Do Employers Need HIPAA Compliance? When It Applies and How to Comply


Kevin Henry

HIPAA

December 28, 2025

8 minute read

HIPAA Applicability to Employers

HIPAA primarily governs covered entities—health plans, most health care providers that transmit standard transactions, and health care clearinghouses—as well as their business associates. Employers, by themselves, are not covered entities. However, HIPAA compliance becomes relevant when you sponsor or administer a group health plan and handle Protected Health Information (PHI) for plan administration.

Employment records are not PHI, even if they contain health information. PHI is individually identifiable health information maintained or transmitted by a covered entity or business associate for health care or payment/operations. When PHI is involved, the HIPAA Privacy and Security Rules apply, including the Minimum Necessary Standard that limits use and disclosure to what is needed for the task.

When employers fall within HIPAA’s scope

  • You act for a group health plan (for example, reviewing appeals or resolving eligibility issues) and receive PHI.
  • You sponsor a Self-Funded Group Health Plan and access PHI beyond enrollment or summary data.
  • You provide services as a business associate to the plan (e.g., benefits administration functions involving PHI).
  • You operate an on-site clinic that conducts HIPAA standard transactions; in that case, the clinic is the covered entity, not the employer.

Exceptions for Self-Funded Health Plans

A Self-Funded Group Health Plan is itself a covered entity. That makes it an exception to the general notion that employers rarely have HIPAA duties: when you sponsor a self-funded plan and touch PHI for plan administration, full HIPAA obligations attach to the plan and, to the extent you receive PHI, to your plan-sponsor activities.

Fully insured vs. self-funded: what changes

In a fully insured arrangement, the insurer usually handles HIPAA compliance. If the employer receives only enrollment/disenrollment data or de-identified/summary health information, many Privacy Rule administrative requirements rest with the insurer, not the employer. By contrast, a self-funded plan must meet Privacy and Security Rule requirements directly, including policies, workforce training, and breach response, because the plan (and its vendors) create or maintain PHI.

What information employers may receive

  • Enrollment and disenrollment information to manage eligibility.
  • Summary health information for obtaining premium bids or amending the plan.
  • PHI for plan administration where plan documents are amended and the plan sponsor certifies restrictions on use and disclosure.
  • PHI disclosed pursuant to individual authorization, when appropriate.

Safeguards to Protect PHI

To achieve HIPAA compliance, implement layered safeguards that map to the Privacy and Security Rules and enforce the Minimum Necessary Standard. Focus on people, process, and technology, backed by leadership oversight.

Administrative Safeguards

  • Designate a Privacy Officer and a Security Officer to oversee compliance.
  • Conduct a risk analysis of how ePHI is created, received, maintained, and transmitted; document risk management steps.
  • Adopt written policies and procedures, workforce training, and sanction processes for violations.
  • Limit access to PHI to specific plan-administration roles; maintain an access roster and review it regularly.
  • Execute Business Associate Agreements with TPAs, COBRA administrators, brokers, and other vendors handling PHI.
  • Establish incident response and breach notification workflows, including logging and investigation.

Physical Safeguards

  • Secure locations where PHI is stored (locked cabinets, restricted offices) and control facility access.
  • Protect devices and media that store PHI; use clear desk/clear screen practices and secure disposal.

Technical Safeguards

  • Enforce access controls so that only designated plan-administration roles can reach ePHI, and require multi-factor authentication for those accounts.
  • Encrypt ePHI at rest and in transit.
  • Keep audit logs of access to ePHI and review them as part of incident response and breach investigation.
Other Federal Health Information Laws

HIPAA is not the only framework affecting employee health data. You must also account for other federal requirements that can apply in parallel or where HIPAA does not reach.

  • ADA: Medical information obtained for disability accommodations and post-offer exams must remain confidential and stored separately from personnel files.
  • GINA: Prohibits collecting or using genetic information for employment decisions and limits wellness program requests for family medical history.
  • FMLA: Medical certifications supporting leave must be kept confidential and segregated from HR files.
  • 42 CFR Part 2: Imposes heightened confidentiality for substance use disorder treatment records when applicable.
  • HITECH Act: Integrates breach notification and strengthens HIPAA enforcement for ePHI.
  • OSHA recordkeeping: Requires privacy protections for certain injury/illness records identified as privacy cases.

