If you are an employer sponsoring a group health plan, you are not considered a covered entity under HIPAA. However, the group health plan is a covered entity. HIPAA governs how protected health information (PHI) is shared between the plan and the employer.
Who are covered entities under HIPAA?
Under HIPAA, covered entities include:
- Health plans: Entities that provide or pay for medical care, including group health plans.
- Healthcare providers: Those who transmit health information electronically in connection with certain transactions.
- Healthcare clearinghouses: Intermediaries that process health data.
The HHS clarifies that "A ‘group health plan’ is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA."
The employer's role in sponsoring a group health plan
While employers sponsor group health plans, HIPAA views the plan as a separate legal entity. The plan must comply with HIPAA’s rules, but the employer is not directly subject to HIPAA in its general role. For example, health-related information in employment records, such as sick leave requests or disability accommodation documentation, falls outside HIPAA’s scope.
When does HIPAA apply to employers?
HIPAA applies to employers only when they access PHI through the group health plan for specific administrative functions, such as verifying eligibility for benefits, processing health claims, or facilitating enrollment. In these situations, HIPAA strictly regulates how PHI is accessed, used, and safeguarded. Employers must ensure that PHI is used exclusively for plan administration and are expressly prohibited from using this information for employment-related actions, such as hiring, firing, or disciplinary decisions.
Requirements for employers acting on behalf of the group health plan
When an employer accesses PHI for plan administration purposes, the HIPAA Privacy Rule imposes specific requirements:
- Certification of compliance: Employers must certify that they will use PHI solely for plan administration, protect PHI according to HIPAA’s rules, and refrain from using PHI for employment-related purposes.
- Safeguards for PHI: Employers must implement administrative, technical, and physical safeguards to ensure PHI confidentiality.
- Privacy notice: If the employer handles PHI, the group health plan must provide a notice of privacy practices to plan participants.
Fully insured vs. self-administered plans
The level of HIPAA compliance required depends on the type of group health plan. For fully insured plans, the health insurance provider assumes most compliance responsibilities. However, employers must still protect any PHI they receive from the plan, ensuring it is used only for permitted purposes. In contrast, self-administered plans (those managed in-house without a third-party administrator) place a greater compliance burden on employers, as these plans are considered covered entities under HIPAA. However, there is an exception for self-administered plans with fewer than 50 participants, which are not subject to HIPAA regulations.
Practical tips for employers to stay compliant
- Limit PHI access: Allow only authorized personnel to handle PHI and use it exclusively for plan administration.
- Provide training: Educate employees about HIPAA and the importance of safeguarding PHI.
- Sign business associate agreements (BAAs): If you work with third-party administrators, ensure they sign BAAs and comply with HIPAA.
- Separate roles: Maintain a clear separation between health plan administration and employment-related functions to avoid misuse of PHI.
- Use secure systems: Implement systems to securely store, transmit, and dispose of PHI.
FAQs
Does HIPAA regulate health information in employment records?
No, HIPAA does not apply to health information maintained in employment records, such as sick leave forms or workplace injury reports.
Are there penalties if employers misuse PHI obtained through a group health plan?
Yes, improper use of PHI, such as for employment-related decisions, can result in HIPAA violations and legal consequences for the group health plan, even if the employer is not directly a covered entity.
Are electronic health records (EHRs) used by the group health plan subject to HIPAA?
Yes, any electronic health records (EHRs) maintained or transmitted by a group health plan must comply with the HIPAA Security Rule, requiring safeguards like encryption and access controls.