Does HIPAA Apply to Employers?

“Does HIPAA Apply to Employers?” is a question that has triggered varied responses because of the complex nature of the HIPAA Privacy Rule. The Privacy Rule appears complicated because it aims to standardize how individually identifiable personal information is safeguarded across many different use cases. Its language is deliberately “non-specific”, and so it is open to several interpretations.

Many have tried to sum up the HIPAA Privacy Rule in a way that plainly describes who the legislation covers and how it must be applied. Sadly, because of the rule’s complexity, most summaries do not adequately answer the question “how does HIPAA apply to employers?” This article aims to answer it as precisely and succinctly as possible.

What are HIPAA-Covered Transactions?

The HIPAA Privacy Rule details the 18 elements of individually identifiable health information that must be secured and protected from unauthorized access, and it classifies information containing these identifiers as Protected Health Information (PHI). Many of these data elements are given to an employer or its HR department when a person joins a company. Under that summarized explanation alone, the answer would therefore be yes: HIPAA does apply to employers.

However, information containing those identifiers is only covered by HIPAA if it is used to communicate data about a person’s past, current or future health condition, the provision of healthcare services to that person, or payment for healthcare services. Consequently, if a worker provides individually identifiable health information to an employer, but the employer never uses that information for any of the purposes above, HIPAA does not apply to the employer.

In addition, one factor frequently overlooked in HIPAA Privacy Rule summaries is that before a “Covered Entity” can be subject to the regulation, the purpose for creating, using, holding or disclosing PHI must be a HIPAA-covered transaction. The following are among the transactions considered HIPAA-covered (the list is not exhaustive):

  • A request by a healthcare company to a health plan for payment of a claim, supported by proper documentation.
  • A query from a healthcare company to a health plan regarding a person’s eligibility to receive treatment.
  • A request to a health plan to refer a person to a different healthcare company (as well as the health plan’s reply).
  • Transmission of (1) an explanation of benefits or (2) a remittance advice from a health plan to a healthcare company.

For more details on HIPAA-covered transactions, see 45 CFR Part 2, particularly §§ 162.1101 to 162.1801.

Does HIPAA Apply to Employers’ Self-Insured Health Plans?

Applying the conditions above for HIPAA-covered transactions, an employer could only be engaged in these kinds of transactions if:

  • They operate onsite clinics that are part of the employees’ health benefits
  • They offer employees a self-insured health plan
  • They serve as an intermediary among employees, healthcare companies and health plans

Since an onsite clinic isn’t a “portable” employee health benefit (i.e. an employee cannot take the benefit along when he or she moves to another job), it is exempt from the HIPAA Privacy Rule. Employers offering self-insured health plans are likewise exempt, since HIPAA treats the employer as a legal entity separate from the health plan, even though the employer administers the self-insured health plan.

Nevertheless, to be able to administer a self-insured health plan, or to act as an intermediary between employees, healthcare companies and health plans, the employer must “partially comply” and must provide certification that PHI will be protected and not used for employment-related decisions or transactions.

The certification is similar to a Business Associate Agreement: it permits the self-insured health plan to share PHI with the employer, but only for the purpose of administering the health plan. Any other use of PHI amounts to an unauthorized disclosure, exposing the employer to sanctions by the Department of Health & Human Services and state attorneys general. More information concerning employer certification is available in 45 CFR 164.504(f).

The general answer to the question “Does HIPAA Apply to Employers?” is no. However, there are instances in which employers must comply with HIPAA regarding the protection of the privacy, integrity and security of PHI. While it is relatively rare for HIPAA to apply, it is crucial that employers understand their compliance requirements in those cases.

Organizations still uncertain about how HIPAA applies to employers should seek expert advice on their particular situation.