Is this the first time small health plans are required to comply with HIPAA?


No. If a plan falls within the definition of small health plan in 45 CFR §160.103, it was required to be compliant with the HIPAA Transactions and Code Sets Standards Rule on October 16, 2003. Small health plans must also be in compliance with the HIPAA Employer Identifier Rule as of August 1, 2005, the HIPAA Security Rule as of April 20, 2006, and the National Provider Identifier Rule as of May 23, 2008.

The Department of Health and Human Services (HHS) will publish guidance regarding implementation of these other HIPAA rules as their compliance dates approach. Information regarding compliance with the non-privacy HIPAA rules is available on the HHS Centers for Medicare and Medicaid Services Web site at:

Information regarding compliance with the Privacy Rule is available on the HHS Office for Civil Rights Web site at:

Date Created: 12/20/2002
Last Updated: 01/27/2006

Links Updated: 09/17/2008