Your HR Guide to HIPAA Compliance
Last Updated on June 9, 2026 by MyHRConcierge
HIPAA is one of the most frequently misunderstood workplace laws. Many employers and employees assume that any health-related information is automatically protected by HIPAA, but the law’s scope is much narrower. Understanding when HIPAA applies- and when it does not- is essential for employers, HR professionals and business leaders responsible for handling sensitive information.
This guide explains what HIPAA is, who must comply, what information it protects and common situations where HIPAA does not apply. Importantly, even when HIPAA does not apply, employers may still be subject to other federal and state laws that govern the collection, use and confidentiality of employee medical information.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to improve the portability of health insurance coverage and establish standards for safeguarding sensitive health information. While the law contains several provisions, it is most commonly associated with the HIPAA Privacy Rule and Security Rule, which govern how certain organizations use, disclose and protect protected health information (PHI).
HIPAA is enforced primarily by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which investigates complaints and enforces compliance requirements. The law is intended to protect individuals’ health information while still allowing healthcare providers, health plans and other covered entities to share information necessary for treatment, payment and healthcare operations.
What Is Protected Health Information (PHI)?
Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained or transmitted by a covered entity or business associate.
PHI may include information such as medical diagnoses, treatment records, health insurance information, prescription records, medical billing information and laboratory results. To qualify as PHI, the information must relate to an individual’s past, present or future physical or mental health condition and be capable of identifying the individual.
PHI can exist in paper, electronic or verbal form. Electronic protected health information (ePHI) is subject to additional safeguards under the HIPAA Security Rule.
Who Must Comply With HIPAA?
HIPAA applies to specific organizations known as covered entities, as well as their business associates.
Covered Entities: Covered entities include organizations directly involved in healthcare delivery, healthcare payments or healthcare information processing. These entities generally include:
- Health plans
- Healthcare providers that electronically transmit health information in connection with certain transactions
- Healthcare clearinghouses
Examples of covered entities may include health insurance carriers, physician practices, hospitals and employer-sponsored group health plans.
Business Associates: A business associate is an individual or organization that performs services for a covered entity and has access to PHI while providing those services.
Examples may include third-party administrators, claims processing vendors, healthcare consultants, cloud storage providers and benefits administration vendors that handle PHI on behalf of a covered entity.
Business associates are directly subject to many HIPAA requirements and may face penalties for violations.
Does HIPAA Apply to Employers?
One of the most common misconceptions about HIPAA is that it applies to all employers. In reality, employers are generally not considered covered entities simply because they employ workers.
In most cases, HIPAA does not apply to employers’ employment records, even when those records contain medical information. For example, documentation related to sick leave, Family and Medical Leave Act (FMLA) certifications, disability accommodation requests, return-to-work releases and similar employment records are generally not considered PHI under HIPAA.
That does not mean employers may handle this information carelessly. Other laws, including the Americans with Disabilities Act (ADA), FMLA and various state privacy laws, may require employers to maintain the confidentiality of employee medical information.
Self-Insured Health Plans and Employer Responsibilities
Employers that sponsor self-insured group health plans may have HIPAA obligations related to the administration of those plans.
In these situations, HIPAA applies to the health plan component of the organization rather than the employer’s general HR function. Employers must maintain appropriate safeguards, limit access to plan-related PHI and keep health plan information separate from employment records whenever possible.
Understanding this distinction is critical because information maintained for health plan administration may be subject to HIPAA, while information maintained as part of an employee’s personnel file generally is not.
Have Questions?
Get answers to questions about government rules and regulations that may affect your business by using MyHRConcierge. We provide expert guidance to employers that helps them stay compliant with state and federal labor laws—fast.
What HIPAA Does Not Apply To
Many types of health-related information fall outside HIPAA’s scope.
Employment Records: Employment records maintained by an employer are generally excluded from HIPAA protections, even when they contain medical information. Examples include doctor’s notes, fitness-for-duty certifications, accommodation documentation and leave-related medical records.
Workers’ Compensation Information: HIPAA permits certain disclosures for workers’ compensation purposes, and workers’ compensation records maintained as employment records are generally not protected by HIPAA. Employers should still comply with applicable state workers’ compensation laws and confidentiality requirements.
Educational Records: Student records protected under the Family Educational Rights and Privacy Act (FERPA) are generally not subject to HIPAA.
Consumer Health and Fitness Apps: Many wellness apps, fitness trackers and consumer health applications are not covered by HIPAA unless they are operating on behalf of a covered entity or business associate. Consumers should not assume that all health-related data stored in an app receives HIPAA protection.
Information Individuals Share Themselves: HIPAA regulates covered entities and business associates- not individuals. Employees, patients and consumers are generally free to share their own health information if they choose.
Key HIPAA Privacy Rule Requirements
The HIPAA Privacy Rule establishes standards for how covered entities and business associates may use and disclose PHI.
Organizations subject to the rule must implement policies and procedures designed to protect health information while ensuring appropriate access for legitimate healthcare purposes.
Key requirements include limiting uses and disclosures of PHI to permitted purposes, providing individuals with certain privacy rights, maintaining privacy safeguards, training workforce members and designating a privacy official responsible for compliance.
Individuals also have important rights under HIPAA, including the right to access certain health records, request corrections and receive information about how their PHI is used and disclosed.
Key HIPAA Security Rule Requirements
The HIPAA Security Rule applies specifically to electronic protected health information (ePHI). Covered entities and business associates must implement administrative, physical and technical safeguards to protect electronic health data from unauthorized access, disclosure or loss.
Examples of required safeguards may include access controls, password protections, risk assessments, workforce training, encryption measures where appropriate and incident response procedures. The Security Rule is designed to protect the confidentiality, integrity and availability of electronic health information.
Common HIPAA Myths in the Workplace
One common myth is that HIPAA prevents employers from requesting doctor’s notes or medical certifications. In reality, employers may request health-related documentation when permitted under applicable employment laws.
Another misconception is that all medical information is protected by HIPAA. HIPAA only applies to PHI maintained by covered entities and business associates. Medical information maintained solely in employment records is generally outside HIPAA’s scope.
Many people also incorrectly assume that HIPAA applies to all employers. Most employers are not covered entities and therefore are not directly regulated by HIPAA in their role as employers.
Finally, some individuals believe HIPAA prevents employees from discussing their own medical conditions. HIPAA does not restrict individuals from voluntarily sharing their own health information.
HIPAA Violations and Penalties
HIPAA violations can occur when PHI is improperly accessed, disclosed or safeguarded. Examples may include unauthorized access to medical records, improper disclosure of PHI, inadequate security protections, insufficient employee training or failures to follow required privacy procedures.
Penalties can range from corrective action requirements to significant monetary fines depending on the nature of the violation and the organization’s efforts to comply with the law. In certain cases involving intentional misconduct, criminal penalties may also apply.
How Employers Can Reduce Privacy and Compliance Risks
Even employers that are not directly subject to HIPAA should understand how health-related information is handled within their organizations.
Organizations should evaluate whether they sponsor a self-insured health plan, identify what health information is maintained for employment purposes versus health plan administration and establish appropriate procedures for safeguarding sensitive data.
Regular training for HR professionals, managers and benefits administrators can help reduce compliance risks and ensure that employee information is handled appropriately under HIPAA and other applicable laws.
Separating Fact From Fiction in HIPAA Compliance
HIPAA plays an important role in protecting sensitive health information, but its requirements are often misunderstood in the workplace. While healthcare providers, health plans, healthcare clearinghouses and business associates are generally subject to HIPAA, most employers are not covered entities simply because they employ workers.
Understanding the difference between protected health information and employment records can help employers avoid compliance mistakes, protect employee privacy and meet their legal obligations. By reviewing health plan administration practices, maintaining appropriate safeguards and staying informed about evolving privacy requirements, organizations can better manage risk and foster employee trust.
MyHRConcierge offers a valuable solution in compliance, providing expert guidance and support to help employers. Contact us today at 855-538-6947 ext. 108 or ccooley@myhrconcierge.com. Or, schedule a free consultation below: