HIPAA Compliance for HR Departments

HIPAA compliance for HR departments is necessary for healthcare and health insurance companies, but even companies that are not directly engaged in the healthcare or healthcare insurance sectors must still be aware of HIPAA requirements. It is estimated that one third of all employees and their dependents obtain healthcare benefits through a company self-insured group health plan.

Though this doesn’t mean a self-insuring company becomes a HIPAA-Covered Entity and thus must follow HIPAA regulations, it is very likely that the HR department is going to have some participation in insurance-related functions. When performing those insurance-related functions, HR personnel will certainly deal with Protected Health Information (PHI).

Importance of HIPAA Compliance for HR Departments

The principal goal of the Health Insurance Portability and Accountability Act (HIPAA) was to ensure the portability and continuity of medical insurance coverage. As the Act advanced through Congress, changes were included with the objective of eliminating waste and combating fraud and abuse in the health insurance and healthcare sectors.

This was achieved through the HIPAA Privacy and Security Rules. The Rules limit PHI access and usage, chiefly to allow patients and group health plan members to control how their private data is used. For instance, without a patient’s consent, healthcare providers cannot use a patient’s data for marketing purposes.

Another reason for limiting access to PHI is to prevent people from using another person’s PHI to obtain free healthcare services, termed medical identity theft. Healthcare data can also be used for standard identity theft and tax fraud. The versatility of the data makes healthcare information highly valuable. According to a 2014 report, a complete dossier of healthcare data on the black market costs $1,200 or more – much higher than the value of stolen Visa card credentials, which is typically just $4.

Key Areas of HIPAA Compliance for HR Departments

HR personnel must be well-versed in four key areas of HIPAA compliance. These are:

  • Understanding the crucial parts of the Privacy and Security Rules
  • Helping workers understand their rights under HIPAA
  • Protecting the PHI of workers
  • Working with Covered Entities and Business Associates with whom employees share their PHI

Though there are HIPAA compliance resources that adequately discuss these areas of HIPAA compliance for HR departments, certain areas of HIPAA compliance can be overlooked. Some common errors have been explained below.

Don’t Think that the IT Department is Answerable for Security Rule Compliance

An IT manager is typically assigned the role of HIPAA Security Officer and is responsible for making sure that each department in a company follows Security Rule requirements. However, HR personnel must never assume that security compliance is solely IT’s responsibility; they also have responsibilities under HIPAA.

Give Updates and Reminders of Privacy Practice Notices

Personnel enrolled in a self-insured group health plan should be provided with a Privacy Practice Notice reminding them of their rights under HIPAA. Most HR departments remember to do this, yet some fail to send out reminders when privacy practices are updated, which should happen at least once every three years.

Keep a Written Policy for Investigating and Dealing with Complaints

Even though it isn’t mandated by HIPAA, there should be a written policy for documenting privacy complaints, investigations, and resolutions. This will considerably benefit the company, particularly the HR department, if a worker escalates their issue and reports it to the Department of Health & Human Services.

Do not Disregard State Privacy Law Compliance

There is confusion regarding the relationship between HIPAA and state privacy laws. HIPAA preempts state privacy laws that offer weaker privacy protections; however, some states have introduced laws that provide residents with even greater privacy protections than HIPAA, and those laws still apply. In the pursuit of HIPAA compliance, HR departments must not ignore state standards.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/