Medical Privacy: HIPAA: Covered Employer: Does my status as an employer make me a “covered entity” for the purposes of HIPAA privacy?

Jun 15, 2016

No, an employer is not defined as a covered entity based solely on being an employer unless it has a self-insured group health care plan. However, when an employer sponsors an ERISA health plan, the entity administering the employee health plan is the "covered entity." Employers that are exempt from the covered entity designation include those that do not receive or create protected health information (PHI) and employers that offer group health plans using HMOs or insurance company products exclusively.

Covered entities, as defined by the Department of Health and Human Services (DHHS), are health care providers that handle various business transactions, health care clearinghouses such as health care management organizations, and health plans.

Flexible spending plans, vision plans, dental plans and cafeteria plans may be considered covered entities if they pay for medical care and satisfy the ERISA definition of an employee welfare benefit plan. The Employment Retirement Income Security Act (ERISA) views insured and self-insured group health plans as "employee welfare benefit plans." Assuming the plan provides medical care, it would be considered a covered entity. If the plan is self-administered and has fewer than 50 participants, it is not considered a covered entity.

Express Requests 

The HR Knowledge Center has gathered resources on current topics in HR Management. Click here to view and request information.


Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect