HIPAA and Financial Planning: What Advisors Need to Know About Privacy and Compliance

Kevin Henry

HIPAA

October 20, 2025

7 minutes read

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule sets national standards for how Protected Health Information (PHI) may be used and disclosed. PHI is individually identifiable health information held or transmitted by a covered entity or business associate in any form, whether paper, verbal, or digital; when it is created, stored, or transmitted electronically it is Electronic Protected Health Information (ePHI). The rule applies to covered entities, meaning health plans, health care clearinghouses, and health care providers that conduct standard transactions electronically, and to their business associates.

Most financial advisors are not covered entities. You become a business associate when you receive PHI from a covered entity to perform a service on its behalf, such as analyzing claims for an employer's health plan. In that role, HIPAA's "minimum necessary" standard applies: access, use, and disclosure must be limited to what is reasonably needed for the task. If a client hands you their own medical records directly, for example underwriting records for Long-Term Care Insurance, that information is not PHI in your hands and HIPAA generally does not apply to it, but financial privacy laws, state law, and your contractual duties still do.

A covered entity generally needs the patient's written authorization before disclosing PHI to you, unless the disclosure falls within a purpose the Privacy Rule already permits (such as payment or operations work you perform for the plan as its business associate). Confirm and document the legal basis for every flow of health information into your firm, and make sure intake and retention practices are consistent across teams.

HIPAA Security Rule Requirements

The HIPAA Security Rule focuses on safeguarding ePHI. It requires a risk-based program spanning Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Even small advisory firms must implement reasonable measures aligned to their size, complexity, and the sensitivity of ePHI handled.

Core safeguards to operationalize

  • Administrative Safeguards: risk analysis and risk management, role-based access, workforce training, sanctions, contingency and incident response planning, and vendor oversight.
  • Physical Safeguards: secure facilities, workstation/device controls, media handling and disposal, and protections for remote work and mobile access.
  • Technical Safeguards: unique user IDs, strong authentication, encryption in transit and at rest, audit logs, integrity monitoring, and automatic logoff. Encryption is an "addressable" specification under the Security Rule, which does not make it optional: you must either implement it or document why it is not reasonable for your environment and what equivalent measure you use instead.

Translate policy into practice: inventory systems touching ePHI, define data flows, set access boundaries, and test backup and recovery. Regularly reevaluate risks as you add tools like client portals, cloud storage, or e-signature platforms.

Financial Advisors' Compliance Obligations

Your obligations turn on your role. If you act as a business associate, you must comply with applicable HIPAA requirements, execute Business Associate Agreements (BAAs), and implement the Security Rule’s safeguards. If you are not a business associate, you still owe duties under federal financial privacy rules, state privacy laws, and your contracts—plus basic cybersecurity expectations.

Practices tailored to advisory use cases

  • Data minimization: collect only what you need for planning scenarios like Health Savings Accounts (HSAs) eligibility, Medicare planning, or Long-Term Care Insurance underwriting.
  • Secure intake: prefer client portals or encrypted email for documents containing diagnoses, treatment details, or Explanations of Benefits (EOBs); avoid unprotected channels and shared inboxes.
  • Record hygiene: segregate PHI/ePHI from general client files, apply tighter retention schedules, and document client authorizations and consent.
  • Team readiness: train staff on identifying PHI, handling requests, and escalation paths for suspected incidents; rehearse breach response.
  • Vendor diligence: verify that custodians, TPA partners, and insurtech platforms implement appropriate safeguards and, where needed, sign BAAs.

Business Associate Agreements for Financial Institutions

A Business Associate Agreement (BAA) is the written contract a covered entity must have in place before it discloses PHI to a business associate; it defines the permitted uses and disclosures and the privacy and security terms the business associate must honor. Financial institutions and advisory firms need BAAs when they receive PHI from a health plan, provider, or insurer to support plan administration, claims advocacy, or similar services performed on the covered entity's behalf.

When a BAA is typically required

  • A health plan or insurer shares PHI so your team can resolve claims, appeal denials, or analyze plan options for an employer group.
  • A provider authorizes you to access patient billing records to coordinate long-term care funding or manage medical expense cash flows.
  • A platform you use processes PHI on your behalf; as a business associate you must have your own BAA with that subcontractor binding it to the same restrictions and safeguards.

