
Awareness article

Health Plan: HIPAA Definition for Small Clinics

The HIPAA definition of a health plan, the types of plans included, the small employer exception, and why the definition matters for covered entity determination.

Short answer

A health plan under HIPAA is an individual or group plan that provides or pays the cost of medical care. 45 CFR § 160.103. Health plans are one of three types of covered entities and include employer group health plans, health insurance issuers, Medicare, Medicaid, HMOs, and PPOs, subject to a small employer exception.

A health plan is an individual or group plan that provides or pays the cost of medical care. 45 CFR § 160.103 defines the term and enumerates the types of plans that qualify. Health plans are one of the three types of HIPAA covered entities - the payer category. They receive claims from your clinic, process eligibility inquiries, and authorize referrals. Understanding what constitutes a health plan clarifies when and how PHI may be disclosed in the course of billing and payment activities.

Small-clinic example: A 4-provider internal medicine practice submits claims to Blue Cross Blue Shield and to Medicare. Both are health plans - covered entities in their own right. Your clinic’s disclosures to them for payment purposes are permissible without patient authorization under HIPAA’s TPO framework. But a request from either health plan that goes beyond payment - for example, requesting records for marketing analytics - requires patient authorization.

The Regulatory Definition

Under 45 CFR § 160.103, a health plan means an individual or group plan that provides or pays the cost of medical care, including the items and services listed in 42 U.S.C. 300gg-91(a)(2). The regulation then enumerates specific types of plans that qualify.

Health plans include:

Government-sponsored programs:

  • Medicare (Parts A, B, C, and D)
  • Medicaid
  • Medicare Supplement (Medigap) insurance
  • Medicare+Choice programs
  • The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS/TRICARE)
  • The Federal Employees Health Benefits Program (FEHBP)
  • Indian Health Service programs
  • State Children’s Health Insurance Program (CHIP)

Employer-sponsored plans:

  • Employer-sponsored group health plans (fully insured and self-insured)
  • Multi-employer welfare arrangement group health plans
  • Issuers of health insurance

Commercial carriers:

  • Health insurance issuers
  • Health maintenance organizations (HMOs)
  • Preferred provider organizations (PPOs)
  • Point-of-service plans
  • Dental and vision plans that are part of a comprehensive health plan

Long-term and supplemental:

  • Long-term care insurers (subject to certain exclusions)
  • Medical savings accounts and health savings accounts (when sponsored by covered plans)

The Small Employer Exception

Not every employer-sponsored group health plan is a covered entity. 45 CFR § 160.103 explicitly exempts group health plans that meet two conditions:

  1. The plan has fewer than 50 participants (as defined under ERISA § 3(7)), and
  2. The plan is administered solely by the employer that established and maintains the plan

This means a small business that self-insures its group health coverage for, say, 30 employees and handles all plan administration internally - with no involvement from an external insurance company, third-party administrator, or claims processor - is not a HIPAA covered entity as a health plan.

In practice, this exception is narrowly applied. Most employer health plans - even at small employers - involve external insurers or third-party administrators that handle claims, eligibility verification, or other administrative functions. Once a third party is involved in administration, the plan loses the exception.

For a small medical clinic that sponsors health coverage for its own employees: if the coverage is provided through a commercial insurance carrier or a third-party administrator handles claims, those entities are covered entities. Your clinic as employer is not a covered entity by virtue of sponsoring the health plan.

How Health Plans Interact with Your Clinic

Your clinic will encounter health plans primarily in the context of billing and payment operations. When you submit a claim to Medicare, Medicaid, or a commercial insurer, you are disclosing PHI to a health plan. That disclosure is permissible under the HIPAA Privacy Rule’s treatment, payment, and healthcare operations framework (45 CFR § 164.502(a)(1)(ii)) - no patient authorization is required.

This interaction creates specific compliance considerations:

PHI disclosed in claims. Every claim submission includes PHI: patient name, date of birth, diagnosis codes, procedure codes, and service dates at minimum. This PHI is disclosed to the health plan for payment purposes, which is permitted without authorization.

Health plan audits. Health plans conduct claim audits and utilization reviews. When a health plan requests records for audit purposes, the disclosure is permissible under the payment and healthcare operations categories - but only to the extent of the minimum necessary PHI for the audit purpose.

Coordination of benefits. When a patient has multiple health plans, your clinic may need to coordinate benefits between plans. PHI disclosures for this purpose are governed by the payment provisions of the Privacy Rule.

Health plan requests that exceed permissible disclosure. If a health plan requests PHI for a purpose that does not fall within treatment, payment, or healthcare operations - for example, requesting records for marketing analytics - the disclosure requires patient authorization. Not every request from a health plan is automatically permissible.

Health Plans as Business Associates

Health plans are covered entities in their own right, not business associates of healthcare providers. Your clinic does not enter into a Business Associate Agreement with a health plan to which it submits claims - the BAA framework applies to vendors who handle PHI on behalf of the covered entity, not to other covered entities with whom the provider has a payment relationship.

This distinction matters: if a health plan discloses PHI inappropriately, OCR investigates the health plan as a covered entity - not your clinic that submitted the original claim. Your compliance obligation is to ensure you disclose only the minimum necessary PHI for the covered purpose when submitting claims.

For context on the full covered entity framework including how providers, plans, and clearinghouses interact, see covered entity vs business associate.

Understanding the health plan definition helps your clinic recognize when PHI disclosures are permissible without authorization, when minimum necessary limits apply, and how to respond to health plan requests that exceed permissible disclosure purposes. PHIGuard’s HIPAA compliance tools help clinics manage these boundaries. See PHIGuard’s HIPAA page.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.

FAQ

Questions related to this topic

Is Medicare a covered entity under HIPAA?

Yes. Medicare is a federal health program that provides or pays for medical care and is explicitly included in the HIPAA definition of health plan. Medicare Part A, Part B, and Part D plans are covered entities. The Centers for Medicare & Medicaid Services (CMS) is bound by HIPAA as the administrator of Medicare.

Does our clinic become a health plan if we offer employee health insurance?

Generally no. A small clinic that offers group health coverage to its own employees through a commercial insurer is sponsoring a group health plan. The insurer administering that plan is a health plan covered entity. The clinic as employer may have plan administration obligations under ERISA, but the HIPAA covered entity status flows to the insurer, not the clinic as an employer. An important exception: if the clinic self-insures and administers the plan itself, the self-insured plan may itself be a covered entity.

Why does knowing whether an insurer is a covered entity matter for my clinic?

When your clinic shares PHI with a health plan for payment purposes - submitting a claim, verifying eligibility, responding to an audit - that disclosure is permissible under HIPAA's treatment, payment, and healthcare operations framework. The health plan's status as a covered entity provides a regulatory basis for that disclosure. If you were sharing PHI with an entity that was not a covered entity, different rules and a potentially higher authorization burden would apply.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.
