When Employers Are Not Covered Entities Under HIPAA—and What To Do

Kevin Henry

HIPAA

January 22, 2025

7 minute read
Employers often wonder whether HIPAA applies to them directly. In most cases, the employer itself is not a covered entity. However, employer-sponsored health plans and certain employer activities can trigger HIPAA duties, especially where Protected Health Information (PHI) is involved. This guide explains when employers fall outside HIPAA's covered entity scope and what to do, through your health plans and vendors, to manage risk and comply with the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.

Determining Covered Entity Status

What counts as a covered entity

HIPAA covered entities are health plans, health care clearinghouses, and health care providers that transmit standard electronic transactions. The “employer” as an HR or corporate function is generally not one of these. PHI is individually identifiable health information held or transmitted by a covered entity or its business associate; employment records an employer maintains in its role as employer are not PHI.

When employers are not covered entities

Most employers are not covered entities. The entity that is covered is typically the group health plan you sponsor. If you operate an onsite clinic or employee assistance program that provides health care and conducts standard electronic transactions, that component may be a covered health care provider. In such cases, you may designate yourself a hybrid entity so HIPAA applies only to the health care components.

Practical self-check

  • Do you sponsor a group health plan, health FSA, HRA, EAP, or wellness program that provides medical services?
  • Do any components provide health care and send electronic claims or eligibility transactions?
  • Do HR staff receive PHI for plan administration (beyond enrollment/disenrollment or summary health information)?
  • Do vendors on your behalf create, receive, maintain, or transmit PHI? If yes, they likely need a Business Associate Agreement.

Managing Employer Health Plans

Fully insured plans

With fully insured plans, the insurer is the covered health plan handling most HIPAA obligations. As plan sponsor, you generally receive only enrollment/disenrollment information and, for limited purposes, summary health information. If you need PHI for plan administration, amend plan documents to permit it, restrict access to a need-to-know group, and use the minimum necessary standard.

Self-insured health plans

Self-insured health plans are covered entities. Even when you hire a third-party administrator (TPA), you—as plan sponsor—must set plan administration “firewalls,” designate a privacy official, adopt and maintain plan policies, issue a Notice of Privacy Practices, train staff who handle PHI, and ensure vendors provide adequate safeguards. Keep plan records distinct from employment files.

HRAs, health FSAs, many EAPs, and wellness programs providing medical services are typically group health plans subject to HIPAA. Treat them like any other plan: update plan documents, define who may access PHI for plan administration, and align all vendors under appropriate agreements and safeguards.

Implementing Privacy Rule Compliance

Plan documents and permitted uses

Amend plan documents to define the plan sponsor’s permitted uses/disclosures of PHI for plan administration (e.g., claims appeals, vendor oversight). Identify the workforce members who may access PHI and apply the minimum necessary standard. Prohibit PHI use for employment decisions or non-plan purposes.

Individual rights

Participants have Privacy Rule rights with respect to the health plan, including the right to access their designated record set and request restrictions or confidential communications. Establish processes for requests, response timelines, and fee practices, and document decisions consistently.

Notice, training, and documentation

Issue and maintain a health plan Notice of Privacy Practices and remind participants of its availability. Train the limited group handling PHI, apply sanctions for violations, and retain required HIPAA documentation (policies, notices, attestations, risk assessments) for the mandated retention period.

Securing Electronic Protected Health Information

Risk analysis and risk management

The Security Rule requires a thorough risk analysis of ePHI across systems and vendors, followed by prioritized risk management. Reassess after major changes (new TPA, platform migrations, M&A) and track remediation to closure.

Administrative, physical, and technical safeguards

  • Administrative: access governance, workforce training, contingency planning, vendor due diligence, and incident response playbooks.
  • Physical: secure areas storing ePHI, device and media controls, clean desk/device practices, and decommissioning procedures.
  • Technical: unique IDs, multi-factor authentication, role-based access, encryption in transit and at rest, audit logging, and timely patching.

