Yes. Health plans are one of the three types of covered entities under the Health Insurance Portability and Accountability Act of 1996, as defined at 45 CFR 160.103. That means most health insurance issuers, HMOs, employer-sponsored group health plans, Medicare, Medicaid, Medicare Advantage, Medigap, CHIP, TRICARE, and long-term care insurance carriers must follow the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule.
The problem is this. Health plans hold some of the most sensitive information a person has, and every billing file, eligibility roster, claims appeal, and prior-authorization note lives in a system that can be hacked, faxed to the wrong number, or mailed to the wrong member. When a plan fails to protect that data, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) can impose civil money penalties through its enforcement process, with tiered fines capped at $2,134,831 per identical provision violated per calendar year under the inflation adjustment in effect for 2025.
The HIPAA rules are not optional, and the consequences of non-compliance are steep. North Memorial Health Care paid $1.55 million in 2016 in a case built on a missing Business Associate Agreement and a missing enterprise-wide risk analysis, and the Anthem breach produced a record $16 million resolution that regulators still cite today.
Here is what you will learn in this guide:
- Which health plans qualify as covered entities under the statute and which are carved out
- How federal HIPAA rules interact with state laws like California’s CMIA, Texas HB 300, and the New York SHIELD Act
- The real dollar cost of enforcement, including OCR resolution agreements against insurers
- How Business Associate Agreements work between plans, TPAs, brokers, and PBMs
- The most common mistakes health plans make and how to avoid each one
What HIPAA Actually Says About Health Plans
The statute at 42 U.S.C. § 1320d(5) and the regulation at 45 CFR 160.103 define a “health plan” as any individual or group plan that provides, or pays the cost of, medical care. That is the legal trigger. If an entity provides or pays for medical care on behalf of the people it covers, HIPAA almost certainly applies to it.
The rule lists specific examples, and each example is its own covered entity. The list includes a group health plan, a health insurance issuer, an HMO, Part A or Part B of Medicare, Medicare Advantage (Part C), the Medicare prescription drug program (Part D), the Medicaid program, a Medicare supplemental policy, a long-term care policy, a multi-employer employee welfare benefit plan, a high-risk pool, a state child health plan under CHIP, the veterans health care program, the Indian Health Service, TRICARE, and the Federal Employees Health Benefits Program. State health benefit exchanges are not on that list; they follow the separate Exchange privacy and security standards at 45 CFR 155.260 instead.
The consequence of being named a covered entity is direct. The plan must appoint a Privacy Officer and a Security Officer, as required by 45 CFR 164.530(a) and 45 CFR 164.308(a)(2). It must give members a Notice of Privacy Practices. It must train its workforce. It must lock down electronic protected health information with the administrative, physical, and technical safeguards in the Security Rule.
A common misconception is that a plan is only covered if it is “big” or if it is a household-name insurer. That is wrong. A two-person HR department running a self-insured medical reimbursement arrangement can still be a HIPAA-covered group health plan.
The Three Covered Entity Categories
HIPAA recognizes three covered entity types, and a health plan is one of them. The other two are health care providers that transmit health information electronically in connection with a standard transaction, and health care clearinghouses. The Covered Entity Decision Tool from the Centers for Medicare and Medicaid Services walks through the test for each type.
For health plans, the coverage trigger is not electronic transactions. The plan is covered the moment it meets the definition at § 160.103, even if it never files a single 837 claim or 270 eligibility request.
The consequence of misclassifying your entity is real. If a plan believes it is not covered and skips the Privacy Rule, an OCR audit under the HIPAA Audit Program can produce a finding of willful neglect, which sits in the highest penalty tier.
Why Employer-Sponsored Plans Count
Employers are not covered entities. The plan the employer sponsors is the covered entity. That distinction matters because an employer wears two hats at once, one as plan sponsor and one as employer, and HIPAA reaches the employer only in its plan-sponsor capacity, through the conditions the plan must impose before it shares PHI with the sponsor.
Under 45 CFR 164.504(f), the plan document must be amended, and the sponsor must certify to the plan that it will honor the amendment’s restrictions, before the plan can share protected health information with the sponsor. Without that amendment, the plan may give the sponsor only enrollment and disenrollment information, plus summary health information for the limited purposes of obtaining premium bids or modifying, amending, or terminating the plan.
The real-world consequence is that benefits managers who look at claims detail without the plan amendment create a presumed, reportable breach. A common misconception is that “we are all the same company, so we can share anything.” The firewall is a legal requirement, not a feature of the org chart.
Types of Health Plans That Are Covered Entities
Almost every arrangement that pays for medical care is a covered entity, and the list below is not exhaustive. The HHS guidance on covered entities walks through each category with useful examples.
