A health plan, according to HIPAA, is any individual or group plan that provides or pays for medical care, which can encompass a wide range of insurance and healthcare coverage options. It includes private health insurance plans and government programs like Medicare and Medicaid. HIPAA regulations establish rules and standards to protect the privacy and security of individuals' health information within these health plans.
According to the HIPAA Administrative Simplification Regulations, a "Health plan means an individual or group plan that provides, or pays the cost of, medical care."
This definition includes a wide range of plans, both individual and group-based, that offer coverage for healthcare services. Some of the specific types of plans that fall under the definition of a health plan include:
Group health plan: An employee welfare benefit plan that provides medical care to employees or their dependents. It can be an insured or self-insured plan and is typically administered by an entity other than the employer.
Health insurance issuer: An insurance company, service, or organization that is licensed to engage in the business of insurance and is subject to state or other laws that regulate insurance.
Health maintenance organization (HMO): A federally qualified HMO, an organization recognized as an HMO under state law, or a similar organization regulated for solvency under state law.
Medicare: This includes Part A and Part B of the Medicare program under Title XVIII of the Act, which provides health coverage for individuals aged 65 and older or individuals with disabilities.
Medicaid: A Medicaid program under Title XIX of the Act, which provides health coverage for low-income individuals and families.
Medicare supplemental policy: This includes policies that supplement Medicare coverage and are defined in section 1882(g)(1) of the Act.
Long-term care policy: This refers to policies that provide coverage for long-term care services, excluding nursing home fixed indemnity policies.
Employee welfare benefit plan: Any arrangement established or maintained to offer or provide health benefits to the employees of two or more employers.
Uniformed services health care program: This is the health care program for uniformed services under Title 10 of the United States Code.
Veterans health care program: This includes the health care program under 38 U.S.C. chapter 17, which provides medical care for eligible veterans.
Indian Health Service Program: The Indian Health Service Program under the Indian Health Care Improvement Act, providing health care services to Native Americans.
Federal employees' health benefits program: The health benefits program for federal employees under 5 U.S.C. 8902, et seq.
State child health plan: Approved state child health plans under Title XXI of the Act, providing child health assistance that meets specific requirements.
Medicare Advantage Program: The Medicare Advantage Program, under Part C of Title XVIII of the Act, providing health coverage through private insurance companies.
High-risk pool: A mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals who have difficulty obtaining coverage due to health conditions.
Other individual or group plans: This category includes any other individual or group plan, or combination of plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
Note that the definition of a health plan excludes certain types of policies, plans, or programs. These exclusions include policies that provide excepted benefits and government-funded programs whose principal purpose is not providing health care or whose principal activity is the direct provision of health care or making grants to fund the direct provision of health care.
On July 26, 2024, United of Omaha Life Insurance Company, a health plan under Mutual of Omaha, reported a data breach involving an employee email account that exposed the information of 107,894 individuals, including protected health information (PHI). The breach was discovered on April 23, 2024, following unusual activity in the employee's email account, which was traced to a phishing campaign targeting the company's employees.
The breach, occurring between April 21 and April 23, 2023, compromised names, Social Security numbers, addresses, dates of birth, driver’s license numbers, employment details, and health information. In response, United of Omaha reset passwords, hired cybersecurity specialists, reported the fraudulent domain, and re-trained employees on phishing detection and reporting. Affected individuals were notified via letters sent on July 26, 2024.
Phishing tactics exploit perceived sender legitimacy, personal habits, emotional triggers, and misplaced reliance on security tools to catch malicious mail, making it difficult to distinguish fraudulent emails from legitimate ones. Health plans are particularly vulnerable because of the volume of PHI they handle and the risk of security fatigue among staff who process large numbers of messages.
Health plans should implement policies, procedures, and safeguards to protect the privacy and security of PHI, train employees on HIPAA requirements, conduct risk assessments and audits to identify vulnerabilities, and establish processes for responding to breaches or complaints related to HIPAA compliance.
While HIPAA's privacy and security rules generally apply to all health plans, there are certain exceptions and modifications for specific types of plans. For example, HIPAA includes special provisions for certain government-sponsored health plans, such as those offered by Indian Health Service (IHS) facilities or federal correctional institutions.