Practical hardening tips

Segment plan systems from HR and corporate networks, restrict downloads of PHI, enable DLP and endpoint encryption, require secure portals for TPAs and brokers, and regularly test backups and recovery.

Handling Breach Notifications

Assess whether an incident is a breach

Under the Breach Notification Rule, treat any impermissible use or disclosure of unsecured PHI as a presumed breach unless a documented risk assessment shows a low probability of compromise. Evaluate the data’s sensitivity, the unauthorized recipient, whether it was actually viewed, and mitigation steps taken.

Who to notify and when

For a breach involving the health plan, notify affected individuals without unreasonable delay and no later than 60 days after discovery. Depending on the size of the breach, you may also need to notify HHS and, for larger incidents, the media. Log smaller breaches and submit the annual report as required.

Effective response and mitigation

Contain the incident, secure accounts/devices, work with vendors to determine scope, and provide notices describing what happened, the PHI involved, steps individuals should take, and measures your plan is taking. Track corrective actions and lessons learned to prevent recurrence.

Establishing Business Associate Agreements

Identify your business associates

Vendors that create, receive, maintain, or transmit PHI for the plan—TPAs, PBMs, benefits brokers, enrollment platforms, cloud providers, fulfillment/mail houses, and certain wellness or EAP vendors—are business associates.

What a Business Associate Agreement must cover

  • Permitted uses/disclosures and the minimum necessary standard.
  • Safeguards aligned with the Security Rule and breach reporting duties.
  • Subcontractor flow-down obligations and right to audit or receive assurances.
  • Return/destruction of PHI at termination and cooperation with investigations.

Oversight in practice

Map PHI data flows, centralize BAAs, verify vendor security (questionnaires, SOC reports, or audits), and test incident notification channels. Update BAAs when services or legal requirements change.

Ensuring Enforcement Rule Adherence

How the Enforcement Rule works

OCR investigates complaints, breach reports, and audit findings. Outcomes range from technical assistance to corrective action plans and civil monetary penalties. Demonstrating a mature compliance program—policies, training, safeguards, monitoring, and timely remediation—reduces exposure.

Accountability and continuous improvement

  • Maintain a compliance charter, risk register, training records, and sanction logs.
  • Conduct periodic audits of access, vendor performance, and incident handling.
  • Document decisions, especially minimum necessary determinations and risk assessments.

Conclusion

Most employers are not HIPAA covered entities, but their health plans are. Focus your efforts where HIPAA applies: tighten Privacy Rule practices, secure ePHI under the Security Rule, prepare for the Breach Notification Rule, and operate with Enforcement Rule readiness. Clear plan documents, disciplined vendor management, and strong oversight are your best safeguards.

FAQs

When is an employer considered a covered entity under HIPAA?

An employer is usually not a covered entity. HIPAA typically applies to the employer’s group health plan (a covered health plan) and to any health care components that provide care and conduct standard electronic transactions, such as an onsite clinic. Employers may also be hybrid entities when only certain components perform covered functions.

What HIPAA rules apply to employer-sponsored health plans?

Employer-sponsored health plans must comply with the Privacy Rule, Security Rule (for ePHI), and the Breach Notification Rule. Plans must issue a Notice of Privacy Practices, adopt policies and procedures, train the limited staff who handle PHI, secure systems and vendors, and follow required timelines and content for breach notifications.

How should employers handle breaches of protected health information?

Act quickly: contain the incident, assess risk to determine if a breach occurred, and, if so, notify affected individuals—and when applicable HHS and the media—within required timelines under the Breach Notification Rule. Document the investigation, mitigation, and corrective actions, and update controls to prevent recurrence.

Which employers must enter into business associate agreements under HIPAA?

When vendors create, receive, maintain, or transmit PHI on behalf of your health plan—such as TPAs, PBMs, brokers, enrollment or cloud platforms—you must execute a Business Associate Agreement with each. The BAA binds the vendor to use/disclosure limits, safeguards, and breach reporting duties consistent with HIPAA.
