IANAL, most of my knowledge of HIPAA compliance comes from Business Law classes and required trainings when I worked for a healthcare/hospital system.
However, AFAIK that would make them a covered entity. As a payor, they would have direct access to their employees' medical records. Whereas under normal circumstances, the payor/insurer only provides the employer non-PHI data such as enrollment/disenrollment info and summary data (at an aggregate level) to support pricing discussions, which is why they aren't usually a covered entity. You can find a good write-up on HIPAA requirements for self-funded insurance plans here[1].
[1 - pdf] http://www.nixonpeabody.com/files/155838_Benefits_Alert_20MA...