Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, Medicare Choice, Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government, church-sponsored health plans, and multi-employer health plans.
There are exceptions—a group health plan with less than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs that are not health plans: (1) those whose principal purpose is not providing or paying the cost of healthcare, such as the food stamps program; and (2) those programs whose principal activity is directly providing healthcare, such as a community health center, or the making of grants to fund the direct provision of healthcare. Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity concerning the health plan line of business.