NCW Insurance: News, Articles & Events

Understanding When a Company is Required to Comply with HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) seems to cause confusion among employers. They tend to believe that they have a great deal of responsibility under the HIPAA rules simply because they offer a group health plan to employees, hold information about individual employees' enrollment in a group health plan, and/or receive employee medical information in the course of employment.


It is important to understand the purpose of the HIPAA Privacy Rule: who within the organization may or may not have access to protected information, the privacy and security standards that must be maintained, and the other measures employers must take in order to comply with the law.


To maintain compliance, it is critical to understand who is required to comply with the medical Privacy Rules under the law. These Rules include the following in the definition of covered entities:


A Health Care Provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

…but only if they transmit any information in an electronic format in connection with a transaction for which HHS has adopted a standard.

A Health Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.



If a covered entity contracts with a non-covered entity to perform some of its essential functions (e.g., an insurance broker or a company that stores documents containing medical information), the non-covered entity becomes what is considered a "business associate" and therefore will be treated as a covered entity for the purposes of HIPAA compliance.


According to guidance from Health and Human Services (HHS), any group health plan with fewer than 50 participants that is administered solely by the employer is not considered a covered entity and is therefore exempt from compliance with the Privacy Rule requirements of HIPAA. A group health plan is actually a separate legal entity from an employer and therefore is not considered a covered entity.

If an employer sponsors a fully insured health plan, the burden of compliance with HIPAA is typically shifted to the insurance carrier. The carrier is generally the one with access to employee/patient protected health information (PHI). A company that sponsors a self-insured plan is more likely to have access to PHI and therefore would be required to protect such PHI in accordance with HIPAA privacy and security rules.


Another factor to consider when trying to determine a company's responsibilities is the type of information that the company or its employees have access to and whether it would be considered PHI under the HIPAA rules. Plan enrollment and disenrollment information is not considered PHI. De-identified information received by the employer is not PHI.


Self-funded health plans may receive or have access to PHI in order to perform the administrative functions for the plan.


Only when a company determines that it must comply with the privacy rules of HIPAA does it need to take steps such as:

  • Designating a Privacy Officer for the company;
  • Preparing and distributing a Notice of Privacy Practices as required by HIPAA;
  • Amending group health plans and implementing the amendments;
  • Establishing policies and procedures designed to ensure compliance;
  • Entering into business associate agreements with all third parties who receive PHI; and
  • Training the workforce with regard to HIPAA compliance.

A company can be both an employer that sponsors a health plan and a covered entity if the company is, for example, a health care provider. In that case, its compliance obligations as an employer offering a health plan will differ from what is required of the business as a covered entity: ensuring that patient PHI is protected and that the policies and procedures HIPAA requires of a covered entity are in place.


The US Department of Health and Human Services (HHS) website has a HIPAA for Professionals section with frequently asked questions regarding HIPAA compliance. The site is: and can be a good resource for other questions that may not be addressed in this month's HR Clinic.


Source: HR Workplace Services