Are health plan sponsors covered entities?

The Health Insurance Portability and Accountability Act (HIPAA), enacted under Public Law 104-191 and codified across 45 CFR Parts 160, 162, and 164, establishes rules around the privacy and security of protected health information (PHI). Central to HIPAA's framework is the concept of the "covered entity", which is the category of organizations bound by the law's requirements.

Under 45 CFR § 160.103, covered entities fall into three primary categories:

  • Health plans - including individual and group health plans, insurance companies, HMOs, and employer-sponsored health plans that meet certain criteria.
  • Healthcare providers - doctors, hospitals, clinics, pharmacies, and any provider that transmits health information electronically in connection with HIPAA-covered transactions.
  • Healthcare clearinghouses - entities that process nonstandard health information into standard formats.


Health plans vs. health plan sponsors

A health plan is the benefit program itself, the arrangement through which healthcare benefits are provided. Under 45 CFR § 160.103, an employer-sponsored group health plan is a covered entity when it has 50 or more participants or is administered by an entity other than the employer.

A health plan sponsor, on the other hand, is the employer or organization that establishes and maintains the health plan. In most cases, the plan sponsor, for example, a mid-sized company offering health benefits to its employees, is not itself a covered entity.

Because the sponsor is not a covered entity, HIPAA's Privacy Rule does not apply to it directly in the way it applies to the health plan. The same organization may act both as the employer (not covered) and as the plan administrator (potentially covered), and the rules govern what information may flow between those two roles.

Importantly, as a 2004 analysis published in Report on Patient Privacy by Brian D. Gradle of Hogan & Hartson, LLP noted, HIPAA's privacy rule cuts through "any business, regardless of its size, location or industry," meaning that employers can be liable under HIPAA when they sponsor group health plans.


What happens when a sponsor also administers the plan?

Some employers self-administer their health plans, especially in smaller organizations. In these situations, the employer acts as both the plan sponsor and the plan administrator.

When an employer performs administrative functions on behalf of the health plan, such as processing claims, making eligibility determinations, or reviewing appeals, it steps into a role that involves handling PHI. HIPAA's regulations recognize this complexity through 45 CFR § 164.504(f), which imposes specific requirements to manage it.

Under 45 CFR § 164.504(f)(2), if a plan sponsor wants to receive PHI from the health plan for plan administration purposes, the plan documents must be amended to include specific provisions. These provisions must:

  • Establish the permitted uses and disclosures of PHI by the plan sponsor
  • Require the plan sponsor to implement appropriate safeguards
  • Prohibit the sponsor from using or disclosing PHI for employment-related decisions (45 CFR § 164.504(f)(2)(ii)(C))
  • Require the sponsor to report any unauthorized uses or breaches to the plan (45 CFR § 164.504(f)(2)(ii)(D))
  • Ensure that employees performing plan administration functions are separated from those making employment decisions (45 CFR § 164.504(f)(2)(iii))

This structural separation is a requirement designed to prevent an employer from using an employee's health information, obtained through the health plan, to make discriminatory employment decisions.

To show how these obligations play out in practice, the 2004 Report on Patient Privacy analysis offered five instructive scenarios. A small, self-administered plan with fewer than 50 participants, such as a car dealership with 37 enrolled employees, falls outside the definition of a group health plan and faces no privacy rule obligations. On the other hand, a large self-insured employer that self-administers its plan faces a compliance burden that includes appointing a Privacy Officer, training staff, disseminating notices of privacy practices, executing business associate agreements, and amending plan documents before any PHI can flow to the plan sponsor.


The firewall requirement

HIPAA demands what compliance professionals often call a "firewall" between an employer's role as a plan sponsor and its role as an employer, as outlined under 45 CFR § 164.504(f)(2)(iii). Sensitive health data flowing through the plan must not leak into HR decision-making, performance reviews, or termination processes.

