Employer vs. Covered Entity Under HIPAA: What Applies and When

Kevin Henry

HIPAA

January 21, 2025

Understanding where an employer stands under HIPAA is essential to handling Protected Health Information responsibly. This guide clarifies when HIPAA applies to an employer, when it applies to Group Health Plans, and how the Privacy Rule, Business Associates, and Hybrid Entity designations affect your obligations.

HIPAA Covered Entities

Who counts as a covered entity

Under HIPAA, “covered entities” are limited to health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (such as billing or eligibility checks). An employer, by itself, is not automatically a covered entity.

Protected Health Information (PHI) basics

PHI includes individually identifiable health information created or received by a covered entity or its business associate. PHI can be oral, paper, or electronic (ePHI). De‑identified data is not PHI and falls outside the Privacy Rule.

Employment Records Exclusion

HIPAA’s Employment Records Exclusion is critical: health-related information kept by an employer in its role as an employer—such as FMLA certifications, ADA accommodation files, or fitness-for-duty notes—is not PHI. Those records are governed by other laws, not the HIPAA Privacy Rule.

Employer Health Plans

Group Health Plans are covered entities

Employer-sponsored Group Health Plans (medical, dental, vision, prescription drug plans, health FSAs, certain EAPs) are covered entities in their own right. The plan—not the employer—must comply with HIPAA. The plan and the employer are separate for HIPAA purposes.

Fully insured vs. self-insured plans

In fully insured arrangements, the insurer handles most HIPAA activities. If the employer receives only enrollment/disenrollment data and summary health information, the plan’s HIPAA duties are limited. In self-insured arrangements, the plan (often through a third‑party administrator) creates and receives PHI to pay claims and run operations, so full Privacy Rule and Security Rule responsibilities apply.

Self-Administered Plans with fewer than 50 participants

A plan with fewer than 50 participants that is administered solely by the employer falls outside HIPAA’s definition of “group health plan.” In that narrow case, the plan is not a covered entity. If participation reaches 50 or more, or the employer brings in an outside administrator, the plan’s HIPAA status can change.

Onsite clinics and EAPs

Employer onsite clinics or EAPs may be covered entities if they provide health care and conduct standard electronic transactions. If they do not conduct such transactions, they may fall outside HIPAA, but other privacy laws and best practices still apply.

Employer's Role in HIPAA

Plan sponsor boundaries and firewalls

An employer acting as a plan sponsor may obtain PHI only for plan administration. To receive PHI beyond limited data, you must amend plan documents, build “firewalls” that restrict HR and management access, and ensure PHI is never used for employment decisions like hiring, firing, or discipline.

What you can receive without authorization

  • Enrollment and disenrollment information.
  • Summary health information for obtaining premium bids or amending the plan.
  • De-identified information for analytics and reporting.

What requires authorization

Using an individual’s PHI for any non–plan administration purpose—especially employment actions—requires the individual’s valid authorization, unless a specific HIPAA or other legal permission applies.

Business Associates and PHI

Who is a Business Associate

Vendors that create, receive, maintain, or transmit PHI for a covered entity are Business Associates. Common examples include third‑party administrators, benefits brokers, utilization review firms, wellness vendors, pharmacy benefit managers, and data analytics providers.

Business Associate Agreement essentials

A Business Associate Agreement must define permitted uses and disclosures, require safeguards for PHI, mandate breach reporting, flow down the same duties to subcontractors, and allow termination for material breach. Without a Business Associate Agreement, sharing PHI with a vendor is not permitted.

Privacy Rule Applicability

When the Privacy Rule applies

The Privacy Rule applies to covered entities (including Group Health Plans) and to Business Associates handling PHI on their behalf. It does not apply to an employer’s general employment records due to the Employment Records Exclusion.

