HIPAA is widely misunderstood at work, and the misunderstanding usually goes in the direction of over-compliance. Employees tell HR they can't answer a safety question because of HIPAA; managers claim HIPAA prevents them from acknowledging someone is on leave. Neither is usually accurate. The actual rule is narrower than the pop-culture version, and it's aimed primarily at health plans, health care providers, and their business associates, not at employers operating in their employer capacity. Where HIPAA does touch employers is through group health plans, wellness programs that handle PHI, and the specific information flow between an employee's provider and the plan administrator.
What HIPAA Actually Regulates

HIPAA regulates covered entities and their business associates. The three categories of covered entity are health plans (including employer-sponsored group health plans), health care providers that transmit health information electronically in connection with a standard transaction (claims, eligibility checks, and the like), and health care clearinghouses. When a covered entity shares PHI with a vendor that performs a function on its behalf (a third-party administrator, claims processor, or pharmacy benefit manager), that vendor becomes a business associate, must sign a business associate agreement, and takes on HIPAA obligations of its own.
The key rule set has three pieces: the Privacy Rule (how PHI can be used and disclosed), the Security Rule (technical, administrative, and physical safeguards for electronic PHI), and the Breach Notification Rule (what happens when PHI is improperly disclosed).
Does HIPAA Apply to Employers Directly?

Generally no. An employer acting in its employer capacity (deciding whether to grant FMLA leave, responding to a reasonable accommodation request, managing an occupational health program, holding a doctor's note an employee handed to a manager) is not subject to HIPAA for that information; other laws such as the ADA govern it. But the employer's group health plan is a covered entity, and the firewall between the plan and the employer's regular HR data is what HIPAA actually polices in the workplace context. The Privacy Rule (45 CFR 164.504(f)) lets the plan disclose PHI to the employer as plan sponsor only if the plan documents have been amended to restrict its use to plan administration and to designate which employees may see it; without those amendments the employer is limited to enrollment and disenrollment information and de-identified summary health information.
Where HR Actually Intersects With HIPAA

HR teams encounter HIPAA most often at the boundary of the group health plan. Enrollment and disenrollment data flows from HR to the plan administrator as part of standard benefits administration, and the Privacy Rule explicitly permits that flow. Information that returns the other direction (claims data, disease management program participation, wellness program biometric results) is PHI held by the plan, and the employer may receive it only through the plan-document amendments described above, only for plan administration, and never for employment decisions.
Wellness programs are the highest-risk touchpoint. A wellness program offered as part of the group health plan that collects biometric data, tracks participation in health coaching, or manages chronic condition interventions handles PHI and requires business associate agreements with its vendors and a HIPAA-compliant technical stack. A wellness program the employer runs directly, outside the plan, is not covered by HIPAA, but the health information it collects is still subject to the ADA and GINA confidentiality requirements, so the practical answer is to segregate it either way.
How HIPAA Breaches Actually Happen in HR

The common real-world HIPAA incidents in HR are not dramatic cyber breaches. They're operational: an HR generalist copies the full plan administrator distribution list on an email that names a specific employee's diagnosis. A benefits team member sends a claims report containing PHI to the wrong distribution list. A vendor's unsecured portal exposes enrollment files. These are reportable breaches under the Breach Notification Rule, and those affecting 500 or more individuals are posted publicly on the HHS Office for Civil Rights breach portal, commonly called the "Wall of Shame."
The Security Rule update HHS proposed at the end of 2024 would raise the baseline technical safeguard expectations for electronic PHI, including making safeguards such as encryption and multi-factor authentication mandatory rather than "addressable." The HHS HIPAA resources page is the primary authoritative source on current rules and on whether, and in what form, that proposal has been finalized.
Building HIPAA-Aware HR Operations Without Over-Compliance

The practical operating model has three pieces. First, train HR staff on the narrow but real boundary between employer data and group health plan PHI. Second, treat wellness and occupational health programs as distinct data environments with clear contracts and segregated storage. Third, build an incident response plan for suspected breaches, because the notification clock is tight: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and a breach is treated as discovered on the first day the organization knows of it or, with reasonable diligence, should have known. Breaches affecting 500 or more individuals also require notice to HHS and to prominent media within that same window; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. The goal is neither to over-restrict legitimate HR work nor to create a plan-level data environment that can't withstand a breach review. Most HIPAA-related pain in HR comes from getting the boundary wrong in one direction or the other, and training usually fixes the boundary problem faster than new policy does.