Is Your Company a HIPAA Covered Entity? Guide for Employer Compliance

Kevin Henry

HIPAA

January 22, 2025

7 minutes read

Overview of HIPAA Covered Entities

What HIPAA Covers

HIPAA’s Administrative Simplification rules establish national standards for privacy, security, and standardized transactions involving protected health information (PHI). Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions.

Where Employers Fit

Most employers are not covered entities. However, an employer-sponsored group health plan is a covered entity, even though the employer itself is not. If your company operates or contracts for health-related services—such as a self-insured medical plan, a health FSA, an on-site clinic, or an EAP that sends standard electronic transactions—the parts performing those functions are subject to HIPAA.

Key Takeaway

Ask: Do we operate a health plan or provider function that handles PHI? If yes, HIPAA applies to that component, and you must implement Privacy Rule compliance and related safeguards.

Employer Group Health Plan Implications

Fully Insured vs. Self-Insured Plans

In a fully insured arrangement, the insurance carrier is the covered entity primarily responsible for HIPAA obligations. The plan sponsor’s HIPAA exposure is limited if it does not receive PHI beyond enrollment/disenrollment and summary health information. In a self-insured arrangement, the employer’s group health plan is the covered entity and must maintain policies, notices, and vendor oversight directly.

Permissible Employer Access

Without additional steps, a plan sponsor may receive only enrollment/disenrollment data and de-identified or summary health information to obtain bids or modify benefits. To receive PHI for plan administration—such as claims appeals or stop-loss support—the plan documents must be amended and the sponsor must provide required certifications and safeguards.

Required Documentation

A self-insured group health plan must maintain a Notice of Privacy Practices, designate a privacy official, and implement administrative, physical, and technical safeguards. It must also manage vendor relationships through a business associate agreement when vendors handle PHI on the plan’s behalf.

Self-Administered Plan Exemptions

Who Qualifies

The self-administered plan exemption generally applies to a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan. When this narrow test is met, the plan itself is not treated as a covered entity for HIPAA purposes.

Common Pitfalls That Remove the Exemption

  • Using a third-party administrator or claims platform to process benefits.
  • Allowing the plan sponsor to receive PHI beyond enrollment/disenrollment or permitted summary information.
  • Exceeding the participant threshold or expanding plan features over time without reassessing HIPAA status.

If the exemption no longer applies, treat the group health plan as a covered entity and implement full Privacy Rule compliance immediately.

Business Associate Roles

Which Vendors Are Business Associates

Vendors that create, receive, maintain, or transmit PHI for your plan—such as TPAs, PBMs, wellness vendors, nurse lines, COBRA administrators, and data analytics firms—are business associates. Brokers and consultants may also be business associates when their services involve PHI.

Business Associate Agreement Essentials

A business associate agreement should define permitted uses and disclosures of PHI, require safeguards and breach reporting, flow down obligations to subcontractors, support individual rights (access, amendment, accounting), and mandate return or destruction of PHI when services end. The plan must monitor material performance and address noncompliance.

Plan Sponsor vs. Business Associate

The plan sponsor is not automatically a business associate of its own group health plan. Instead, the plan must amend its governing documents and certify restrictions before disclosing PHI to the sponsor for plan administration. When the sponsor provides services to the plan through a separate corporate affiliate, that affiliate may need a business associate agreement.

Employer Privacy Rule Responsibilities

Core Privacy Rule Compliance Tasks

  • Adopt written policies and procedures governing PHI use, disclosure, and minimum necessary.
  • Designate a privacy official and a contact for complaints; maintain a sanctions policy.
  • Issue and maintain a Notice of Privacy Practices (typically required for self-insured plans).
  • Maintain records for access, amendment, and accounting of disclosures.
  • Implement retention practices for privacy records and participant requests.

Security and Breach Obligations

While the Privacy Rule governs PHI uses and disclosures, the Security Rule requires administrative, physical, and technical safeguards for electronic PHI. If a breach occurs, perform a risk assessment and provide required notifications without unreasonable delay and no later than 60 days after discovery, consistent with breach notification rules.

Workforce Segregation and Employment Records

Keep employment records separate from plan PHI. Restrict PHI access to workforce members performing plan administration duties and erect firewalls to prevent use of PHI for employment decisions. Train staff with PHI access and document all training.

Hybrid Entity Designation

When to Designate

A hybrid entity designation is appropriate when a single legal entity performs both covered and non-covered functions, such as a company that operates an on-site clinic that engages in HIPAA transactions while also running non-health business operations. The designation limits HIPAA obligations to defined health care components.

How to Structure Covered Components

  • Formally document the hybrid entity designation and identify each health care component.
  • Isolate PHI within the component and limit workforce access to those who need it.
  • Establish policies for disclosures across the boundary and for shared services.
  • Periodically review the designation as operations evolve.

Practical Examples

Common covered components include a self-insured group health plan, a health FSA, and an on-site clinic or EAP that transmits standard electronic transactions. Non-covered business units remain outside the designation and should not receive PHI unless a permitted disclosure applies.

Compliance and Enforcement

OCR Enforcement and Penalty Tiers

The HHS Office for Civil Rights enforces the Privacy, Security, and Breach Notification Rules. Civil penalties follow a four-tier structure based on culpability—from lack of knowledge to willful neglect not corrected—with per-violation amounts and annual caps adjusted for inflation. Resolution agreements often include multi-year corrective action plans.

State and Criminal Enforcement

State attorneys general may bring actions for HIPAA violations affecting residents. The Department of Justice can pursue criminal cases for knowingly obtaining or disclosing PHI without authorization, including for personal gain or malicious harm. Contractual and reputational consequences often exceed fines.

Audit-Readiness Checklist

  • Current Notice of Privacy Practices and plan document amendments in place.
  • Completed risk analysis and documented safeguards for electronic PHI.
  • Active business associate agreement inventory and oversight process.
  • Training records, sanctions, and complaint logs maintained.
  • Tested breach response plan and incident documentation procedures.

Conclusion

If your company sponsors a group health plan or runs health-related services, treat those components as covered. Confirm whether a self-administered plan exemption applies, formalize any hybrid entity designation, and execute strong vendor agreements. Clear policies, targeted training, and disciplined oversight are the backbone of sustainable HIPAA compliance.

FAQs

Is an employer considered a covered entity under HIPAA?

Generally, no. The employer is not a covered entity merely by employing people. However, the employer-sponsored group health plan is a covered entity, and any health care components your company operates (for example, an on-site clinic that transmits standard electronic transactions) must comply with HIPAA.

What are the HIPAA requirements for employer group health plans?

At a minimum, adopt privacy policies, designate a privacy official, issue a Notice of Privacy Practices (for self-insured plans), train staff with PHI access, and implement safeguards for electronic PHI. Limit employer access to enrollment/disenrollment and permitted summary data unless plan documents are amended for plan administration. Use business associate agreements for vendors handling PHI.

How do hybrid entities affect employer HIPAA obligations?

With a hybrid entity designation, HIPAA obligations attach to identified health care components—such as the group health plan, health FSA, or on-site clinic—while non-health business units remain outside the scope. You must document the designation, segregate PHI, and control disclosures across the boundary.

What penalties can employers face for HIPAA non-compliance?

Penalties include tiered civil monetary fines per violation with annual caps, corrective action plans, and potential state actions. Serious, intentional misconduct may trigger criminal liability. Beyond enforcement exposure, breaches can lead to contractual damages, remediation costs, and significant reputational harm.