Group Health Plans
A group health plan is an employee welfare benefit plan as defined in ERISA § 3(1), so long as it has 50 or more participants, or is administered by an entity other than the employer that established the plan. Fully insured plans, self-insured plans, HRAs, health FSAs, and certain EAPs can all fall inside the definition.
The consequence of being a group health plan is full HIPAA application, including the need for a plan document amendment, a firewall between the plan and the employer, and a Notice of Privacy Practices distributed to every enrollee as required by 45 CFR 164.520.
Example: Maria runs HR at a 600-employee manufacturing company with a self-insured PPO. Her plan is a covered entity. She must keep claims data in a separate system from the personnel files she uses to run performance reviews.
A common misconception is that fully insured plans “pass the compliance buck” to the carrier. That is only partly true. The limited exception at § 164.530(k) applies only while the plan receives no PHI beyond summary health information and enrollment data; it narrows, but does not eliminate, the sponsor’s duties.
Health Insurance Issuers and HMOs
A health insurance issuer is a state-licensed insurance company that offers health insurance, and an HMO is a federally qualified or state-licensed managed care organization. Both are covered entities, full stop.
Carriers like Anthem, UnitedHealthcare, Aetna, Cigna, and Blue Cross Blue Shield plans all sit in this bucket. The Anthem resolution agreement shows how OCR treats issuer breaches.
The consequence of being an issuer is the full stack of Privacy, Security, and Breach Notification duties, plus the obligation to contract with every downstream vendor through a Business Associate Agreement.
Government Programs
Medicare Parts A and B, Medicare Advantage (Part C), the Medicare prescription drug program (Part D), state Medicaid agencies, CHIP, TRICARE, the Veterans Health Administration, and the Indian Health Service all qualify as health plans under HIPAA. See the CMS HIPAA page for the agency’s own statement of coverage.
The consequence of government-program coverage is that both the federal agency and its contractors follow HIPAA, and the contractors are business associates. For veterans, the VA’s Privacy Act notices layer extra duties on top.
A common misconception is that federal agencies are exempt. They are not. They are covered entities that also follow the Privacy Act of 1974.
Other Specialty Plans
Long-term care policies, Medigap policies, and high-risk pools are all covered entities under § 160.103. State health benefit exchanges, including HealthCare.gov, are a different case: they are not listed as health plans in § 160.103 and instead follow the Exchange privacy and security standards at 45 CFR 155.260, which is what the HealthCare.gov privacy notice reflects.
The consequence of ignoring these specialty categories is the same as for any other plan, and OCR has pursued settlements across the spectrum.
Plans That Are NOT Covered Entities
A small number of arrangements are carved out, and the carve-outs are narrow.
The “Fewer Than 50 Participants” Exception
A group health plan that has fewer than 50 participants and that is administered solely by the employer that established and maintains the plan is excluded from the HIPAA definition at 45 CFR 160.103. Both prongs must be met.
The consequence of the carve-out is that the small self-administered plan has no HIPAA duties. If the employer hires a TPA, the exception vanishes and HIPAA snaps back on.
Example: Jamal owns a 12-person accounting firm with a self-funded, self-administered medical expense plan. He handles everything in-house and uses no TPA. His plan is not a HIPAA covered entity. The moment he hires a TPA next year, the plan becomes one.
A common misconception is that “fewer than 50 employees” triggers the exception. The regulation counts participants, a term borrowed from ERISA § 3(7) that covers any employee or former employee who is or may become eligible to receive a benefit under the plan, so the figure is not simply the number of employees currently enrolled.
Certain Excepted Benefits
The health plan definition at § 160.103 carves out any policy, plan, or program to the extent it provides or pays for the “excepted benefits” listed in section 2791(c)(1) of the Public Health Service Act: accident or disability income insurance, supplements to liability insurance, liability insurance itself, workers’ compensation, automobile medical payment coverage, credit-only insurance, on-site medical clinics, and similar coverage. Limited-scope dental and vision benefits sit in a different paragraph, section 2791(c)(2), which the HIPAA definition does not exclude.
The consequence is narrower than many plans assume. A standalone dental or vision plan that provides or pays for dental or vision care is still a health plan and a covered entity under HIPAA, even though it is an excepted benefit for ERISA and Affordable Care Act purposes. Only the section 2791(c)(1) categories fall outside the definition.
Life, Disability, and Workers’ Comp
Life insurance, short-term disability, long-term disability, and workers’ compensation carriers are not health plans under HIPAA. See the OCR FAQ on workers’ compensation. They may still receive PHI from providers, but they do not themselves become covered entities by writing those policies.
