Separate HIPAA Policies for Health Plans: Compliance Guide and Examples

Kevin Henry

HIPAA

January 10, 2025

If you administer a health plan, you need HIPAA policies written specifically for the plan, fitting how it actually handles Protected Health Information (PHI) and electronic Protected Health Information (ePHI), rather than policies borrowed from a provider or from the employer's HR function. This guide explains what to include, how to operationalize the requirements, and gives practical examples you can adapt.

You’ll learn how to draft a plan-specific privacy policy, implement administrative safeguards, physical safeguards, and technical safeguards, respond under the HIPAA Breach Notification Rule, manage Business Associate Agreements (BAAs), and verify compliance with a concise checklist.

Privacy Policy for Health Plans

Scope and purpose

A health plan is a covered entity under HIPAA, with obligations distinct from those of providers and from the employer that sponsors the plan (the plan sponsor is not itself a covered entity). Your privacy policy should reflect plan-specific functions (claims, eligibility, utilization review) and clearly separate them from employer HR activities. Define PHI and ePHI, the plan's workforce, plan sponsor roles, and when de-identification (by the safe harbor or expert determination method) takes data outside HIPAA.

Core policy elements

  • Permitted uses and disclosures for treatment, payment, and health care operations, plus other permitted disclosures (required by law, public health activities, health oversight, judicial and administrative proceedings).
  • Minimum necessary standard and role-based access for the plan workforce and vendors.
  • Individual rights: access, amendment, accounting of disclosures, request for restrictions, and confidential communications.
  • Authorizations: when required (e.g., most marketing, sale of PHI) and how you obtain, document, and honor revocations.
  • Plan sponsor provisions: what the sponsor may receive (enrollment data, summary health information, or PHI only after the plan documents are amended and the sponsor certifies to the required restrictions), the workforce "firewall" between plan administration and HR, and the prohibition on using PHI for employment-related actions without authorization.
  • Safeguards overview: how administrative, physical, and technical safeguards protect PHI/ePHI.
  • Complaint process, non-retaliation, and sanctions for violations.

Notice of Privacy Practices (NPP)

  • Provide the NPP at enrollment and upon request; post on the plan website if available; remind members at least once every three years that the NPP is available.
  • Redistribute or post updates after material changes, and keep prior versions.
  • Include contact details for your Privacy Officer and instructions for filing complaints.

Documentation and retention

Maintain written policies, procedures, NPP versions, training records, sanctions, and complaints for at least six years from creation or last effective date. Keep decisions and risk analyses that justify your privacy approach.

Security Safeguards for ePHI

Administrative safeguards

  • Risk analysis and risk management: identify where ePHI resides (TPA portals, data warehouses, email) and prioritize mitigation.
  • Workforce security: background checks, role-based access, onboarding/termination procedures, and sanctions.
  • Security awareness: periodic training, phishing simulations, and reminders.
  • Contingency planning: backups, disaster recovery, emergency mode operations, and testing.
  • Security incident procedures: detection, reporting, triage, and escalation paths.
  • Vendor oversight: BAAs, due diligence, and performance monitoring.

Physical safeguards

  • Facility access controls: visitor logs and access badges where ePHI is stored or accessed.
  • Workstation and device security: screen privacy, automatic lock, secure storage.
  • Device and media controls: encryption, inventory, secure disposal, and validated data destruction.

Technical safeguards

  • Access controls: unique user IDs, least privilege, multi-factor authentication for remote and privileged access.
  • Audit controls: centralized logging, alerting on anomalous activity, and periodic review.
  • Integrity and authentication: hashing or digital signatures to detect unauthorized alteration of ePHI, plus anti-malware on endpoints and servers.
  • Transmission security: TLS for data in transit; encryption for data at rest in vendor systems and plan repositories. Encryption is an addressable specification under the Security Rule, but ePHI encrypted in line with HHS guidance is not "unsecured", so its loss does not trigger breach notification.

Example control set

  • Require SSO with MFA for all plan administrator portals.
  • Encrypt exported eligibility and claims files; exchange over secure transfer only.
  • Quarterly access re-certification for all plan users and vendor admins.
  • Test disaster recovery and document outcomes annually.
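The audit-control and minimum-necessary items above are only useful if someone actually runs rules over the logs. The following is an added example, not code from the article or its vendor: it reviews a constructed newline-delimited JSON access log from a plan administrator portal and flags four conditions a periodic review would look for (access to a PHI category outside the user's role, exports outside business hours, unusual volume of distinct members per user per day, and any use of a break-glass account). The log field names, the role-to-category map, the business-hours window and the bulk threshold are illustrative assumptions; substitute whatever your portal, TPA or SIEM emits.

```python
"""Audit-control review over plan-portal access logs.

Added example, not code from the article or its vendor. The JSON log shape,
the role-to-PHI-category map, the business-hours window and the bulk-access
threshold are illustrative assumptions; substitute the fields your portal,
TPA or SIEM actually emits.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Minimum-necessary map (assumed): PHI categories each plan role may access.
ROLE_PHI_CATEGORIES = {
    "claims": {"claims", "eligibility"},
    "eligibility": {"eligibility"},
    "appeals": {"claims", "eligibility", "clinical"},
    "finance": {"claims_summary"},
}
BUSINESS_HOURS = (7, 19)        # exports outside 07:00-19:00 local are flagged (assumed)
BULK_THRESHOLD = 3              # distinct members per user per day; tiny for the demo
BREAK_GLASS_PREFIX = "breakglass-"

# Constructed sample log, one JSON object per line as a SIEM might forward it.
SAMPLE_LOG = """
{"ts": "2025-01-06T09:12:03", "user": "jdoe", "role": "claims", "action": "view", "category": "claims", "member_id": "M1001"}
{"ts": "2025-01-06T09:13:40", "user": "jdoe", "role": "claims", "action": "view", "category": "clinical", "member_id": "M1001"}
{"ts": "2025-01-06T23:02:11", "user": "asmith", "role": "eligibility", "action": "export", "category": "eligibility", "member_id": "M2001"}
{"ts": "2025-01-06T10:00:05", "user": "rlee", "role": "appeals", "action": "view", "category": "claims", "member_id": "M3001"}
{"ts": "2025-01-06T10:00:41", "user": "rlee", "role": "appeals", "action": "view", "category": "claims", "member_id": "M3002"}
{"ts": "2025-01-06T10:01:17", "user": "rlee", "role": "appeals", "action": "view", "category": "claims", "member_id": "M3003"}
{"ts": "2025-01-06T10:02:02", "user": "rlee", "role": "appeals", "action": "view", "category": "claims", "member_id": "M3004"}
{"ts": "2025-01-07T02:15:30", "user": "breakglass-oncall", "role": "emergency", "action": "view", "category": "clinical", "member_id": "M4001"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _finding(rule, event, detail):
    return {"rule": rule, "user": event["user"], "ts": event["ts"], "detail": detail}


def review_access_log(events, bulk_threshold=BULK_THRESHOLD):
    """Apply the four review rules and return a list of findings."""
    findings = []
    members_by_user_day = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        # Rule 1: break-glass accounts bypass role checks, but every use is reviewed.
        if e["user"].startswith(BREAK_GLASS_PREFIX):
            findings.append(_finding("break_glass_use", e,
                                     "emergency access used; requires post-event review"))
            continue
        # Rule 2: minimum necessary, access to a category the role is not mapped to.
        allowed = ROLE_PHI_CATEGORIES.get(e["role"], set())
        if e["category"] not in allowed:
            findings.append(_finding("minimum_necessary_violation", e,
                                     f"role {e['role']} is not mapped to {e['category']}"))
        # Rule 3: exports outside business hours.
        if e["action"] == "export" and not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(_finding("after_hours_export", e,
                                     f"export at {ts.time()} outside business hours"))
        members_by_user_day[(e["user"], ts.date())].add(e["member_id"])
    # Rule 4: unusual volume, many distinct members touched by one user in a day.
    for (user, day), members in members_by_user_day.items():
        if len(members) > bulk_threshold:
            findings.append({"rule": "bulk_access", "user": user, "ts": day.isoformat(),
                             "detail": f"{len(members)} distinct members (threshold {bulk_threshold})"})
    return findings


def summarize(findings):
    """Count findings per rule, the figure a periodic audit-log review would report."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in review_access_log(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:28} {f['user']:18} {f['ts']}  {f['detail']}")
```

On the sample data the review produces one finding per rule: jdoe (claims role) opening a clinical record, asmith exporting eligibility data at 23:02, rlee touching more distinct members than the threshold in one day, and the break-glass account's use. The bulk threshold is deliberately tiny so the demo triggers; in production it is set from the role's normal daily volume, and every finding is written back to the audit log with the reviewer's disposition so the review itself is evidenced.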

Breach Notification Procedures

Identify and assess incidents

Define "security incident" broadly and investigate quickly. Under the HIPAA Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, based on four factors: the nature and extent of the PHI involved (types of identifiers, likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated (retrieval, written confidentiality assurances).

When notification is required

  • If unsecured PHI is breached, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; the 60 days is an outside limit, not a target.
  • If 500 or more residents of a state or jurisdiction are affected, also notify prominent media outlets serving that area within the same 60-day window.
  • If 500 or more individuals are affected in total, report to HHS at the same time as individual notice and no later than 60 days after discovery, even when no single state reaches 500.
  • If fewer than 500 individuals are affected, log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered.
  • Notification is not required if the PHI was secured per HHS guidance (encrypted or destroyed) or a documented risk assessment shows a low probability of compromise; keep the assessment, since the burden of proof is on the plan.

Content and delivery of notices

  • Include a description of what happened (dates of the breach and of discovery), the types of PHI involved, steps individuals should take to protect themselves, what the plan is doing to investigate, mitigate and prevent recurrence, and how to contact the plan.
  • Send written notice by first-class mail (or email if the individual agreed to electronic notice). Where contact details are insufficient for fewer than 10 individuals, use an alternative such as a phone call; for 10 or more, provide substitute notice by conspicuous posting on the plan website or in major print or broadcast media, with a toll-free number active for at least 90 days.
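The deadlines and thresholds in the two lists above are easy to misapply in the middle of an incident, particularly the two different 500-individual lines (per state for media, in total for HHS) and the 10-person line for substitute notice. The following is an added example, not code from the article or its vendor, that encodes them as a tracking aid; the input shape (ISO discovery date, individuals per state, flags from the risk assessment) and the function name are assumptions, and it is a checklist helper, not legal advice.

```python
"""Breach Notification Rule obligations and outside deadlines for a health plan.

Added example, not code from the article or its vendor. It encodes the
60-calendar-day window, the two 500-individual thresholds and the 10-person
substitute-notice line; the input shape and function name are assumptions.
"""
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60
LARGE_BREACH = 500
SUBSTITUTE_NOTICE_MIN = 10


def notification_plan(discovered, affected_by_state, secured=False,
                      low_probability=False, insufficient_contact=0):
    """Return the notices owed and their outside deadlines as ISO date strings.

    discovered           -- ISO date the plan (or its business associate) discovered the incident
    affected_by_state    -- {"TX": 300, ...} individuals affected per state or jurisdiction
    secured              -- PHI was encrypted or destroyed in line with HHS guidance
    low_probability      -- documented four-factor assessment found a low probability of compromise
    insufficient_contact -- individuals whose contact details are missing or out of date
    """
    found = date.fromisoformat(discovered)
    total = sum(affected_by_state.values())
    if secured or low_probability:
        # Not "unsecured PHI" / not a breach; the assessment itself must be retained.
        return {"notification_required": False, "total_affected": total,
                "reason": "secured PHI" if secured else "low probability of compromise (documented)"}
    outside_date = found + timedelta(days=NOTICE_WINDOW_DAYS)
    # Media notice is judged per state or jurisdiction; HHS timing depends on the total.
    media_states = sorted(s for s, n in affected_by_state.items() if n >= LARGE_BREACH)
    if total >= LARGE_BREACH:
        hhs = {"timing": "with individual notice", "deadline": outside_date.isoformat()}
    else:
        year_end = date(found.year, 12, 31)
        hhs = {"timing": "annual log submission",
               "deadline": (year_end + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat()}
    return {
        "notification_required": True,
        "total_affected": total,
        "individual_notice_deadline": outside_date.isoformat(),
        "media_notice_states": media_states,
        "hhs": hhs,
        # 10 or more unreachable individuals: web posting or major media plus a toll-free number for 90 days.
        "substitute_notice": insufficient_contact >= SUBSTITUTE_NOTICE_MIN,
    }


if __name__ == "__main__":
    # 300 in one state and 320 in another: no media notice, but 620 in total
    # means HHS is told with the individual notices, not in the annual log.
    print(notification_plan("2025-01-10", {"TX": 300, "OK": 320}))
    print(notification_plan("2025-01-10", {"TX": 40}))
```

The first case in the usage block is the one the aggregated count catches: no single state reaches 500, so there is no media obligation, yet the 620 total moves HHS reporting from the year-end log to the 60-day window. Treat every returned deadline as the latest permissible date; "without unreasonable delay" still governs.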

Vendor and plan sponsor coordination

  • BAAs should require business associates to inform the plan without unreasonable delay (set an internal target of 24–72 hours).
  • Share only the minimum details with the plan sponsor; avoid unnecessary PHI.
  • Track corrective actions and lessons learned; update policies and training.

Business Associate Agreement Requirements

Who is a business associate?

Any non-workforce entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the plan is a business associate: TPAs, PBMs, care management vendors, data warehouse and hosting providers, consultants with PHI access, and certain brokers. Subcontractors that handle PHI for a business associate are themselves business associates.

Essential BAA terms

  • Permitted uses and disclosures, minimum necessary, and prohibition on unauthorized uses (marketing/sale of PHI without authorization).
  • Safeguards for ePHI aligned to the Security Rule, including risk management and encryption expectations.
  • Incident and breach reporting timelines and cooperation in investigations and notifications.
  • Downstream obligations: require subcontractors to sign equivalent BAAs.
  • Access and accounting support, HHS access to records, and audit cooperation.
  • Return or destruction of PHI at termination, or documentation of infeasibility.
  • Indemnification, insurance expectations, and right to terminate for material breach.

Practical tips

  • Perform due diligence (security questionnaires, SOC 2 or similar attestations) before contracting.
  • Map data flows and restrict file exchanges to secure channels.
  • Review BAAs at least annually and after vendor changes.

Access and Authorization Controls

Role-based access and minimum necessary

Define roles (claims, eligibility, appeals, finance) and map each to specific PHI categories. Limit employer access to plan administration functions, not employment-related decisions, unless a signed authorization permits otherwise.

Identity and access management

  • Unique IDs, strong passwords, MFA, and automatic logoff after a period of inactivity.
  • Joiner/mover/leaver processes with rapid termination of access.
  • Quarterly access reviews; just-in-time elevation for privileged tasks.
  • Break-glass emergency access with automatic logging and post-event review.
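The joiner/mover/leaver and quarterly review items above are a procedure, and the review is only defensible if it is reproducible. The following is an added example, not code from the article or its vendor: it reconciles a constructed identity-provider account export against a constructed HR and vendor roster and produces one finding per control gap (terminated user still enabled, account with no roster owner, entitlements beyond the role baseline, privileged access without MFA, dormant account), with everything else routed to the manager for attestation. The export fields, the roster shape, the role-to-entitlement map, the list of privileged entitlements and the 90-day dormancy window are illustrative assumptions.

```python
"""Quarterly access re-certification for plan users and vendor admins.

Added example, not code from the article or its vendor. The account export,
the HR/vendor roster, the role-to-entitlement map, the privileged set and the
90-day dormancy window are illustrative assumptions; feed it your IdP export
and roster.
"""
from datetime import date

AS_OF = date(2025, 1, 10)      # review date for the constructed data
INACTIVITY_DAYS = 90
ROLE_ENTITLEMENTS = {          # least-privilege baseline per role (assumed)
    "claims": {"claims_portal"},
    "eligibility": {"elig_portal"},
    "appeals": {"claims_portal", "elig_portal", "clinical_viewer"},
    "vendor_admin": {"sftp_exchange"},
}
PRIVILEGED = {"portal_admin", "sftp_exchange"}   # entitlements that require MFA (assumed)

# Constructed HR/vendor roster: user -> (role, status)
ROSTER = {
    "jdoe": ("claims", "active"),
    "asmith": ("eligibility", "terminated"),
    "rlee": ("appeals", "active"),
    "tpa-svc": ("vendor_admin", "active"),
    "mkim": ("claims", "active"),
}

# Constructed identity-provider export.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mfa": True,
     "entitlements": {"claims_portal"}, "last_login": "2025-01-03"},
    {"user": "asmith", "enabled": True, "mfa": True,
     "entitlements": {"elig_portal"}, "last_login": "2024-12-20"},
    {"user": "rlee", "enabled": True, "mfa": True,
     "entitlements": {"claims_portal", "elig_portal", "clinical_viewer", "portal_admin"},
     "last_login": "2025-01-05"},
    {"user": "tpa-svc", "enabled": True, "mfa": False,
     "entitlements": {"sftp_exchange"}, "last_login": "2025-01-06"},
    {"user": "mkim", "enabled": True, "mfa": True,
     "entitlements": {"claims_portal"}, "last_login": "2024-09-01"},
    {"user": "ghost", "enabled": True, "mfa": True,
     "entitlements": {"claims_portal"}, "last_login": "2025-01-02"},
]


def recertify(accounts, roster, as_of=AS_OF):
    """Return one finding per control gap among enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        # Leaver control: an enabled account must trace back to an active person or vendor.
        if user not in roster:
            findings.append({"user": user, "issue": "not_on_roster",
                             "action": "disable pending owner confirmation"})
            continue
        role, status = roster[user]
        if status != "active":
            findings.append({"user": user, "issue": "terminated_still_enabled",
                             "action": "disable immediately"})
            continue
        # Least privilege: anything beyond the role baseline needs a documented exception.
        excess = acct["entitlements"] - ROLE_ENTITLEMENTS.get(role, set())
        if excess:
            findings.append({"user": user, "issue": "excess_entitlement",
                             "action": f"remove {sorted(excess)} or record exception"})
        # Privileged access without MFA.
        if acct["entitlements"] & PRIVILEGED and not acct["mfa"]:
            findings.append({"user": user, "issue": "privileged_without_mfa",
                             "action": "enforce MFA before next login"})
        # Dormant accounts are candidates for removal.
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > INACTIVITY_DAYS:
            findings.append({"user": user, "issue": "dormant",
                             "action": f"idle {idle} days; disable unless manager re-certifies"})
    return findings


def attestation_list(accounts, roster, as_of=AS_OF):
    """Enabled accounts with no automated finding still need manager sign-off each quarter."""
    flagged = {f["user"] for f in recertify(accounts, roster, as_of)}
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] not in flagged)


if __name__ == "__main__":
    for f in recertify(ACCOUNTS, ROSTER):
        print(f"{f['user']:10} {f['issue']:26} {f['action']}")
    print("attest:", attestation_list(ACCOUNTS, ROSTER))
```

The roster check runs first because a terminated or unknown account is disabled regardless of its entitlements; the remaining checks only matter for accounts that should exist. Keep the findings and the manager attestations together as the quarter's evidence, since an auditor will ask for the review output, not just the policy that says reviews happen.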

Individual authorizations

Use written authorizations for disclosures beyond what HIPAA permits without one. Store authorizations with the same six-year retention as other HIPAA records and honor revocations promptly. Provide individuals access to their records within 30 days of the request (one 30-day extension is allowed with written notice of the reason), in the form and format requested when readily producible.

Sample HIPAA Policy Templates

Privacy Policy (Health Plan)

Purpose: Describe how [Plan Name] uses and discloses PHI and protects member privacy.

Scope: All plan workforce and vendors handling PHI and electronic Protected Health Information (ePHI).

  • Policy: Uses/disclosures, minimum necessary, member rights, complaint process.
  • Procedures: NPP distribution, authorization intake, requests for access/amendment, accounting log.
  • Responsibility: Privacy Officer; escalation path and timelines.
  • Records: Retain for six years; version control.

Security Rule Policy

  • Policy: Implement administrative safeguards, physical safeguards, and technical safeguards proportionate to risk.
  • Procedures: Risk analysis, training, access control, encryption, logging, contingency planning.
  • Monitoring: Metrics, incident tracking, annual evaluation.

Breach Notification Policy

  • Policy: Assess incidents under the HIPAA Breach Notification Rule; notify as required.
  • Procedures: Triage steps, risk assessment factors, notice content, timelines, documentation.
  • Roles: Incident Lead, Privacy Officer, Communications, Vendor Manager.

BAA Management Policy

  • Policy: Require BAAs before any PHI sharing.
  • Procedures: Vendor due diligence, BAA template, subcontractor flow-down, annual review.
  • Records: Repository of executed BAAs and due diligence evidence.

Access and Authorization Policy

  • Policy: Role-based access, least privilege, periodic re-certification.
  • Procedures: Provisioning, deprovisioning, break-glass, member authorization intake and revocation.
  • Controls: MFA, session timeout, audit logs, monitoring.

Compliance Checklist for Covered Entities

  • Designate Privacy and Security Officers with defined authority and backups.
  • Complete and document an enterprise-wide risk analysis; implement risk management plans.
  • Publish and maintain an NPP; send the three-year availability reminder.
  • Adopt written privacy, security, breach, BAA, and sanctions policies; retain at least six years.
  • Train all workforce initially and at least annually; track attendance and comprehension.
  • Execute BAAs with all applicable vendors; verify subcontractor flow-downs.
  • Enforce minimum necessary and role-based access; perform quarterly access reviews.
  • Encrypt ePHI in transit and at rest; restrict and monitor file exchanges.
  • Maintain audit logs; review alerts and investigate anomalies.
  • Establish incident response and breach notification playbooks; run tabletop exercises.
  • Implement contingency plans with tested backups and disaster recovery.
  • Validate plan sponsor firewalls; avoid use of PHI for employment decisions without authorization.
  • Track individual rights requests and fulfill within required timeframes.
  • Monitor vendors for security posture; refresh due diligence annually.
  • Prepare for OCR inquiries: keep documentation organized and current.

Conclusion

Separate HIPAA Policies for Health Plans work best when they are specific, risk-based, and operational. By aligning privacy rules with robust safeguards for ePHI, enforcing strong BAAs, and practicing your breach response, you create a resilient compliance program that protects members and your organization.

FAQs

Does a health plan require a separate HIPAA privacy policy?

Yes. A health plan is a HIPAA covered entity and needs its own privacy policy and procedures tailored to plan functions, even when an insurer or TPA handles most operations. The policy should define plan workforce roles, member rights, and plan sponsor limitations.

How should breaches of PHI be reported by health plans?

Investigate immediately, perform and document the four-factor risk assessment, and notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report to HHS within the same 60 days if 500 or more individuals are affected in total, otherwise in the annual log within 60 days after year end; notify prominent media in any state or jurisdiction where 500 or more residents are affected. Coordinate closely with business associates under your BAA.

What are the essential elements of a Business Associate Agreement?

Permitted uses/disclosures, minimum necessary, Security Rule safeguards for ePHI, prompt incident/breach reporting, subcontractor flow-down, access/accounting support, HHS access, termination and PHI return/destruction, documentation retention, and the right to terminate for material breach.

Are access controls mandatory under HIPAA for health plans?

Yes. The Security Rule requires access controls for ePHI, including unique user IDs and measures like automatic logoff and audit controls. Strong practices such as MFA and periodic access reviews help satisfy the standard and reduce risk.