Common scenarios you’ll encounter

  • HR receives a doctor’s note for leave: typically an employment record, not PHI.
  • Plan sponsor reviews claim data to audit the TPA: Privacy Rule applies; use only the minimum necessary.
  • Wellness program provides medical services and bills the plan: likely part of the plan; HIPAA applies.
  • Communicating plan changes: using summary health information is allowed for plan design decisions.

Minimum necessary and safeguards

Use and disclose only the minimum necessary PHI to do the job. Apply administrative, technical, and physical safeguards—especially for ePHI under the Security Rule—to prevent unauthorized access or disclosure.

Employer Obligations

Core duties for self-insured plans

  • Adopt and document HIPAA policies and procedures; designate privacy and security officials.
  • Provide a Notice of Privacy Practices, train workforce members, and apply sanctions for violations.
  • Honor individual rights (access, amendment, accounting of disclosures) in the designated record set.
  • Execute and manage each Business Associate Agreement; monitor vendor compliance proportionately.
  • Implement Security Rule safeguards for ePHI and conduct periodic risk analyses.
  • Follow Breach Notification Rule steps, including risk assessments and timely notifications.

Obligations for fully insured plans with limited PHI

If the plan does not create or receive PHI beyond enrollment/disenrollment and summary data, obligations are narrower. The insurer handles most Privacy Rule tasks, but you must still prevent misuse, maintain plan sponsor firewalls, and avoid retaliatory acts.

Documentation and retention

Keep required HIPAA documentation, including policies, risk analyses, and Business Associate Agreements, for at least six years from creation or last effective date. Review and update documents as your plan design, vendors, or systems change.

Breach response at a glance

  • Identify and contain the incident; preserve evidence.
  • Perform a four-factor risk assessment and document your findings.
  • Notify affected individuals, regulators, and (if applicable) the media within required timelines.
  • Remediate root causes and update safeguards and training.

Hybrid Entities and Compliance

What is a Hybrid Entity

A Hybrid Entity is a single organization that performs both HIPAA-covered and non-covered functions and formally designates its health care components. Only the designated components—and the workforce supporting them—must follow HIPAA, while other parts of the organization are not covered.

Applying the Hybrid Entity model to employers

If your organization runs an onsite clinic or EAP that conducts standard electronic transactions, you can designate that unit as a health care component. Maintain strict separation from non-covered employer functions, and ensure appropriate Business Associate Agreements are in place for vendors supporting the component.

Key takeaways

  • Employers are not covered entities; Group Health Plans are.
  • Privacy Rule obligations hinge on whether the plan creates or receives PHI.
  • Use plan sponsor firewalls and limit PHI to plan administration purposes.
  • Business Associate Agreement management is central to compliance.
  • Consider a Hybrid Entity designation to isolate covered components.

FAQs

Is an employer considered a covered entity under HIPAA?

No. An employer, acting as an employer, is not a covered entity. However, the employer’s Group Health Plan is a covered entity, and any onsite clinic or EAP that provides health care and conducts standard electronic transactions may also be covered. HIPAA applies to those entities—not to the employer’s general employment records.

How do employer health plans comply with HIPAA regulations?

Group Health Plans comply by implementing Privacy Rule and Security Rule safeguards, issuing a Notice of Privacy Practices (when applicable), honoring individual rights, training staff, executing each Business Associate Agreement, and following breach notification procedures. Self-insured plans carry the most direct duties; fully insured plans with only enrollment and summary data have narrower obligations.

When does the Privacy Rule apply to employers?

The Privacy Rule applies when the employer acts as a plan sponsor and receives PHI for plan administration, or when it operates a covered health care component. It does not apply to employment records due to the Employment Records Exclusion, and it does not allow use of PHI for hiring, firing, or other employment decisions without authorization.

What is a hybrid entity under HIPAA?

A Hybrid Entity is an organization that designates specific health care components to which HIPAA applies, while its other functions remain non-covered. For employers with covered clinics or EAPs, this approach isolates compliance duties, creates clear firewalls, and reduces the risk of inappropriate PHI sharing with non-covered parts of the business.