Most independent ACA brokers handle health data every day and have not read the actual HIPAA text. That is not necessarily a compliance problem. The framework does not apply to brokers the same way it applies to a hospital. But the exact contours of the obligation matter, because where you are not a covered entity, you may still be a Business Associate. And where neither applies, state law may fill the gap.
Key Takeaways
- Independent insurance agents and brokers are not covered entities under HIPAA. Covered entities are health plans, healthcare providers, and healthcare clearinghouses.
- Brokers become Business Associates when they create, receive, maintain, or transmit Protected Health Information on behalf of a covered entity. An agreement (BAA) is required in that situation.
- In practice, most ACA brokers see PHI as part of the enrollment process. CMS and the carriers they work with are covered entities. A BAA with those entities is the standard expectation.
- The practical obligations for a solo broker are narrower than most assume: secure communications for health data, appropriate access controls on client files, a response plan for potential breaches, and minimum necessary access to PHI.
- State privacy laws may impose obligations beyond HIPAA. Washington state's My Health My Data Act, for example, covers health data broadly and applies to tools used in ACA enrollment workflows.
What HIPAA actually covers: three entity types
HIPAA identifies three categories of covered entities: health plans (insurers, HMOs, employer-sponsored plans), healthcare providers who transmit health information electronically, and healthcare clearinghouses. Independent brokers are not on that list. The typical ACA broker is not a covered entity.
The rules brokers care about come from the Business Associate framework. A Business Associate is a person or organization that performs functions or activities on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting Protected Health Information. When a broker assists a client with enrollment involving a carrier (a covered entity), and sees health data in that process, the broker is operating in Business Associate territory.
In practice, most ACA brokers who do any volume handle PHI in the course of their work: health conditions disclosed during intake, drug lists used to evaluate formularies, and health status discussions before plan selection. Whether a formal BAA exists or not, the expectation from CMS and carriers is that brokers handle that data appropriately.
Business Associate Agreements: when they are required
A Business Associate Agreement is a contract between a covered entity and a Business Associate (or between two Business Associates) that specifies permitted uses of PHI and requires protections for it. When a covered entity engages a Business Associate, a signed BAA is required before PHI is shared.
For ACA brokers, the question is whether carriers or CMS require a BAA as a condition of broker participation. Many carriers include data handling obligations in the broker agreement itself. CMS has its own data use and non-disclosure terms for accessing Marketplace data. The specific document varies by entity. The practical takeaway: if you are affiliated with a carrier as an appointed broker and access system data containing PHI, there is almost certainly a signed agreement in place. Review what it actually says about your obligations.
For your own vendor stack, the same logic applies in reverse. If you use a CRM that stores client health details, or a cloud storage service where client files live, those vendors need to offer HIPAA-eligible service terms for that arrangement to hold up. Inshura, for example, markets an integrated quoting and CRM platform to ACA brokers. Whether their service tier includes BAA terms is a question for their sales team, not their public site as of the date of this post.
Five practical obligations for a solo ACA broker
| Area | What the rule requires | Practical action |
|---|---|---|
| Email and messaging | Standard email does not guarantee encryption of PHI in transit or at rest. | Use an encrypted email service or a secure portal for health-related client data. If you choose to send PHI over standard email, obtain the client's consent first. |
| File storage | Client files containing health information must be stored with appropriate access controls. | Use a password-protected system with role-based access. Shared drives without access restrictions are the most common gap for solo and small agency operations. |
| Business Associates | Vendors who touch PHI on your behalf must sign a BAA. | Check whether your CRM, cloud storage, and email vendors offer HIPAA-eligible service tiers. Many standard-tier business plans do not qualify. |
| Breach response | A breach of unsecured PHI requires notification to affected individuals and, above certain thresholds, to HHS. | Have a written plan before a breach happens. Even a solo broker needs a documented response process. |
| Minimum necessary | Access to PHI should be limited to what is necessary to perform the work. | Do not collect health details beyond what the enrollment requires. Do not store prior-year health information for clients who moved to different coverage. |
The minimum necessary standard in a quoting context
HIPAA's minimum necessary standard requires that PHI be accessed, disclosed, or used only to the extent necessary to accomplish the intended purpose. For a broker, this means collecting the health information required for enrollment and plan selection, not accumulating a client health history that goes beyond what the work requires.
Quoting tools that use health data only to check formularies or network matchups are collecting for a defined purpose. Storing that data indefinitely after the enrollment is complete goes further. A clean intake process documents what was collected and why, and a retention policy defines how long it is kept.
For how to structure an intake workflow that captures what is needed without accumulating excess data, read how to onboard a new ACA client. For larger shops managing data access across multiple agents, read setting up a multi-agent ACA agency.
State laws that go further than HIPAA
Washington state's My Health My Data Act, effective 2023 for most entities, covers consumer health data broadly and applies to entities that are not HIPAA covered entities. If a broker collects, shares, or sells health data about Washington residents, the Act applies regardless of HIPAA status. The Act includes a private right of action, which means individuals can sue directly. California's CPRA covers sensitive personal information, including health data, for California residents.
ACA brokers who serve clients in multiple states should understand that federal HIPAA compliance is a floor, not a ceiling. The states that have passed additional health data laws treat broker-collected data the same as data held by any other commercial entity. Legal counsel familiar with the state laws applicable to your client base is the right resource for the specifics.
This post describes the framework as educational context. It is not legal advice. Brokers with specific compliance questions should work with qualified legal counsel.
FAQ
Common HIPAA questions from independent ACA brokers.
Are independent insurance agents covered entities under HIPAA?
Generally no. HIPAA defines covered entities as health plans, healthcare providers, and healthcare clearinghouses. Independent brokers are not in any of those categories. However, brokers who handle Protected Health Information on behalf of a covered entity, such as an insurance carrier, are Business Associates and have separate obligations under HIPAA.
Do I need a HIPAA Business Associate Agreement as an ACA broker?
If you create, receive, maintain, or transmit PHI on behalf of a covered entity as part of your work, yes. ACA enrollment typically involves seeing PHI in the course of assisting a client with a carrier or with Healthcare.gov. CMS and the carriers are covered entities. A BAA with the relevant entities is the standard expectation for brokers who work with PHI in that capacity.
What counts as Protected Health Information for a broker?
PHI is individually identifiable health information held or transmitted by a covered entity or Business Associate. For an ACA broker, this includes health conditions a client discloses during intake, prescription information used to evaluate plans, and any health data tied to the client's identity in your files. Plan selections and premium amounts alone, without health details, are not PHI.
Does HIPAA apply to my quoting software?
Your quoting tool is not a covered entity. But if the tool stores client health data and is used in connection with a covered entity's operations, the vendor may need to operate under a BAA with you or with the carrier. Review the terms of any tool that stores health-related client data. Many standard-tier software plans do not include HIPAA-eligible terms.
Are state privacy laws stricter than HIPAA for ACA brokers?
Yes, in several states. Washington's My Health My Data Act covers health data broadly, including data collected by entities that are not HIPAA covered entities. California's CPRA has similar breadth. Brokers serving clients in those states should review state law obligations separately from the federal HIPAA framework. These rules are not administered by HHS and have their own enforcement mechanisms.