Key BAA terms to negotiate and operationalize

  • Permitted uses/disclosures and “minimum necessary” scope.
  • Safeguards, audit rights, and breach/incident notification timelines. HIPAA requires a business associate to report a breach to the covered entity without unreasonable delay and no later than 60 days after discovery; most covered entities negotiate a much shorter window, so make sure your incident response plan can actually meet it.
  • Subcontractor flow-down, data return/destroy on termination, and cooperation duties.
  • Allocation of liability and insurance requirements proportionate to risk.

Align the BAA’s promises with your real-world controls, logs, and response plans. Paper compliance without operational backing increases exposure.

Intersection with Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) governs nonpublic personal information collected by financial institutions, while HIPAA governs PHI handled by covered entities and business associates. For advisors, GLBA's privacy and safeguarding duties arrive through SEC Regulation S-P for SEC-registered firms and the FTC Safeguards Rule for other financial institutions. The same record can fall under both frameworks depending on its source, content, and purpose.

In practice, map information by category: treat PHI/ePHI under HIPAA obligations when you act as a business associate, and apply GLBA requirements to client financial data in every case. When both could apply, follow the stricter rule on notice, consent, and safeguards, and make sure your privacy notices, opt-out mechanisms, and vendor contracts reflect the correct regime.

California Consumer Privacy Act Considerations

Under the CCPA (as amended by the CPRA), PHI collected by a covered entity or business associate and personal information collected under GLBA are exempt. Two caveats: the GLBA exemption does not extend to the CCPA's private right of action for data breaches, and both exemptions apply to the data, not to your firm as a whole. Other personal information you collect, such as website analytics, marketing lists, or health-related details obtained directly from consumers outside a HIPAA context, can still fall under the CCPA.

Advisors should provide clear notices at collection, honor rights to access, delete, and correct where applicable, and manage “sale” or “sharing” opt-outs, including cross-context behavioral advertising. Classify “sensitive personal information,” limit its use as required, and ensure data processing agreements with service providers mirror CCPA/CPRA terms even when BAAs exist.

Risks and Benefits of HIPAA Compliance

Non-compliance risks include regulatory investigations, civil monetary penalties, corrective action plans, contractual liability under BAAs, breach notification costs, and reputational harm. Operational missteps—like over-collection of PHI, weak access controls, or lax vendor oversight—often drive incidents.

Benefits include stronger client trust, smoother referrals from health providers, disciplined data governance, and clearer boundaries for what your team collects and retains. A mature privacy and security posture can also streamline due diligence with insurers, custodians, and enterprise clients.

Action checklist for advisors

  • Decide when you act as a business associate and document data flows.
  • Stand up Security Rule controls for any ePHI: access, encryption, logging, and training.
  • Use BAAs and vendor due diligence to extend protections across your ecosystem.
  • Apply GLBA/CCPA to non-PHI; keep PHI/ePHI segmented with tighter retention.
  • Test incident response and practice “minimum necessary” in daily workflows.

Conclusion

Financial planning often touches health information, from HSAs to Long-Term Care Insurance. By classifying data accurately, executing BAAs where required, and implementing practical safeguards, you can meet HIPAA expectations while honoring GLBA and CCPA obligations—and reinforce client confidence in the process.

FAQs

What is the role of HIPAA in financial planning?

HIPAA governs how PHI and ePHI are used and disclosed when a covered entity or its business associate is involved. In financial planning, it matters when you receive PHI from health plans, providers, or insurers to perform services on their behalf; then you must follow HIPAA’s privacy rules and Security Rule safeguards.

How do Business Associate Agreements affect financial advisors?

BAAs authorize PHI sharing and bind advisors to specific privacy, security, and breach-notification duties. They clarify permitted uses, require safeguards, extend obligations to subcontractors, and set termination and data-return terms—turning your privacy program into a contractual commitment that regulators and counterparties can enforce.

What are the penalties for HIPAA non-compliance?

Penalties range from corrective action plans and tiered civil monetary fines per violation to, in egregious cases, criminal exposure. Regulators also require breach notifications and may impose multi-year monitoring. Contractual damages under BAAs and reputational harm often exceed direct regulatory costs.

How do HIPAA and GLBA overlap for financial institutions?

HIPAA applies to PHI handled for covered entities through a business associate role; GLBA applies broadly to nonpublic personal information gathered in providing financial services. When both touch the same engagement, apply HIPAA to PHI/ePHI, GLBA to financial data, and adopt the stricter standard on safeguards, disclosures, and vendor contracts to cover all bases.
