Does HIPAA Apply to Employers?

by John Blacksmith

HIPAA does not apply to employers in their capacity as employers. It applies only when an organization functions as a HIPAA Covered Entity or Business Associate that creates, receives, maintains, or transmits protected health information as part of regulated healthcare activities.

Most employers are not HIPAA Covered Entities because they do not provide healthcare, operate a health plan, or act as a healthcare clearinghouse under the HIPAA Administrative Simplification definitions. Employment records held by an employer, including sick leave documentation, workplace injury files maintained for employment purposes, drug testing records maintained by the employer, and human resources files, are not protected health information under the HIPAA Privacy Rule.

HIPAA can apply to an employer when the employer operates a group health plan that is a HIPAA Covered Entity. In that role, the plan is subject to the HIPAA Privacy Rule and HIPAA Security Rule for protected health information created or received by the plan. The employer as plan sponsor may receive certain plan information under conditions that require plan documents to limit uses and disclosures and require separation between the plan’s protected health information and the employer’s employment functions. Access to protected health information for plan administration is distinct from access for employment decisions.

HIPAA also applies when an employer provides healthcare services and transmits health information electronically in connection with standard transactions. Examples include an onsite medical clinic that bills electronically or performs covered transactions through a third party. In that setting, the clinic function can be a HIPAA Covered Entity, and protected health information created in the clinic is subject to HIPAA controls even if the clinic is operated by the employer.

Employers often receive health information from employees through other legal and operational channels. A healthcare provider may disclose limited information to an employer without an authorization in defined circumstances, such as when a disclosure is required by law, when the disclosure is for workers’ compensation purposes consistent with the HIPAA Privacy Rule provisions, or when an employee provides a valid HIPAA authorization. An employer may also receive information directly from the employee. HIPAA does not restrict what an employee chooses to share with an employer, though other federal and state laws may restrict how the employer may use that information.

When a health plan or clinic function exists, compliance depends on policies that control who can access protected health information, how access is logged and monitored, and how information is segregated from employment records. Operational controls include online HIPAA training for staff who handle protected health information, access provisioning tied to job function, vendor agreements when third parties handle protected health information, and incident response procedures aligned with the HIPAA Breach Notification Rule when unsecured protected health information is compromised.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.