Group health plans that provide health benefits only through an insurance contract and do not create, maintain or receive PHI do not have to meet the notice requirements or the administrative requirements. These requirements will be satisfied by the insurer or HMO that is providing benefits under the group health plan. For those groups, Blue Cross Blue Shield of Michigan (BCBSM) and Blue Care Network (BCN) will comply with HIPAA's administrative requirements, including preparation and distribution of required privacy notices for the group.

The relation between BCBS/BCN and an underwritten group is as follows: 

Experience (BCBSM only)
Covered Entity Status
BCBSM/BCN is the covered entity
BCBSM is the covered entity
Business Associate Status
Notice of Privacy Practices
  • BCBSM and BCN sends its Notice to members
  • BCN Family Health Centers provide a unique Notice at the time of care

BCBSM sends its Notice to members
Disclosure of protected health information (PHI) to the group
  • BCBSM will not disclose PHI to the group with the exception of enrollment data
  • BCN will not disclose PHI to the group

Enrollment data and Summary Health Information may be shared with these groups. If the group wants PHI from BCBSM, their plan documents must be amended to incorporate HIPAA safeguards and they must sign and return the Plan Sponsor Certification.

If you are uncertain how the HIPAA privacy rule applies to a fully insured group health plan, please read the privacy rule and seek legal counsel as necessary. The rule can be accessed at