HIPAA BAA Requirements for Health Plans and Health Insurers
By BAA Generator Editorial · Updated Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Health plans are HIPAA covered entities and must execute BAAs with all vendors handling member PHI
- ✓ TPAs, PBMs (CVS Caremark, Express Scripts, OptumRx), and utilization management firms all require BAAs
- ✓ Employer self-insured health plans have the same BAA obligations as commercial insurers
- ✓ Health plans handling Medicare or Medicaid data also face CMS data use agreement requirements beyond HIPAA BAAs
Health plans — commercial insurers, managed care organizations, Medicare Advantage plans, Medicaid managed care organizations, and employer self-insured plans — are among the most data-intensive organizations in healthcare. They receive, process, and retain health information for hundreds of thousands or millions of members, and they depend on an extensive ecosystem of third-party vendors to administer benefits. Each of those vendor relationships carries a HIPAA BAA obligation.
Why Health Plans Are HIPAA Covered Entities
Under HIPAA, a "health plan" is explicitly defined as a covered entity. Health plans covered by HIPAA include:
- Commercial health insurance issuers offering group or individual coverage
- Managed care organizations (HMOs, PPOs, EPOs)
- Medicare Advantage (Part C) plans
- Medicare Part D prescription drug plans
- Medicaid managed care organizations (MCOs)
- Employer-sponsored group health plans, whether insured or self-insured, other than a plan with fewer than 50 participants that is administered solely by the employer that established and maintains it
A small employer plan that has fewer than 50 participants and is administered solely by the employer is excluded from HIPAA's definition of "health plan" and is therefore not a covered entity. Any plan that uses an insurer or a TPA to administer benefits is covered regardless of its size, and a self-administered plan is covered once it reaches 50 participants.
What PHI Health Plans Handle
Health plans hold some of the most comprehensive PHI in the healthcare system:
- Member enrollment and demographic information
- Claims data with diagnosis codes, procedure codes, and dates of service for all covered services
- Prescription drug history through PBM relationships
- Prior authorization requests and medical necessity determinations
- Utilization management and care management data
- Disease and condition information from claims and care management programs
- Provider network and referral information linked to member records
Vendors Health Plans Typically Need BAAs With
Third-Party Administrators (TPAs)
TPAs administer benefits on behalf of self-insured employers and some commercial health plans. They process claims, manage networks, and handle member services — receiving and processing comprehensive member PHI. TPAs are business associates requiring BAAs. For self-insured employers, the BAA with the TPA is typically the most significant BA relationship in the health plan's compliance structure.
Pharmacy Benefit Managers (PBMs)
CVS Caremark, Express Scripts, and OptumRx process prescription drug claims, manage formularies, and conduct drug utilization reviews for health plans. These activities require access to member prescription histories, diagnoses, and other PHI. Major PBMs have standard HIPAA BAA templates and established processes for executing them with health plan clients. Execute BAAs before the PBM begins processing member claims.
Utilization Management Vendors
Utilization management (UM) companies conduct prior authorization reviews, concurrent inpatient reviews, and retrospective claim audits for health plans. They receive clinical information — including diagnoses, treatment plans, and physician notes — to make medical necessity determinations. As vendors creating and maintaining PHI on the plan's behalf, they require BAAs.
Disease Management and Care Management Programs
Vendors that operate disease management programs (diabetes, CHF, COPD) or care management programs (complex case management, transitions of care) access member PHI to identify and engage at-risk members. These programs involve direct member outreach and clinical data analysis — both activities that require BAAs with the health plan.
Data Analytics Vendors
Health plans increasingly use data analytics platforms to identify cost trends, assess population health, and support value-based care arrangements. Analytics vendors that receive identifiable member data — as opposed to de-identified or aggregated data — are business associates requiring BAAs. If the analytics engagement involves only properly de-identified data under the HIPAA Safe Harbor or Expert Determination method, a BAA may not be required for that specific data exchange, but most health plan analytics involves some identifiable data elements.
CMS Data Use Agreements for Medicare and Medicaid Plans
Health plans that administer Medicare or Medicaid benefits receive data from the Centers for Medicare and Medicaid Services (CMS) subject to CMS data use agreements (DUAs). These agreements impose additional requirements beyond HIPAA BAAs, including restrictions on secondary use of CMS-provided data, data security requirements, and reporting obligations. Health plans handling CMS data must comply with both their HIPAA BAA obligations with vendors and their CMS DUA obligations for the data received from CMS.
Common Vendor BAA Table for Health Plans
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| Third-party administrator (TPA) | Meritain Health, EBMS, Allied Benefit Systems | Yes |
| Pharmacy benefit manager (PBM) | CVS Caremark, Express Scripts, OptumRx | Yes |
| Utilization management | Evicore, Magellan Rx, Cohere Health | Yes |
| Disease management program | Livongo, Omada Health, Hinge Health | Yes |
| Claims clearinghouse | Availity, Change Healthcare | Yes |
| Data analytics vendor | Cotiviti, Inovalon, Arcadia | Yes (if identifiable data) |
| Care management platform | Evolent Health, Icario | Yes |
Common Compliance Gaps for Health Plans
Health plans — particularly smaller regional plans and self-insured employer plans — face common BAA gaps including: (1) treating the TPA relationship as purely contractual without executing an explicit HIPAA BAA addendum; (2) not obtaining BAAs with data analytics vendors receiving identifiable member data for population health analysis; (3) missing BAAs with point solution vendors (digital therapeutics, mental health platforms) added as supplemental benefits; and (4) not maintaining an updated BA inventory as vendor relationships expand through benefit year changes.
Health plans handling CMS data should review the distinction between HIPAA BAAs and CMS DUAs in our post on HIPAA data use agreements vs. BAAs. For a foundational overview of BAA requirements, see what is a Business Associate Agreement.
Frequently Asked Questions
Do health plans need HIPAA BAAs with their vendors?
Yes. Health plans are HIPAA covered entities required to execute BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf. This includes TPAs, PBMs, utilization management firms, disease management vendors, claims clearinghouses, data analytics companies, and care management platforms.
Does a pharmacy benefit manager require a BAA with a health plan?
Yes. PBMs receive comprehensive member prescription and clinical data to process claims and manage pharmacy benefits. They are business associates requiring signed BAAs. CVS Caremark, Express Scripts, and OptumRx all have established BAA processes for health plan clients and offer standard BAA templates.
Do employer self-insured health plans need HIPAA BAAs?
Yes. A self-insured employer health plan is a covered entity unless it has fewer than 50 participants and is administered solely by the employer. The plan must execute BAAs with its TPA, PBM, stop-loss carrier (where the carrier receives PHI on the plan's behalf), and any other vendor that handles member data. The employer, as plan sponsor, may receive PHI from the plan only after the plan documents have been amended to restrict the sponsor's uses and disclosures and the sponsor has certified to that restriction; it must then keep plan PHI separated from the employment function so that it is never used for employment-related decisions.
What is a data use agreement (DUA) and how does it differ from a BAA?
A HIPAA DUA governs the use of a limited data set: PHI from which the listed direct identifiers (names, street addresses, phone and fax numbers, email addresses, SSNs, medical record and health plan beneficiary numbers, and the other enumerated identifiers) have been removed, but which may still contain dates, ages, and city, state, and ZIP code. A limited data set may be disclosed only for research, public health, or health care operations, and only under a DUA. A BAA governs fully identifiable PHI handled by a vendor on the plan's behalf. Health plans receiving CMS data also sign CMS-specific DUAs that impose requirements beyond HIPAA, including restrictions on secondary use of Medicare and Medicaid enrollment and claims data.
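To make the distinction in this answer, and in the data analytics vendor section above, concrete, here is an added illustrative example. It is not part of the original article and is not any vendor's tooling. It decides, from the columns of a data extract, whether the recipient needs a BAA, a HIPAA DUA, or neither, and applies the Safe Harbor transformations to a constructed claim record. The column names, the sample claim, and the restricted 3-digit ZIP set passed by the caller are assumptions for the example; the Expert Determination method is not modeled, and a "NONE" result still requires the covered entity to have no actual knowledge that the remaining data could identify a member.

```python
"""Classify a data extract bound for a health-plan vendor by the agreement it
needs (BAA for identifiable PHI, HIPAA DUA for a limited data set, neither for
a Safe Harbor de-identified set) and apply the Safe Harbor transformations.

Illustrative example. Column names are an assumed vocabulary; the sample claim
is constructed. Identifier categories follow 45 CFR 164.514(b)(2) (Safe Harbor)
and 164.514(e)(2) (limited data set)."""

from datetime import date

# Identifiers that must be absent from BOTH a limited data set and a Safe
# Harbor de-identified set (assumed column names for this example).
DIRECT_IDENTIFIERS = frozenset({
    "member_name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "member_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
})

# Elements a limited data set may keep but Safe Harbor must strip or
# generalize: dates other than year, town or city, and the 5-digit ZIP.
DATE_COLUMNS = frozenset({"date_of_birth", "date_of_service",
                          "admission_date", "discharge_date"})
LDS_ONLY_ELEMENTS = DATE_COLUMNS | {"city", "zip5"}


def required_agreement(columns):
    """Return 'BAA', 'DUA' or 'NONE' from the column set alone.

    'NONE' means the columns are consistent with Safe Harbor; the covered
    entity must still have no actual knowledge that the data could identify a
    member, and any other unique code column would defeat Safe Harbor.
    """
    cols = set(columns)
    if cols & DIRECT_IDENTIFIERS:
        return "BAA"   # identifiable PHI: recipient is a business associate
    if cols & LDS_ONLY_ELEMENTS:
        return "DUA"   # limited data set: data use agreement under 164.514(e)
    return "NONE"


def limited_data_set(record):
    """Drop the direct identifiers; keep dates, city/state/ZIP and age."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, restricted_zip3):
    """Apply the Safe Harbor transformations to one record.

    restricted_zip3: the caller-supplied set of 3-digit ZIP prefixes whose
    population is 20,000 or fewer (from current Census data); these become
    '000'. Dates keep only the year, ZIPs are cut to 3 digits, ages over 89
    are reported as 90, and a birth year that would reveal an age over 89 is
    dropped as well. City is removed; state is not a direct identifier.
    Assumes the record carries an explicit 'age' column.
    """
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            continue
        if key in DATE_COLUMNS:
            if key == "date_of_birth" and over_89:
                continue   # year of birth indicative of age > 89 must go too
            out[key + "_year"] = value.year
        elif key == "zip5":
            prefix = value[:3]
            out["zip3"] = "000" if prefix in restricted_zip3 else prefix
        elif key == "age":
            out["age"] = min(value, 90)
        else:
            out[key] = value
    return out


# Constructed sample claim line; not real member data.
SAMPLE_CLAIM = {
    "member_id": "H123456789",
    "member_name": "Example Member",
    "date_of_birth": date(1933, 4, 2),
    "date_of_service": date(2025, 11, 14),
    "city": "Boston",
    "state": "MA",
    "zip5": "02115",
    "age": 92,
    "diagnosis_code": "E11.9",
    "procedure_code": "99214",
    "allowed_amount": 142.50,
}

if __name__ == "__main__":
    print(required_agreement(SAMPLE_CLAIM))                     # BAA
    print(required_agreement(limited_data_set(SAMPLE_CLAIM)))   # DUA
    deid = safe_harbor(SAMPLE_CLAIM, restricted_zip3={"036", "059"})
    print(required_agreement(deid), deid)                       # NONE {...}
```

The schema-level check is the useful gate: run it against the extract specification before a vendor is onboarded, and treat anything other than "NONE" as a BAA or DUA that must be signed before the first file is sent. The record-level transform shows why "we only send analytics the claim history" is not de-identification by itself: dates of service, 5-digit ZIPs and an exact age for a very old member each survive a naive identifier strip and keep the extract inside a BAA or DUA.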
Generate a BAA for your health plan
Create a HIPAA-compliant Business Associate Agreement for your vendors — free to start, no subscription required.