HIPAA Workplace Compliance
HIPAA — the Health Insurance Portability and Accountability Act — imposes specific obligations on employers who handle protected health information (PHI) as part of their workforce management functions. This page covers which employers fall under HIPAA's workplace rules, how the Privacy and Security Rules operate in an employment context, the scenarios where compliance most commonly breaks down, and the boundaries that separate HIPAA obligations from related privacy frameworks. Understanding these distinctions is essential for employers who sponsor group health plans, coordinate leave programs, or manage occupational health records.
Definition and scope
HIPAA was enacted by Congress in 1996 (Public Law 104-191) and is administered primarily by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In the workplace context, HIPAA applies to employers not in their capacity as employers, but in their capacity as covered entities or as sponsors of group health plans.
A covered entity under HIPAA is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Most private employers are not covered entities for their general HR operations — but when an employer sponsors a self-insured or self-administered group health plan, that plan itself is a covered entity, and the employer's workforce members who administer it are subject to HIPAA's rules.
The two primary regulatory instruments are:
- The Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) — governs the use and disclosure of PHI.
- The Security Rule (45 CFR Parts 160 and 164, Subparts A and C) — governs electronic PHI (ePHI) safeguards.
Civil monetary penalties for violations are tiered by culpability, ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS Summary of HIPAA Security Rule).
Employers handling employee privacy compliance and employee records compliance must track which records are governed by HIPAA versus which fall under general employment law — a boundary explored in the Decision Boundaries section below.
How it works
When an employer sponsors a group health plan, HIPAA requires the establishment of a firewall between the plan and the employer's general HR and business operations. This is implemented through a plan document amendment and an associated certification process.
The operational framework follows four discrete phases:
- Plan document amendment — The group health plan document must be amended to restrict the plan's disclosure of PHI to the employer, permitting sharing only for specific purposes such as plan administration, enrollment, and audits.
- Workforce designation and training — The employer must identify which workforce members have access to PHI for plan administration purposes and train them on permissible uses (HHS Guidance on Training).
- Administrative safeguards — Policies and procedures must document access controls, minimum-necessary standards, and breach notification protocols under 45 CFR § 164.530.
- Business Associate Agreements (BAAs) — Any third-party vendor — such as a third-party administrator, pharmacy benefit manager, or cloud-based HR platform — that handles PHI on behalf of the plan must execute a BAA conforming to 45 CFR § 164.504(e).
The Security Rule adds a technical layer: any ePHI stored or transmitted by the plan or its administrators must be protected through addressable and required implementation specifications covering access control, audit controls, integrity controls, and transmission security.
Common scenarios
Three employer situations generate the highest share of HIPAA compliance breakdowns in workplace settings:
Self-insured group health plan administration — An employer with a self-funded health plan processes claims data internally. If an HR generalist who also handles terminations gains access to claims data showing an employee's medical condition, a Privacy Rule violation may occur. The minimum-necessary principle under 45 CFR § 164.502(b) requires that access be limited to what is needed for the specific administrative function.
Coordination of FMLA and medical records — Employers frequently conflate HIPAA and FMLA documentation. The Department of Labor administers FMLA (29 CFR Part 825), and FMLA medical certifications are not PHI under HIPAA because the employer receives them in its capacity as employer, not as a health plan. This distinction is critical: FMLA certifications must be kept confidential under FMLA's own rules, not HIPAA's.
Occupational health records — Records generated by an employer's occupational health program (e.g., fit-for-duty exams, injury screenings) are generally governed by ADA confidentiality requirements and OSHA's medical records standard (29 CFR § 1910.1020), not by HIPAA — unless the occupational health provider is itself a covered entity transmitting data electronically.
Decision boundaries
The most operationally significant boundary in HIPAA workplace compliance is covered entity status versus employer status. The same legal entity can simultaneously be an employer (not covered by HIPAA in that role) and a sponsor of a group health plan (subject to HIPAA in that role). PHI used for plan administration must not flow to the employer's HR functions for employment-related decisions.
A structured comparison:
| Function | Governing Framework | PHI Involved? |
|---|---|---|
| Group health plan administration | HIPAA Privacy & Security Rules | Yes |
| FMLA medical certification | DOL / 29 CFR Part 825 | No |
| Workers' compensation records | State law / OSHA | Generally no |
| ADA accommodation documentation | EEOC / ADA | No |
| Occupational health (non-plan) | OSHA 29 CFR § 1910.1020 | No |
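The plan/employer firewall and the minimum-necessary principle from the scenarios above can be expressed as an access-policy check. The following is an added, constructed example (not HHS guidance or any product's code): the record classes mirror the table, while the role flag, purpose names and sample requests are assumptions.

```python
"""Access-policy check modeling the HIPAA plan/employer firewall.
Constructed example: record classes follow the decision-boundaries table;
roles, purposes and requests are assumed for illustration."""
from dataclasses import dataclass, field

# Record class -> (governing framework, is PHI under HIPAA), from the table above.
FRAMEWORK = {
    "plan_claims": ("HIPAA Privacy & Security Rules", True),
    "fmla_certification": ("DOL / 29 CFR Part 825", False),
    "workers_comp": ("State law / OSHA", False),
    "ada_accommodation": ("EEOC / ADA", False),
    "occupational_health": ("OSHA 29 CFR 1910.1020", False),
}
# Purposes the amended plan document permits for disclosure to the sponsor.
PLAN_PURPOSES = {"plan_administration", "enrollment", "audit"}


@dataclass
class Request:
    user: str
    designated_plan_admin: bool  # workforce member designated for plan administration
    purpose: str
    record: str


@dataclass
class Policy:
    audit_log: list = field(default_factory=list)  # Security Rule audit control

    def decide(self, req: Request) -> str:
        framework, is_phi = FRAMEWORK[req.record]
        if not is_phi:
            # Outside HIPAA; confidentiality is still owed under the named framework.
            decision = f"not-hipaa ({framework})"
        elif not req.designated_plan_admin:
            decision = "deny: user not designated for plan administration"
        elif req.purpose not in PLAN_PURPOSES:
            # Minimum-necessary: PHI must not feed employment-related decisions.
            decision = f"deny: purpose '{req.purpose}' is not a permitted plan purpose"
        else:
            decision = "permit"
        # Every decision, permitted or denied, is recorded for later review.
        self.audit_log.append((req.user, req.record, req.purpose, decision))
        return decision
```

The denied termination-purpose request is the HR-generalist scenario from the self-insured plan example; the FMLA request is routed out of HIPAA scope rather than silently permitted.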
Employers with operations in multiple jurisdictions must also account for state health privacy laws, which can exceed HIPAA's floor. California's Confidentiality of Medical Information Act (CMIA) imposes requirements on employers that HIPAA does not, making multi-state employer compliance a distinct operational concern.
Workforce-reduction events introduce another decision point: when an employer undergoes layoffs, severance negotiations may involve health continuation rights under COBRA. Those interactions with the group health plan must still respect the HIPAA firewall, keeping plan data separate from business decisions about workforce composition.
References
- U.S. Department of Health and Human Services — HIPAA for Professionals
- HHS Office for Civil Rights — Summary of the HIPAA Privacy Rule
- HHS — Summary of the HIPAA Security Rule
- 45 CFR Parts 160 and 164 — eCFR (HHS HIPAA Rules)
- Public Law 104-191 — Health Insurance Portability and Accountability Act of 1996
- 29 CFR § 1910.1020 — OSHA Access to Employee Exposure and Medical Records
- 29 CFR Part 825 — FMLA Regulations, eCFR