HIPAA Compliance Guide: Employee Health Information vs Financial Data, with Examples


Kevin Henry

HIPAA

December 14, 2024

7 minutes read

HIPAA Applicability to Employers

HIPAA regulates covered entities—health plans, most healthcare providers, and clearinghouses—and their business associates. In your role as an employer, you are generally not a covered entity. However, your employer-sponsored group health plan is a covered entity, and any vendors that handle its data are business associates.

Protected Health Information (PHI) is individually identifiable health information created or received by a covered entity or business associate. Employment records maintained by you in your role as an employer are not PHI, even when they contain health details.

Hybrid and partial coverage in practice

Many organizations operate as a partial covered entity—HIPAA calls this a “hybrid entity.” In this model, you formally designate the health plan (and any other healthcare components) as HIPAA-covered, and segregate them from the rest of the company for compliance purposes.

Examples

  • HR collects a doctor’s note for sick leave: employment record, not PHI under HIPAA.
  • Group health plan claim files and Explanation of Benefits: PHI subject to the Privacy and Security Rules.
  • Worksite COVID-19 test results gathered for return-to-work decisions by HR: not PHI under HIPAA (though other laws may apply).

Employee Health Information Governance

Governance depends on which “hat” you wear. When acting as plan sponsor for Health Benefit Plan Administration, HIPAA applies to the plan’s PHI. When acting as employer, HIPAA does not cover your employment records, but other laws like the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act (GINA) can restrict what you collect and how you use it.

For the HIPAA-covered components, you must implement the Privacy and Security Rules, limit uses and disclosures to permitted purposes, and apply the “minimum necessary” standard. When you need data for workforce analytics, use De-Identified Data or a limited data set whenever possible.

Examples

  • Using aggregated, de-identified claims trends to negotiate premiums: permissible and safer.
  • Sharing an employee’s claim detail with a supervisor to manage performance: impermissible under HIPAA and employment laws.
  • Requesting family medical history for hiring: prohibited by the Genetic Information Nondiscrimination Act.

Employer-Sponsored Health Plans Compliance

Your group health plan must satisfy HIPAA’s administrative requirements. That includes plan document amendments, a Notice of Privacy Practices for participants, a designated privacy official, workforce training, and processes for individual rights (access, amendments, and accounting of disclosures).

For electronic PHI (ePHI), the HIPAA Security Rule—often described as the Electronic Security Rule—requires a documented risk analysis, risk management, access controls, audit logging, transmission security, and contingency planning. Vendors that support claims, eligibility, HRAs/FSAs, or EAPs must sign Business Associate Agreements.

Examples

  • Firewalling: HR may receive enrollment data to run payroll deductions, but cannot use claims data for hiring or promotion decisions.
  • Minimum necessary: benefits staff view only the claim fields needed to resolve an appeal.
  • Vendor oversight: your FSA administrator signs a BAA and undergoes annual security due diligence.

Financial Data Protection under HIPAA

Financial data such as bank account numbers, pay statements, or credit card details are not PHI unless they are part of PHI held by a covered entity or business associate. HIPAA protects health information, not general financial records. When financial identifiers appear inside PHI (for example, an EOB showing masked account details), the PHI must be safeguarded under HIPAA.

Outside the HIPAA context, other frameworks typically govern financial data (for example, banking privacy requirements or payment card standards). If a financial institution performs Health Benefit Plan Administration—for instance, adjudicating FSA claims on your plan’s behalf—it may be a business associate and must protect any PHI it receives.

Examples

  • Direct-deposit forms for payroll: not PHI; HIPAA does not apply.
  • EOBs mailed by the health plan to a participant’s home: PHI subject to HIPAA.
  • Bank administering your HRA and receiving medical receipts: PHI handled under HIPAA via a BAA.

Privacy Safeguards for Employee Health Information

Apply layered safeguards for PHI handled by your plan. Administratively, define roles, train staff, and enforce the minimum necessary standard. Technically, implement access controls, MFA, encryption, audit logging, and secure file transfer. Physically, secure storage, limit workstation access, and control printing and mailing.

Use De-Identified Data for reporting and dashboards. When identifiers are necessary, prefer a limited data set with a data use agreement. Ensure secure disposal and retention schedules align with legal and operational needs.

Examples

  • Separate mailboxes and systems for plan administration versus HR employment files.
  • Automatic redaction of Social Security numbers from plan reports not requiring them.
  • Encryption at rest and in transit for ePHI, with quarterly access reviews.

Compliance Best Practices for Employers

Start by mapping data flows to know exactly where PHI, employment health records, and financial data reside. Designate HIPAA-covered components, operate as a partial covered entity (hybrid entity), and document the firewall between plan functions and HR employment decisions.

Execute Business Associate Agreements, standardize “minimum necessary” role-based access, and maintain a written risk analysis with remediation plans under the Electronic Security Rule. Build an incident response process, test breach notification playbooks, and retrain annually with scenario-based exercises.

Examples

  • Plan governance: appoint a privacy and security officer for Health Benefit Plan Administration and document approval workflows.
  • Vendor management: require SOC 2 or equivalent evidence and evaluate subcontractors that touch PHI.
  • Data minimization: provide leaders de-identified trend reports rather than member-level details.

Risks of Non-Compliance with HIPAA

Non-compliance can trigger civil penalties that escalate with the level of culpability, corrective action plans monitored by regulators, and—when PHI is misused intentionally—potential criminal liability. Breaches also drive notification costs, participant distrust, and operational disruption.

Beyond HIPAA, missteps can implicate the Genetic Information Nondiscrimination Act, state privacy laws, and contractual obligations with plan vendors. Reputational harm and employee relations fallout often exceed direct remediation costs.

Conclusion

HIPAA centers on PHI held by your health plan and its vendors—not on your general employment or finance records. Treat the plan as a distinct, protected component, apply the Privacy and Security Rules rigorously, prefer De-Identified Data for business insights, and keep financial data governed by the right non-HIPAA standards. Clear governance, disciplined safeguards, and tested procedures are your strongest protections.

FAQs

Does HIPAA protect employee health information collected by employers?

Usually no. Health details kept in employment files (such as accommodation requests or return-to-work notes) are not PHI under HIPAA. HIPAA applies when the information is created or received by a covered entity or business associate, such as your group health plan. Other laws—like the ADA or GINA—can still govern employer-held records.

Are employer-sponsored health plans subject to HIPAA requirements?

Yes. A group health plan is a covered entity and must comply with HIPAA’s Privacy and Security Rules, provide a Notice of Privacy Practices, honor individual rights, conduct a security risk analysis, and manage vendors through Business Associate Agreements. Employers often operate as a partial covered entity (hybrid entity) to segregate plan administration from HR.

If a financial institution performs Health Benefit Plan Administration—for example, processing FSA or HRA claims—it acts as a business associate and must protect any PHI it receives under HIPAA and a BAA. If it holds only general banking data (like payroll direct deposits) outside the plan context, HIPAA does not apply.

What are the best practices for employers to safeguard employee health information?

Separate plan administration from HR employment functions; limit access using the minimum necessary standard; encrypt ePHI; log and review access; train the benefits workforce; execute BAAs; use De-Identified Data for reporting; and maintain a documented risk analysis and incident response plan aligned to the Electronic Security Rule.
