Introduction
HIPAA (Health Insurance Portability and Accountability Act) has been in place since 1996, but it continues to evolve as health data becomes more digital and more widely shared. For employers that sponsor group health plans, HIPAA is not just a healthcare issue; it is a plan administration responsibility that often sits with HR and benefits teams.
The challenge for many organizations is not just understanding what HIPAA is, but figuring out when it applies, what counts as protected health information (PHI), and what systems and safeguards are actually required in day-to-day operations.
This overview breaks down the key HIPAA privacy, security, and breach rules in practical terms so employers and HR leaders can better understand their obligations and reduce compliance risk.
Key Takeaways
- HIPAA applies to group health plans, not directly to the employer, but employers are responsible for compliance as plan sponsors
- Protected Health Information (PHI) includes more than medical records and can include identifiers like names when tied to a health plan
- Employers must limit how PHI is used and shared, following the “minimum necessary” standard
- HIPAA requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI)
- Most employers must appoint privacy and security officials and maintain written policies and training
- A “breach” triggers specific notification requirements unless a formal risk assessment shows low risk of compromise
Understanding HIPAA in the Employer Context
What HIPAA Actually Covers
HIPAA is a federal law designed to protect personal health information as it moves through healthcare systems. It applies to:
- Health plans (including employer-sponsored group health plans)
- Healthcare providers
- Healthcare clearinghouses
- Business associates that handle PHI on behalf of these entities
For employers, the key distinction is that the health plan is the covered entity, not the employer itself. However, because employers sponsor and administer these plans, they are responsible for ensuring HIPAA compliance on behalf of the plan.
What Counts as PHI?
Protected Health Information (PHI) is broader than many employers realize. It includes any individually identifiable health information that is created, received, or maintained by a health plan.
Examples include:
- Names, dates of birth, or member IDs tied to a health plan
- Claims data or enrollment information
- Medical diagnoses or treatment details when handled by the health plan
However, not all health-related information is PHI. For example:
- Workers’ compensation records handled outside the health plan
- FMLA documentation maintained solely by the employer
- Drug test results kept in an employment file (not a health plan record)
The key question is whether the information was handled by the group health plan in its role as a covered entity.
When HIPAA Applies to Employer-Sponsored Plans
Self-Funded vs. Fully Insured Plans
HIPAA obligations depend in part on how the health plan is structured:
Self-funded and level-funded plans
- Always subject to HIPAA privacy and security rules
- Employer is closely involved in administration and PHI handling
Fully insured plans
- Have reduced HIPAA obligations if the employer receives only summary health information and enrollment or disenrollment data from the insurer
- Even then, the plan sponsor may not use that information for employment-related decisions, and any PHI it does receive must be safeguarded
- If the employer has access to broader PHI (for example, individual claims detail), the full HIPAA privacy and security requirements apply
Business Associates and Third Parties
Any vendor or service provider that handles PHI on behalf of the plan is considered a business associate. This includes:
- Benefit administrators
- IT providers with system access
- Brokers or consultants handling claims or enrollment data
These relationships must be governed by a Business Associate Agreement (BAA) that outlines how PHI must be protected.
HIPAA Privacy Rule: How Can PHI Be Used and Shared?
What Does the Privacy Rule Require?
The HIPAA Privacy Rule sets limits on how PHI can be used or disclosed. Without the individual's written authorization, PHI may generally be used or disclosed only for the following purposes (plus a limited set of other permitted disclosures, such as those required by law):
- Treatment
- Payment
- Healthcare operations
For employers, “payment” and “healthcare operations” are the most relevant categories. Together they cover plan administration tasks such as claims review, eligibility determinations, and enrollment management.
