HIPAA Coverage for Insurers: Health Plans, Business Associates, and Exceptions
HIPAA Coverage for Health Plans
What qualifies as a health plan
If you operate or administer health benefits, HIPAA likely treats you as a Covered Entity. The HIPAA Privacy Rule and Security Rule apply to most arrangements that pay for medical care and touch Protected Health Information (PHI).
- Health Insurance Issuers and HMOs offering individual or group medical coverage.
- Government programs that pay for health care, such as Medicare Advantage and Medicaid managed care.
- Employer-sponsored Group Health Plans, whether fully insured or self-funded (subject to limited exceptions covered below).
- Prescription drug plans, dental and vision plans (including limited-scope dental and vision coverage, which HIPAA does not carve out even though it is an "excepted benefit" for other purposes), and other medical reimbursement arrangements.
Core obligations for health plans
- Use and disclose PHI only as permitted by the HIPAA Privacy Rule, apply the minimum necessary standard, and issue a Notice of Privacy Practices.
- Honor member rights (access, amendments, restrictions, confidential communications, and accounting of disclosures).
- Implement administrative, physical, and technical safeguards for ePHI under the Security Rule.
- Execute a Business Associate Agreement before sharing PHI with vendors that perform functions on your behalf.
- Assess incidents and provide breach notifications when required.
HIPAA Coverage for Business Associates
Vendors that create, receive, maintain, or transmit PHI for a Covered Entity are Business Associates. An insurer may be both a Covered Entity for its own health plan products and a Business Associate when it performs services for another Covered Entity.
Common insurer Business Associate roles
- Third-party administrator (TPA) services for a self-funded Group Health Plan.
- Claims processing, appeals, utilization review, case management, and care coordination.
- Data aggregation, analytics, and quality measurement involving PHI.
- Cloud hosting, archival storage, and customer support that maintains ePHI.
- Subcontractor services supporting any of the above functions.
Obligations that attach to Business Associates
- Comply directly with the Security Rule for ePHI and with the Privacy Rule provisions that apply to Business Associates (for example, permitted uses and disclosures and the minimum necessary standard), plus any further Privacy Rule duties incorporated by contract.
- Use and disclose PHI only as permitted by the Business Associate Agreement and applicable law.
- Flow down the same PHI safeguards to subcontractors.
- Report breaches of unsecured PHI and security incidents to the Covered Entity as the Business Associate Agreement requires.
- Return or securely destroy PHI at contract end where feasible.
Exceptions to HIPAA Coverage
HIPAA excludes certain plans and insurance arrangements from “health plan” status, and therefore from coverage. Understanding these carve-outs helps you avoid over- or under-applying HIPAA controls.
- Group Health Plans with fewer than 50 participants that are administered solely by the employer that established and maintains them are not HIPAA “health plans.”
- Policies that provide only excepted benefits (for example, accident-only, disability income, workers’ compensation, automobile medical payment, or general liability coverage).
- Credit-only insurance and coverage solely for on-site medical clinics.
- Life insurance and other non-health product lines; those business units are not Covered Entities.
- Stop-loss insurance for an employer’s self-funded plan (not itself a health plan). If the stop-loss carrier accesses PHI to administer functions for the plan, it may become a Business Associate.
Business Associate Agreements
A Business Associate Agreement (BAA) is the contract that authorizes a vendor to handle PHI and binds it to HIPAA. You must have a BAA in place before disclosing PHI for outsourced functions.
Essential elements to include
- Permitted and required PHI uses and disclosures; prohibition on unauthorized uses.
- Security Rule safeguards for ePHI and a requirement to mitigate and report incidents.
- Subcontractor flow-down: any subcontractor with PHI must agree to the same restrictions.
- Individual rights support: access, amendments, and accounting of disclosures when tasks are delegated.
- Minimum necessary standard, breach notification timelines, and cooperation duties.
- Return or destruction of PHI at termination and ongoing restrictions if destruction is infeasible.
Employer-Sponsored Health Plans
With employer benefits, the Group Health Plan—not the employer—is the Covered Entity. The employer acts as the plan sponsor and can receive PHI only for plan administration if strict conditions are met.
Plan sponsor access to PHI
- Amend plan documents to permit plan administration uses and establish a firewall identifying which workforce members may access PHI.
- Use PHI only for plan purposes; avoid employment-related uses (such as hiring or firing decisions).
- Limit routine employer access to enrollment/disenrollment information and de-identified or summary health information when feasible.
Fully insured vs. self-funded differences
- Fully insured plans that do not create or receive PHI (other than enrollment/disenrollment or summary health information) have streamlined HIPAA duties; the Health Insurance Issuer handles most operational obligations.
- Self-funded plans generally shoulder the full suite of Privacy Rule and Security Rule responsibilities and must manage BAAs with TPAs and other vendors.
Exemptions from Business Associate Agreements
Not every disclosure of PHI requires a BAA. You can disclose PHI without a BAA in these common situations:
- Disclosures to another Covered Entity for treatment, payment, or certain health care operations activities permitted by the Privacy Rule.
- Disclosures to individuals about themselves and to the Department of Health and Human Services for compliance reviews.
- Disclosures of enrollment and disenrollment information to a plan sponsor and disclosure of summary health information for obtaining bids or amending the plan.
- Use of “mere conduits” that transmit PHI without persistent storage or routine access (for example, postal services or basic telecom), noting this is a narrow exception.
- Sharing de-identified data that meets HIPAA’s de-identification standards.
Covered Entity and Business Associate Relationship
Insurers often wear multiple hats. As a Health Insurance Issuer selling medical policies, you are a Covered Entity and must comply with the full Privacy Rule and Security Rule. When your organization administers a self-funded Group Health Plan or performs outsourced functions for a provider or plan, you act as a Business Associate for those services and need a Business Associate Agreement.
Keep roles separate. PHI obtained as a Business Associate cannot be repurposed for your own underwriting or marketing unless expressly allowed. Likewise, PHI from your Covered Entity operations cannot be used to benefit unrelated business lines such as life or disability insurance without proper authorization.
In short, determine your role for each activity, apply the right rule set, and document it. If you are paying for care as a plan, you are a Covered Entity; if you are performing services for another Covered Entity, you are a Business Associate; and if an arrangement falls into a HIPAA exception, HIPAA may not apply—though other laws and contractual duties might.
FAQs
Is an insurance company considered a covered entity under HIPAA?
Yes. A health insurer (Health Insurance Issuer) or HMO that provides medical coverage is a Covered Entity under HIPAA as a “health plan.” The same corporate family may have non-health lines (for example, life or disability) that are not Covered Entities.
What types of health plans are exempt from HIPAA coverage?
Group Health Plans with fewer than 50 participants that are administered solely by the sponsoring employer are not HIPAA health plans. In addition, arrangements that provide only excepted benefits—such as accident-only, disability income, workers’ compensation, liability and auto medical payment coverage, credit-only insurance, or coverage solely for on-site clinics—are excluded.
When does a health insurer become a business associate under HIPAA?
When the insurer performs services for a Covered Entity and handles PHI on its behalf—such as acting as a TPA for a self-funded Group Health Plan, processing claims, or providing utilization review—it is a Business Associate and must sign a Business Associate Agreement and comply with the Security Rule.
Are employers considered covered entities under HIPAA for their health plans?
No. The employer is not the Covered Entity; the Group Health Plan is. Employers may receive limited PHI for plan administration if the plan documents are amended and privacy safeguards are in place, but employment decisions must be segregated from plan PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.