The consequence is that these carriers do not owe a Notice of Privacy Practices, and state insurance law fills much of the gap.
Three Scenarios Every Plan Should Know
The scenarios below show how the rules play out in practice.
Scenario 1: Self-Insured Employer Plan
| Plan Action | HIPAA Outcome |
|---|---|
| 200-employee self-insured PPO uses a TPA | Covered entity; plan document amendment required under § 164.504(f) before PHI goes to the sponsor |
| HR manager views member claims without plan amendment | Impermissible disclosure; presumed breach, with notification under § 164.404 unless the four-factor risk assessment shows a low probability of compromise |
| TPA suffers ransomware attack affecting 5,000 members | Plan must notify members, HHS, and often media within 60 days |
Scenario 2: Fully Insured Small Group
| Plan Action | HIPAA Outcome |
|---|---|
| 30-employee firm buys fully insured HMO coverage | Plan is covered (it is administered by the issuer, so the small-plan exception does not apply); limited exception at § 164.530(k) narrows sponsor duties |
| Sponsor receives only summary health information | No plan amendment needed when the purpose is obtaining premium bids or modifying, amending, or terminating the plan |
| Sponsor requests individual claims detail | Amendment and firewall required; otherwise breach |
Scenario 3: Medicare Advantage Plan
| Plan Action | HIPAA Outcome |
|---|---|
| MA plan contracts with a marketing vendor | Vendor is a business associate; BAA required |
| Vendor emails unencrypted enrollee list | Reportable breach; OCR penalty possible under tiered CMPs |
| Plan fails to conduct a risk analysis under § 164.308(a)(1) | Common OCR finding; exposes the plan to a willful neglect determination |
The Privacy, Security, and Breach Notification Rules
Once a plan is a covered entity, three rule sets apply in full. The Privacy Rule governs use and disclosure of PHI in any form. The Security Rule governs electronic PHI specifically. The Breach Notification Rule governs what happens when something goes wrong.
Privacy Rule Duties
The Privacy Rule permits a plan to use or disclose PHI without authorization for treatment, payment, and health care operations under 45 CFR 164.506, for the specific public-interest purposes listed in § 164.512, and otherwise only with a written authorization under 45 CFR 164.508. Members have the right of access under § 164.524, the right to amend under § 164.526, and the right to an accounting of disclosures under § 164.528.
The consequence of over-disclosure is enforcement, and OCR’s Right of Access Initiative has produced more than 45 settlements against entities that failed to give individuals their records. Example: Priya is a Medicare Advantage member who asks for her claims file. The plan has 30 days to act on the request, with one 30-day extension allowed if it tells her in writing why it needs more time.
Security Rule Duties
The Security Rule demands a documented risk analysis, a risk management plan, workforce training, access controls, audit logs, encryption (addressable but expected), and a contingency plan, under 45 CFR 164.308 through § 164.312.
HHS published a Notice of Proposed Rulemaking on December 27, 2024 that would make encryption mandatory, require multi-factor authentication, and eliminate most “addressable” flexibility. Plans should watch the docket closely in 2026.
Breach Notification Rule Duties
If unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule, a breach is presumed unless the plan shows a low probability of compromise under the four-factor test at § 164.402.
Individual notices go out without unreasonable delay and no later than 60 days after discovery. HHS is notified through the breach portal: within the same 60-day window for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller ones. A breach affecting more than 500 residents of a state or jurisdiction also triggers notice to prominent media outlets serving that area.
State Law Overlays
HIPAA is a floor, not a ceiling, under the preemption rule at 45 CFR 160.203. Stricter state laws apply in addition.
California’s Confidentiality of Medical Information Act imposes its own penalties and a private right of action. Texas HB 300 expands the state-law definition of a covered entity to any person who handles PHI in the state. New York’s SHIELD Act imposes a reasonable-safeguards mandate on anyone holding New York residents’ private information; a plan that is subject to and in compliance with HIPAA is deemed to satisfy that safeguards requirement, but the Act’s breach-notice duties to state authorities still apply.
The consequence of ignoring state overlays is double exposure. A single breach can trigger a federal OCR action and a state attorney general action simultaneously, as happened in the Anthem multistate settlement.
Business Associates and Health Plans
Health plans rely on dozens of vendors. Every vendor that creates, receives, maintains, or transmits PHI on the plan’s behalf is a business associate under § 160.103. A written Business Associate Agreement is required under § 164.504(e).
Common business associates for a plan include the TPA, the pharmacy benefit manager, the broker of record in certain capacities, the actuarial firm, the case management vendor, the wellness program administrator, the cloud storage provider, and the shredding company.
