HIPAA Privacy Rules for Employee Mental Health Insurance: What HR Can Access

Kevin Henry

HIPAA

December 12, 2024

7 minute read

HIPAA Applicability to Employers

Who is a covered entity

HIPAA applies to covered entities—health plans, most health care providers, and health care clearinghouses—and to their business associates. When mental health services are billed to a plan, the information created or received by those entities is Protected Health Information (PHI).

Employer versus plan sponsor roles

Your organization, acting purely as an employer, is not a covered entity. When you sponsor a group health plan, however, the plan itself is a covered entity, and HIPAA governs how PHI flows between the plan and you as plan sponsor. This matters most for a self-funded plan, where employer staff routinely touch claims and eligibility data rather than leaving it with an insurer. HR may access PHI only for the plan-administration functions spelled out in the plan documents, and only the minimum amount necessary for each function.

Business associates and TPAs

Third-party administrators, benefits platforms, and consultants that create, receive, maintain, or transmit PHI on behalf of your plan are business associates. Each needs a written business associate agreement that binds it to HIPAA requirements and limits how it uses and discloses mental health insurance information. Business associates are also directly liable for complying with the Security Rule and for the Privacy Rule obligations their agreements impose, so the agreement should spell out permitted uses, safeguards, subcontractor flow-down, and incident reporting.

Employment Records Exclusion

What the exclusion covers

HIPAA does not apply to employment records your company maintains in its role as an employer. Items like work restrictions, drug test results obtained for employment purposes, leave certifications, and accommodation paperwork fall under the employment records exclusion even if they contain health details.

Americans with Disabilities Act Compliance

Although these documents are not PHI, they remain confidential under the Americans with Disabilities Act (ADA) and similar state laws. Store them separately from personnel files, restrict access to a strict need-to-know group, and use them only for legitimate workplace decisions such as accommodation or fitness-for-duty determinations.

HR Access to Employee Health Information

What HR typically may see

  • Enrollment and eligibility data needed to run the plan.
  • Summary health information used for premium setting or plan design, stripped of direct identifiers where feasible.
  • PHI shared by the plan’s administrator for plan administration tasks (for example, assisting with appeals), subject to the minimum necessary standard.

What HR should not access

  • PHI for employment-related actions (hiring, firing, promotion) or for marketing purposes.
  • Full clinical details unrelated to plan administration, especially mental health therapy notes, unless a permitted exception applies.

Written Authorization for Disclosure

When a use or disclosure is not otherwise permitted by HIPAA, the individual's written authorization for disclosure is required. A valid authorization is written in plain language, identifies the information, the recipient, and the purpose, expires at a stated date or event, and tells the individual how to revoke it. The plan may not condition enrollment or eligibility for benefits on signing one (with narrow exceptions allowed by law), and the employer should not treat signing as a condition of employment.

Mental health specifics

Psychotherapy notes are a mental health professional's notes documenting or analyzing the contents of a counseling session, kept separate from the rest of the medical record. They receive heightened protection and generally require a separate, specific authorization even for uses that would otherwise be permitted. Routine plan operations rely on claims information (dates of service, procedure and diagnosis codes, amounts), not psychotherapy notes, so a plan should have no reason to hold them.

Group Health Plans and HIPAA Compliance

Plan governance and documentation

  • Amend plan documents to describe permitted PHI uses by the plan sponsor and to erect a firewall between employment functions and plan administration; the plan sponsor must certify to the plan that these amendments are in place before the plan may disclose PHI to it.
  • Identify the workforce members who may access PHI and limit their access accordingly.
  • Issue a Notice of Privacy Practices to plan participants and maintain HIPAA policies, procedures, and training.

Business associate management

Execute business associate agreements with TPAs, mental health networks, and vendors that handle claims or eligibility data. Monitor their performance and require prompt incident reporting so the plan can meet its own breach-notification deadlines and protect group health plan privacy.

Participant rights

  • Access and obtain copies of their PHI, subject to limited exceptions.
  • Request amendments and receive an accounting of certain disclosures.
  • Request restrictions and confidential communications, which the plan must consider and, in some cases, accommodate.

Disclosure of PHI Without Authorization

Permitted uses and disclosures

  • Treatment, payment, and health care operations (TPO), including claims adjudication and quality assessment.
  • As required by law, to health oversight authorities, or to the U.S. Department of Health and Human Services for compliance review.
  • To the plan sponsor strictly for plan administration as defined in plan documents, not for employment decisions.
  • To avert a serious and imminent threat to health or safety, consistent with professional judgment and applicable law.
  • For workers’ compensation or similar programs to the extent permitted by law.

Minimum necessary and de-identification

The minimum necessary standard does not apply to disclosures to a provider for treatment, to disclosures to the individual about themselves, or to disclosures the individual has authorized; everywhere else, use or disclose only the minimum necessary PHI. When feasible, use de-identified data (which is no longer PHI once the identifiers are removed under the safe harbor method or an expert determines re-identification risk is very small) or a limited data set under a data use agreement.
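The "what HR may see" and "minimum necessary" rules above are, in practice, an access-control policy that a benefits system can enforce in code. The following is an added example, not code from the article or from any vendor: the roles, purposes, and field names are assumptions chosen to illustrate the plan-document firewall. PHI reaches HR only for named plan-administration purposes, only the fields that purpose needs, never for employment or marketing purposes, and summary health information for premium setting carries no direct identifiers. Every decision, allowed or refused, is written to an audit log.

```python
"""Purpose-based PHI access gate with minimum-necessary projection (added example).

Roles, purposes, field names and the sample records are assumptions, not from
the article. The gate models the plan-document firewall between plan
administration and employment functions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed policy: workforce members the plan documents designate for PHI access.
DESIGNATED_ROLES: Set[str] = {"benefits_administrator", "plan_privacy_officer"}

# Assumed policy: the fields each permitted purpose needs (the minimum necessary set).
# psychotherapy_notes appears in no set, so it is always projected away.
ALLOWED_FIELDS: Dict[str, Set[str]] = {
    "enrollment": {"employee_id", "name", "dob", "plan_option", "coverage_start"},
    "appeal_assistance": {"employee_id", "name", "claim_id", "claim_status", "denial_reason"},
    "premium_setting": {"plan_option", "claim_amount", "diagnosis_category"},
}

# Direct identifiers that summary health information must not carry (assumed list).
DIRECT_IDENTIFIERS: Set[str] = {"employee_id", "name", "dob", "ssn", "address", "claim_id"}

# Employment and marketing purposes are refused regardless of role.
FIREWALLED_PURPOSES: Set[str] = {"hiring", "termination", "promotion", "discipline", "marketing"}

AUDIT_LOG: List[dict] = []


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: Dict[str, object] = field(default_factory=dict)


def request_phi(role: str, purpose: str, record: Dict[str, object]) -> Decision:
    """Decide whether `role` may see `record` for `purpose`; log every decision."""
    if purpose in FIREWALLED_PURPOSES:
        decision = Decision(False, f"purpose '{purpose}' is an employment or marketing use; authorization required")
    elif role not in DESIGNATED_ROLES:
        decision = Decision(False, f"role '{role}' is not designated in the plan documents")
    elif purpose not in ALLOWED_FIELDS:
        decision = Decision(False, f"purpose '{purpose}' is not a defined plan-administration function")
    else:
        wanted = ALLOWED_FIELDS[purpose]
        if purpose == "premium_setting":
            wanted = wanted - DIRECT_IDENTIFIERS  # summary health information only
        decision = Decision(True, "minimum necessary for plan administration",
                            {k: v for k, v in record.items() if k in wanted})
    AUDIT_LOG.append({"role": role, "purpose": purpose, "subject": record.get("employee_id"),
                      "allowed": decision.allowed, "fields": sorted(decision.fields)})
    return decision


def summary_health_information(records: List[Dict[str, object]]) -> Dict[str, dict]:
    """Aggregate claims by plan option for premium setting, passing each record through the gate."""
    totals: Dict[str, dict] = defaultdict(lambda: {"claims": 0, "paid": 0.0})
    for rec in records:
        d = request_phi("benefits_administrator", "premium_setting", rec)
        if d.allowed:
            totals[d.fields["plan_option"]]["claims"] += 1
            totals[d.fields["plan_option"]]["paid"] += float(d.fields["claim_amount"])
    return dict(totals)


# Constructed sample claims records (not real data).
SAMPLE_CLAIMS = [
    {"employee_id": "E1001", "name": "A. Example", "dob": "1980-01-01", "ssn": "000-00-0001",
     "plan_option": "PPO", "claim_id": "C1", "claim_status": "denied", "denial_reason": "out of network",
     "claim_amount": 250.0, "diagnosis_category": "behavioral health",
     "psychotherapy_notes": "session notes (never released)"},
    {"employee_id": "E1002", "name": "B. Example", "dob": "1975-05-05", "ssn": "000-00-0002",
     "plan_option": "PPO", "claim_id": "C2", "claim_status": "paid", "denial_reason": None,
     "claim_amount": 90.0, "diagnosis_category": "behavioral health", "psychotherapy_notes": None},
    {"employee_id": "E1003", "name": "C. Example", "dob": "1990-09-09", "ssn": "000-00-0003",
     "plan_option": "HDHP", "claim_id": "C3", "claim_status": "paid", "denial_reason": None,
     "claim_amount": 40.0, "diagnosis_category": "primary care", "psychotherapy_notes": None},
]

if __name__ == "__main__":
    print(request_phi("benefits_administrator", "appeal_assistance", SAMPLE_CLAIMS[0]))
    print(request_phi("hr_generalist", "termination", SAMPLE_CLAIMS[0]))
    print(summary_health_information(SAMPLE_CLAIMS))
```

The design choice worth noting is that the purpose, not the role, drives the field projection: a designated benefits administrator who asks for a record "for termination" is refused exactly as an undesignated HR generalist would be, and the refusal is logged with the same detail as a grant, which is what an auditor will ask to see.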

Safeguards for Protected Health Information

Administrative safeguards

  • Risk analysis, role-based access, workforce training, and sanction policies.
  • Documented procedures for intake, appeals, and PHI requests.

Physical safeguards

  • Secure storage for paper records and strict workstation controls.
  • Visitor management and media disposal protocols.

Technical safeguards

  • Unique user IDs, strong authentication, and automatic logoff.
  • Encryption at rest and in transit for ePHI, using methods consistent with HHS guidance; PHI that has been rendered unusable, unreadable, or indecipherable this way is not "unsecured PHI," so its loss does not trigger breach notification. Audit logs and monitoring of who accessed which records.

Operational PHI safeguards

Adopt PHI safeguards for common HR workflows: segregate plan files from HR employment files, limit email of PHI, use secure portals for claims documents, and verify identities before releasing information.

Breach Notification Requirements

Determining whether a breach occurred

An impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the plan documents a low probability that the PHI has been compromised, based on a risk assessment of at least four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom it was disclosed.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated.

Who must notify and when

  • Business associates must notify the covered entity (your group health plan) without unreasonable delay.
  • The plan must notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • For breaches affecting 500 or more individuals, notify HHS at the same time as the individuals. If 500 or more residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Content and documentation

  • Notices must describe what happened, the PHI involved, steps individuals should take, what the plan is doing, and contact information.
  • Document all decisions, notifications, and remediation, and update training and controls to prevent recurrence.
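The notification rules above are easy to get wrong under incident pressure (which threshold is per jurisdiction, when the annual log is due, when encryption takes the event out of scope). The following is an added example, not code from the article: it encodes those timing rules as a checklist an incident-response runbook can run against a constructed incident. Jurisdiction is modelled as a two-letter state code, and the "secured" flag stands for encryption or destruction consistent with HHS guidance; both are assumptions for the illustration.

```python
"""Breach-notification obligations for a group health plan (added example).

Not code from the article. Encodes: notification applies only to unsecured PHI;
individual notice within 60 days of discovery; HHS notified contemporaneously
for 500 or more individuals, otherwise via an annual log due 60 days after year
end; media notice where 500 or more residents of one state are affected.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Incident:
    discovered: date                          # date the plan (or its BA) knew or should have known
    affected: List[Tuple[str, str]]           # (individual_id, state) pairs, constructed for the example
    secured: bool = False                     # encrypted/destroyed per HHS guidance -> not "unsecured PHI"
    low_probability_documented: bool = False  # outcome of the documented four-factor risk assessment


# Elements every notice to individuals must contain (assumed field names).
REQUIRED_NOTICE_ELEMENTS = {"what_happened", "phi_involved", "steps_for_individual",
                            "what_plan_is_doing", "contact_information"}


def notification_plan(inc: Incident) -> Dict[str, object]:
    """Return who must be notified and by when, or the reason no notification is owed."""
    if inc.secured:
        return {"notify": False, "reason": "PHI was secured; breach notification rule does not apply"}
    if inc.low_probability_documented:
        return {"notify": False, "reason": "documented low probability of compromise; retain the assessment"}

    total = len({ind for ind, _ in inc.affected})       # distinct individuals
    by_state = Counter(state for _, state in inc.affected)
    individual_deadline = inc.discovered + timedelta(days=60)

    if total >= 500:
        hhs_mode, hhs_deadline = "immediate", individual_deadline
    else:
        year_end = date(inc.discovered.year, 12, 31)
        hhs_mode, hhs_deadline = "annual_log", year_end + timedelta(days=60)

    return {
        "notify": True,
        "individuals": total,
        "individual_deadline": individual_deadline,
        "hhs_mode": hhs_mode,
        "hhs_deadline": hhs_deadline,
        "media_states": sorted(s for s, n in by_state.items() if n >= 500),
    }


def missing_notice_elements(notice: Dict[str, str]) -> List[str]:
    """Which required elements a draft individual notice still lacks (empty values count as missing)."""
    return sorted(k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k))


# Constructed incidents (not real events).
LARGE = Incident(date(2024, 1, 15),
                 [(f"P{i}", "CA") for i in range(700)] + [(f"N{i}", "NV") for i in range(20)])
SPREAD = Incident(date(2024, 1, 15),
                  [(f"A{i}", "OR") for i in range(300)] + [(f"B{i}", "WA") for i in range(300)])
SMALL = Incident(date(2024, 6, 1), [(f"T{i}", "TX") for i in range(10)])
ENCRYPTED_LAPTOP = Incident(date(2024, 6, 1), [(f"T{i}", "TX") for i in range(10)], secured=True)

if __name__ == "__main__":
    for name, inc in [("large", LARGE), ("spread", SPREAD), ("small", SMALL), ("encrypted", ENCRYPTED_LAPTOP)]:
        print(name, notification_plan(inc))
    print(missing_notice_elements({"what_happened": "lost USB drive", "contact_information": "privacy@example"}))
```

The SPREAD case is the one teams most often misjudge: 600 affected individuals means HHS must be told with the individual notices, but because no single state reaches 500 residents there is no media notice. Discovery, not containment, starts the 60-day clock, and a business associate's delay in reporting does not extend it for the plan.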

In practice, the safest approach is to separate employment information from plan Protected Health Information (PHI), limit HR access to what plan administration truly requires, and implement layered safeguards that reflect the sensitivity of mental health insurance data.

FAQs

What health information can HR legally access under HIPAA?

HR can access PHI only for defined plan administration tasks, such as eligibility, enrollment, premium setting using summary health information, and assisting with claims or appeals. HR should not access PHI for employment decisions or marketing, and psychotherapy notes generally remain off-limits absent a specific authorization.

How does HIPAA apply to employer-sponsored group health plans?

The group health plan is the covered entity. It must maintain policies, issue a Notice of Privacy Practices, train workforce members with plan duties, limit access to designated staff, and execute business associate agreements with vendors. Plan documents must be amended to permit limited disclosures to the plan sponsor and to maintain a firewall from employment functions.

When is an employee's written authorization required?

When a use or disclosure is not otherwise permitted by HIPAA, such as sharing PHI with an employer for purposes other than plan administration, the employee's written authorization for disclosure is required. Psychotherapy notes typically require a separate, explicit authorization, with narrow exceptions.

What are employer obligations after a PHI breach?

If unsecured PHI from the group health plan is breached, the plan (or its business associate) must perform and document a risk assessment, mitigate harm, notify affected individuals without unreasonable delay and within 60 days of discovery, notify HHS (contemporaneously for 500 or more individuals, otherwise in the annual log), and notify prominent media where 500 or more residents of one state or jurisdiction are affected. The plan must also document the incident and strengthen safeguards to prevent recurrence.
