Does HIPAA Apply to Groups of 50 or More? Here’s Who’s Actually Covered


Kevin Henry

HIPAA

July 20, 2025

6 minute read

Definition of Group Health Plans

A Group Health Plan is an employer- or union-sponsored arrangement that provides medical care—such as medical, dental, vision, prescription, or certain wellness and employee assistance program (EAP) benefits—to employees and their families. A plan may be fully insured (benefits provided through an insurance policy) or self-funded (benefits paid from the employer’s assets).

For HIPAA purposes, the plan itself—not the employer—can be a Covered Entity. “Participants” generally means eligible employees and former employees, not their dependents, which matters when applying the participant count threshold.

HIPAA Coverage Criteria

Under HIPAA, a Group Health Plan is treated as a Covered Entity if it meets either of these tests:

  • It has 50 or more participants (the participant count threshold), or
  • It is administered by an entity other than the employer that established and maintains the plan (for example, a Third-Party Administrator or health insurer), regardless of size.

A plan with fewer than 50 participants that is a true Self-Administered Plan—run solely by the employer with no outside administrator—generally is not a Covered Entity. However, the insurer or HMO paying claims for a fully insured plan is always a Covered Entity and must meet HIPAA Compliance obligations.

Role of Plan Administration

Plan Administration determines how HIPAA applies in practice. If you hire a Third-Party Administrator (TPA) or insurer to process claims or manage eligibility, your Group Health Plan becomes a Covered Entity (even with under 50 participants). In that case, the plan must have required HIPAA documentation, including plan document amendments permitting limited employer access to protected health information (PHI), and business associate agreements with vendors that handle PHI.

When the employer truly self-administers the plan (claims adjudication and day-to-day operations done in-house), HIPAA status hinges on participant count. Below 50, the plan can fall outside HIPAA’s “health plan” definition; at 50 or more, it is in scope regardless of who runs it.

Self-Administered Plans Under 50 Participants

A Self-Administered Plan with fewer than 50 participants is typically excluded from HIPAA’s definition of a “health plan.” That means the plan itself is not a Covered Entity and the HIPAA Privacy, Security, and Breach Notification Rules do not directly apply to the plan. Still, if you involve outside vendors or transmit PHI through a service, that can convert the plan into a Covered Entity or create business associate relationships that trigger HIPAA responsibilities.

Even when excluded, it is prudent to minimize PHI collection, restrict access to designated personnel, and maintain written procedures aligned with privacy and security best practices, given overlapping obligations under other laws and the sensitivity of health data.


Employer vs Covered Entity Distinctions

Employers are not Covered Entities simply because they sponsor benefits. The Covered Entity is the Group Health Plan (and the insurer/HMO or TPA, as applicable). Employers may receive limited PHI for plan operations only if plan documents are amended and appropriate safeguards are in place. Access should be restricted to a small workforce segment performing plan functions, with firewalls preventing use of PHI for employment decisions.

If an employer also operates a clinic or provides direct healthcare services, that separate unit may be a Covered Entity or part of a “hybrid entity,” but that status is distinct from the Group Health Plan’s HIPAA posture.

Compliance Requirements for Group Health Plans

When your plan is a Covered Entity, core HIPAA Compliance duties include:

  • Privacy Rule: Limit uses/disclosures to treatment, payment, and healthcare operations; implement “minimum necessary”; provide individual rights (access, amendment, accounting); issue a Notice of Privacy Practices when required.
  • Security Rule: Safeguard ePHI with administrative, physical, and technical controls (risk analysis, access management, encryption where reasonable and appropriate, incident response).
  • Breach Notification: Assess security incidents, determine reportable breaches, notify affected individuals and regulators as required.
  • Documentation and Training: Adopt written policies, train the plan workforce, designate a privacy and security official, and maintain records.
  • Vendor Management: Execute business associate agreements with each Third-Party Administrator and any vendor that creates, receives, maintains, or transmits PHI for the plan.

Special case: A fully insured Group Health Plan that does not create or receive PHI other than summary information and enrollment/disenrollment data has reduced administrative obligations (the insurer handles most operational HIPAA tasks). If the employer wants broader PHI access, the plan must satisfy the full Privacy and Security Rule requirements first.

Impact of Participant Count on HIPAA Applicability

Participant count determines whether a Self-Administered Plan is inside or outside HIPAA. At 50 or more participants, your Group Health Plan is a Covered Entity regardless of administration method. Below 50, HIPAA applies to the plan only if a TPA, insurer, or other outside party administers plan functions. Remember: participants are employees and former employees eligible for benefits; dependents do not increase the participant count for this threshold.

Practical scenarios

  • 18 participants, Self-Administered Plan: Not a Covered Entity; still follow prudent privacy practices.
  • 18 participants with a TPA: Covered Entity due to outside administration; full HIPAA program required.
  • 75 participants, self-funded and self-administered: Covered Entity by participant count; full compliance required.
  • 12 participants, fully insured with insurer administering claims: Covered Entity (outside administration). Many operational duties handled by the insurer; the plan’s obligations depend on its access to PHI.

Conclusion

HIPAA does not hinge solely on “50 or more.” A Group Health Plan is a Covered Entity if it has at least 50 participants or if any outside party administers it, regardless of size. Align Plan Administration, vendor relationships, and internal access to PHI with these rules to right-size your HIPAA Compliance program.

FAQs

Does HIPAA apply to all group health plans regardless of size?

No. A Self-Administered Plan with fewer than 50 participants is generally outside HIPAA’s “health plan” definition. However, if the plan has 50 or more participants—or uses a Third-Party Administrator or insurer to administer benefits—it is a Covered Entity and HIPAA applies.

When does a group health plan become a covered entity under HIPAA?

A Group Health Plan becomes a Covered Entity when it reaches the 50-participant count threshold or when it is administered by an entity other than the employer (for example, a TPA or insurer), even if it has fewer than 50 participants.

Are employers considered covered entities under HIPAA?

Generally, no. The employer is not a Covered Entity merely for sponsoring benefits. The Covered Entity is the Group Health Plan (and the insurer/TPA). Employers may access limited PHI for plan operations only with proper Plan Administration controls and plan document certifications.

How does plan administration affect HIPAA applicability?

Plan Administration is pivotal. If an outside party (TPA or insurer) processes claims or maintains PHI, the plan is a Covered Entity regardless of participant count, triggering HIPAA Compliance requirements like business associate agreements, privacy and security safeguards, and breach response procedures.
