Does HIPAA Apply To Me?

START: Are you an employer of any size that offers a group health plan?

    No  -> STOP. HIPAA does not apply to you.

    Yes -> Are there fewer than 50 participants eligible for your group health plan?

        Yes -> Do you self-administer your plan (i.e., you do not use a third-party administrator)?

            Yes -> STOP. HIPAA does not apply to you. (A group health plan with fewer than 50 participants that is administered solely by the employer is not a "health plan" under HIPAA.)

            No  -> Continue to the next question.

        No  -> Continue to the next question.

Do you offer any of the following types of plans: major medical, dental, prescription drug, vision, health FSA, HRA, EAP, wellness program, or any other type of plan that pays for the cost of medical care?

    No  -> STOP. HIPAA does not apply to you.

    Yes -> Are any of the plans you offer self-funded?

        Yes -> STOP. You must comply with HIPAA.

        No  -> For your fully-insured plans, do you have access to any protected health information (PHI) beyond summary health information or enrollment/disenrollment information?

            Yes -> STOP. You must comply with HIPAA.

            No  -> STOP. You are largely exempt from the HIPAA Privacy and Security regulations, but you still have some compliance obligations, including making sure certain security requirements are met. And remember that if any of your plans are self-funded, all of HIPAA's requirements still apply!

Note on PHI: Protected Health Information (PHI) is any information relating to the past, present or future physical or mental health of an individual (e.g., an active or terminated employee, spouse or dependent) that includes individually identifiable information such as name, address, SSN, participant identifier, etc. Summary health information and bare enrollment/disenrollment information do not count as PHI for the purpose of the question above.