Does HIPAA's 'health plan' definition cover North Carolina state agencies like the Divisions of Aging, Vocational Rehabilitation, and Services for the Blind?

Plain-English summary

Bill Cox at the NC Department of Health and Human Services asked the AG to interpret HIPAA's "health plan" definition as applied to certain DHHS divisions. The Divisions of Aging, Vocational Rehabilitation, and Services for the Blind each administered programs that paid providers for various services to clients, some of which could be characterized as health services. The question was whether each division was a "health plan" and therefore a HIPAA "covered entity" subject to all the Act's privacy, security, and electronic-transactions obligations.

Senior Deputy AG Ann Reed and Special Deputy AG R. Marcus Lodge answered no for these divisions, with an important caveat at the end about health-care-provider status.

HIPAA applies to "covered entities," defined in 45 CFR § 160.103 as health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form in connection with a HIPAA transaction (generally health claims and insurance information).

The statutory definition of "health plan" at 42 U.S.C. § 1320d lists 13 categories of entities, including commercial health insurance carriers, Medicaid, and Medicare. The first HIPAA regulation to become final, the Standards for Electronic Transactions effective October 16, 2000, expanded the statutory definition by adding state child health plans and including language about "the components of the government agency administering the program."

Four months later, the Privacy Regulations effective April 14, 2001 amended the definition significantly. They removed the broad government-agency-component language and added a specific exclusion. The new definition excludes:

A government-funded program (other than one listed in the enumeration of included entities):

(A) whose principal purpose is other than providing, or paying the cost of, health care; or
(B) whose principal activity is:
(1) The direct provision of health care to persons; or
(2) the making of grants to fund the direct provision of health care to persons.

The federal commentary to the Privacy Regulations clarified this further. The commenters had been confused about how the statutory inclusion of "any other individual or group plan that provides or pays the cost of medical care" applied to government programs. The federal regulation drafters wrote (emphasis in original):

"We therefore clarify that while many government programs (other than the programs specified in the statute) provide or pay the cost of medical care, we do not consider them to be individual or group plans and therefore, do not consider them to be health plans. Government funded programs that do not have as their principal purpose the provision of, or payment for, the cost of health care but which do incidentally provide such services are not health plans (for example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) and the Food Stamp Program, which provide or pay for nutritional services, are not considered to be health plans). Government funded programs that have as their principal purpose the provision of health care, either directly or by grant, are also not considered to be health plans. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act, government funded health centers and immunization programs. We note that some of these may meet the rule's definition of health care provider."

Applying the exclusion: the Divisions of Aging, Services for the Blind, and Vocational Rehabilitation fall outside the "health plan" definition because their principal purpose is not providing or paying the cost of health care. Each division has statutory duties that show payment of health care costs is, at best, an incidental function (G.S. § 143B-181.1 for Aging; Chapter 111, Articles 1 and 2 for Services for the Blind; G.S. § 143-545.1 for Vocational Rehabilitation).

The AG generalized: under the post-April-2001 regulations, virtually all government-funded programs are excluded from the "health plan" definition except those specifically enumerated in the regulations (Medicare, Medicaid, state child health plans, etc.) and the rare programs whose principal purpose and activity is payment to providers for health care services. The starting presumption should be that a government program is not a health plan unless it is specifically identified or fits a narrow enumerated category.

The important caveat. A program that is not a "health plan" may still be a "health care provider" under HIPAA. Health care providers are covered entities too if they transmit health information electronically in connection with HIPAA transactions. So a DHHS division that is not a health plan might still be a covered entity in a different role. The AG flagged this as a separate inquiry not addressed in the opinion.

The dating qualification. The AG opened with an important caveat that HIPAA was enacted in 1996 but the first two sets of implementing regulations had only recently become effective (October 2002 and April 2003 were the compliance dates). Other regulations and additional federal policy guidance were expected. The opinion was based on the present statute, regulations, and accompanying materials at the time of writing, and future regulations or policy could alter the conclusions.

Currency note

This opinion was issued in 2001. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. The HIPAA regulatory landscape changed substantially after 2001, including the HITECH Act (2009), the Omnibus Rule (2013), and continued federal guidance from HHS. The "covered entity" definition has been refined, and "business associate" rules added significant compliance obligations to many entities that work with covered entities. Anyone evaluating HIPAA covered-entity status today should consult current 45 CFR Part 160 regulations and current HHS Office for Civil Rights guidance.

Background and statutory framework

HIPAA's three covered-entity categories. HIPAA applies to three categories of "covered entities": health plans, health care clearinghouses, and health care providers (the last only if they transmit health information electronically in connection with a HIPAA transaction). Each category has its own definition. Being in any one category triggers the full set of HIPAA obligations, including the Privacy Rule, the Security Rule (once that was finalized), and the Transactions and Code Sets standards.

Why government programs caused confusion. Many government programs provide some health-related services or pay for some health-related costs. The Food Stamp Program pays for groceries (which include groceries used for medically prescribed diets). WIC pays for nutritional services for low-income mothers and infants. State elder-services divisions pay for home-care services that often include some health-care components. Vocational rehabilitation programs may pay for rehabilitative services that include physical therapy. Under a broad reading of the statute's "individual or group plan that provides or pays the cost of medical care" language, all of these might be "health plans."

