Application of HIPAA to
Fully Insured Employer-Sponsored Health Plans

Prepared for the Coalition by Robert D. Belfort, of Manatt, Phelps, and Phillips, LLP.
March 12, 2003

You have asked me to provide guidance regarding the extent to which the HIPAA privacy and transactions/code sets rules apply to the type of employee health benefit plans sponsored by the Coalition of Behavioral Health Agencies as well as its member organizations. You have advised me that all of these benefit plans are fully insured, i.e., they purchase commercial health insurance policies from state-licensed insurers, such as insurance companies or HMOs, rather than self-insuring. You have also indicated that the benefit plans do not receive protected health information from the insurers from which they purchase coverage.

The Privacy Rule

In addition to covering health care providers, HIPAA applies to "health plans," a term that is defined to include 17 types of entities, one of which is any "group health plan." The term "group health plan," in turn, is defined as:

"An employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care ... to employees or their dependents directly or through insurance, reimbursement or otherwise." 45 C.F.R. § 160.103.

The only exception to the above definition is for employer health benefit plans that cover fewer than 50 employees and are self-administered by the employer. Such plans are extremely rare; it is assumed for the purposes of this memo that neither the Coalition nor any of its member agencies self-administer health benefit plans covering fewer than 50 employees. Thus, the employee health benefit plans maintained by the Coalition and its member agencies are "group health plans" and therefore are covered entities under HIPAA.

However, the Privacy Rule states that a group health plan is exempt from complying with virtually all of the Privacy Rule’s requirements if:

  • The group health plan provides health benefits solely through an insurance contract with a state-licensed insurer or HMO; and
  • The group health plan does not create or receive protected health information other than summary health information (e.g., aggregated data that does not facially identify individuals) and enrollment/disenrollment information.

45 C.F.R. § 164.530(k)(1).

Any group health plan meeting both of the above criteria is exempt from: (1) designating a privacy officer; (2) providing privacy training to its employees; (3) establishing safeguards for protected health information; (4) adopting a process for handling privacy-related complaints; (5) imposing appropriate sanctions on employees who violate privacy requirements; (6) mitigating the effects of improper disclosures; and (7) adopting privacy policies and procedures. The only obligations of these group health plans under the Privacy Rule are to:

  • Refrain from engaging in "intimidating or retaliatory acts"; and
  • Refrain from requiring individuals to waive their rights in order to receive coverage.

As indicated above, it is assumed that the employee health benefit plans sponsored by the Coalition and its member agencies all provide coverage through commercial insurance contracts and that they do not create or receive protected health information. If this is the case, the employee health plans sponsored by the Coalition and its member agencies have extremely limited obligations under the Privacy Rule.

The Transactions/Code Sets Rule

The transactions/code sets rule also applies to "group health plans." The rule requires group health plans that conduct specified transactions electronically to use standardized formats and codes with respect to such transactions. The transactions include the submission and payment of claims, claims status inquiry, verification of eligibility, pre-certification of services, coordination of benefits, payment of premiums and submission of enrollment/disenrollment information. See 45 C.F.R. Part 162.

As indicated above, state-licensed insurers are responsible for all operational aspects of the group health plans maintained by the Coalition and its member agencies, including the performance of the electronic transactions noted above. Because the group health plans do not conduct any transactions on their own, they are not directly affected by the transactions/code sets rule.

It is worth noting that, in their capacity as employers (who are referred to as "plan sponsors" under HIPAA), the Coalition and its member agencies may transmit premium payments or enrollment information electronically to the insurers providing coverage. However, HHS has indicated in guidance documents that, because plan sponsors (i.e., employers) are not covered entities under HIPAA, their use of the HIPAA premium payment and enrollment transaction formats is voluntary.

If you have questions, please contact Patricia Gallo Goldstein at 212-742-1600 ext. 106 or Karyn Krampitz at 212-742-1600 ext. 210.