Would non-federal-government, not-for-profit, self-funded health plans be exempt, in whole or in part, from the HIPAA Administrative Simplification regulations?
The characteristics identified in the question - status as a non-federal government entity, non-profit status, and self-funded status - are not relevant to determining whether an entity is a health plan or not. The question is whether the entity in question meets the definition of health plan at 45 CFR 160.103, either because it is included in one of the specific listings or because it meets the general definition, and is not otherwise excluded from the definition.
Plans that meet the definition of health plan at 45 CFR 160.103 are covered entities under the HIPAA Administrative Simplification provisions and must comply with the applicable requirements of the regulations. The definition of health plan includes group health plan (see below for definition) and also includes any other individual or group plan (other than those specifically listed in the definition of health plan), or combination of individual and group plans, that provides or pays for the cost of medical care. The definition of health plan lists two exclusions. The first of these might apply to the plan in the question. The definition excludes "any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c) (1) of the PHS Act, 42 U.S.C. 300gg-91 (a) (2)".
Group health plan is defined at 45 CFR 160.103 as an employee welfare benefit plan, including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance reimbursement or otherwise, that
- Has 50 or more participants; or
- Is administered by an entity other than the employer that established and maintains the plan.
The only employee welfare benefit plans that are excluded from the definition of health plan are those that have fewer than 50 participants and are administered by the employer that established and maintains the plan.
If the plan in the question does not fall under one of the exclusions mentioned above, it would be a covered entity and would be required to comply with the HIPAA Administrative Simplification regulations.