The Minimum Necessary Standard
When PHI is shared, only the minimum amount necessary should be used or disclosed. This means:
- Avoid sharing full records when partial information is sufficient
- Limit access to employees who need PHI to perform their role
- Apply safeguards in routine communication (such as emails or reports)
Employee Access Rights
Individuals have rights under HIPAA to:
- Access their own PHI
- Request corrections
- Receive an accounting of certain disclosures of their PHI
- Request restrictions on certain uses
Employers acting on behalf of the health plan must respond to these requests appropriately.
Notices and Administrative Requirements
Covered plans must:
- Provide a Notice of Privacy Practices to participants
- Update and redistribute notices when material changes occur
- Maintain written privacy policies and procedures
- Designate a privacy official responsible for compliance
- Train employees who handle PHI
HIPAA Security Rule: Protecting Electronic PHI
What the Security Rule Covers
The HIPAA Security Rule applies specifically to electronic PHI (ePHI). It requires organizations to implement safeguards in three areas:
- Administrative safeguards (risk analysis, policies, workforce training, governance)
- Physical safeguards (facility and workstation access, device and media controls, secure disposal)
- Technical safeguards (unique user IDs and authentication, access controls, audit logs, integrity protection, encryption in transit and at rest)
Risk Analysis Requirement
A core requirement is conducting a risk analysis, which involves:
- Identifying where ePHI is stored
- Evaluating how it is accessed and used
- Identifying vulnerabilities and threats
- Determining appropriate safeguards
This analysis forms the foundation for all HIPAA security policies.
Flexibility in Security Controls
Some security measures are “required,” while others are “addressable.” Addressable does not mean optional: an organization must evaluate whether the measure is reasonable and appropriate for its environment, and if it decides not to implement it, it must document why and implement an equivalent alternative where one is reasonable.
However, in practice, measures like encryption and access controls are often expected as standard safeguards, especially for email and data transmission.
What Happens When There Is a HIPAA Breach?
What Counts as a Breach
A breach is any acquisition, access, use, or disclosure of PHI that is not permitted under the Privacy Rule and that compromises the security or privacy of the information. The notification rules apply to “unsecured” PHI; data that was encrypted in line with HHS guidance (for example, a lost laptop with full-disk encryption and no exposed key) generally falls outside the notification requirement.
Common examples include:
- Sending PHI to the wrong recipient
- Unauthorized access to health plan data
- Lost or stolen devices containing ePHI
There is a presumption that an incident is a breach unless a formal risk assessment shows low risk of compromise.
What Are Some Breach Risk Assessment Factors?
Organizations must evaluate four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed, including whether that person is themselves bound by HIPAA
- Whether the PHI was actually acquired or viewed
- The extent to which the risk has been mitigated (for example, written confirmation from the recipient that the data was destroyed)
Notification Requirements
If a breach occurs:
- Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, regardless of how many people are affected
- If 500 or more individuals are affected, HHS must be notified at the same time as individuals; if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified
- Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered
- Notifications must describe what happened, what data was involved, what steps individuals should take to protect themselves, and what the plan is doing in response
Clarifications & Added Context
- HIPAA does not typically apply to employment records, even if they contain health-related information, unless the health plan is involved
- Spouses and adult dependents are not automatically allowed access to PHI without authorization
- Verbal permission may be acceptable in limited cases but usually applies only to a specific instance
- Employers can leverage existing corporate IT and security policies to support HIPAA compliance rather than building new systems from scratch
A Practical Example: Health Information That Reaches HR
A common scenario involves HR receiving an email that references an employee’s medical condition. Whether HIPAA applies depends on the source:
- If the information came from the employee directly (for example, in a leave request), it is an employment record in the employer’s hands and is not PHI
- If it came from the group health plan or a provider acting on the plan’s behalf, it likely is PHI
This distinction matters because it determines whether HIPAA rules, including privacy safeguards and disclosure limits, must be followed.
Disclaimer
This content is provided for general informational purposes only and is not intended as insurance advice. Coverage, terms, and availability can vary by carrier and state. For guidance specific to your situation, we recommend speaking with a licensed insurance professional.