Is Gusto HIPAA Compliant? What Employers Need to Know
Overview of Gusto HIPAA Compliance
HIPAA applies when your company’s group health plan—or its vendors—creates, receives, maintains, or transmits Protected Health Information (PHI). Gusto is not a covered entity; it could be a business associate only if it handles PHI for your plan under a signed Business Associate Agreement (BAA). Your use of Gusto is HIPAA-aligned only when the right contract, configuration, and governance are in place.
If you use Gusto solely for payroll, time tracking, onboarding, and general HR, you should avoid storing PHI there. Benefits enrollment, eligibility, or plan administration functions can touch PHI; treat those features with heightened controls and contractual safeguards.
In practice, the safe answer to “Is Gusto HIPAA compliant?” is: do not place PHI in Gusto unless you have an executed BAA and you implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule.
Business Associate Agreements and Their Importance
A Business Associate Agreement (BAA) is the contract that allows a vendor to handle PHI for your group health plan and obligates the vendor to safeguard it. Without a BAA, you must not transmit or store PHI in the system. The BAA allocates responsibilities, defines permitted uses and disclosures, and sets breach notification expectations.
What to verify in the BAA
- Permitted uses/disclosures of PHI and “minimum necessary” commitments.
- Security safeguards aligned to the HIPAA Security Rule, including risk management and access controls.
- Breach notification timelines, cooperation duties, and incident response expectations.
- Subcontractor management: downstream BAAs and oversight for integrated brokers or apps.
- Return/destruction of PHI at termination and data retention limits.
- Right to audit or obtain independent assurance (e.g., SOC 2 Type II summaries).
Before enabling any benefits or health-plan features in Gusto, request, review, and fully execute the BAA. Confirm the scope of services covered and ensure it matches the exact features you plan to use.
Gusto’s Data Encryption and Security Measures
For HIPAA-aligned deployments, you should confirm that the platform encrypts data in transit and at rest, backed by strong key management. Encryption is necessary but not sufficient; you also need hardened access controls, continuous monitoring, vulnerability management, and tested incident response.
Security controls to confirm with the vendor
- Encryption details: the protocols used to protect data in transit and the algorithms used to protect data at rest.
- Identity and access: multi-factor authentication (MFA), session controls, and administrator protections.
- Role-based permissions and audit trails for PHI access, downloads, and administrative changes.
- Secure software development lifecycle, penetration testing, and vulnerability remediation practices.
- Backups, disaster recovery, and business continuity testing frequency and targets.
Document the answers, keep them with your risk analysis, and ensure they’re reflected in your contracts, policies, and procedures.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Employer Responsibilities for PHI Handling
Even with strong vendor controls, you remain responsible for how your workforce uses the tool. The HIPAA Security Rule requires risk-based safeguards and documented evidence of due diligence.
- Determine whether data you enter or store constitutes PHI and limit use to the minimum necessary.
- Execute and file the BAA (and BAAs with any integrated brokers or third-party apps) before PHI flows.
- Implement Role-Based Access Control (RBAC) and enforce MFA for all administrators.
- Train your workforce on PHI handling, secure messaging, and what not to upload.
- Secure endpoints used to access the platform; require device encryption and screen locks.
- Conduct a written risk analysis, manage risks, and review access at least quarterly.
- Control exports and reports; prohibit emailing PHI without approved safeguards.
- Maintain an incident response and breach notification plan, including vendor coordination.
- Set retention schedules and purge PHI no longer required for plan operations.
- Document everything—configurations, approvals, exceptions, and training attestations.
Gusto Compliance Training and Resources
HIPAA requires workforce education, so establish employee training programs tailored to how you use Gusto. Train administrators and managers on avoiding PHI in free-text fields, restricting uploads to approved document types, and escalating health-related questions through approved plan channels.
- Provide role-based training for benefits administrators and payroll/HR staff.
- Deliver new-hire training within 30 days and annual refreshers thereafter.
- Include practical scenarios: what counts as PHI, how to handle medical notes, and secure alternatives.
- Capture attestations and track completion for audits.
Vendor materials such as setup guides and security overviews can supplement your program, but they do not replace your obligation to train and enforce internal policies.
Configuring Gusto for HIPAA Compliance
Step 1: Decide whether PHI will reside in the platform
- If no BAA is in place, configure processes to keep PHI out (use carrier portals or broker tools for PHI).
- If a BAA is executed, restrict PHI to the specific features and users covered by the agreement.
Step 2: Lock down security settings
- Enable MFA for all admins and require strong passwords; use SSO if available in your plan.
- Limit report access and downloads to a small set of authorized users.
- Review notification emails and webhooks to ensure they do not expose PHI.
Step 3: Control documents, notes, and custom fields
- Prohibit uploads of medical records, EOBs, diagnoses, or treatment notes unless the BAA explicitly permits it.
- Sanitize templates and remove fields that could capture PHI unintentionally.
Step 4: Provisioning and deprovisioning
- Use least privilege when granting roles; implement approval for elevated access.
- Terminate access immediately at role change or separation; rotate shared secrets where used.
Step 5: Monitoring, audits, and retention
- Review access logs and administrative activity monthly; investigate anomalies promptly.
- Apply retention schedules to reports and exports; store backups securely with encryption.
Role-Based Access Controls in Gusto
Role-Based Access Control (RBAC) limits who can view or handle PHI according to the minimum necessary standard. Map tasks to permissions, assign only what each role needs, and review regularly.
- Identify PHI-related tasks (e.g., benefits eligibility, dependent updates) and isolate them to designated roles.
- Avoid broad “all reports” or “company-wide” access for users who do not require PHI.
- Use just-in-time or time-bound access for exceptions; document approvals.
- Run quarterly access reviews and remove dormant or unnecessary accounts immediately.
- Separate duties so no single user can both grant access and audit their own activity.
Summary
Whether Gusto can be used in a HIPAA-aligned manner depends on your scope, a signed BAA, and disciplined configuration. Keep PHI out of the platform unless the BAA and controls are in place; then enforce encryption, RBAC, MFA, monitoring, and rigorous training to maintain compliance.
FAQs
What is a Business Associate Agreement and why is it important?
A Business Associate Agreement (BAA) is the contract that authorizes a vendor to handle PHI for your group health plan and binds the vendor to safeguard it. Without a BAA, sharing PHI with that vendor is not permitted under HIPAA.
How does Gusto protect employee health information?
Protection should include a combination of technical and administrative controls: encryption in transit and at rest, strong access management, auditing, and incident response. Confirm in writing which controls the platform provides and align your own policies to prevent unauthorized PHI access.
Can employers request a copy of the BAA with Gusto?
You should request a BAA from the vendor before enabling any feature that may involve PHI. Your ability to obtain and execute a BAA depends on the specific services you use and the vendor’s policy. If a BAA is not available, do not store or transmit PHI through the platform.
What training does Gusto provide to support HIPAA compliance?
Vendors may offer setup guides or security overviews, but HIPAA requires you to implement your own employee training programs covering PHI handling in the tool, acceptable use, secure alternatives for medical information, and escalation paths. Use vendor resources as supplements to, not substitutes for, your internal training.