In practical terms, this means:

  • Designated employees who handle PHI for plan administration must be identified in plan documents
  • Those employees must receive HIPAA training consistent with 45 CFR § 164.530(b)
  • Access to PHI must be limited to those with a legitimate need for plan administration purposes (45 CFR § 164.514(d))
  • Policies and procedures must be in place to prevent misuse (45 CFR § 164.530(c)(2))

The Report on Patient Privacy analysis notes that this separation exists to ensure PHI is never used for employment-related purposes. Failure to maintain this separation is not only a HIPAA violation; it can also constitute a violation of other federal laws, including:

  • The Americans with Disabilities Act (ADA), 42 U.S.C. § 12112, which prohibits disability-based employment discrimination.
  • The Genetic Information Nondiscrimination Act (GINA), 29 CFR Part 1635, which prohibits the use of genetic information in employment decisions.


Third-party administrators and business associates

Some employers sidestep much of this burden by hiring a Third-Party Administrator (TPA) to handle plan administration. In this arrangement, the TPA processes claims and manages PHI. Under 45 CFR § 160.103, the TPA qualifies as a business associate of the health plan and must sign a business associate agreement (BAA) with the covered entity (the plan), as required by 45 CFR § 164.504(e).

However, as the 2004 Report on Patient Privacy analysis cautions, using a TPA does not insulate a group health plan from its status as a covered entity. The plan remains subject to HIPAA's full requirements, and the employer must still ensure the BAA is properly in place and that the TPA is fulfilling its obligations. If the employer retains any plan administration responsibilities, such as handling benefit claim appeals, it must also have amended its plan documents and taken the other administrative steps required before PHI can lawfully flow from the TPA to the sponsor. Where those steps have not been taken, PHI disclosures should be limited to summary health information and enrollment or disenrollment data.

This arrangement does not eliminate the employer's obligations entirely, but it reduces the volume of PHI the employer itself handles.


Fully insured vs. self-insured plans

The covered entity analysis also differs depending on whether a plan is fully insured or self-insured.

For fully insured plans, the insurance company (not the employer) is the covered entity. Under 45 CFR § 164.504(f)(1)(ii), the employer-sponsor normally receives summary health information for purposes like amending the plan or obtaining premium bids, and may receive information on whether an individual is participating in the plan. In this structure, the employer's HIPAA exposure is minimal, and, as the Report on Patient Privacy analysis notes, it is the insurer that bears primary responsibility for privacy rule compliance, including issuing notices of privacy practices and entering into business associate contracts.

For self-insured plans, the health plan itself is the covered entity under 45 CFR § 160.103, and the employer takes on the responsibility, especially if it is also self-administering. This is where policies, staff training, and proper plan documentation are needed.


Takeaways for plan sponsors

Navigating the covered entity question requires clarity about roles, responsibilities, and plan structure. Here is a summary:

  • Health plan sponsors are generally not covered entities under 45 CFR § 160.103, but the health plans they sponsor may be.
  • When sponsors perform plan administration functions, they are subject to the specific requirements of 45 CFR § 164.504(f) governing how they handle PHI.
  • Plan documents must be amended to authorize the flow of PHI from the plan to the sponsor, with conditions as set out in 45 CFR § 164.504(f)(2).
  • A firewall between plan administration and HR functions is a legal requirement under 45 CFR § 164.504(f)(2)(iii).
  • Self-insured employers carry more compliance risk than those with fully insured plans.


FAQs

What is the easiest way for an employer to reduce its HIPAA exposure?

Hiring a Third-Party Administrator to handle plan administration reduces the volume of PHI an employer directly handles.


Can an employee find out if their health information was shared with their employer?

Employees have rights under HIPAA to request an accounting of certain disclosures of their health information.


What happens if an employer violates the firewall requirement?

Violations can trigger regulatory penalties under HIPAA and potential liability under other federal laws such as the ADA and GINA.


Does HIPAA cover retirees on a company health plan?

Retirees who participate in an employer-sponsored group health plan are considered participants and their PHI is subject to the same protections as current employees.