The October 2000 EDI regulations. The first HIPAA implementing regulations, the Standards for Electronic Transactions, were finalized August 17, 2000 (65 Fed. Reg. 50,366) and took effect October 16, 2000. They expanded the statutory health-plan definition by adding state child health plans (SCHIP/CHIP) and by including "the components of the government agency administering the program" within the health-plan concept. That language created the breadth that led to Cox's question.

The April 2001 Privacy Regulations correction. The federal HHS recognized the over-breadth problem when drafting the Privacy Regulations (finalized December 28, 2000, effective April 14, 2001). The Privacy Regulations rewrote 45 CFR § 160.103 to remove the broad government-agency-component language and to add the specific exclusion for government-funded programs whose principal purpose is not health care. The commentary explained the rationale: the statutory inclusion of "any other individual or group plan that provides or pays the cost of medical care" should not be read to swallow virtually every government program with any health-related activity.

The "principal purpose" test. The exclusion uses "principal" as the operative qualifier. A program whose principal purpose is something other than health care payment is not a health plan, even if it incidentally pays for some health-related services. A program whose principal activity is the direct provision of health care is not a health plan either (though it may be a health care provider). And a program whose principal activity is grant-making for health care provision is not a health plan (though it may have its own regulatory issues).

Why the Divisions of Aging, Services for the Blind, and Vocational Rehabilitation are not health plans. Each division's statutory duties show that health-care-related payment is not the principal purpose:

• Aging Division (§ 143B-181.1): principal purposes include coordinating services for older adults, advocating for senior issues, managing nutrition programs, providing support for caregivers. Some payments may go to providers for services that include health components, but health-care payment is not the principal function.
• Services for the Blind (Chapter 111, Articles 1 and 2): principal purposes include vocational rehabilitation, education, training, and assistance for blind and visually impaired North Carolinians. Some services have health-care aspects, but the division's mission is rehabilitation and accommodation, not health care payment.
• Vocational Rehabilitation (§ 143-545.1): principal purposes include workforce reintegration for persons with disabilities. Health care is one component of rehabilitation but is not the principal mission.

Examples from the federal commentary. The federal HHS specifically listed examples of programs that are not health plans: WIC, Food Stamps (now SNAP), Ryan White HIV/AIDS programs, government-funded health centers, and immunization programs. The North Carolina divisions Cox asked about fit comfortably within the pattern of these examples.

The health-care-provider caveat. A program excluded from "health plan" status may still be a "health care provider" if it directly provides health care services and transmits health information electronically in HIPAA transactions. A government health center that runs a community clinic, for example, is not a health plan but is a health care provider. Each DHHS division would need a separate inquiry into its health-care-provider status. The AG did not undertake that inquiry in this opinion.

The opinion's safety valve. The AG was explicit that future regulations or HHS policy guidance could alter the conclusions. HIPAA in 2001 was a regulation-in-progress; later guidance from HHS or court decisions interpreting the regulations could expand or contract covered-entity status. The 2001 conclusions were the AG's best read of the then-current text.

Common questions

Q: Is Medicaid a health plan under HIPAA?

A: Yes. Medicaid is one of the enumerated programs in the statutory health-plan definition. The exclusion the AG analyzed does not apply to enumerated programs. Medicaid is a covered entity and must comply with all HIPAA obligations.

Q: Is a state-administered SCHIP program a health plan?

A: Yes. State child health plans were added to the regulatory health-plan definition by the October 2000 EDI regulations and remain within the definition.

Q: What about a DHHS division that runs a small claims-payment operation alongside its main programs?

A: The "principal" test focuses on the program's main purpose and activity. A division whose claims-payment work is incidental to a non-health-care mission probably is not a health plan, but a division that grew its claims-payment role over time could cross the threshold. The inquiry is fact-specific.

Q: If a division is not a health plan, does it have any HIPAA obligations?

A: It might. The division could still be a health care provider (if it directly provides health care services and transmits in HIPAA transactions). It could also be a business associate of a covered entity (if it handles protected health information on behalf of a health plan or provider under a written agreement). The 2001 opinion addresses only the "health plan" question.

Citations from the opinion

• Health Insurance Portability and Accountability Act of 1996, P.L. 104-91
• 42 U.S.C. § 1320d
• 45 CFR Part 160 et seq.
• 45 CFR § 160.103
• N.C. Gen. Stat. § 143B-181.1 (Aging)
• N.C. Gen. Stat. Chapter 111, Articles 1 and 2 (Services for the Blind)
• N.C. Gen. Stat. § 143-545.1 (Vocational Rehabilitation and Services for the Blind)
• 65 Fed. Reg. 50,366 (Aug. 17, 2000)
• 65 Fed. Reg. 82,479, 82,799-800 (Dec. 28, 2000)

Source

• Landing page: https://ncdoj.gov/opinions/scope-of-health-plan-definition-under-hipaa/

Original opinion text

(1) their principal purpose is other than providing, or paying the cost of, health care; or

(2) their principal activity is the direct provision of health care to persons or making grants to fund the direct provision of health care to persons.

