Yes, insurance information is protected health information (PHI) under HIPAA when it identifies an individual and relates to their health care or payment for health care. This includes details like your health plan member ID, group number, claims history, and even your IP address when you log into an insurance portal. But not all insurance types are covered, and the context matters.
What Makes Insurance Data PHI
PHI is individually identifiable health information, held or transmitted by a covered entity or its business associate, that relates to a person's physical or mental health, the health care they receive, or payment for that care. Insurance information fits squarely into this definition because it links your identity to your health coverage, claims, diagnoses, and payments.
The Privacy Rule's safe harbor de-identification standard lists 18 identifiers that must be removed before health information stops being PHI; as long as any of them remains attached to health or payment data, the record is protected. Several of these directly involve insurance records:
- Health plan beneficiary numbers (your member ID on your insurance card)
- Account numbers (used in billing and claims processing)
- Any other unique identifying number, characteristic, or code (which can include group numbers or subscriber IDs)
So your insurance card alone contains multiple pieces of PHI. When those identifiers are combined with information about your health conditions, treatments, or payments, the entire record is protected. A claims summary showing that you visited a specialist on a certain date, paired with your member ID, is a clear example of PHI.
Which Insurance Types Are Covered
HIPAA applies to “covered entities” (health plans, health care clearinghouses, and providers that conduct standard electronic transactions) and to their business associates, and not every type of insurance qualifies as a health plan. Health insurance companies, HMOs, employer-sponsored group health plans, and government programs like Medicare, Medicaid, and veterans health care programs are all health plans and therefore covered entities. If your data sits with any of these organizations, it’s PHI and must be protected under HIPAA’s Privacy Rule and, for electronic records, the Security Rule.
However, HHS explicitly excludes several types of insurance from the definition of a “health plan.” These are called “excepted benefits,” and they include:
- Disability income insurance (short-term or long-term)
- Workers’ compensation
- Automobile liability insurance (including medical payment coverage)
- General liability insurance
- Credit-only insurance
- Accident-only coverage
If your information is held only by one of these excluded insurance types, HIPAA does not apply to it. That doesn’t mean the data is entirely unprotected, since state privacy laws or other federal regulations may still cover it, but HIPAA’s PHI protections specifically do not extend to these categories.
Insurance Information at Work
This is where many people get confused. Your employer likely has some of your insurance information on file for enrollment and benefits administration. HIPAA does not protect your employment records, even when those records contain health-related information. If your HR department has a copy of your insurance enrollment form, that document in their hands is generally not subject to HIPAA’s Privacy Rule.
The distinction is about who holds the data and in what role. Your health plan (the insurance company itself) is a covered entity and must protect your PHI. Your employer, acting as an employer, is not a covered entity. However, if your employer sponsors a group health plan, that plan is a covered entity, and the plan’s use of your information is subject to HIPAA. The same data can be PHI in one context and not in another, depending on who is handling it and why.
Your employer can ask you directly for health information related to sick leave, workers’ compensation, or wellness programs. But if your employer contacts your health care provider or insurer to get information about you, that provider or insurer cannot share it without your authorization.
Digital Insurance Data and Tracking
Insurance information extends beyond paper records. When you log into your health plan’s online portal to check claims, view benefits, or find providers, the data you generate there is also PHI. HHS guidance states that tracking technologies on user-authenticated webpages (like insurance portals that require a login) generally have access to PHI. This includes your IP address, email address, appointment dates, and any information you enter while using the portal.
This matters because health plans and other covered entities sometimes use third-party analytics tools on their websites. If those tools collect data from behind a login screen, that data is PHI and subject to HIPAA protections. The covered entity is responsible for ensuring that any third-party vendor receiving that data has signed a business associate agreement before the data flows; sending it to a vendor without one is an impermissible disclosure, and may be a reportable breach.
The rules for unauthenticated pages (public-facing pages you can view without logging in) are less settled. A federal court in 2024 struck down part of the HHS guidance that would have treated an IP address combined with a visit to a public webpage about a specific health condition as PHI. So if you browse your insurer’s public page about diabetes without logging in, that browsing data may not be classified as PHI under current legal interpretation. But the moment you log in, the protections kick in.
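The distinction in the last two paragraphs (authenticated pages versus public pages, and vendors with versus without a business associate agreement) is easy to check against a real capture. The following is an added example, not code from the article or from HHS guidance: it takes a constructed list of outbound requests, as a tag manager or HAR export would show them, and classifies each one. The portal hostname, the vendor hostnames, the BAA vendor list, the identifier parameter names, and the sample requests are all assumptions made for the illustration.

```javascript
// Added example: classify third-party requests captured from a health plan's
// web portal. Hostnames, the BAA vendor list and the sample capture below are
// constructed for illustration and are not from the article or from HHS.

const FIRST_PARTY_HOST = "portal.example-plan.test";   // assumed portal origin
const BAA_VENDORS = new Set(["tags.baa-vendor.test"]); // assumed vendors under a signed BAA

// Query-string keys that carry a direct identifier when present (assumed names).
const IDENTIFIER_KEYS = new Set(["email", "uid", "user_id", "member_id", "memberid", "claim_id"]);

// A request to the portal itself, or one of its subdomains, is not a disclosure.
function isThirdParty(hostname) {
  return hostname !== FIRST_PARTY_HOST && !hostname.endsWith("." + FIRST_PARTY_HOST);
}

// Identifier-bearing query keys in a URL, matched case-insensitively.
function identifierKeys(url) {
  return [...url.searchParams.keys()].filter((k) => IDENTIFIER_KEYS.has(k.toLowerCase()));
}

// Classify one captured request. `authenticated` says whether the page that
// fired it sat behind the portal login. Returns null for first-party requests.
function classifyRequest(req) {
  const url = new URL(req.url);
  if (!isThirdParty(url.hostname)) return null;
  const ids = identifierKeys(url);

  if (req.authenticated) {
    // Behind the login everything the tracker sees is PHI, including the
    // client IP and the page URL it reports, so the only question is whether
    // the recipient is a business associate.
    if (BAA_VENDORS.has(url.hostname)) {
      return { url: req.url, verdict: "permitted", reason: "authenticated page, vendor under BAA" };
    }
    const extra = ids.length ? `, identifiers: ${ids.join(", ")}` : "";
    return { url: req.url, verdict: "disclosure",
             reason: `authenticated page, no BAA with vendor (receives client IP, page URL${extra})` };
  }

  // Public page: after the 2024 ruling, IP plus page topic alone is not treated
  // as PHI, but a request that carries an identifier the visitor typed in still
  // needs a human look.
  if (ids.length) {
    return { url: req.url, verdict: "review", reason: `public page, request carries identifiers: ${ids.join(", ")}` };
  }
  return { url: req.url, verdict: "out_of_scope", reason: "public page, no identifiers in request" };
}

function auditRequests(requests) {
  return requests.map(classifyRequest).filter((r) => r !== null);
}

// Constructed sample capture (not real traffic).
const SAMPLE_REQUESTS = [
  { url: "https://portal.example-plan.test/api/claims?member_id=H123456", authenticated: true },
  { url: "https://analytics.vendor.test/collect?dl=https%3A%2F%2Fportal.example-plan.test%2Fclaims%2F2024-03&uid=jane%40example.test", authenticated: true },
  { url: "https://tags.baa-vendor.test/event?page=%2Fbenefits", authenticated: true },
  { url: "https://analytics.vendor.test/collect?dl=https%3A%2F%2Fwww.example-plan.test%2Fconditions%2Fdiabetes", authenticated: false },
  { url: "https://analytics.vendor.test/collect?email=jane%40example.test&page=%2Fschedule", authenticated: false },
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

Run with Node against a list exported from your own tag manager or browser HAR file, after filling in the real portal origin and the vendors that actually hold a BAA. The point of the `disclosure` branch is that it fires regardless of whether an identifier appears in the query string: on an authenticated page the tracker's receipt of the client IP and page URL is already enough.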
What This Means in Practice
If you’re wondering whether a specific piece of insurance information counts as PHI, ask three questions: Does it identify you (or could it be used to identify you)? Does it relate to your health, your care, or payment for that care? And is it held by or created through a HIPAA-covered health plan, health care provider, or clearinghouse, or by one of their business associates? If all three answers are yes, it’s PHI.
Your insurance member ID on its own is an identifier. A claim showing you received a particular medical service is health information. Combined, they are PHI. Even seemingly minor details, like the fact that you are enrolled in a particular health plan, become PHI when tied to your identity, because enrollment itself relates to payment for health care.
HHS has been working to strengthen protections for electronic PHI. A proposed rule from the Office for Civil Rights would update the Security Rule for the first time since the 2013 Omnibus Rule, requiring covered entities and business associates to maintain detailed inventories of systems that store or process electronic PHI, implement multi-factor authentication, encrypt electronic PHI at rest and in transit, and follow stricter patch management procedures. These updates reflect the reality that insurance data increasingly lives in digital systems that are attractive breach targets.