HR Q&A: Who is Governed by the HIPAA Privacy Rules?

By The Bailey Group Staff
Published May 24, 2013

The HIPAA Privacy Rules apply to Covered Entities. Covered Entities include:

  • Health plans
  • Health care clearinghouses
  • Health care providers that conduct certain transactions electronically

The HIPAA Privacy Rules do not directly regulate an employer sponsoring a group health plan. Only the health plan is directly regulated. However, where the plan sponsor has access to Protected Health Information (PHI) related to the administration of the health plan, it must comply with the requirements of the HIPAA Privacy Rules.

Self-administered, self-funded group health plans with fewer than 50 participants are not required to comply with the HIPAA Privacy Rules. In addition, the following benefits are not subject to the HIPAA Privacy Rules:

  • Accident-only
  • Disability income
  • Liability insurance
  • Life insurance
  • Worker’s compensation

Many aspects of the HIPAA Privacy Rules apply directly to Business Associates. A Business Associate is an entity that performs a function or activity for a Covered Entity or provides certain services for a Covered Entity and has access to PHI. The HIPAA Privacy Rules require Covered Entities and Business Associates to enter into an agreement regarding the protection of PHI. The HIPAA Privacy Rules also specify the provisions that must be contained within a Business Associate agreement.

Note: The benefits excluded under the Privacy Rules differ from those excluded under the nondiscrimination, pre-existing condition and special enrollment provisions of HIPAA (for example, limited-scope dental and vision plans are subject to the HIPAA Privacy Rules).