Under HIPAA, Payers May Not Do These Things: Key Health Plan Prohibitions
Health plans and payers are Covered Entities under HIPAA. This guide translates the rules into plain language so you know what payers may not do with your Protected Health Information (PHI). In short: under HIPAA, payers may not do these things—ignore valid restrictions, over-disclose PHI, or use it beyond permitted Health Care Operations and payment.
Use this as a practical reference for Group Health Plan Compliance, PHI Disclosure Restrictions, and boundaries that also affect Employer-Sponsored Health Plans.
Individual's Right to Request Restrictions
You can ask a Covered Entity to restrict uses or disclosures of PHI for treatment, payment, or Health Care Operations. While a payer does not have to agree to every request, once it does, it must honor the restriction except in a bona fide medical emergency.
- Payers may not disregard a restriction they have accepted or use restricted PHI for non-permitted purposes.
- Payers may not require you to waive your right to request restrictions as a condition of enrollment or eligibility for benefits.
- Payers must document agreed restrictions and apply the minimum necessary standard to any remaining permissible disclosures.
Tip: Make restriction requests in writing, identify the PHI and the recipient, and keep a copy for your records.
Disclosure Restrictions When Paid in Full
If you pay a provider in full out of pocket and request it, the provider must not disclose related PHI to your health plan for payment or Health Care Operations. This “paid-in-full” rule prevents the plan from receiving PHI about that specific item or service.
- Payers may not demand PHI about fully self-paid services to perform utilization review, risk adjustment, or other operations for that episode of care.
- Payers may not penalize you for exercising this right or make benefit eligibility contingent on authorizing that disclosure.
- Limited exceptions apply: the provider may still disclose when required by law, and if your payment is later dishonored (for example, a bounced check) the provider may bill the plan after reasonable efforts to collect from you. The restriction applies only to payment and Health Care Operations; treatment disclosures between providers are unaffected.
Action steps: Tell the provider at the time of service, pay in full, and request nondisclosure to the plan for that episode. Ask how the provider will segment the record.
Information Blocking Regulation Applicability
The federal Information Blocking Regulation targets “actors” (health care providers, health IT developers of certified health IT, and health information networks/exchanges). Most payers are not actors under this rule.
- Payers may not assume the rule exempts them from all data-access duties. Separate CMS interoperability and patient-access requirements still obligate many plans to provide member-accessible data via APIs.
- Payers operating an HIE/HIN function could be treated as actors and must avoid practices that unreasonably impede access, exchange, or use of electronic health information.
- Regardless of information blocking status, HIPAA still requires access to the designated record set upon a valid member request, generally within 30 days (with one 30-day extension permitted when the plan gives written notice of the delay).
Permitted Uses and Disclosures of PHI
Outside HIPAA’s permitted uses and disclosures—or a valid member authorization—payers may not use or disclose PHI. Key prohibitions include:
- Marketing and sale of PHI: A payer may not use PHI for marketing or sell PHI without your explicit authorization (with narrow, enumerated exceptions).
- Minimum necessary: For payment and Health Care Operations, a payer may not use or disclose more PHI than is reasonably necessary.
- Underwriting with genetic information: Health plans (other than issuers of long-term care policies) may not use or disclose genetic information for underwriting purposes.
- Employment actions: A payer may not disclose plan PHI to an employer for employment-related decisions without proper authorization and structural safeguards.
Permitted categories (without authorization) include payment, Health Care Operations, certain public health and oversight activities, and disclosures required by law. Anything beyond these requires a valid authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Employer-Sponsored Group Health Plans
When your coverage is an employer-sponsored Group Health Plan, HIPAA draws strict lines between the plan and the employer (plan sponsor). Your PHI sits with the plan or its insurer/TPA—not the HR department.
- Payers may not share PHI with the employer for employment decisions. Plan sponsors generally may receive only enrollment/disenrollment data and “summary health information” for plan design or bidding—unless plan documents are amended to permit specific plan administration uses with proper safeguards.
- Payers may not grant broad employer access without required certifications, firewall provisions, and the minimum necessary standard.
- Business associate rules apply: Payers must ensure vendors handling PHI sign compliant agreements and follow HIPAA safeguards.
Exclusions from Health Plan Definition
Some arrangements are not “health plans” under HIPAA, which changes who is a Covered Entity and how PHI is regulated.
- Coverage only for accident or disability income is excluded.
- Liability insurance (including automobile liability) and workers’ compensation programs are excluded.
- Credit-only insurance and coverage for on-site medical clinics are excluded (on-site clinics are providers, not plans, and are covered by HIPAA only if they conduct standard electronic transactions).
- Other similar insurance where medical coverage is secondary or incidental to other benefits is excluded.
Implication: If an arrangement is excluded, HIPAA’s “health plan” rules do not apply to that entity—though disclosures to it by Covered Entities still must meet HIPAA’s conditions.
Health Plan Definition Clarifications
HIPAA’s “health plan” includes health insurance issuers, HMOs, Medicare/Medicaid and their managed care options, and Group Health Plans. It also includes issuers of long-term care policies (other than nursing home fixed indemnity policies).
- Small, self-administered group health plans: A group health plan with fewer than 50 participants that is administered solely by the employer is not a HIPAA-covered entity. Using a third-party administrator removes the exception, because the plan is then administered by an entity other than the employer and becomes a Covered Entity; an insurer issuing coverage to such a plan is a Covered Entity in its own right regardless of plan size.
- Self-funded vs. fully insured: Whether your plan is self-funded or fully insured, HIPAA restricts how your PHI may be used and disclosed for payment and Health Care Operations.
- Plan sponsor boundaries: Employers acting as plan sponsors must keep plan PHI separate from employment records and use it only for permitted plan administration purposes.
FAQs
What restrictions can individuals request under HIPAA?
You may request that a Covered Entity restrict uses or disclosures of your Protected Health Information (PHI) for treatment, payment, or Health Care Operations. The entity is not required to agree in most cases, but once it agrees, it must abide by the restriction except in emergencies. You can also request confidential communications (for example, using an alternate address).
How does full out-of-pocket payment affect PHI disclosure?
If you pay a provider in full out of pocket and request it, the provider must not disclose PHI to your health plan for payment or Health Care Operations related to that item or service. The restriction does not apply where disclosure is required by law or to disclosures for treatment between providers.
Are payers subject to information blocking regulations?
Generally, health plans are not “actors” under the Information Blocking Regulation. However, many payers have separate obligations under CMS interoperability rules to provide member access to data. If a payer operates as a health information network/exchange, information blocking obligations may apply.
What are the exclusions from HIPAA health plan definitions?
Excluded arrangements include coverage only for accident or disability income, liability insurance (including auto), workers’ compensation, credit-only insurance, on-site medical clinic coverage, and other similar insurance where medical benefits are secondary or incidental. These entities are not HIPAA “health plans,” though Covered Entities must still follow HIPAA when disclosing PHI to them.
Bottom line: HIPAA draws bright lines around what payers may not do with your PHI—overriding member restrictions, over-collecting or over-sharing data, or using PHI beyond payment and Health Care Operations. Knowing these limits helps you exercise your rights and hold Employer-Sponsored Health Plans to strong Group Health Plan Compliance.