Employer Responsibilities as Plan Sponsor

As a plan sponsor, you must separate employment functions from plan administration and formalize how PHI flows. This avoids impermissible use of PHI for hiring, firing, or other employment decisions.

  • Amend plan documents to describe permitted PHI disclosures to the sponsor and certify compliance with restrictions.
  • Establish a firewall that identifies who may access PHI, for what purposes, and how misuse is sanctioned.
  • Provide a Notice of Privacy Practices to plan participants and maintain required records for at least six years.
  • Ensure Security Rule compliance for ePHI, even when a TPA hosts systems; verify controls via contracts and oversight.
  • Apply the Minimum Necessary Standard to all routine uses and disclosures for plan operations.
  • Maintain BAAs and monitor vendors; review SOC reports or security attestations where appropriate.
  • Test incident response plans and coordinate breach notifications with vendors when needed.

Role of Employers in Group Health Plans

Your role centers on plan administration, not access to medical details for employment. Limit information to what you need to run the plan, and rely on vendors to handle clinical data whenever possible.

Typical data flows and boundaries

  • Insurers/TPAs process claims and maintain detailed PHI; the employer receives only what is necessary for eligibility, contributions, appeals, and audits.
  • For appeals or complex eligibility disputes, restrict PHI access to designated plan staff and maintain an audit trail.
  • Use de-identified or aggregated reports for strategy and budgeting; avoid identifiable PHI unless strictly required.
  • Do not commingle PHI with personnel files or use it for performance management or disciplinary actions.

Compliance for Workplace Wellness Programs

Whether HIPAA applies to a wellness program depends on how it is offered. If the program is part of your group health plan and handles PHI (e.g., biometric screenings), the HIPAA Privacy and Security Rules apply. If offered outside the plan, HIPAA may not apply, but ADA and GINA still restrict medical inquiries, incentives, and use of health information.

Design and data practices

  • Classify programs as participatory or health-contingent under HIPAA nondiscrimination rules; offer reasonable alternatives and required disclosures for health-contingent designs.
  • Route identifiable screening results to a vendor or health plan; receive only aggregate, de-identified outcomes whenever feasible.
  • Execute BAAs with vendors that handle PHI; confirm encryption, access controls, and secure portals.
  • Provide appropriate notices, obtain authorizations when needed, and apply the Minimum Necessary Standard to any PHI you receive.

Conclusion

Employers usually are not HIPAA covered entities, but HIPAA compliance matters when you administer a Self-Funded Group Health Plan or otherwise handle PHI for plan operations. Build strong Administrative and Technical Safeguards, enforce minimum-necessary access, separate plan and employment functions, and manage vendors diligently. This approach protects employee privacy and keeps your organization aligned with the Privacy and Security Rules.

FAQs

When does HIPAA apply to employers?

HIPAA applies when you act on behalf of a group health plan and receive PHI for plan administration, when you sponsor a Self-Funded Group Health Plan that creates or maintains PHI, or when you provide services as a business associate to the plan. It does not apply to ordinary employment records.

What safeguards must employers implement for PHI?

Implement Administrative Safeguards (policies, training, risk analysis, BAAs, designated Privacy Officer), Physical Safeguards (secure storage and device/media controls), and Technical Safeguards (access controls, encryption, audit logs, MFA). Apply the Minimum Necessary Standard to every routine use or disclosure.

How does HIPAA protect employee health information?

HIPAA limits how PHI may be used and disclosed, requires the Privacy and Security Rules for protection, grants individual rights (such as access and amendments through the plan), and mandates breach response. These protections attach to PHI held by the health plan and its vendors, not to general HR files.

Are employers covered entities under HIPAA?

No. Employers are not covered entities. The group health plan is the covered entity, and the employer—acting as plan sponsor—must comply when it receives PHI for plan administration as permitted by amended plan documents and certifications.

What federal laws protect employee health data besides HIPAA?

ADA confidentiality rules, GINA’s limits on genetic and family medical information, FMLA medical record protections, 42 CFR Part 2 for certain substance use disorder records, HITECH breach provisions, and OSHA privacy requirements can all apply, often alongside or outside HIPAA.
