Health Insurance Portability and Accountability Act (HIPAA)

This overview briefly summarizes the Health Insurance Portability and Accountability Act (HIPAA). The laws governing HIPAA are complex. Members who have questions regarding our privacy practices should contact our Privacy Office at 866.631.5404. This document should be considered informational only and is not meant to convey legal advice or counsel.

HIPAA is designed to protect certain health information and make health coverage more portable for individuals who change jobs or health plans by limiting the coverage exclusions that can be imposed when such a change occurs. In addition, HIPAA prohibits discrimination against employees and dependents based on their health status and guarantees renewability and availability of health coverage.


Generally, both group health plans and health insurers offering group health insurance coverage must comply with HIPAA's portability, special enrollment, and non-discrimination requirements. A plan, including a self-insured plan, is considered a group health plan under HIPAA if it has at least two employees on the first day of the plan year, provides health care, and is maintained by an employer. The employer sponsoring the health plan is generally held responsible for compliance with HIPAA.

HIPAA applies to:

  • Plans providing medical care, including HMOs, individual medical insurance policies, individual short-term limited duration medical insurance policies, and group medical insurance policies.
  • Self-insured medical plans.
  • Medical plans sponsored by churches.
  • Medical plans sponsored by the federal government.
  • Medical plans sponsored by non-federal governments (state, county, city, village, town, or school district).

HIPAA does not apply to:

  • Accident or disability income coverage, liability insurance and liability supplement coverage, automobile coverage, workers' compensation, credit-only insurance, or coverage for on-site medical clinics.
  • Benefits offered separately for dental or vision coverage, long-term care, nursing home care, home health care, or community-based care.
  • Benefits offered as independent, non-coordinated benefits for specific disease or illness, hospital indemnity, or other fixed-dollar indemnity insurance coverage (such as insurance that pays $100/day for a hospital stay as its only insurance benefit).
  • Supplemental plans, such as Medicare supplement policies and TRICARE supplement policies, if provided under a separate policy, certificate, or contract of insurance.

Special Enrollment

HIPAA provides for special mid-year enrollment opportunities for employees and their eligible dependents. Plans must notify eligible individuals of their special enrollment rights at or before the time the individuals are given the opportunity to enroll in the plan.


HIPAA prohibits group health plans and health insurers from discriminating against individuals with regard to eligibility, premiums, or contributions based on any health status-related factor. For example, a plan may not require an individual to pay a premium greater than what similarly situated individuals pay based on any health status-related factor. A health status-related factor includes health status, medical condition, claims experience, receipt of health care, medical history, genetic information, evidence of insurability, and disability.

Insurance Market Rules

Group health insurers are subject to HIPAA's group market rules including:

  • Guaranteed Renewability Requirement
    Guaranteed Renewability permits insurers to change certain plan attributes at renewal time and members are notified of important changes. All group plans are guaranteed renewable with the following exceptions:
    • Nonpayment of premiums
    • Employees no longer live, reside, or work in the network service area
    • Our company exits the market
    • Discontinuation of the product or plan by us
    • Fraud; misrepresentation
    • Failure of the employer to meet minimum contribution or participation requirements
  • Guaranteed Availability Requirement
    All group health insurers marketing to businesses with 2-50 employees ("small employer" in Wisconsin) must accept every small employer, offer any small employer all of the insurer's small employer products it actively markets, and accept every eligible individual when first eligible for coverage.


Authorization to Use or Disclose PHI via Electronic Means (PDF)
Notice of Privacy Practices (PDF)
Privacy Complaint Form (PDF)
Provider Appeal Form (PDF)
Request for Confidential Communications of PHI (PDF)
Request for PHI (PDF)
Request to Amend PHI (PDF)
Grievance Authorized Representative (PDF)
HIPAA Authorization Form (PDF)