Is Gusto HIPAA Compliant? BAAs, PHI, and What Employers Should Know



Kevin Henry

HIPAA

May 10, 2026

6 minute read

Gusto HIPAA Compliance Overview

Whether a payroll and HR platform is “HIPAA compliant” depends on how your organization uses it and whether Protected Health Information (PHI) is involved. HIPAA applies to covered entities (health plans, including employer-sponsored group health plans, health care providers, and clearinghouses) and to their business associates that create, receive, maintain, or transmit PHI on their behalf. The definition of PHI excludes employment records that a covered entity holds in its role as employer, so if you use Gusto only for payroll, personnel records, and general benefits administration without sharing PHI, HIPAA generally does not apply to that use.

If PHI will flow through the platform, for example during health plan enrollment support, evidence-of-insurability submissions, or leave management that references diagnoses, then the vendor is acting as a Business Associate and must sign a Business Associate Agreement (BAA) before it receives any PHI. Absent a BAA, do not store or transmit PHI in the system.

Business Associate Agreement Requirements

A Business Associate Agreement is the contract that permits a vendor to handle PHI under HIPAA. It defines permissible uses and disclosures, requires safeguards aligned to the HIPAA Security Rule, mandates breach notification, and flows down obligations to any subcontractors that access PHI.

What to confirm with the vendor

  • Scope: Which specific features may process PHI (e.g., health plan enrollment files, COBRA administration, disability leave documentation)?
  • Safeguards: Administrative, physical, and technical controls mapped to HIPAA Security Rule standards.
  • Subprocessors: Whether third parties (for example, cloud infrastructure or support tools) are covered by equivalent agreements.
  • Data boundaries: Data types considered PHI vs. employment records; instructions to avoid uploading PHI to unapproved fields or attachments.
  • Incident response: Timelines and processes for security incident and breach reporting.

Request a copy of the BAA, confirm signature workflows, and retain the fully executed document with your compliance records.

Protection of Protected Health Information

PHI in HR contexts typically surfaces in health benefit enrollments, qualifying life event documents, claims support, disability/leave certifications, and dependent medical details. To protect PHI, configure the platform to follow the minimum necessary rule and segment access to only those roles that require it.

Core safeguards to expect

  • Role-Based Access Control (RBAC) with least-privilege permissions and periodic access reviews.
  • Granular data segmentation so PHI fields are limited to authorized administrators; shield PHI from managers and general HR users by default.
  • Audit logging for view, edit, export, and file-download events; regular log review.
  • Secure data handling procedures for uploads, exports, and SFTP or API file transfers to carriers or TPAs.
  • Data lifecycle management: retention schedules, secure deletion, and backups that respect PHI controls.

Data Encryption and Security Measures

Encryption is central to HIPAA-aligned implementations. Look for encryption in transit using TLS 1.2 or later with older protocol versions disabled, and encryption at rest using strong algorithms (for example, AES-256) with keys held in a managed key service or HSM rather than alongside the data. Verify that backups and disaster recovery replicas are encrypted and periodically restore-tested. Note that encryption at rest does not limit what an authorized account can see; pair it with the access controls and audit logging described above.

Security controls aligned to the HIPAA Security Rule

  • Identity and access: SSO/SAML, MFA, session timeouts, device hygiene controls, and privileged access management.
  • Application security: Secure SDLC, code review, dependency scanning, and routine penetration testing with remediation tracking.
  • Infrastructure: Network segmentation, hardened baselines, vulnerability management, and continuous monitoring.
  • Secrets and keys: Centralized key management, rotation policies, and strict administrator access logging.
  • Operational resilience: Documented incident response, disaster recovery objectives, and tested restoration procedures.

If the platform is hosted on AWS or similar cloud infrastructure, confirm the region(s) and availability zones used, the key management approach (such as AWS KMS), and how tenant data is logically segregated.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Third-Party Vendor Agreements

Most HR platforms rely on third-party services for cloud hosting, email/SMS, analytics, support tools, and file transfer. Your Vendor Risk Management program should ensure each subprocessor that may access PHI is under an appropriate agreement and meets security requirements equivalent to the primary vendor’s BAA commitments.

Due diligence checklist

  • Maintain an up-to-date subprocessor list and review change notifications.
  • Confirm that subcontractors supporting PHI have BAAs or equivalent contractual protections.
  • Assess data flows to and from carriers, TPAs, and brokers; require secure transfer channels and encryption end to end.
  • Evaluate data residency, retention, and deletion terms for each third party.

Employer Responsibilities for HIPAA Compliance

Compliance is shared. Even with a signed BAA, you must configure and use the system responsibly. Establish clear policies describing what constitutes PHI in your workflows and where it may be stored.

Actions to take

  • Enable RBAC, MFA, and SSO; remove default broad permissions and review access quarterly.
  • Train benefits and HR staff on minimum necessary access and proper handling of PHI.
  • Prohibit PHI in free-text fields, general document uploads, or support tickets unless the BAA explicitly covers those channels.
  • Secure endpoints used to access the platform (disk encryption, patching, EDR) and enforce strong password and session policies.
  • Document and test incident response; define how to notify the vendor and affected individuals if PHI is involved.
  • Conduct periodic risk analyses covering data inventory, threat likelihood, impact, and mitigating controls.

Gusto Security Best Practices

To align a Gusto implementation with HIPAA expectations when PHI is in scope, combine contractual assurances with strong technical and administrative controls.

Configuration and operational tips

  • Limit PHI-enabled features to designated administrators; verify permissions via RBAC and approval workflows.
  • Turn on MFA for all admins; integrate SSO for centralized identity governance.
  • Use secure file exchange methods approved by the vendor for carrier feeds and PHI-related attachments.
  • Schedule regular audit-log reviews and access recertifications; document findings and remediation.
  • Coordinate with your broker, carrier, or TPA to ensure consistent encryption, file formats, and timelines across systems.
  • Work with the vendor’s security or legal team to obtain and archive the executed Business Associate Agreement and any subprocessor attestations.
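The audit-log review called for under Core safeguards above (view, edit, export, and file-download events with regular review) and the scheduled log reviews and access recertifications in this list can be scripted against the platform's audit export. The following is an added example written for this article, not Gusto's code and not a Gusto API: the JSON Lines field names, the role names, the object-path naming scheme, and the channel names are all assumptions, and the log records are constructed. It flags PHI touched by roles outside the authorized set, PHI leaving through an unapproved channel, and produces the "who actually accessed PHI this period" list needed for a quarterly recertification.

```python
"""
Audit-log review for PHI access (added example; not Gusto's or Accountable's code).

Assumptions, all hypothetical: the platform's audit export is JSON Lines with
the fields ts, actor, role, action, object and (for exports) channel. Real
exports use different names; adapt the constants and field lookups.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Roles allowed to touch PHI-bearing objects. Assumed; derive yours from the
# BAA scope and your RBAC design, and keep the set small (minimum necessary).
PHI_AUTHORIZED_ROLES = {"benefits_admin", "privacy_officer"}

# Object-path prefixes this example treats as PHI (assumed naming scheme).
PHI_OBJECT_PREFIXES = ("benefits/enrollment/", "benefits/claims/", "leave/medical_cert/")

# Channels approved for moving PHI out of the platform, e.g. the vendor's
# carrier SFTP feed. Browser downloads and e-mail are deliberately excluded.
APPROVED_EXPORT_CHANNELS = {"carrier_sftp"}

EXPORT_ACTIONS = {"export", "download"}

# Constructed sample records; not real people, employers, or events.
SAMPLE_LOG = """\
{"ts":"2026-05-01T09:00:00Z","actor":"ada","role":"benefits_admin","action":"view","object":"benefits/enrollment/emp-1042"}
{"ts":"2026-05-01T09:05:00Z","actor":"bob","role":"manager","action":"view","object":"benefits/enrollment/emp-1042"}
{"ts":"2026-05-01T09:10:00Z","actor":"cat","role":"hr_generalist","action":"export","object":"leave/medical_cert/emp-2001","channel":"email"}
{"ts":"2026-05-01T09:15:00Z","actor":"ada","role":"benefits_admin","action":"export","object":"benefits/enrollment/batch-2026-05","channel":"carrier_sftp"}
{"ts":"2026-05-01T09:20:00Z","actor":"ada","role":"benefits_admin","action":"export","object":"benefits/enrollment/batch-2026-05","channel":"browser_download"}
{"ts":"2026-05-01T09:25:00Z","actor":"bob","role":"manager","action":"view","object":"payroll/timesheet/emp-1042"}
"""


def is_phi_object(obj: str) -> bool:
    """True if the object path falls under one of the PHI prefixes."""
    return obj.startswith(PHI_OBJECT_PREFIXES)


def parse_log(text: str) -> list[dict]:
    """Parse JSON Lines. Malformed or incomplete records raise instead of being
    skipped: a gap in the audit trail is itself something the review must surface."""
    required = {"ts", "actor", "role", "action", "object"}
    events = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed audit record") from exc
        missing = required - ev.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing fields {sorted(missing)}")
        events.append(ev)
    return events


def review(events: list[dict]) -> list[dict]:
    """Flag PHI events that violate the access or export policy.
    A single event can yield more than one finding (wrong role AND wrong channel)."""
    findings = []
    for ev in events:
        if not is_phi_object(ev["object"]):
            continue  # payroll and other employment records are out of scope here
        base = {k: ev[k] for k in ("ts", "actor", "role", "action", "object")}
        if ev["role"] not in PHI_AUTHORIZED_ROLES:
            findings.append({**base, "reason": "unauthorized_role"})
        if ev["action"] in EXPORT_ACTIONS and ev.get("channel") not in APPROVED_EXPORT_CHANNELS:
            findings.append({**base, "reason": "unapproved_channel", "channel": ev.get("channel")})
    return findings


def recertification_report(events: list[dict]) -> dict[str, dict]:
    """Who actually touched PHI in the period, keyed by actor, for the quarterly
    access review. Compare against the RBAC assignment list: anyone here who is
    no longer in an authorized role, or anyone holding the role with no activity,
    is a candidate for removal."""
    report: dict[str, dict] = defaultdict(lambda: {"roles": set(), "phi_events": 0})
    for ev in events:
        if is_phi_object(ev["object"]):
            entry = report[ev["actor"]]
            entry["roles"].add(ev["role"])
            entry["phi_events"] += 1
    return dict(report)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in review(evs):
        print(f"{f['ts']} {f['actor']} ({f['role']}) {f['action']} {f['object']}: {f['reason']}")
    for actor, entry in sorted(recertification_report(evs).items()):
        print(f"{actor}: roles={sorted(entry['roles'])} phi_events={entry['phi_events']}")
```

Run against the sample, the review produces four findings: the manager viewing an enrollment record, the HR generalist exporting a medical certification (flagged twice, for role and for the e-mail channel), and the benefits administrator pulling a carrier batch through a browser download instead of the approved SFTP feed. The carrier SFTP export by the authorized role passes. Strict parsing is deliberate: if the vendor's export format changes or a record arrives truncated, the review should fail loudly rather than produce a clean report with silent gaps.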

Bottom line: If PHI will transit the platform, obtain a signed BAA, enable strong security settings, and operate under a documented, risk-based program mapped to the HIPAA Security Rule. If no BAA is available, do not upload, store, or transmit PHI through the system.

FAQs

What is a Business Associate Agreement with Gusto?

A Business Associate Agreement is the contract that allows the platform to handle Protected Health Information on your behalf under HIPAA. It spells out permissible uses and disclosures, required safeguards, breach notification duties, and obligations for any subcontractors. You should request and retain a fully executed BAA if PHI will be processed.

How does Gusto protect PHI data?

When a vendor supports PHI, you should expect encryption in transit and at rest, Role-Based Access Control with least privilege, audit logging, secure file transfer for carrier feeds, and documented incident response. Confirm these controls in writing—ideally within the BAA and security documentation—before enabling PHI-related features.

Can employers access the BAA document in Gusto?

Employers typically obtain the BAA by requesting it through the vendor’s sales, legal, or support channels. Ensure the correct legal entity is named, verify subprocessor coverage, and store the executed agreement with your HIPAA compliance documentation.

What security standards does Gusto implement for HIPAA compliance?

Look for controls aligned to the HIPAA Security Rule, such as strong encryption in transit and at rest, MFA, SSO, vulnerability management, logging, and tested incident response. If the service is hosted on AWS or another cloud provider, confirm key management, region, and tenant segregation details. Always verify specifics directly with the vendor before transmitting PHI.
