Are Employers Covered Entities Under HIPAA? Scope, Exceptions, and Examples
Definition of Covered Entities
At a high level, HIPAA regulates “covered entities,” not employers per se. Covered entities include health plans, health care clearinghouses, and health care providers that transmit standard electronic transactions. Protected Health Information (PHI) flows within this regulated ecosystem, and HIPAA’s rules attach to those entities and their business associates.
Most employers, acting in their role as employers, are not covered entities. However, an employer’s group health plan is a covered entity, and an employer-run onsite clinic can be a covered entity if it conducts HIPAA-standard electronic transactions. Health Care Clearinghouses—entities that transform nonstandard data into standard formats—are covered regardless of who owns them.
Who is included
- Health plans: insurer-issued plans and self-insured group health plans.
- Health care providers: only if they transmit standard electronic transactions (e.g., claims, eligibility).
- Health care clearinghouses: billing intermediaries and repricers.
Examples
- A self-insured group health plan sponsored by your company is a covered entity; your company as employer is not.
- An employer-operated clinic that bills electronically is a covered health care provider under HIPAA.
- Your HR department’s personnel files are not PHI, and the HR function is not a covered entity; HIPAA applies to the plan, not to general HR functions.
Employer Role in Group Health Plans
As a plan sponsor, you wear two hats: employer and steward of the plan. HIPAA treats the group health plan as the covered entity, while you (the employer) may perform Group Health Plan Administration on the plan’s behalf. To receive PHI for plan administration, you must create a “firewall” between plan functions and employment decisions.
Scope varies by funding and administration. Self-insured plans typically create or receive PHI and must implement comprehensive compliance. Fully insured plans that do not receive PHI beyond enrollment/disenrollment and summary health information have narrower duties, with the insurer handling most Privacy Rule obligations.
Self-Administered Plan Exemptions
A key exception: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it falls outside HIPAA’s definition of a group health plan, so it is not a covered entity. Both conditions must hold; a small plan that uses an outside administrator (for example, a TPA) does not qualify. These Self-Administered Plan Exemptions narrow HIPAA’s reach for very small, employer-run plans.
Operational examples
- Self-insured plan: you establish privacy policies, train plan workforce, and limit access to PHI to plan administration tasks.
- Fully insured plan (no PHI received beyond enrollment): your plan’s HIPAA footprint is limited; the carrier delivers the Notice of Privacy Practices and handles most requests.
Privacy Rule and Employer Responsibilities
The HIPAA Privacy Rule sets the baseline for how PHI may be used and disclosed. For employer-sponsored plans, this means separating employment decisions from plan administration, applying the minimum necessary standard, and documenting who on your workforce may handle PHI for the plan.
- Amend plan documents to restrict uses and disclosures of PHI to plan administration and prohibit employment-related use.
- Designate a privacy official for the plan, adopt written policies and safeguards, and train any plan workforce members.
- Provide or coordinate the Notice of Privacy Practices (NPP) as applicable to your plan’s funding and data flows.
- Honor individual rights (access, amendments, accounting of disclosures) when your plan maintains the records.
Remember: your employer role is distinct from the plan. PHI accessed for plan purposes cannot be repurposed for hiring, promotion, or disciplinary actions.
PHI Disclosure to Employers
HIPAA limits when PHI can flow from a plan or provider to an employer. Without an individual’s authorization, the plan may share only two categories of information with the plan sponsor: enrollment/disenrollment data, and “summary health information” (claims history, experience, or expenses with identifiers removed other than five-digit ZIP code) used to obtain premium bids or to modify, amend, or terminate the plan. Neither of these two disclosures requires the plan-document amendment described below.
To receive identifiable PHI for Group Health Plan Administration (e.g., appeals, COBRA, vendor oversight), the plan sponsor must certify that plan documents have been amended to safeguard PHI, identify the workforce members (or classes of workforce) with access, and prevent employment-related use. Outside these conditions, and apart from disclosures the Privacy Rule otherwise expressly permits (such as those required by law), the plan needs the individual’s authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Practical examples
- Allowed without authorization: de-identified data (not PHI at all), summary health information showing claims trends for premium bids or plan design changes, enrollment and disenrollment confirmations.
