribute a Notice of Privacy Practices as required, and manage vendor relationships.
A Fully Insured Health Plan purchases coverage from an insurer or HMO. If the employer’s plan does not create or receive PHI beyond enrollment/disenrollment information or summary health information, many administrative obligations (such as issuing a notice) fall primarily on the insurer. However, if the fully insured plan accesses PHI for plan administration, it must maintain full HIPAA policies and Security Rule safeguards for that PHI.
Organized Health Care Arrangements and HIPAA Compliance
An Organized Health Care Arrangement allows certain covered entities—such as a group health plan and its insurer—to coordinate certain HIPAA activities, like issuing a joint notice or sharing PHI for joint operations. An Organized Health Care Arrangement can streamline administration but does not merge entities or transfer liability.
Participation in an OHCA does not eliminate the plan’s need for its own policies. Each participating Covered Entity remains independently responsible for Privacy Rule Compliance, Security Rule safeguards for ePHI, workforce training, and breach response within its control.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements Requirements
Health plans must execute a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits PHI on the plan’s behalf. Common business associates include third-party administrators, pharmacy benefit managers, utilization review vendors, wellness program providers, data warehouses, and cloud or email service providers handling ePHI. At a minimum, the agreement should:
- Define permitted and required uses/disclosures of PHI by the business associate.
- Require appropriate safeguards and Security Rule compliance for ePHI.
- Mandate prompt reporting of incidents and breaches, including subcontractor breaches.
- Flow down obligations to subcontractors that handle PHI.
- Support individual rights (access, amendments, and accounting) when applicable.
- Provide for return or destruction of PHI at termination, where feasible.
- Allow termination for material breach of the agreement.
Creating HIPAA Policies and Procedures for Health Plans
Start with a data map of plan operations: claims, appeals, eligibility, COBRA, pre-authorizations, and vendor exchanges. Identify where Protected Health Information and ePHI originate, how they flow, and who accesses them. Use this map to apply minimum necessary standards and access controls.
- Governance: designate privacy and security officials; define workforce roles and training; set a sanction and complaint process; document Privacy Rule Compliance and retention (typically six years).
- Privacy operations: uses/disclosures, authorizations, individual rights, plan sponsor disclosures, and procedures for confidential communications and restrictions.
- Security safeguards: risk analysis and risk management; access management; authentication; encryption and transmission security; audit logging; device/media controls; contingency planning and testing.
- Incident response: detect, investigate, and document security incidents; conduct breach risk assessments; provide timely notifications.
- Vendor management: Business Associate Agreement lifecycle, due diligence, and ongoing monitoring.
Employer Responsibilities for HIPAA Compliance
As plan sponsor, the employer must amend plan documents to permit the plan to disclose PHI to the sponsor for plan administration and certify that it will safeguard that PHI. You must establish “firewalls” that restrict PHI access to employees performing legitimate plan functions and prohibit its use for employment decisions.
Employers should ensure workforce training for anyone with plan PHI access, distribute required notices when the plan—not only the insurer—is responsible, and maintain documentation of policies, risk analyses, and vendor oversight. In short, even when benefits are fully insured or administered by vendors, the plan’s status as a Covered Entity means you need plan-specific HIPAA policies calibrated to your Self-Insured Health Plan or Fully Insured Health Plan structure and any Organized Health Care Arrangement in place.
FAQs
What distinguishes self-insured from fully insured health plans under HIPAA?
A self-insured plan pays claims from the employer’s funds (often using a TPA) and typically creates or receives PHI, requiring a full HIPAA program. A fully insured plan purchases coverage from an insurer; if the plan does not access PHI beyond enrollment/disenrollment or summary data, many obligations rest with the insurer. If the fully insured plan accesses PHI for plan administration, it must implement full HIPAA policies and safeguards.
Does an employer need separate HIPAA policies for its health plan?
Yes. The group health plan is a Covered Entity distinct from the employer’s general business functions. It needs its own policies and procedures aligned to plan operations, vendor arrangements, and Security Rule requirements for ePHI, even if the employer already maintains enterprise privacy practices.
What role do Business Associate Agreements play in HIPAA compliance?
A Business Associate Agreement contractually requires vendors that handle PHI for the plan to safeguard it, comply with the Security Rule, report incidents and breaches, support individual rights as applicable, and return or destroy PHI at termination. BAAs are a cornerstone of vendor risk management and overall HIPAA compliance.
Can multiple entities share HIPAA compliance through an Organized Health Care Arrangement?
They can coordinate certain activities—such as issuing a joint notice and sharing PHI for joint operations—within an Organized Health Care Arrangement. However, each entity remains a separate Covered Entity and must maintain its own policies, safeguards, training, and breach response for the PHI it controls.