Health Plan HIPAA Requirements: A Practical Compliance Checklist

Kevin Henry

HIPAA

March 27, 2026

HIPAA Applicability to Health Plans

HIPAA applies to health plans as covered entities: employer-sponsored group health plans (fully insured or self-funded), health insurers, HMOs, and government programs such as Medicare and Medicaid. The employer itself is not a covered entity; the plan is. A plan sponsor may receive PHI from the plan only after the plan documents have been amended to restrict the sponsor's uses and disclosures and the sponsor has certified that it will safeguard the PHI, keep it out of employment-related decisions, and report improper uses. Two narrower categories may flow to the sponsor without that amendment: summary health information (for obtaining premium bids or modifying the plan) and enrollment/disenrollment information.

Some arrangements are not “health plans” under HIPAA: workers’ compensation and the excepted benefits listed in PHS Act § 2791(c)(1), such as accident-only, disability income, liability, and automobile medical-payment coverage. Limited-scope dental and vision plans are excepted benefits for other purposes but are still health plans under HIPAA and must comply. A group health plan with fewer than 50 participants that the employer administers entirely itself is also excluded. Employee Assistance Programs that provide counseling or other medical care (as opposed to referral only), Health FSAs, and HRAs typically are health plans. TPAs, PBMs, brokers, and cloud vendors that create, receive, maintain, or transmit PHI on the plan’s behalf are business associates; a cloud provider that stores ePHI is a business associate even if it holds only encrypted data it cannot read.

Checklist

  • Confirm whether each benefit arrangement meets the definition of a health plan and document the basis.
  • Designate privacy and security officials for the plan and define their authority and responsibilities.
  • Amend plan documents and obtain plan sponsor certifications before sharing PHI with the sponsor.
  • Map all vendors that touch PHI and classify them as business associates or subcontractors.

Protected Health Information Management

PHI is individually identifiable health information in any form; electronic PHI (ePHI) is PHI created, received, maintained, or transmitted electronically. Maintain a clear inventory of PHI in your designated record set and limit access to workforce members who need it for plan administration.

Use and disclosure without authorization is permitted for treatment, payment, and health care operations, subject to the minimum necessary standard (which does not apply to disclosures to a provider for treatment). Provide a Notice of Privacy Practices and support individual rights: access (within 30 days of the request, with one 30-day extension if the individual is told the reason and the new date), amendments, an accounting of disclosures covering the prior six years, confidential communications, and requests for restrictions.

Adopt documentation retention policies that preserve required HIPAA policies, NPP versions, risk analyses, training logs, and breach assessments for at least six years from the date of creation or last effective date, whichever is later. Maintain an accounting-of-disclosures log and procedures for timely responses.

Checklist

  • Define your designated record set and data flows for PHI and ePHI.
  • Implement minimum necessary rules and role-based access for plan staff.
  • Provide the NPP at enrollment and on request, post it on any member-facing website, and remind members of its availability at least every three years; health plans are not required to collect signed acknowledgments (that duty falls on providers with direct treatment relationships).
  • Establish request workflows: access, amendments, and accounting of disclosures.
  • Enforce documentation retention policies for at least six years.

Privacy Rule Safeguards

Appoint a Privacy Official, adopt written policies and procedures, and implement staff HIPAA training requirements appropriate to job duties. Maintain a sanctions policy, a complaint intake and investigation process, and practices to mitigate harmful effects of improper uses or disclosures.

Apply the minimum necessary standard, role-based access, and need-to-know sharing with plan sponsors and vendors. Where feasible, de-identify data or use limited data sets with data use agreements to reduce risk and enable analytics while preserving privacy.

Checklist

  • Adopt and annually review privacy policies, including minimum necessary and workforce sanctions.
  • Train all plan workforce members on privacy practices at hire and periodically thereafter; document completion.
  • Maintain a complaint process, investigation templates, and mitigation playbooks.
  • Limit plan sponsor access to PHI and ensure plan documents and certifications are in place.

Security Rule Safeguards

The Security Rule requires risk-based administrative, physical, and technical safeguards for electronic PHI protection. Controls must be reasonable and appropriate to the plan’s size, complexity, and capabilities, and should be verified through ongoing evaluation and monitoring.

Administrative Safeguards

  • Conduct an enterprise-wide risk analysis and implement risk management plans.
  • Designate a Security Official and define workforce security/clearance procedures.
  • Implement security awareness and training (e.g., phishing, password hygiene, incident reporting).
  • Establish incident response, contingency planning, data backup, disaster recovery, and emergency-mode operations.
  • Manage vendor security through BAAs, due diligence, and periodic assessments.

Physical Safeguards

  • Control facility access; secure workstations and storage areas used for plan administration.
  • Use device and media controls for encryption, inventory, reuse, and secure disposal of hardware or portable media.
  • Define remote-work standards for accessing ePHI offsite.

Technical Safeguards

  • Access controls: unique user IDs, role-based access, emergency access procedures, and automatic logoff.
  • Encryption: encrypt ePHI at rest and in transit. Encryption is an “addressable” specification, which means the plan must implement it or document why an alternative is reasonable and appropriate; addressable does not mean optional. ePHI encrypted consistent with HHS guidance is “secured,” so loss or theft of the ciphertext alone is not a reportable breach. Manage keys separately from the data they protect and disable weak protocols.
  • Audit controls and activity review: log access, changes, and transmissions; regularly reconcile anomalies.
  • Integrity and authentication: hashing, digital signatures, and MFA to prevent unauthorized alteration or access.
  • Transmission security: TLS for data in motion; restrict insecure channels and public file-sharing.
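The audit-controls bullet is where many plans fall short in practice: the application writes an access log, but nobody reconciles it against who is permitted to do what. The Python below is an added example, not code from this article or from Accountable. It reviews constructed JSON-lines audit events from a hypothetical claims application against a hypothetical role-to-action matrix and review thresholds; every user, role, member ID, threshold and log line is invented for illustration, and a real deployment would take the matrix from the plan's access-control documentation.

```python
"""Activity review over a health plan application's audit log.

Added example, not the article's or any product's code. The JSON-lines
events, users, roles, role permissions and thresholds are constructed for
illustration; real values come from the plan's access-control matrix.
"""
import json
from collections import defaultdict
from datetime import datetime

# Assumed minimum-necessary matrix: which actions each role may perform on PHI.
# An unknown role gets no permissions, so the review fails closed.
ROLE_PERMISSIONS = {
    "claims_examiner": {"view_claim", "update_claim"},
    "member_services": {"view_claim", "view_enrollment"},
    "analyst": {"export_report"},
    "dba": set(),  # platform administrators have no business need to read member records
}
BUSINESS_HOURS = (7, 19)      # assumed 07:00-19:00 local; outside is reviewed, not blocked
BULK_EXPORT_THRESHOLD = 500   # assumed: records in one export event that warrant review
DAILY_VIEW_THRESHOLD = 200    # assumed: distinct members viewed by one user in one day

# Constructed sample events, one JSON object per line. The last line is deliberately
# truncated to show that a corrupt audit record is counted rather than silently dropped.
SAMPLE_LOG = "\n".join([
    '{"ts": "2026-03-02T09:14:05", "user": "jdoe", "role": "claims_examiner", "action": "view_claim", "member_id": "M1001", "records": 1}',
    '{"ts": "2026-03-02T09:15:40", "user": "jdoe", "role": "claims_examiner", "action": "update_claim", "member_id": "M1001", "records": 1}',
    '{"ts": "2026-03-02T23:41:12", "user": "jdoe", "role": "claims_examiner", "action": "view_claim", "member_id": "M2044", "records": 1}',
    '{"ts": "2026-03-02T10:02:00", "user": "asmith", "role": "analyst", "action": "export_report", "member_id": null, "records": 12000}',
    '{"ts": "2026-03-02T11:30:00", "user": "dbadmin", "role": "dba", "action": "view_claim", "member_id": "M3099", "records": 1}',
    '{"ts": "2026-03-02T11:31:00", "user": "rlee", "role": "member_services", "action": "update_claim", "member_id": "M1001", "records": 1}',
    '{"ts": "2026-03-02T12:00:00", "user": "mgarcia", "role": "claims_examiner"',
])
# Constructed high-volume pattern: one member-services user viewing 250 distinct
# enrollment records in a few minutes, each action individually permitted.
SAMPLE_LOG += "\n" + "\n".join(
    json.dumps({"ts": f"2026-03-02T10:{i // 60:02d}:{i % 60:02d}", "user": "tkim",
                "role": "member_services", "action": "view_enrollment",
                "member_id": f"M{5000 + i}", "records": 1})
    for i in range(250)
)


def parse_events(text):
    """Parse JSON-lines audit records. Returns (events, rejected_count); a line that
    is not valid JSON, lacks a required field, or has a bad timestamp is rejected."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            for key in ("user", "role", "action"):
                ev[key]  # KeyError if the record is missing a required field
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError):
            rejected += 1
    return events, rejected


def _finding(rule, ev, detail):
    return {"rule": rule, "user": ev["user"], "ts": ev["ts"].isoformat(), "detail": detail}


def review(events):
    """Apply the review rules and return a list of findings for the Security Official."""
    findings = []
    members_seen = defaultdict(set)  # (user, date) -> distinct member IDs touched
    for ev in events:
        allowed = ROLE_PERMISSIONS.get(ev["role"], set())
        if ev["action"] not in allowed:
            findings.append(_finding("role_violation", ev, f"{ev['role']} may not {ev['action']}"))
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(_finding("after_hours", ev, ev["ts"].strftime("%H:%M")))
        if ev["action"] == "export_report" and (ev.get("records") or 0) >= BULK_EXPORT_THRESHOLD:
            findings.append(_finding("bulk_export", ev, f"{ev['records']} records exported"))
        if ev.get("member_id"):
            members_seen[(ev["user"], ev["ts"].date())].add(ev["member_id"])
    for (user, day), members in members_seen.items():
        if len(members) >= DAILY_VIEW_THRESHOLD:
            findings.append({"rule": "high_volume", "user": user, "ts": day.isoformat(),
                             "detail": f"{len(members)} distinct members in one day"})
    return findings


def summarize(findings):
    """Count findings per rule, the figure a plan would trend month over month."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events, rejected = parse_events(SAMPLE_LOG)
    findings = review(events)
    print(f"{len(events)} events parsed, {rejected} rejected")
    for f in findings:
        print(f"{f['rule']:15} {f['user']:10} {f['ts']}  {f['detail']}")
    print(summarize(findings))
```

On the constructed input the review produces five findings: two role violations (a DBA reading a claim and a member-services user editing one), one after-hours access, one bulk export, and one high-volume pattern that no single event would have flagged. The rejected-line count matters as much as the findings: an audit trail that silently loses records is not evidence of anything, so treat a non-zero rejection count as its own incident to investigate.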

Breach Notification Procedures

A breach is an impermissible use or disclosure of unsecured PHI, which is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. “Unsecured” means not encrypted or destroyed in accordance with HHS guidance; properly encrypted ePHI whose key was not compromised does not trigger notification. Three narrow exceptions also fall outside the definition: unintentional good-faith access by a workforce member acting within their authority, inadvertent disclosure between persons authorized to access PHI at the same entity, and a good-faith belief that the recipient could not have retained the information. The assessment weighs at least four factors: (1) the nature and extent of the PHI, including the identifiers involved and the likelihood of re-identification; (2) the unauthorized person who used or received it; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated (for example, prompt recovery of the data or written confidentiality assurances).

The clock starts on discovery: the first day the breach is known to the plan, or would have been known had it exercised reasonable diligence, including knowledge held by a workforce member or agent. Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; 60 days is an outer limit, not a target. A breach affecting 500 or more individuals must also be reported to HHS at the time individual notices go out, and if more than 500 residents of a single state or jurisdiction are affected, prominent media serving that area must be notified within the same 60 days. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the plan without unreasonable delay and no later than 60 days after their own discovery; a BAA can and usually should impose a shorter deadline, but can never extend it.

Checklist

  • Maintain an incident-to-breach decision tree and the four-factor assessment template.
  • Preserve evidence, contain the incident, and document mitigation efforts.
  • Prepare individual notices with required content and delivery methods; track deadlines.
  • Record all determinations and submit HHS reports as required; retain for at least six years.

Business Associate Agreements

Execute BAAs with TPAs, PBMs, brokers, consultants, cloud providers, and other vendors that create, receive, maintain, or transmit PHI for the plan. BAAs operationalize business associate contract standards and flow down protections to subcontractors handling PHI.

At minimum, BAAs must define permitted uses/disclosures; require safeguards for PHI including ePHI; mandate breach and security incident reporting; bind subcontractors; support access, amendment, and accounting; make records available to HHS; require return/destruction of PHI at termination; and allow termination for material breach. Consider enhanced provisions: encryption requirements, right to audit, cyber insurance, specific incident-report timing, and data localization.

Checklist

  • Inventory all vendors touching PHI and ensure executed BAAs before sharing PHI.
  • Standardize business associate contract standards and apply them consistently.
  • Build vendor due diligence and ongoing oversight into procurement and renewal cycles.
  • Verify subcontractor “flow-down” and monitor high-risk vendors at least annually.

Risk Assessment Practices

Distinguish two processes: the Security Rule risk analysis for ePHI environments and the breach risk assessment used after an incident. The former is proactive and enterprise-wide; the latter is event-specific and determines notification obligations.

Adopt a defensible risk analysis methodology: define scope (systems, vendors, data flows), inventory assets, identify threats and vulnerabilities, evaluate likelihood and impact, rate inherent risk, map existing controls, determine residual risk, and prioritize remediation. Document decisions, owners, timelines, and funding paths in a risk management plan.

Repeat the security risk analysis regularly—commonly annually—and whenever material changes occur (new systems, vendors, or processes), after incidents, and when regulations or business models shift. Measure progress with metrics such as control maturity, issue aging, and test results.

Checklist

  • Maintain a current ePHI system and data-flow inventory, including vendor touchpoints.
  • Use a consistent risk analysis methodology with qualitative or quantitative scoring.
  • Track remediation to closure; escalate overdue high-risk items.
  • Integrate results into the plan’s budget, training, audits, and policy updates.

Conclusion

This practical compliance checklist aligns health plan HIPAA requirements with day-to-day operations. By clarifying applicability, governing PHI lifecycle, hardening privacy and security safeguards, preparing breach response, strengthening BAAs, and institutionalizing risk assessments, you create a resilient, auditable program that protects members and the plan alike.

FAQs

What defines a health plan as a covered entity under HIPAA?

A health plan is a covered entity if it provides or pays the cost of medical care, such as group health plans (including self-funded), insurers, HMOs, and government programs. Excepted benefits such as accident-only or disability income policies are not health plans; limited-scope dental and vision plans, by contrast, are. Employers are not covered entities in their employer role, but their group health plans are.

How must health plans protect electronic PHI?

Health plans must implement administrative, physical, and technical safeguards tailored to risk, including access controls, audit logging, encryption, workforce training, vendor management, contingency planning, and ongoing evaluation. These measures provide layered electronic PHI protection across systems and vendors.

What are the timeframes for breach notification?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, also notify HHS when the individual notices go out; if more than 500 residents of one state or jurisdiction are affected, notify prominent media in that area within the same 60 days. For fewer than 500 individuals, log the breach and report it to HHS within 60 days after the end of the calendar year. Business associates must notify the plan without unreasonable delay and within the BAA’s deadline, which may be shorter than but never longer than 60 days after discovery.

How often should health plans conduct risk assessments?

HIPAA requires regular, ongoing risk analysis and management. Best practice is at least annually and whenever significant changes occur—such as new systems, vendors, integrations, or after security incidents—with documentation of scope, results, and remediation plans.