The consequence of missing a BAA is direct liability. North Memorial paid $1.55 million in 2016 in a resolution built on a missing BAA with a vendor and a missing enterprise-wide risk analysis.
Example: Chen is the benefits director at a regional HMO that hires a new wellness vendor. She must have a signed BAA in place before a single member record leaves the plan’s systems.
The 2013 Omnibus Rule made business associates directly liable for their own violations, so plans and vendors now share risk.
Enforcement and Penalties
OCR is the primary enforcer, and it uses a tiered civil money penalty structure set by the HITECH Act and adjusted annually for inflation.
The tiers in effect for 2025, as set by the 2024 HHS inflation-adjustment notice in the Federal Register, run from roughly $141 per violation at the “no knowledge” tier to more than $71,000 per violation at the “willful neglect, not corrected” tier, with an annual cap of $2,134,831 for violations of an identical provision.
Notable plan-side settlements include Anthem at $16 million, Premera Blue Cross at $6.85 million, and Excellus at $5.1 million. The $2.3 million CHSPSC settlement from the same period was against a business associate rather than a plan, a reminder that vendors are in scope too.
Criminal penalties under 42 U.S.C. § 1320d-6 reach up to 10 years in prison when PHI is obtained or disclosed with intent to sell it, use it for commercial advantage or personal gain, or cause malicious harm. The Department of Justice prosecutes those cases.
Mistakes to Avoid
Plans repeat the same errors year after year. Avoid these eight.
- Skipping the risk analysis. A missing or stale risk analysis is the single most common finding in OCR enforcement, and it is the finding most often paired with a willful-neglect citation.
- Using a generic BAA template. Vague indemnification and no breach-cost allocation leaves the plan holding the bag after a vendor incident.
- Forgetting the plan document amendment. Sharing claims detail with the sponsor without § 164.504(f) language is an impermissible disclosure and a presumed breach.
- Ignoring state law. A HIPAA-compliant breach response can still violate California, Texas, or New York law and draw a state AG fine.
- Missing the 60-day clock. Late breach notices to individuals are their own separate violation under § 164.404.
- Under-training the workforce. Training must be periodic, documented, and role-specific, not a once-and-done video.
- Mixing employer and plan systems. A shared drive between HR and the plan erases the firewall and invites an impermissible disclosure finding.
- Refusing member access requests. The Right of Access Initiative has produced dozens of five- and six-figure settlements.
Do’s and Don’ts for Health Plans
Do’s
- Do conduct an annual enterprise-wide risk analysis. The Security Rule expects a living document, and OCR’s guidance is clear on scope.
- Do maintain a master BAA log. Knowing every vendor with PHI access is the first step to breach containment.
- Do encrypt ePHI at rest and in transit. Data encrypted in line with HHS guidance is not “unsecured PHI,” so its loss falls outside the breach notification rule as long as the decryption key was not compromised as well.
- Do train workforce at hire and annually. Documentation is the proof OCR asks for first.
- Do segment the plan from the employer. Separate credentials, separate file shares, separate printers where feasible.
Don’ts
- Don’t rely on verbal vendor promises. Only a signed BAA shifts liability appropriately.
- Don’t share claims data for employment decisions. This is the fastest route to an employment-discrimination complaint layered on top of a HIPAA violation.
- Don’t delete breach evidence. Preservation is required, and deletion can trigger obstruction.
- Don’t assume small means safe. Small plans are routinely audited.
- Don’t skip the Notice of Privacy Practices update. Material changes require redistribution.
Pros and Cons of Being a Covered Entity
Pros
- Federal floor. HIPAA creates a uniform baseline that simplifies multi-state operations.
- Defined roles. Privacy Officer and Security Officer duties are spelled out.
- Preemption clarity. Weaker state laws yield to HIPAA.
- Member trust. Compliance signals professionalism and due care.
- Enforcement predictability. OCR publishes settlement details, so plans can benchmark.
Cons
- Compliance cost. The HIMSS cost surveys consistently show six-figure annual HIPAA program budgets.
- Vendor management burden. Every BAA is a contract to negotiate, monitor, and renew.
- Breach exposure. A single missing laptop can trigger multi-million-dollar liability.
- Overlap with state law. Dual compliance doubles the review workload.
- Rulemaking churn. The 2024 proposed Security Rule update will force system-level changes.
Named Examples in Action
Example 1: Maria at a Self-Insured Manufacturer. Maria amends the plan document, installs a firewall between HR and the TPA portal, and signs BAAs with her TPA, PBM, and stop-loss carrier. When a laptop is stolen from a TPA office, she follows the Breach Notification Rule and notifies members within 45 days, well under the 60-day cap.
