Health Plan vs. Employer HIPAA Policies: What Must Be Separate?
HIPAA Coverage of Health Plans
Under the HIPAA Privacy Rule, a group health plan is a covered entity. That includes both fully insured and self-insured plans. By contrast, the employer acting as plan sponsor is not a covered entity for its ordinary HR or employment records.
Protected Health Information (PHI) is individually identifiable health data a health plan creates, receives, maintains, or transmits for benefits, payment, or operations. When PHI is electronic (ePHI), the Security Rule applies, requiring appropriate safeguards.
Vendors that handle PHI for the plan—such as third‑party administrators, brokers, or benefits technology platforms—are business associates and must commit contractually to HIPAA compliance. The employer is not its own plan’s business associate; however, when it performs plan Administrative Functions, it must operate under the plan’s HIPAA rules.
Employer's Role in Health Plans
As plan sponsor, an employer may perform defined Administrative Functions—eligibility, enrollment, premium billing, COBRA administration, and claims appeals. Access to PHI for these tasks must be limited, documented in the plan documents, and supported by Role-Based Access.
Employment decisions (hiring, firing, performance, accommodations) are outside the plan’s scope. PHI received through the health plan may not be used for employment-related purposes, marketing, or other non-plan business.
Designate a small, need-to-know workforce to support plan administration. Train those personnel on the Privacy Rule, minimum necessary, and incident reporting, and keep their plan duties distinct from general HR responsibilities.
Separation of Health Plan and Employer
To prevent impermissible use of PHI, you must keep the health plan functionally separate from broader employer operations in specific, demonstrable ways.
- Separate written HIPAA policies and procedures for the health plan (Privacy Rule, Security Rule, and Breach Notification), distinct from company HR policies.
- Segregated records and systems: store plan PHI apart from personnel files; restrict shared drives; use dedicated mailboxes or repositories with Role-Based Access and least privilege.
- Defined “firewall” in plan documents that limits PHI disclosures to the plan sponsor solely for Administrative Functions and prohibits use for employment purposes.
- Identified plan workforce: name who may access PHI, document why, require training, and apply a sanction policy for violations.
- Plan-specific incident response and breach handling, separate from broader enterprise processes to preserve the plan’s compliance record.
Sharing of Protected Health Information
PHI sharing is tightly bounded by HIPAA and the plan’s policies. Apply minimum necessary and Role-Based Access to every disclosure.
- Payment and health care operations by the health plan are permitted without individual authorization.
- Disclosures to the plan sponsor are allowed only for Administrative Functions and only after the plan documents are amended and the sponsor certifies it will safeguard PHI.
- Enrollment/disenrollment information may flow to the employer to manage eligibility.
- Summary health information may be provided for obtaining premium bids or modifying benefits, and de-identified information can be used outside HIPAA’s scope.
- Authorizations are required for uses or disclosures beyond these purposes and must be voluntary, written, and revocable.
- PHI may not be used for employment actions, marketing to employees unrelated to the plan, or other non-plan business.
Compliance Requirements for Employers
- Assign a Privacy Officer and Security Officer for the health plan and maintain plan-specific HIPAA policies, procedures, and forms.
- Conduct and document a risk analysis of ePHI; implement administrative, technical, and physical safeguards such as access controls, encryption, multifactor authentication, auditing, and secure disposal.
- Execute business associate agreements with TPAs, brokers, consultants, and any vendor that creates, receives, maintains, or transmits PHI for the plan.
- Notice of Privacy Practices: ensure participants receive a clear plan NPP and understand how to exercise individual rights (access, amendment, accounting, and restrictions).
- Implement breach response: prompt reporting, risk assessment, mitigation, required notifications, and post-incident improvements.
- Maintain documentation (including training, complaints, sanctions, BAAs, risk analyses, and NPP versions) for required retention periods.
Impact of Fully Insured vs. Self-Insured Plans
Fully Insured Group Health Plan
In a fully insured arrangement, the insurer carries most day-to-day HIPAA operations. If the group health plan does not create or receive PHI beyond enrollment information and summary health information, its operational Privacy Rule duties are narrower. The employer must still maintain plan document “firewalls,” limit access to PHI to Administrative Functions, and ensure safeguards. Security Rule obligations attach only if the plan maintains ePHI.
Self-Insured Health Plan
A Self-Insured Health Plan typically creates and receives detailed claims and eligibility data. The plan must implement full Privacy, Security, and Breach Notification compliance: comprehensive policies, risk analysis and management, vendor oversight via BAAs, workforce training, Role-Based Access, and continuous monitoring of safeguards.
Documentation and Training
- Maintain a plan-specific HIPAA manual: policies, procedures, forms, and a matrix of permissible uses/disclosures tied to Administrative Functions.
- Embed plan language limiting PHI disclosures and documenting the plan sponsor’s certification obligations.
- Operate a structured access program: Role-Based Access definitions, least-privilege provisioning, periodic access reviews, and rapid offboarding.
- Keep security artifacts current: risk analysis, remediation plans, encryption standards, device/media controls, and incident playbooks.
- Track disclosure accountings, complaints, sanctions, and training attendance; retain records for audit readiness.
- Deliver focused onboarding and annual refreshers for plan workforce, plus just-in-time training after policy or system changes.
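The permissible-use matrix and the structured access program described above, expressed as a policy check that enforces the plan-sponsor "firewall" and minimum necessary on each request. This is an added example, not code from the article or from Accountable; the role names, purposes, field sets and audit store are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added example: purpose-bound PHI access check for the plan sponsor "firewall".
# Roles, purposes and field sets are constructed; take real ones from the plan documents.
POLICY = {
    "benefits_admin": {
        "enrollment": {"member_id", "name", "coverage_tier", "effective_date"},
        "premium_billing": {"member_id", "coverage_tier", "premium_amount"},
        "cobra": {"member_id", "name", "qualifying_event", "coverage_end"},
    },
    "appeals_reviewer": {
        "claims_appeal": {"member_id", "claim_id", "diagnosis_code", "denial_reason"},
    },
}
# Employment and marketing uses are never an Administrative Function, whatever the role.
PROHIBITED_PURPOSES = {"hiring", "termination", "performance_review", "marketing"}

AUDIT_LOG = []  # in-memory stand-in for a tamper-evident audit store


@dataclass
class Decision:
    allowed: bool
    reason: str
    record: dict = field(default_factory=dict)  # minimum-necessary subset only


def request_phi(user: str, role: str, purpose: str, record: dict) -> Decision:
    """Decide one PHI request; on allow, return only the fields the matrix permits."""
    if purpose in PROHIBITED_PURPOSES:
        decision = Decision(False, f"purpose '{purpose}' is an employment/marketing use")
    elif purpose not in POLICY.get(role, {}):
        decision = Decision(False, f"role '{role}' has no Administrative Function '{purpose}'")
    else:
        permitted = POLICY[role][purpose]
        decision = Decision(True, "permitted",
                            {k: v for k, v in record.items() if k in permitted})
    # Every decision, denied or not, is logged so disclosures can be accounted for.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "role": role, "purpose": purpose, "allowed": decision.allowed,
                      "fields": sorted(decision.record), "reason": decision.reason})
    return decision
```

Denials are logged alongside grants so that attempted employment-purpose access by plan workforce surfaces in periodic access reviews.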
Bottom line: treat the health plan as a covered entity with its own HIPAA compliance program. Keep PHI, policies, systems, and personnel for the plan distinct from general employer operations, and enforce safeguards that reflect minimum necessary and Role-Based Access.
FAQs
Does a covered entity health plan need separate HIPAA policies from its employer?
Yes. The group health plan is a covered entity, so it must have its own HIPAA Privacy, Security, and Breach Notification policies and records. Employer HR policies do not satisfy these obligations. Keep plan policies, systems, workforce training, and incident response separate from general employer practices.
How should employers handle PHI received from health plans under HIPAA?
Limit PHI to defined Administrative Functions, document the plan sponsor certification in plan documents, and segregate PHI from personnel files. Apply minimum necessary, Role-Based Access, encryption, and logging; prohibit use for employment purposes; and return or destroy PHI when no longer needed for plan administration.
What HIPAA safeguards must employers implement when accessing health plan information?
Implement administrative safeguards (policies, training, sanctions, risk analysis), technical safeguards (unique IDs, MFA, encryption, access controls, audit logs), and physical safeguards (secure storage, clean desk, device/media disposal). Monitor vendors via BAAs and maintain a plan-specific breach response process.