Discussion

The Health Insurance Portability and Accountability Act of 1996, ("HIPAA"), P.L. 104-91, and its implementing regulations, 45 CFR Part 160 et seq., apply to "covered entities." A covered entity under HIPAA is a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction within the scope of HIPAA. 45 CFR § 160.103. These transactions generally are health claims and insurance information.

The question has arisen whether certain DHHS agencies fall within the definition of "health plan" for this purpose. Specific examples include the Division of Aging, the Division of Vocational Rehabilitation, and the Division of Services for the Blind. Each of these agencies administer programs that pay providers for a variety of services to clients, including some services that would be characterized as health services.

Although HIPAA was enacted in 1996, the first two sets of implementing regulations have only recently become effective, with implementation dates scheduled in October, 2002 and April, 2003. Other regulations are expected, along with additional policy guidance from the federal Department of Health and Human Services. This opinion, therefore, is based on the present statute, regulations and accompanying materials. It is possible that future regulations or policy pronouncements could alter the conclusions stated below.

The term "health plan" is defined by statute at 42 U.S.C. § 1320d to include 13 categories of entities. Examples include commercial health insurance carriers and the Medicaid and Medicare programs.

The first "final" regulations to be adopted by the Secretary of the US Department of Health and Human Services were the Standards for Electronic Transactions ("EDI"), which became effective October 16, 2000. The EDI regulations included definitions adopted as 45 CFR § 160.103. 65 Fed. Reg. 50,366 (Aug. 17, 2000). These expanded the statutory definition of health plan by adding State child health plans and making additional "clarifications." The regulatory definition of "health plan" included the phrase: "when applied to government funded programs, the components of the government agency administering the program."

Four months later, the regulatory definition of "health plan" was changed by the next set of regulations to become final: Standards for Privacy of Individually Identifiable Health Information ("Privacy Regulations"), effective April 14, 2001. The Privacy Regulations included a revised 45 CFR 160.103. The definition of "health plan" was changed in at least two significant ways. First, the language regarding government funded programs was deleted from the opening paragraph. Second, the following entities were specifically excluded from the definition:

A government-funded program (other than one listed [in the enumeration of included entities]):

(A) whose principal purpose is other than providing, or paying the cost of, health care; or

(B) whose principal activity is:

(1) The direct provision of health care to persons; or

(2) the making of grants to fund the direct provision of health care to persons.

65 Fed. Reg. 82,799-800 (Dec. 28, 2000).

The comments to the Privacy Regulations are fairly explicit about the intent of these changes:

[M]any commenters were confused by the statutory inclusion as a health plan of any "other individual or group plan that provides or pays the cost of medical care;" they questioned how the provision applied to many government programs. We therefore clarify that while many government programs (other than the programs specified in the statute) provide or pay the cost of medical care, we do not consider them to be individual or group plans and therefore, do not consider them to be health plans. Government funded programs that do not have as their principal purpose the provision of, or payment for, the cost of health care but which do incidentally provide such services are not health plans (for example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) and the Food Stamp Program, which provide or pay for nutritional services, are not considered to be health plans). Government funded programs that have as their principal purpose the provision of health care, either directly or by grant, are also not considered to be health plans. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act, government funded health centers and immunization programs. We note that some of these may meet the rule's definition of health care provider.

65 Fed. Reg. 82,479 (Dec. 28, 2000) (emphasis added).

The following government-funded programs, therefore, are excluded from the definition of "health plan" under the current regulations:

• Programs whose principal purpose is other than providing health care.
• Programs whose principal activity is the direct provision of health care to persons.
• Programs whose principal purpose is other than paying the cost of health care.
• Programs whose principal activity is making grants to fund the direct provision of health care to persons.

This appears to leave as possible "health plans" only those government-funded programs whose principal purpose and activity is paying for the cost of health care on some basis other than grants, but which do not directly provide health care to persons.

Under this criteria, the Divisions of Aging, Services for the Blind, and Vocational Rehabilitation fall outside the definition of "health plan," because their principal purpose is other than providing health care or paying the cost of health care. Each of these units have duties established by statute that show that payment of health care costs is only an incidental function at best. See G.S. § 143B-181.1 (Aging); G.S. § 111, Articles 1, 2 (Services for the Blind); G.S. § 143-545.1 (Vocational Rehabilitation and Services for the Blind).

To generalize for other programs, the definition of "health plan" now excludes virtually all government-funded programs except those specifically enumerated in the regulations and the few others whose principal purpose and activity is payment to health care providers for health care services. While this must remain a case-by-case inquiry, the starting presumption in most activities should be that, unless it is specifically identified in the regulations or falls within an enumerated category, a government program is very unlikely to be a health plan.

Note that a program that is not a health plan still may be a "health care provider," and therefore still be a covered entity under HIPAA.

If you require any additional information, please let us know.

Sincerely,

Ann Reed Senior Deputy Attorney General

R. Marcus Lodge Special Deputy Attorney General