Guide: The Three HIPAA Covered Entities and Employer Health Care Benefits Compliance
HIPAA Covered Entities Overview
The three HIPAA covered entities
- Health plans: This includes Group Health Plans, health insurance issuers, HMOs, Medicare, and Medicaid. Employer-sponsored Group Health Plans are themselves covered entities.
- Health care providers: Any provider that transmits health information electronically in standard transactions (claims, eligibility, referrals), such as clinics, hospitals, labs, or on-site/near-site employer clinics.
- Health care clearinghouses: Intermediaries that translate nonstandard health information into standard formats and vice versa.
Protected Health Information (PHI)
PHI is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form. Electronic PHI (ePHI) triggers the HIPAA Security Rule. Employment records a company maintains in its role as an employer are not PHI, even if health-related.
What HIPAA does not cover in your workplace
HIPAA applies to the Group Health Plan, not to the employer’s general HR files or routine management functions. Keep a strict boundary: information used for plan administration is PHI; information used for hiring, firing, or accommodation decisions is generally an employment record outside HIPAA, though other laws may apply.
Employer Health Plans and Legal Status
Plan sponsor versus the plan
You, as the employer, act as the plan sponsor. The Group Health Plan is a separate covered entity with its own HIPAA duties. When your employees perform plan administration functions, they do so on behalf of the plan and must follow HIPAA Privacy Rule and Security Rule requirements.
Common employer-sponsored arrangements
- Major medical, dental, and vision plans (group or individual coverage arranged through the employer).
- Self-funded arrangements like HRAs and many FSAs, which the plan sponsor administers or oversees.
- Employee Assistance Programs that provide counseling or referrals—often treated as group health plans under HIPAA.
- On-site or near-site clinics that deliver care may be health care providers subject to HIPAA when they conduct standard electronic transactions.
Employer Responsibilities for HIPAA Compliance
HIPAA Privacy Rule: core obligations
- Issue a Notice of Privacy Practices (NPP) to plan participants when required, and update it as your practices change.
- Adopt written privacy policies, designate a privacy official, and train workforce members who handle PHI.
- Apply the minimum necessary standard, manage authorizations, and honor individual rights (access, amendment, and accounting of disclosures).
- Amend plan documents to restrict employer use of PHI to plan administration and create a firewall from employment decisions.
HIPAA Security Rule: ePHI requirements
- Conduct and document a risk analysis; implement risk management with administrative, physical, and technical PHI safeguards.
- Use access controls, unique IDs, role-based access, and audit logs; encrypt ePHI at rest and in transit where reasonable and appropriate.
- Establish contingency planning, incident response, and periodic evaluations; include vendors with system access in your risk program.
PHI safeguards in everyday operations
- Route claims and clinical details directly to insurers/TPAs; avoid collecting unnecessary PHI in HR inboxes.
- Secure mail, fax, and print workflows; lock file cabinets; use secure portals instead of email when possible.
- Limit who can view enrollment files; verify identities; clean desks and screens; shred or securely delete PHI.
Documentation and retention
Maintain NPPs, policies, Business Associate Agreements (BAAs), risk analyses, training logs, and incident records. Keep documentation for at least six years from creation or last effective date, whichever is later, to support employer health plan compliance.
Role of Business Associates
Who is a business associate
Vendors that create, receive, maintain, or transmit PHI for your plan are business associates. Common examples include TPAs, PBMs, wellness vendors, COBRA administrators, benefits brokers when they handle PHI, cloud/email providers, and analytics firms.
Business Associate Agreements
- Define permitted uses/disclosures of PHI and require appropriate PHI safeguards aligned with the HIPAA Security Rule.
- Mandate breach reporting, subcontractor flow-down obligations, and return or destruction of PHI at termination.
- Provide for monitoring rights, cooperation during investigations, and clear allocation of responsibilities.
Due diligence and oversight
- Vet security practices (e.g., SOC 2, penetration tests), incident histories, and subcontractor chains.
- Keep an up-to-date vendor inventory; review BAAs periodically and after scope changes.
Compliance Requirements for Self-Insured Plans
What self-insured means for HIPAA
In self-insured plans, the plan—not an insurer—bears claims risk. Because you and your TPA routinely access PHI, the plan must implement full Privacy Rule and Security Rule programs and execute robust Business Associate Agreements.
Action checklist for self-insured plans
- Map PHI data flows, then perform a formal risk analysis covering systems, vendors, and manual processes.
- Adopt comprehensive privacy and security policies; designate privacy and security officials; train all plan workforce members.
- Issue and distribute the NPP; manage individual rights requests; implement minimum necessary and role-based access.
- Encrypt laptops and portable media; require multifactor authentication; enable audit logging and retain logs.
- Sign BAAs with TPAs, PBMs, wellness vendors, and other service providers; monitor vendor performance.
- Establish incident response and breach notification procedures with clear timelines and decision criteria.
Common risk areas
- Uncontrolled email of claims images or ID cards; shared mailboxes without retention or access limits.
- Ad hoc data extracts to brokers or consultants without BAAs or minimum necessary review.
- Stop-loss coordination that inappropriately shares PHI with the employer outside plan administration.
Responsibilities under Fully Insured Plans
When your plan does not handle PHI
If your fully insured Group Health Plan does not create or receive PHI (other than enrollment/disenrollment information and limited summary health information for plan design or premium bids), the insurer primarily handles HIPAA obligations. You should still apply reasonable PHI safeguards to the limited data you touch.
When you receive PHI for plan administration
Once you receive PHI beyond enrollment and summary data, you must amend plan documents, issue an NPP, adopt privacy/security policies, train staff, and execute BAAs. Ensure a firewall so PHI is used solely for plan administration and never for employment actions.
Practical guardrails
- Certify plan-sponsor status to the insurer before receiving PHI for plan administration.
- Prefer de-identified or aggregated reports; request summary health information whenever detailed PHI is unnecessary.
- Direct employees to the insurer’s customer service for claims details to minimize PHI flowing to HR.
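As an added example that is not part of this guide or the vendor's own code, the following Python model encodes three rules stated above: the plan-administration firewall (PHI never feeds employment decisions), the limited data a fully insured sponsor may hold before certifying plan-sponsor status, and the Security Rule requirement to keep an audit trail of access decisions. The PhiAccessGate class, the role names and the data-class labels are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed labels for the guide's data classes and purposes (assumed names, not from the page).
PHI, ENROLLMENT, SUMMARY, EMPLOYMENT_RECORD = "phi", "enrollment", "summary_health_info", "employment_record"
PLAN_ADMIN, EMPLOYMENT_DECISION = "plan_administration", "employment_decision"
LIMITED_PLAN_DATA = {ENROLLMENT, SUMMARY}  # what a fully insured sponsor may hold without further steps


@dataclass
class PhiAccessGate:
    """Enforces the plan-administration firewall and records every decision (hypothetical helper)."""
    plan_workforce: frozenset            # roles designated to act on behalf of the plan (assumed names)
    certified_to_insurer: bool = False   # plan-sponsor certification given before PHI is received
    audit_log: list = field(default_factory=list)

    def decide(self, user: str, role: str, data_class: str, purpose: str) -> bool:
        if data_class == EMPLOYMENT_RECORD:
            # Employment records are outside HIPAA; no plan rule applies here.
            allowed, reason = True, "employment record, outside the plan"
        elif purpose != PLAN_ADMIN:
            # Firewall: data the plan holds never feeds hiring, firing or accommodation decisions.
            allowed, reason = False, "plan data restricted to plan administration"
        elif role not in self.plan_workforce:
            allowed, reason = False, "requester is not plan workforce"
        elif data_class in LIMITED_PLAN_DATA:
            allowed, reason = True, "enrollment or summary health information"
        elif data_class == PHI and not self.certified_to_insurer:
            allowed, reason = False, "plan-sponsor certification not on file"
        elif data_class == PHI:
            allowed, reason = True, "PHI for plan administration"
        else:
            allowed, reason = False, "unknown data class"
        # Audit entry records who, what class and why; it never carries PHI content itself.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
                               "data_class": data_class, "purpose": purpose, "allowed": allowed, "reason": reason})
        return allowed


def demo() -> list:
    """Walks the constructed scenarios from the guide; returns the access decisions in order."""
    gate = PhiAccessGate(plan_workforce=frozenset({"benefits_administrator"}))
    results = [
        gate.decide("hr1", "hr_generalist", EMPLOYMENT_RECORD, EMPLOYMENT_DECISION),  # True
        gate.decide("hr1", "hr_generalist", PHI, EMPLOYMENT_DECISION),               # False: firewall
        gate.decide("ba1", "benefits_administrator", SUMMARY, PLAN_ADMIN),            # True: limited data
        gate.decide("ba1", "benefits_administrator", PHI, PLAN_ADMIN),                # False: not certified
    ]
    gate.certified_to_insurer = True
    results.append(gate.decide("ba1", "benefits_administrator", PHI, PLAN_ADMIN))     # True
    return results
```

The audit entries capture the requester, data class, purpose and outcome only, which is the minimum-necessary footprint a reviewer needs during an investigation.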
HIPAA Penalties and Enforcement
How enforcement works
The HHS Office for Civil Rights investigates complaints, breaches, and audits. Outcomes may include corrective action plans, monitoring, and civil monetary penalties. State attorneys general can also enforce HIPAA, and contractual remedies may apply under BAAs.
Civil and criminal penalties
Civil penalties are tiered by culpability, with per-violation amounts and annual caps that scale from “did not know” to “willful neglect—uncorrected.” Knowing misuse of PHI can also trigger criminal liability. Beyond fines, investigations consume time, disrupt operations, and damage trust.
Key takeaways
- Identify which HIPAA covered entities you interact with and keep clear boundaries between employer functions and plan administration.
- Build a Privacy Rule and Security Rule program proportionate to your PHI footprint, with strong PHI safeguards and vendor oversight.
- Tailor requirements by funding model: self-insured plans need full-scale compliance; fully insured plans should minimize PHI access and certify plan-sponsor needs.
FAQs
What are the three main types of HIPAA covered entities?
The three covered entities are health plans (including Group Health Plans), health care providers that conduct standard electronic transactions, and health care clearinghouses. Each has independent HIPAA obligations and may rely on business associates for support.
How does HIPAA apply to employer-sponsored health plans?
HIPAA applies to the Group Health Plan, not the employer’s general HR files. When you perform plan administration, you must follow the HIPAA Privacy Rule and Security Rule, restrict PHI to that purpose, and maintain PHI safeguards with appropriate Business Associate Agreements.
What are employer responsibilities under HIPAA?
As plan sponsor, you must amend plan documents, issue an NPP when required, implement privacy and security policies, train staff, honor participant rights, conduct risk analyses for ePHI, and oversee vendors via Business Associate Agreements and ongoing due diligence.
What penalties exist for HIPAA non-compliance?
HHS can impose tiered civil monetary penalties per violation with annual caps, and serious misconduct can trigger criminal penalties. Resolutions often require corrective action plans and monitoring, adding operational and reputational costs in addition to fines.