Example 2: Chen at a Regional HMO. Chen rolls out mandatory multi-factor authentication ahead of the proposed Security Rule updates. Her annual risk analysis shows the wellness vendor as a top exposure, and she renegotiates the BAA to include breach-cost indemnification.
Example 3: Jamal at a 12-Person Firm. Jamal keeps his plan self-administered to preserve the fewer-than-50-participants exception. When he later hires a TPA, he treats the plan as a covered entity from day one and installs policies, training, and BAAs before a single claim is processed.
The Covered Entity Decision Process Step by Step
Every plan sponsor and insurer should walk the same decision tree.
Step 1: Identify the arrangement. Is it a group health plan, an insurance issuer, an HMO, a government program, or an excepted benefit? The Covered Entity Decision Tool is the cleanest starting point.
Step 2: Count participants. For a self-administered group health plan, participant count determines whether the small-plan exception applies.
Step 3: Identify PHI flows. Map which systems create, receive, store, and transmit PHI. This map drives the Security Rule risk analysis.
Step 4: Appoint officers. Designate a Privacy Officer and a Security Officer in writing.
Step 5: Execute BAAs. Every vendor touching PHI signs a BAA before go-live.
Step 6: Publish the NPP. Distribute the Notice of Privacy Practices and post it on any member portal.
Step 7: Train and document. Workforce training, documented each year, with role-based modules.
Step 8: Test breach response. Tabletop exercises reveal gaps before a real incident.
Recap of Key OCR Rulings and Guidance
OCR’s public resolution agreements are the clearest source of enforcement signals. Anthem (2018) remains the largest single settlement. Premera (2020) followed with $6.85 million. Excellus (2021) added another $5.1 million.
The Supreme Court has not decided a health-plan HIPAA case directly, but lower courts consistently hold that HIPAA has no private right of action, as in Acara v. Banks, 470 F.3d 569 (5th Cir. 2006). State courts, though, increasingly allow negligence-per-se claims built on HIPAA standards, such as Byrne v. Avery Center for Obstetrics and Gynecology, 314 Conn. 433 (2014), discussed in this Connecticut court summary.
Frequently Asked Questions
Are all health plans covered entities under HIPAA?
Yes. Almost every plan that provides or pays for medical care is a covered entity under 45 CFR 160.103, with narrow carve-outs for small self-administered plans and certain excepted benefits.
Is an employer a HIPAA covered entity?
No. The employer itself is not, but the group health plan the employer sponsors is, and the plan sponsor must respect that firewall under § 164.504(f).
Is a fully insured small group plan subject to HIPAA?
Yes. It is covered, although the limited exception at § 164.530(k) reduces the sponsor’s administrative duties when only summary information is handled.
Are Medicare and Medicaid HIPAA covered entities?
Yes. Both programs are health plans under the statute, and their contractors are business associates bound by BAA terms.
Is a self-insured plan under 50 employees always exempt?
No. The carve-out applies only when the plan is both under 50 participants and self-administered, per § 160.103.
Are standalone dental or vision plans covered?
Yes, in most cases. Standalone dental and vision plans are “limited-scope” excepted benefits under section 2791(c)(2) of the PHS Act, but the HIPAA health plan definition at § 160.103 excludes only the section 2791(c)(1) benefits, so a plan that provides or pays for dental or vision care is a covered entity. The small-plan exception for self-administered plans with fewer than 50 participants can still take one out of scope.
Do workers’ compensation carriers follow HIPAA?
No. They are not health plans, although they may still receive PHI from providers under the workers’ comp disclosure rule.
Can members sue a health plan directly under HIPAA?
No. Federal courts have held HIPAA has no private right of action, as in Acara v. Banks, though state-law negligence claims may still proceed.
Are brokers and TPAs covered entities?
No. They are business associates of the plan and sign a BAA under § 164.504(e).
Does HIPAA preempt state privacy law?
No. HIPAA sets a floor, and stricter state laws like CMIA and Texas HB 300 remain enforceable under § 160.203.
Is an HRA a HIPAA covered entity?
Yes. A health reimbursement arrangement is a group health plan, and it is covered whenever it meets the participant and administration tests at § 160.103.
Does a health FSA count as a covered entity?
Yes. A health flexible spending arrangement is a group health plan. Because a health FSA is self-funded, the § 164.530(k) exception for fully insured plans does not help it, but the small-plan exception at § 160.103 takes it out of scope if it has fewer than 50 participants and is administered solely by the employer.