- Allowed with plan-document safeguards: claim files needed to adjudicate an appeal or audit a TPA.
- Allowed with individual authorization: details about a particular employee’s course of treatment for non-plan purposes.
Business Associate Agreements
Vendors that create, receive, maintain, or transmit PHI for your plan are business associates. Typical examples include third-party administrators, pharmacy benefit managers, COBRA administrators, wellness vendors, and benefits consultants. Your plan must execute a Business Associate Agreement (BAA) with each such vendor.
A BAA defines permitted uses and disclosures, requires security safeguards, mandates breach notification, and flows obligations down to subcontractors. As plan sponsor, you often coordinate these agreements on the plan’s behalf. The employer itself is not a business associate of its own plan when performing permitted plan administration functions, but it must honor the plan-document safeguards.
What to include
- Clear purpose and minimum necessary use of PHI.
- Administrative, physical, and technical safeguards for privacy and security.
- Timely breach reporting and cooperation duties.
- Subcontractor flow-downs and termination/return-or-destroy provisions.
Workers' Compensation and HIPAA
HIPAA permits disclosures of PHI without authorization as needed to comply with Workers' Compensation Regulations and similar programs for work-related injuries or illness. Providers and plans may disclose the minimum necessary information to insurers, state agencies, or employers as authorized by law.
These disclosures are narrow. They should relate directly to the work-related injury or illness and the benefits at issue, not to unrelated medical conditions. Where state law is more protective, your plan and vendors must follow the stricter requirements.
Example
- A treating provider shares injury-related progress notes with the workers’ compensation carrier to process benefits; unrelated diagnoses are excluded where feasible.
Employment Records Exemption
HIPAA excludes employment records held by a covered entity in its role as employer from the definition of PHI, even when they contain health information; records held by an employer that is not a covered entity are outside HIPAA for the same reason. Examples include doctor’s notes submitted for sick leave, ADA accommodation documents, fitness-for-duty exams, drug test results, and FMLA certifications maintained in personnel files.
While these records are outside HIPAA, they are still governed by other laws (e.g., ADA confidentiality rules) and should be kept separate from personnel decision files, with strict need-to-know access. By contrast, claim files, EOBs, and eligibility data held by the plan or its business associates are PHI and remain subject to HIPAA.
Key takeaways
- Employers are generally not covered entities; their group health plans are.
- Self-Administered Plan Exemptions may remove very small plans from HIPAA coverage.
- Plan sponsors may receive PHI only for plan administration and with plan-document safeguards.
- BAAs are essential to control vendor handling of PHI.
- Employment records are not PHI under HIPAA, though other laws still apply.
FAQs
Are employers required to comply with HIPAA privacy rules?
Employers themselves are usually not covered entities, but their group health plans are. If you sponsor a self-insured plan—or a fully insured plan that receives PHI beyond enrollment and summary data—the plan must comply with the HIPAA Privacy Rule, and you must maintain plan-document safeguards and workforce separation. If you operate a clinic that conducts electronic transactions, that clinic must comply as a covered provider.
When can employers access employee health information under HIPAA?
You may access PHI for plan administration only after amending plan documents, identifying who can access PHI, and certifying safeguards. Without authorization, you may receive enrollment/disenrollment data and summary health information for bids or plan design. For other uses, obtain the employee’s authorization or ensure the disclosure fits a specific allowance (for example, workers’ compensation as permitted by law). PHI cannot be used for employment decisions.
Does HIPAA apply to employer-sponsored health plans?
Yes. Group health plans are covered entities under the HIPAA Privacy Rule, except for certain small plans under the Self-Administered Plan Exemptions. Fully insured plans that do not receive PHI beyond limited data have fewer obligations, while self-insured plans must implement full privacy and security programs.
How are business associate agreements relevant to employers?
Your plan must have a Business Associate Agreement with any vendor that handles PHI, such as TPAs, PBMs, COBRA administrators, brokers, and wellness vendors. BAAs set the rules for permissible use, security, minimum necessary access, breach notification, and subcontractor compliance. As plan sponsor, you typically negotiate and maintain these agreements on the plan’s behalf to ensure compliant Group Health Plan Administration.