HIPAA Employee Rights Explained: Employer Obligations, Limits, and Compliance Examples


Kevin Henry

HIPAA

November 30, 2024

8 minutes read

HIPAA Applicability to Employers

When HIPAA applies—and when it does not

HIPAA applies to covered entities (health plans, most health care providers, and health care clearinghouses) and their business associates. Most employers are not covered entities in their role as employers. However, HIPAA applies to your organization when it operates or sponsors a group health plan, runs an on-site clinic that provides medical care, or performs services for a plan that involve Protected Health Information (PHI).

Protected Health Information in the workplace

PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. If your HR team handles claims data from a group health plan, wellness program medical results administered by a covered provider, or records from an employer clinic, that information is likely PHI subject to the HIPAA Privacy Rule and HIPAA Security Rule.

Hybrid entities and firewalls

Organizations with both covered and non-covered functions can designate themselves as “hybrid entities.” In that case, you must erect administrative “firewalls” to keep PHI within the health care components and away from employment decision-makers. This segregation is a cornerstone of Group Health Plan Compliance.

What about employment files?

Employment records kept by an employer in its capacity as an employer—such as sick notes or accommodation requests—are not PHI. See the Employment Records Exclusion section below for details on what that means in practice.

Employer Obligations Under HIPAA

Privacy Rule duties

Under the HIPAA Privacy Rule, you may use or disclose PHI only for permitted purposes (such as treatment, payment, and health care operations) or with a valid authorization. Plan sponsors may receive PHI for plan administration only if plan documents are amended and privacy safeguards are in place. Use the minimum necessary standard, maintain a Notice of Privacy Practices for the plan, designate a privacy official, and implement complaint and sanction processes.

Security Rule duties

The HIPAA Security Rule requires you to protect electronic PHI with administrative, physical, and technical safeguards. Conduct a Risk Assessment, implement Administrative Safeguards (policies, training, workforce clearance, contingency planning), and deploy technical controls such as access management, audit logging, encryption in transit and at rest, and multi-factor authentication.

Business associates and contracts

Vendors that create, receive, maintain, or transmit PHI on your behalf—such as TPAs, benefits platforms, data warehouses, and consultants—are business associates. You must execute Business Associate Agreements and verify that appropriate safeguards, breach reporting terms, and subcontractor flow-downs are in place.

Handling impermissible uses and unauthorized disclosure

If PHI is used or disclosed in a way not permitted by the Privacy Rule, you must perform a breach Risk Assessment (the four-factor analysis of the nature of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated). Unless that assessment shows a low probability of compromise, the incident is a breach and you must follow the Breach Notification requirements: notify affected individuals without unreasonable delay and within 60 days of discovery, notify the Secretary of HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and notify prominent media outlets when 500 or more residents of a state are affected. Document the assessment, the notification decision, and all corrective actions, whether or not notification is ultimately required.

Group Health Plan Compliance practicals

  • Amend plan documents to limit the employer’s access to PHI and to prohibit use for employment-related decisions.
  • Limit routine data sharing to enrollment/disenrollment data and de-identified or summary health information unless a valid authorization is obtained.
  • Keep PHI within designated plan administration staff and systems, not general HR or management channels.

Employment Records Exclusion

What is excluded from HIPAA

Employment records maintained by an employer in its role as employer are not PHI and are outside HIPAA. Examples include doctor’s notes for sick leave, FMLA certifications, workers’ compensation documents, ADA accommodation requests, fitness-for-duty certifications, and drug test results kept for employment purposes.

Privacy still matters—even if not HIPAA

Although these records are not PHI, other laws and sound ethics require confidentiality. Store employment medical files separately from personnel files, restrict access to a need-to-know basis, and avoid mixing employment records with group health plan data.


Practical separation

  • Use separate systems and repositories for plan PHI and employment records.
  • Assign different staff for plan administration and employment decisions.
  • Train supervisors never to request or use plan PHI in hiring, promotion, or discipline.

Examples of Employer HIPAA Violations

  • Using group health plan claims data to decide promotions or terminations, or sharing a worker’s diagnosis with a supervisor for performance management.
  • Allowing HR team members without plan administration duties to access a benefits portal containing PHI.
  • On-site clinic personnel emailing unencrypted visit notes or lab results to a manager, leading to an unauthorized disclosure.
  • Sending a spreadsheet of plan participants’ medications to a broker or consultant without a Business Associate Agreement.
  • Failing to conduct a Security Rule Risk Assessment, resulting in weak access controls and impermissible access to ePHI.
  • Discussing an employee’s claim details in open office areas, hallways, or chat channels where others can overhear or view.

Compliance Steps for Employers

Build a compliant program

  • Determine your HIPAA footprint: identify covered components (plans, clinics) and business associate roles.
  • Appoint privacy and security officials; set governance, reporting lines, and escalation paths.
  • Complete a comprehensive Risk Assessment and gap analysis covering administrative, physical, and technical safeguards.
  • Update plan documents to establish Group Health Plan Compliance “firewalls” and certify permitted plan sponsor access.
  • Implement Administrative Safeguards: policies and procedures, workforce training, sanctions, and periodic reviews.
  • Deploy technical controls: least-privilege access, unique IDs, audit logs, encryption, secure file transfer, and MFA.
  • Strengthen physical safeguards: locked storage, clean desk standards, privacy screens, and secure media disposal.
  • Manage vendors: execute BAAs, review security questionnaires, and verify incident reporting obligations.
  • Prepare for incidents: establish intake channels, triage criteria, breach Risk Assessment templates, and notification playbooks.
  • Document everything: decisions, assessments, training, incidents, and corrective actions.

Employee Rights Under HIPAA

What you can expect from covered entities

  • Access and copies: you may inspect and obtain copies of your PHI held by a covered entity (such as a group health plan or employer-run clinic) in the requested form and format if readily producible.
  • Amendments: you can request corrections to PHI you believe is inaccurate or incomplete; denials require a written explanation and your right to submit a statement of disagreement.
  • Accounting of disclosures: you can request a list of certain disclosures made by the covered entity.
  • Restrictions: you may request restrictions on certain uses or disclosures; the covered entity is not always required to agree.
  • Confidential communications: you can ask a health plan to send communications to an alternate address or by alternate means.
  • Complaints: you can file a complaint with the covered entity’s privacy official or with regulators without retaliation.

Important limitation

These HIPAA rights apply to PHI held by covered entities and business associates—not to employment records your employer keeps for HR purposes. For access to employment files, follow your company’s HR procedures and applicable employment laws.

Best Practices for Protecting Employee Health Information

Operate with least data, least access, least time

  • Data minimization: collect only what is necessary for plan administration; avoid storing diagnoses in HR systems.
  • Segregation: keep PHI systems and repositories separate from HR and payroll platforms.
  • Role-based access: grant access to PHI only to designated plan administrators; review privileges quarterly.

Harden technology and workflows

  • Encryption by default for email, files, and backups containing ePHI; use secure portals for data exchange.
  • Strong authentication and device management for remote work; disable local downloads of PHI when possible.
  • Automated audit logs and alerts for anomalous access to PHI; document reviews and follow-ups.
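The two controls above that most often fail in practice are the role-based access restriction and the review of audit logs for access outside that role. The following script is an added example, not code from the original article or from any product it mentions: it reads a constructed benefits-portal audit log (the JSON line format, user names, action names and thresholds are all assumptions made for illustration) and raises an alert when a user outside the designated plan administration group touches PHI, when a designated administrator's quarterly access review is overdue, or when a single action exports a bulk set of PHI records. Enrollment and disenrollment views are deliberately not alerted on, since that is the data a plan sponsor may receive routinely.

```python
"""Audit-log review for a benefits portal that holds group health plan PHI.

Added example, not part of the original article. The log format, user names,
role table and thresholds are constructed for illustration; adapt them to the
fields your own portal or SIEM actually emits.
"""
from datetime import date, timedelta
import json

# Constructed: the designated plan administrators and the date each one's
# access was last reviewed. Anyone not in this table has no business reason
# to touch plan PHI.
PLAN_ADMINS = {
    "jperez": date(2024, 10, 1),
    "mchen": date(2024, 5, 2),   # last review is well past the quarterly cycle
}
REVIEW_INTERVAL = timedelta(days=90)   # "review privileges quarterly"

# Actions that expose PHI, as opposed to enrollment/disenrollment data that the
# plan sponsor may receive routinely. Names are assumptions.
PHI_ACTIONS = {"view_claim", "export_claims", "view_medication_list"}
BULK_THRESHOLD = 100   # records in one action before it counts as a bulk export

# Constructed sample audit log, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-11-18T09:12:03", "user": "jperez", "action": "view_claim", "subject": "emp-4471", "records": 1}
{"ts": "2024-11-18T09:40:55", "user": "rsmith", "action": "view_claim", "subject": "emp-4471", "records": 1}
{"ts": "2024-11-18T13:05:10", "user": "mchen", "action": "export_claims", "subject": "*", "records": 850}
{"ts": "2024-11-18T14:30:00", "user": "jperez", "action": "view_enrollment", "subject": "emp-1020", "records": 1}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_access(events, as_of, plan_admins=PLAN_ADMINS):
    """Return (user, reason, timestamp) alerts for PHI access that should be investigated."""
    alerts = []
    for ev in events:
        if ev["action"] not in PHI_ACTIONS:
            continue   # enrollment/disenrollment data: permitted routine sharing
        user = ev["user"]
        if user not in plan_admins:
            # Least privilege violated: PHI reached someone outside the plan
            # administration firewall.
            alerts.append((user, "PHI access outside plan administration role", ev["ts"]))
            continue
        if as_of - plan_admins[user] > REVIEW_INTERVAL:
            alerts.append((user, "access review overdue", ev["ts"]))
        if ev["records"] >= BULK_THRESHOLD:
            alerts.append((user, f"bulk PHI export ({ev['records']} records)", ev["ts"]))
    return alerts


def run_sample():
    """Run the review over the constructed log as of 2024-11-18."""
    return review_access(parse_log(SAMPLE_LOG), date(2024, 11, 18))


if __name__ == "__main__":
    for user, reason, ts in run_sample():
        print(f"{ts} {user}: {reason}")
```

On the sample log the review produces three alerts: rsmith viewing a claim without a plan administration role, and mchen both exporting 850 claim records in one action and operating on a role whose quarterly review lapsed months earlier. jperez's claim view is silent because the role is current and the volume is one record, and the enrollment view is silent by design. In production the role table would come from your identity provider rather than a literal, and each alert should open a ticket that records the investigation outcome, since the documentation is itself part of the Security Rule obligation.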

Cultivate privacy habits

  • Train managers to redirect medical conversations to appropriate channels and never to request plan PHI.
  • Use private spaces for plan-related calls; avoid posting PHI in chat tools or meeting agendas.
  • Adopt retention schedules and secure destruction for both PHI and employment medical records.

Conclusion

HIPAA employee rights focus on PHI held by covered entities, while most employment records fall outside HIPAA. Your compliance priorities are clear: know when HIPAA applies, protect PHI under the Privacy and Security Rules, prevent unauthorized disclosure, and maintain disciplined Group Health Plan Compliance. Clear policies, strong safeguards, continuous training, and thorough documentation keep both employees and employers protected.

FAQs

What rights do employees have under HIPAA?

You have rights to access and obtain copies of your PHI, request amendments, receive an accounting of certain disclosures, ask for restrictions, request confidential communications, and file complaints without retaliation. These rights apply to PHI held by covered entities such as group health plans or employer clinics, not to employment records maintained for HR purposes.

How does HIPAA affect employer access to employee health information?

Employers generally cannot access PHI unless acting as a plan sponsor with certified plan document safeguards or with an employee’s valid authorization. Even then, access must be limited to plan administration, not employment decisions. Routine sharing should be limited to enrollment/disenrollment information or de-identified/summary data for plan operations.

What are common HIPAA violations by employers?

Common violations include using plan PHI for hiring or disciplinary decisions, allowing non-plan staff to access PHI systems, disclosing PHI to supervisors, emailing ePHI without encryption, failing to conduct a Security Rule Risk Assessment, and working with vendors that lack Business Associate Agreements.

How can employers ensure compliance with HIPAA rules?

Identify covered components and data flows, assign privacy/security leads, perform a comprehensive Risk Assessment, amend plan documents and implement Administrative Safeguards, lock down technical and physical controls, execute BAAs, train the workforce, and establish incident response with breach Risk Assessment and documentation.
