Must all small health plans comply with the Privacy Rule?
No. Certain plans are specifically excluded from having to comply with the HIPAA Administrative Simplification requirements, including the Privacy Rule. See 45 CFR 160.103 (GPO). An employee welfare benefit plan that has less than 50 participants and is administered by the employer that establishes and maintains the plan is not a HIPAA covered entity. These plans, therefore, are not subject to the Privacy Rule. For additional information regarding compliance with the Privacy Rule, see the Office for Civil Rights Web site.