45 CFR Section 164.530(k) provides an exception for many administrative
safeguards under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) if an employer sponsors an insured group health plan
that does not create, maintain, or receive "protected health
information" (PHI). Under this exception, the group health plan
is not required to maintain or provide privacy notices or comply with
any of HIPAA's administrative safeguard provisions except for the
prohibitions against intimidating or retaliatory acts and against
requiring a waiver of HIPAA rights. Because the insurance company
providing the health benefits is considered a "covered entity", it must
meet these HIPAA requirements. This exception still applies even
if the insurance company provides the employer sponsoring the health
plan with summary health information and enrollment/disenrollment
information.