HIPAA (US)

The Health Insurance Portability and Accountability Act of 1996, a federal law that protects the privacy and security of individually identifiable health information and gives employees the right to continue health coverage when changing jobs.

What Is HIPAA?

Key Takeaways

  • HIPAA has two main purposes: protecting the privacy and security of individuals' health information, and guaranteeing health insurance portability when employees change or lose their jobs.
  • The Privacy Rule (2003) establishes national standards for protecting individually identifiable health information, called Protected Health Information (PHI).
  • The Security Rule (2005) sets standards specifically for electronic PHI (ePHI), requiring administrative, physical, and technical safeguards.
  • HIPAA applies to covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates, not to employers directly in most situations.
  • Penalties for violations range from $141 to $2,134,831 per violation, with criminal penalties up to $250,000 in fines and 10 years in prison for knowing misuse of health information.

HIPAA is one of the most misunderstood laws in HR. Most people think it prevents employers from asking about employee health. It doesn't. HIPAA regulates how covered entities, which are health plans, healthcare providers, and healthcare clearinghouses, handle protected health information. An employer isn't a covered entity simply because it employs people. However, an employer that sponsors a group health plan does become subject to HIPAA in that specific capacity. The health plan itself is the covered entity, and the employer acting as plan sponsor and administrator has obligations around how it handles PHI received from the plan. This is where HR teams get caught. When a benefits manager receives medical claims data, enrollment information with diagnosis codes, or disability documentation from the group health plan, that information is PHI subject to HIPAA. The same benefits manager can ask an employee directly about their medical condition for ADA accommodation purposes without triggering HIPAA, because the employer isn't acting as a covered entity in that interaction. The distinction matters enormously for compliance.

  • 5,150+: HIPAA enforcement actions completed by the HHS Office for Civil Rights since 2003 (HHS OCR)
  • $2.1B: Total HIPAA penalties and settlements collected since the enforcement program began (HHS, 2024)
  • 725+: Major healthcare data breaches (500+ records) reported to HHS in 2023 (HHS Breach Portal)
  • 133M: Individual records exposed in healthcare data breaches in 2023, the highest ever (HHS)

The HIPAA Privacy Rule and HR

The Privacy Rule sets limits on who can see protected health information and under what circumstances.

What counts as PHI

Protected Health Information is any individually identifiable health information that's created, received, maintained, or transmitted by a covered entity. It includes diagnosis codes, treatment records, prescription information, lab results, health plan enrollment data, claims data, and any information that connects health data to a specific person. PHI covers 18 identifiers including names, dates, phone numbers, email addresses, Social Security numbers, and medical record numbers. De-identified data (with all 18 identifiers removed) is not PHI and isn't subject to HIPAA.
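As an added illustration (not code from the original article), the following Python routine applies the Safe Harbor de-identification rules this paragraph refers to: it drops direct identifiers, keeps only the year of dates, buckets ages of 90 and over, truncates ZIP codes to three digits, and also scrubs identifiers that leak into free-text notes. The record schema, the sample record, the reference date used to compute age and the restricted ZIP prefix set are assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample record (not real data); the field names are an assumed
# schema for this example. The page lists identifier categories, not a schema.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "dob": "1931-05-14", "phone": "555-0100",
    "email": "jane@example.org", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "zip": "03601", "admit_date": "2023-11-02", "diagnosis_code": "F41.1",
    "notes": "Pt Jane Q. Sample called from 555-0100 on 2023-11-02.",
}
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn"}  # dropped outright
# ZIP3 areas with 20,000 or fewer residents must become 000; this set is a
# constructed stand-in for the census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "063"}
SCRUB_PATTERNS = [  # identifiers that commonly leak into narrative text
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]

def scrub_free_text(text, known_names=()):
    """Redact known names and pattern-matched identifiers from narrative text."""
    for name in known_names:
        text = text.replace(name, "[NAME]")
    for pattern, label in SCRUB_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record, as_of=date(2024, 1, 1)):
    """Apply Safe Harbor rules to one record; as_of is the assumed reference
    date for computing age. Returns a new dict without the identifiers."""
    names = [record["name"]] if "name" in record else []
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":  # birth date becomes an age, aggregated at 90+
            born = date.fromisoformat(value)
            age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
            out["age"] = "90+" if age >= 90 else str(age)
        elif key.endswith("_date"):  # other dates keep only the year
            out[key[:-5] + "_year"] = value[:4]
        elif key == "zip":
            out["zip3"] = "000" if value[:3] in RESTRICTED_ZIP3 else value[:3]
        elif key == "notes":
            out[key] = scrub_free_text(value, names)
        else:
            out[key] = value  # clinical content such as diagnosis codes stays
    return out
```

The routine covers the identifier categories named on this page; the remaining Safe Harbor categories (device serials, biometrics, photos and similar) would need the same treatment before the output could be called de-identified.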

When employers handle PHI

Employers most commonly encounter HIPAA when administering self-funded health plans, processing health plan enrollment, handling health plan claims appeals, receiving explanation of benefits (EOB) documents, managing Health Savings Account (HSA) or Flexible Spending Account (FSA) claims, or working with stop-loss insurance carriers. Information obtained outside the health plan context, such as sick leave requests, doctor's notes for FMLA, ADA accommodation requests, or workers' comp claims, generally isn't subject to HIPAA. However, it may be protected under the ADA, state privacy laws, or other regulations.

Minimum necessary standard

When accessing PHI for plan administration, employers must limit access to the minimum amount of information necessary to accomplish the intended purpose. A benefits manager processing a dental claim doesn't need to see the employee's mental health records. HR staff not involved in plan administration shouldn't have access to any PHI. This requires role-based access controls, policies defining who can access what, and training on appropriate use.

The HIPAA Security Rule

The Security Rule applies specifically to electronic PHI (ePHI) and requires three types of safeguards.

Administrative safeguards

Risk analysis: identify where ePHI lives, who accesses it, and what threatens it. This isn't a one-time exercise. It must be ongoing. Designate a security official responsible for developing and implementing security policies. Implement workforce training on HIPAA security, with refresher training at least annually. Develop and test contingency plans for data backup, disaster recovery, and emergency mode operations. Sanction policies: employees who violate security policies must face consequences.

Physical safeguards

Control physical access to facilities where ePHI is stored or accessed. This includes locked server rooms, badge access to areas where PHI is processed, workstation security (auto-lock, privacy screens), and policies for removing ePHI from the facility (encrypted laptops, secure remote access). Device and media controls govern how hardware and electronic media containing ePHI are disposed of, reused, or moved within the organization.

Technical safeguards

Access controls: unique user IDs, automatic logoff, encryption of ePHI at rest and in transit. Audit controls: hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Integrity controls: mechanisms to protect ePHI from improper alteration or destruction. Transmission security: encrypt ePHI when transmitted over electronic networks (email, file transfers, API connections). The Security Rule is technology-neutral: it doesn't mandate specific technologies but requires "reasonable and appropriate" safeguards based on the organization's size, complexity, and risk environment.

HIPAA Breach Notification Rule

When a breach of unsecured PHI occurs, HIPAA requires notification to affected individuals, HHS, and in some cases, the media.

What constitutes a breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Not every security incident is a breach. The covered entity must conduct a risk assessment considering four factors: the nature and extent of PHI involved, who accessed it, whether PHI was actually acquired or viewed, and what mitigation steps were taken. There are three exceptions: unintentional access by an authorized person acting in good faith, inadvertent disclosure between authorized persons within the same organization, and disclosures where the recipient couldn't reasonably retain the information.

Notification requirements

Individual notice: written notification to each affected person within 60 days of discovering the breach. HHS notification: breaches affecting 500+ individuals must be reported to HHS within 60 days. Breaches affecting fewer than 500 individuals can be reported annually within 60 days of the end of the calendar year. Media notification: breaches affecting 500+ individuals in a single state or jurisdiction require notification to prominent media outlets in that area. HHS maintains a public "Wall of Shame" listing all breaches affecting 500+ individuals. As of 2024, it lists over 6,000 reported breaches.

Common HIPAA Violations in the Workplace

HR teams and employers face HIPAA risk in several everyday scenarios.

Sharing health plan information inappropriately

A benefits manager tells a department supervisor that an employee's health plan claims show mental health treatment. A payroll specialist mentions an employee's prescription drug costs at lunch. An HR director shares disability claim details with a manager to explain an employee's absence. All of these violate the Privacy Rule's minimum necessary standard and use/disclosure restrictions. PHI from the health plan can only be used for plan administration, not employment decisions.

Inadequate safeguards for ePHI

Storing enrollment spreadsheets with SSNs and diagnosis codes on unencrypted laptops. Emailing claims data without encryption. Leaving benefits paperwork on desks in open offices. Sharing HRIS login credentials among HR staff. Using a shared email inbox for health plan correspondence without access controls. The most common breach reported to HHS involves email (phishing, misdirected emails), followed by network server incidents and stolen/lost devices.
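Added example, not part of the article: a small detection routine run over constructed HRIS audit lines, showing what the Security Rule's audit controls (above) can catch for two of the problems listed here: PHI views by staff outside plan-administration roles (the minimum necessary standard) and one user ID active from two hosts within minutes of each other, a common sign of shared credentials. The log format, role names, action names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in an assumed key=value format; not from any real HRIS.
SAMPLE_LOG = """\
2024-03-04T09:12:05Z user=bmanager role=plan_admin src=10.1.4.22 action=view_claim record=emp-1042
2024-03-04T09:13:40Z user=bmanager role=plan_admin src=10.1.9.81 action=view_claim record=emp-1042
2024-03-04T09:15:02Z user=recruiter1 role=recruiting src=10.1.5.10 action=view_claim record=emp-2077
2024-03-04T09:20:11Z user=payroll2 role=payroll src=10.1.6.14 action=view_paystub record=emp-2077
2024-03-04T17:45:00Z user=bmanager role=plan_admin src=10.1.4.22 action=export_claims record=all
"""
PHI_ACTIONS = {"view_claim", "export_claims", "view_enrollment"}  # assumed names
PLAN_ADMIN_ROLES = {"plan_admin"}        # roles allowed to touch plan PHI
CONCURRENCY_WINDOW = timedelta(minutes=5)  # two hosts inside this window is suspicious
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def detect(log_text):
    """Return findings as tuples; the first element names the rule that fired."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    seen = defaultdict(list)  # user -> [(ts, src)] of earlier events
    for e in events:
        # Rule 1 (minimum necessary): PHI actions only from plan-administration roles
        if e["action"] in PHI_ACTIONS and e["role"] not in PLAN_ADMIN_ROLES:
            findings.append(("role_violation", e["user"], e["action"], e["record"]))
        # Rule 2 (shared credential): same user ID from a different host within the window
        for ts, src in seen[e["user"]]:
            if src != e["src"] and e["ts"] - ts <= CONCURRENCY_WINDOW:
                findings.append(("shared_credential", e["user"], src, e["src"]))
                break
        seen[e["user"]].append((e["ts"], e["src"]))
    return findings
```

On the sample log the bulk export at 17:45 raises nothing, because it comes from a plan-administration role and a host already associated with that user; a third rule keyed on record=all outside business hours would be the natural next addition.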

Missing business associate agreements

Any vendor that creates, receives, maintains, or transmits PHI on behalf of the covered entity (the health plan) must sign a Business Associate Agreement (BAA). This includes TPAs, PBMs, wellness program vendors, benefits brokers who access claims data, HRIS vendors storing PHI, IT companies with access to systems containing ePHI, and cloud storage providers. Operating without a BAA is itself a HIPAA violation, regardless of whether a breach occurs.

HIPAA Violation Penalties

The HHS Office for Civil Rights (OCR) enforces HIPAA through investigations, corrective action plans, and financial penalties.

Tier | Knowledge Level | Penalty Per Violation | Annual Cap
Tier 1 | Didn't know and couldn't have known | $141 to $71,162 | $2,134,831
Tier 2 | Reasonable cause, not willful neglect | $1,424 to $71,162 | $2,134,831
Tier 3 | Willful neglect, corrected within 30 days | $14,232 to $71,162 | $2,134,831
Tier 4 | Willful neglect, not corrected | $71,162 to $2,134,831 | $2,134,831

HIPAA vs. Other Health Privacy Laws

HIPAA doesn't exist in isolation. HR teams must consider how it interacts with other federal and state privacy protections.

Law | What It Covers | How It Relates to HIPAA
ADA | Disability-related medical information in the employment context | ADA restricts employer use of medical information independently of HIPAA. An employer can violate the ADA's confidentiality rules without triggering HIPAA.
FMLA | Medical certifications for leave | FMLA medical certifications aren't PHI if obtained directly from the employee, not from the health plan.
GINA | Genetic information in employment and health insurance | GINA prohibits health plans from using genetic information for underwriting. The HIPAA Privacy Rule also restricts genetic information disclosure.
State laws | Varying state health privacy protections | HIPAA sets a federal floor. States can impose stricter protections. California's CCPA/CPRA, for example, adds consumer health data rights beyond HIPAA.

HIPAA Compliance Checklist for HR Teams

These steps cover the most critical HIPAA obligations for employers that sponsor group health plans.

  • Establish a firewall between health plan administration and employment functions. PHI obtained for plan administration can never be used for hiring, firing, promotions, or other employment decisions.
  • Execute Business Associate Agreements with every vendor that touches PHI: TPAs, PBMs, wellness vendors, benefits brokers, HRIS platforms, shredding companies, and cloud providers.
  • Train HR staff who handle plan administration on HIPAA Privacy and Security Rules annually. Document training completion dates. Include scenario-based examples specific to their roles.
  • Encrypt all devices (laptops, phones, tablets, USB drives) that may contain ePHI. Encryption is an addressable specification under the Security Rule, meaning you must implement it or document why an alternative measure is equally effective.
  • Conduct a risk assessment at least annually to identify vulnerabilities in how you store, transmit, and dispose of PHI. Document findings and remediation steps.
  • Develop a breach notification procedure with clear escalation paths. Know who investigates potential breaches, who makes the determination, and who handles notifications. Test the process annually.

HIPAA Enforcement and Breach Statistics [2026]

Data showing the scale of HIPAA enforcement and the growing frequency of healthcare data breaches.

  • 133M: Individual records exposed in healthcare data breaches in 2023, a record high (HHS, 2024)
  • $2.1B: Total HIPAA penalties and settlements collected since enforcement began (HHS, 2024)
  • 725+: Major breaches (500+ records) reported to HHS in 2023 alone (HHS Breach Portal)
  • $4.45M: Average cost of a healthcare data breach in 2023 (IBM Cost of a Data Breach, 2023)

Frequently Asked Questions

Does HIPAA prevent my employer from asking about my health?

No. This is the most common HIPAA misconception. HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses), not to employers as employers. Your boss can ask if you're feeling well, request a doctor's note for sick leave, or inquire about a workplace injury without violating HIPAA. Other laws like the ADA restrict certain medical inquiries, but that's a separate issue. HIPAA only applies when the employer is handling information in its capacity as a health plan sponsor.

Can an employer access my health insurance claims?

It depends on the plan structure. In a self-funded plan, the employer may have access to de-identified claims data for plan management purposes. However, HIPAA requires a firewall between plan administration staff and employment decision-makers. The HR benefits manager can see aggregate claims trends but shouldn't share individual claims with supervisors. In a fully insured plan, the insurance carrier handles claims and the employer typically doesn't have access to individual claims data.

Is a doctor's note for FMLA leave considered PHI under HIPAA?

It depends on how the information was obtained. If the employee provides the medical certification directly to the employer, it's not PHI under HIPAA because the employer received it in the employment context, not from the health plan. However, if the employer obtained the information through the group health plan, it would be PHI. Regardless of HIPAA, the ADA and FMLA have their own confidentiality requirements for medical information. Store FMLA medical certifications in a separate, locked file apart from general personnel records.

What should HR do if a manager asks about an employee's medical condition?

Share only what the manager needs to know for legitimate business purposes, and never share PHI from the health plan. For example, if an employee is on FMLA leave, the manager can be told the expected return date and any work restrictions, but not the diagnosis. If the employee has an ADA accommodation, the manager can be told what the accommodation is, but not the underlying condition. Document what was shared and with whom.

Does HIPAA apply to wellness programs?

Yes, when the wellness program is part of or offered through the group health plan. A wellness program that collects health assessments, biometric screenings, or health risk questionnaire data is handling PHI. The wellness vendor must sign a BAA. If the program is completely separate from the health plan (a standalone gym membership benefit, for example), HIPAA may not apply, though the ADA and GINA still restrict what health information employers can collect through voluntary wellness programs.

What's the biggest HIPAA penalty ever imposed?

The largest HIPAA settlement to date is $16 million, paid by Anthem Inc. in 2018 after a 2015 data breach exposed ePHI of nearly 79 million individuals. The second largest is $5.55 million against Advocate Health Care Network in 2016 for multiple breaches involving unencrypted laptops. On the criminal side, individuals have received prison sentences of up to 10 years for knowingly obtaining or disclosing PHI for personal gain or malicious purposes.
Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026