HIPAA Compliance for Insurance Brokers
HIPAA compliance for insurance brokers acting on behalf of a HIPAA-covered health plan consists of complying with the HIPAA Security and Breach Notification Rules and any parts of the HIPAA Administrative Simplification Regulations relevant to their activities on behalf of a health plan.
Medical insurance brokers do not meet the definition of a HIPAA Covered Entity because, although they may create, receive, or maintain individually identifiable health information, they do so on behalf of a health plan. Under HIPAA, the health plan is the Covered Entity, and the insurance broker – acting as an intermediary between the health plan and the plan member – is a Business Associate.
As a Business Associate, HIPAA compliance for insurance brokers consists of complying with the HIPAA Security Rule and any Privacy Rule and Breach Notification requirements included in a Business Associate Agreement. However, insurance brokers can act as intermediaries for multiple health plans simultaneously – each of which may have unique Business Associate requirements.
Some Insurance Products are Exempted from HIPAA
It is also recommended that medical insurance brokers understand which of the information they create, receive, or maintain is covered by HIPAA. Under §160.103 of the HIPAA Administrative Simplification Regulations, the definition of a health plan excludes “any policy, plan, or program […] listed in §2791(c)(1) of the Public Health Service Act.” Exempted policies, plans, and programs include:
- Coverage only for accident, or disability income insurance, or any combination thereof.
- Coverage issued as a supplement to liability insurance.
- Liability insurance, including general liability insurance and automobile liability insurance.
- Workers’ compensation or similar insurance.
- Automobile medical payment insurance.
- Credit-only insurance.
- Coverage for on-site medical clinics.
- Other similar insurance coverage under which benefits for medical care are secondary or incidental to other insurance benefits.
Other insurance-related exemptions in HIPAA occur when a group health plan purchases insurance from a health insurance issuer or a Health Maintenance Organization (HMO) – because the relationship is defined by the Privacy Rule as an Organized Health Care Arrangement (OHCA) – and when a Covered Entity purchases a health plan (or other insurance) directly from an insurer.
Recommended HIPAA Compliance for Insurance Brokers
While not required to have a full understanding of the HIPAA Privacy and Breach Notification Rules, it is recommended that insurance brokers be familiar with these HIPAA Rules in addition to the Security Rule – notwithstanding that most states have adopted similar Privacy and Breach Notification requirements to comply with Title V of the Gramm-Leach-Bliley Act (GLBA).
Because states have adopted GLBA standards in different ways, because health plans may have unique Business Associate requirements, and because some states have adopted privacy laws that extend beyond their state boundaries (i.e., California's Consumer Privacy Act and Texas' Medical Records Privacy Act), there is no “one-size-fits-all” HIPAA compliance for insurance brokers.
Consequently, insurance brokers acting as intermediaries for medical insurance products not exempted from HIPAA should seek professional compliance advice with regard to what state and federal laws they are required to comply with, and how best to comply with them. There have been several significant data breaches involving insurance brokers, and although no brokers have yet been issued with a financial penalty for violating HIPAA, the corrective actions that have had to be implemented are both disruptive to the brokerage's operations and costly.
