While small health plans have some exemptions and reduced regulatory burdens under HIPAA compared to larger health plans, core provisions still ensure the protection of individuals' health information and the integrity of electronic healthcare transactions.
When does HIPAA apply to health plans?
HIPAA applies to health plans when they meet certain criteria. Specifically, HIPAA applies to health plans that provide, pay for, or manage medical care in electronic form during financial or administrative activities related to healthcare. This includes health plans that handle electronic health information for processing claims, making payments, checking eligibility, and more. If a health plan uses electronic methods for certain healthcare-related transactions, it falls under the regulations and requirements of HIPAA to protect the privacy and security of individuals' health information.
These include:
- Group Health Plans
- Health Insurance Issuers
- Health Maintenance Organizations (HMOs)
- Medicare
- Medicaid
- Medicare Supplemental Policy Issuers
- Long-Term Care Policy Issuers
- Employee Welfare Benefit Plans
- Active Military Personnel Health Care Program
- Veterans Health Care Program
- Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
- Federal Employees Health Benefits Program
- State Child Health Plan (Title XXI)
- Medicare+Choice Program
- High-Risk Pools
- Other Individual or Group Plans
See also: HIPAA and health plan marketing
What qualifies as a small health plan?
As defined in HIPAA, a small health plan is a health plan with annual receipts of $5 million or less. In simpler terms, it refers to a health insurance or benefits plan that has a relatively small financial scale, meaning it either receives or pays out $5 million or less annually. This classification helps differentiate smaller health plans from larger ones for regulatory purposes under HIPAA.
HIPAA and small health plans
HIPAA does not apply to small health plans primarily due to the practicality of regulatory compliance. Small health plans, defined as those with annual receipts of $5 million or less, are exempted from some requirements under HIPAA because imposing the same rigorous regulations on them as larger plans might be administratively burdensome and costly for these smaller entities.
By exempting them, HIPAA aims to balance safeguarding individuals' health information and recognizing the limited resources and scale of smaller health plans. This exemption helps prevent potential barriers to healthcare access and affordability that might arise if all health plans, regardless of size, were subjected to the same stringent regulations. However, small health plans are still required to comply with HIPAA's core privacy and security provisions, ensuring a baseline level of protection for individuals' health information.
Which provisions of HIPAA still apply to small health plans?
- Privacy rule: Small health plans must comply with the HIPAA Privacy Rule, which governs the use and disclosure of protected health information (PHI), including individuals' rights to access and control their PHI.
- Security rule: Small health plans are also required to adhere to the HIPAA Security Rule, which outlines standards for securing electronic PHI (ePHI) to protect it from unauthorized access or breaches. This includes secure transmission such as HIPAA compliant email.
- Transaction standards: Small health plans must follow HIPAA's transaction standards when conducting electronic healthcare transactions, such as processing claims and checking eligibility.
- National provider identifier (NPI): Small health plans must use National Provider Identifiers (NPIs) for electronic healthcare transactions, ensuring standardized identification of healthcare providers.
- Enforcement and penalties: Small health plans remain subject to HIPAA enforcement and penalties for non-compliance, including investigations and potential fines for violations.
See also: What are HIPAA's special enrollment rights?
Kirsten Peremore
