HIPAA Checklist: Do Group Health Plans Need Their Own Policies?
Yes. Under the HIPAA Privacy Rule, a group health plan is a covered entity in its own right and must maintain its own policies and procedures. While the employer sponsors the plan, the plan’s compliance obligations stand on their own, especially where Protected Health Information (PHI) is created, received, maintained, or transmitted.
This article walks you through Group Health Plan Compliance essentials—when HIPAA applies, what the employer must do, how to structure policies, when a Business Associate Agreement is needed, key exemptions for fully insured plans, notable rule updates, and practical PHI Safeguards.
HIPAA Applicability to Group Health Plans
Covered Entity Definition
HIPAA defines “health plan” broadly. A group health plan that provides or pays for medical care—self‑insured or fully insured—is a covered entity. This includes major medical plans and, when they provide medical care, dental, vision, health FSAs, and HRAs. The plan, not the employer, carries the direct compliance duty, which is why your plan needs its own policies.
The Plan Versus the Employer
As the plan sponsor, your company is separate from the plan for HIPAA purposes. Employment records are not PHI, but PHI held for plan administration is. To access PHI for plan administration, you must update plan documents, limit access to a need‑to‑know “firewall” group, and use PHI only for plan purposes—not employment decisions.
Employer Responsibilities Under HIPAA
Core Privacy Rule Duties
- Designate a privacy official and a contact person to handle complaints and requests.
- Issue and maintain a Notice of Privacy Practices (NPP) for the group health plan when required.
- Adopt “minimum necessary” standards, use/disclosure rules, and mitigation and sanction procedures.
- Provide workforce training for staff who handle PHI and document completion.
Security Rule and ePHI
If your plan creates, receives, maintains, or transmits electronic PHI (ePHI)—common for self‑insured plans—you must conduct a risk analysis and implement administrative, physical, and technical safeguards (access controls, encryption, audit logs, and contingency plans).
Plan Sponsor Access and Firewalls
Amend plan documents to describe permitted plan‑administration uses and to require PHI safeguards. Identify who within your organization may access PHI for plan functions, keep PHI separate from HR employment files, and document role‑based access standards.
HIPAA Policies and Procedures for Group Health Plans
What Your Plan’s Policies Must Cover
- Uses and disclosures of PHI for treatment, payment, and health care operations, plus authorizations and minimum necessary.
- Individual rights: access, amendment, accounting of disclosures, restrictions, and confidential communications.
- NPP creation, distribution (as applicable), and version control.
- Breach notification processes, including risk assessment and timeliness standards.
- Security safeguards for ePHI and acceptable use (email, portals, mobile devices, and vendors).
- Complaints, sanctions, mitigation, and non‑retaliation commitments.
- Document retention for at least six years and routine policy reviews.
Together, these policies operationalize PHI Safeguards and create an auditable record of Group Health Plan Compliance.
Business Associate Agreements and Group Health Plans
When a Business Associate Agreement Is Required
Your plan must have a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits PHI on the plan’s behalf—think TPAs, PBMs, COBRA administrators, nurse lines, analytics firms, wellness vendors handling PHI, and cloud or document‑storage providers. Brokers and consultants are business associates when they handle PHI for the plan.
Key BAA Terms to Include
- Permitted uses/disclosures and prohibition on non‑permitted uses, including marketing.
- Safeguards for PHI and ePHI, subcontractor flow‑downs, and breach reporting timelines.
- Access, amendment, and accounting support; return or destruction of PHI at termination.
- Audit/inspection rights and termination for material breach.
Note: The insurer of a fully insured plan is not your business associate for the insured benefits; it is a separate covered entity. The employer as plan sponsor is not a business associate either, but it must meet the plan‑document and firewall requirements before receiving PHI.
Exemptions for Fully Insured Plans
A fully insured group health plan that does not create or receive PHI other than enrollment/disenrollment information and Summary Health Information has reduced administrative duties. In practice, the insurer issues the NPP and handles most HIPAA functions.
However, once the plan (or employer as plan sponsor) receives PHI for plan administration—such as claims appeals—you must implement full privacy and Security Rule obligations appropriate to that PHI, update plan documents, and apply the same safeguards as a self‑insured plan.
Recent HIPAA Privacy Rule Updates
Recent rulemaking and guidance have focused on sensitive‑information protections, law‑enforcement disclosures, and transparency. In particular, updates have strengthened privacy around reproductive health information, aligned certain federal substance‑use‑disorder confidentiality rules with HIPAA processes, and clarified expectations for online tracking technologies on HIPAA‑regulated websites and patient portals.
Action items for your plan: review and update your NPP language, refine verification and law‑enforcement response procedures, confirm website and vendor tracking practices, and refresh Business Associate Agreement templates. Document effective and compliance dates in your policy matrix and schedule workforce training accordingly.
Protecting PHI in Group Health Plans
Practical Safeguards You Can Implement Now
- Perform a documented risk analysis covering all systems and vendors that touch PHI or ePHI.
- Limit PHI access to a small plan‑administration team; keep PHI out of general HR files.
- Encrypt data at rest and in transit; require secure portals for member communications.
- Establish incident‑response playbooks, including breach risk assessment and notification steps.
- Adopt data‑minimization and retention standards; purge PHI you no longer need.
- Test vendor controls annually and tie obligations to your Business Associate Agreements.
Conclusion
Group health plans are covered entities and need their own HIPAA policies to lawfully handle PHI. By understanding the covered entity definition, tightening plan‑sponsor access, executing strong Business Associate Agreements, relying on the fully insured exemptions where they apply, monitoring Privacy Rule updates, and embedding PHI safeguards, you can keep your plan compliant and resilient.
FAQs
Do all group health plans qualify as covered entities under HIPAA?
Yes. If a plan provides or pays for medical care, it is a covered entity, whether self‑insured or fully insured. The plan’s compliance obligations arise from that status, even though the plan is sponsored by an employer.
Does an employer need separate HIPAA policies for their health plan?
Yes. The group health plan needs its own HIPAA policies and procedures. Employer HR or IT policies are not a substitute; plan‑specific rules must govern how PHI is used, disclosed, safeguarded, and administered.
When are business associate agreements required for group health plans?
Whenever a vendor creates, receives, maintains, or transmits PHI on the plan’s behalf—such as TPAs, PBMs, wellness vendors handling PHI, and hosting providers—you must have a Business Associate Agreement with that vendor before PHI is shared.
Are fully insured plans exempt from HIPAA requirements?
No. Fully insured plans remain covered entities, but if they do not create or receive PHI beyond enrollment/disenrollment information and Summary Health Information, many administrative duties shift to the insurer. If the plan or plan sponsor receives PHI for administration, fuller HIPAA obligations apply.