Q&A: Health insurance exchanges and HIPAA
Q: Is HealthCare.gov considered a covered entity under HIPAA?
A: No. Health insurance exchanges (HIXs) are not subject to HIPAA unless they have contracted with a health plan to provide services over and above what is required to operate as an HIX. In that case, the HIX would be a business associate of the health plan. The federal HIX, HealthCare.gov, only provides services as outlined in the Affordable Care Act (ACA).
The ACA included provisions that require HIXs to implement sound privacy and security practices. More information about the requirements can be found in 45 CFR § 155.260. While HIXs are not subject to HIPAA, they are subject to the provisions of the ACA and the associated rules. See 45 CFR Part 155.