No, not all small health plans must comply with the HIPAA Privacy Rule. Specifically, an employee welfare benefit plan with fewer than 50 participants, administered directly by the employer, is exempt from the HIPAA Administrative Simplification requirements, including the Privacy Rule.
According to the HIPAA Administrative Simplification Regulations, "Health plan means an individual or group plan that provides, or pays the cost of, medical care." Small health plans are generally those with fewer resources and participants than larger employer-sponsored health plans. Typical examples include health plans offered by small businesses or limited employee benefit plans that cover a small number of employees. Despite their size, many of these plans are still classified as HIPAA covered entities.
The HIPAA Administrative Simplification requirements set standards for covered entities to protect the privacy and security of patients’ protected health information (PHI). These standards apply to health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions. The Privacy Rule ensures that PHI remains confidential, allowing disclosure only under permitted circumstances such as treatment, payment, and healthcare operations.
Health plans, as covered entities, are responsible for protecting PHI and ensuring it is accessed or shared only with appropriate safeguards in place. However, HIPAA exempts certain small health plans that meet specific criteria, meaning they do not fall under these stringent Privacy Rule requirements.
According to HIPAA, "an employee welfare benefit plan that has less than 50 participants and is administered by the employer that establishes and maintains the plan is not a HIPAA covered entity." This exemption, as stated in the regulation at 45 CFR 160.103, excludes such plans from the Administrative Simplification requirements, including the Privacy Rule.
For instance, a small business with fewer than 50 employees that offers a health reimbursement plan and manages it internally, without outsourcing to a third-party administrator, would likely be exempt from HIPAA requirements under this rule. However, this exemption only applies if the plan is administered entirely by the employer. If an employer hires a third-party administrator to manage the plan, HIPAA compliance is still required.
For plans that qualify as exempt:
Although not legally required, exempt plans can still benefit from implementing privacy practices to safeguard employee information and build trust:
On July 26, 2024, United of Omaha Life Insurance Company, a health plan under Mutual of Omaha, reported a data breach involving an employee email account that exposed the information of 107,894 individuals, including protected health information (PHI). The breach was discovered on April 23, 2024, following unusual activity in an employee's email account, which was traced to a phishing campaign targeting the company's employees.
Phishing tactics exploit perceived sender legitimacy, personal habits, emotional triggers, and reliance on security tools, making it challenging to distinguish fraudulent emails from legitimate ones. Health plans are particularly vulnerable due to the volume of PHI they handle and the risk of security fatigue.
Yes, small health plans exempt from HIPAA can choose to adopt compliance measures voluntarily to improve data security and privacy, which can enhance employee trust and reduce liability risks.
Failure to protect employee health information can lead to breaches of confidentiality, loss of employee trust, and potential legal liabilities, including claims of negligence or violation of state privacy laws.
Even if exempt from HIPAA, small health plans should consider obtaining employee consent for collecting and using health information to build trust.