
Article

5 min read

What is HIPAA, and Who Does It Apply To? Our Simple Guide


Author

Dr Kristine Lennie

Last Update

April 17, 2025

Published

April 17, 2025

Table of Contents

What is HIPAA?

Key components of HIPAA

Who does HIPAA apply to?

What is a HIPAA custodian?

HIPAA vs. employee privacy laws

Deel empowers US teams to stay compliant

Key takeaways
  1. HIPAA is a US federal law that protects the privacy of individuals’ medical data within covered entities in the healthcare system and related third-party business associates.
  2. Employers and HR teams that offer self-insured healthcare plans or handle personal medical data must ensure HIPAA compliance.
  3. Deel’s PEO services can help ensure federal and state-specific compliance for US teams.

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that protects the confidentiality of a person's medical information and sets standards for how that information is managed, stored, and transmitted. HIPAA applies to covered entities that handle protected health information (PHI), namely healthcare providers, health plans, and healthcare clearinghouses, and to the third-party business associates that handle PHI on their behalf.

Although most employers are not subject to HIPAA regulations, it is important for HR professionals and company founders to understand when HIPAA might apply to avoid incurring any potential penalties or legal liability.

Deel is a global HR and payroll solution that enables companies in the US and beyond to hire, pay, and manage their employees seamlessly and securely.

In this article, we will cover what HIPAA is, its key components, who it affects, and when it might apply to employers.

What is HIPAA?

HIPAA is a federal law enacted in 1996 with the goal of protecting individuals' protected health information (PHI). Under HIPAA, covered entities must safeguard patients' medical data and may not disclose it without authorization except where the law permits. HIPAA also improved efficiency and data security in the healthcare system by standardizing how PHI is recorded, handled, shared, and stored.

HIPAA compliance is compulsory for all covered entities (see below) and for the business associates that handle PHI on their behalf. Violations can result in civil monetary penalties, criminal charges, and reputational damage.

Learn more about how Deel PEO services can help you compliantly employ workers in all 50 states with Deel’s Guide to Professional Employer Organizations (PEO).


Key components of HIPAA

HIPAA is implemented through several rules, each governing a specific aspect of how PHI is handled and protected: the Privacy Rule, the Security Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, the Enforcement Rule, and the Breach Notification Rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened enforcement and breach notification and made business associates directly liable under HIPAA, and Business Associate Agreements (BAAs) are the contracts through which covered entities pass their obligations on to vendors.

Rule: Privacy Rule
Objective: Protects individuals' medical records and other PHI
Requirements: Sets limits on the use and disclosure of PHI without patient authorization and grants patients rights over their health information, including the right to obtain a copy of their records and to request corrections

Rule: Security Rule
Objective: Establishes standards to protect electronic PHI (ePHI)
Requirements: Mandates administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI

Rule: Transactions and Code Sets Rule
Objective: Standardizes the electronic exchange of healthcare transactions
Requirements: Requires the use of standardized codes and formats for transactions such as claims, enrollment, eligibility, and payment

Rule: Unique Identifiers Rule
Objective: Mandates the use of unique identifiers for health plans, healthcare providers, and employers
Requirements: Assigns National Provider Identifiers (NPIs) to healthcare providers to streamline identification in healthcare transactions

Rule: Enforcement Rule
Objective: Provides guidelines for investigations and penalties for non-compliance
Requirements: Establishes procedures for compliance reviews and imposes civil and criminal penalties for violations of HIPAA standards

Rule: Breach Notification Rule
Objective: Requires covered entities to notify individuals, the Secretary of Health and Human Services (HHS), and in some cases the media, of breaches of unsecured PHI
Requirements: Specifies the content and timing of breach notifications

Who does HIPAA apply to?

HIPAA applies to covered entities within the healthcare sector and their business associates who handle PHI on their behalf. In this section, we discuss each in more detail.

HIPAA-covered entities

Under HIPAA, covered entities include the following organizations and individuals that directly use and transmit PHI:

  • Healthcare providers: Doctors, hospitals, clinics, pharmacies, and other providers that transmit health information electronically in connection with a HIPAA standard transaction (such as a claim)
  • Healthcare plans: Insurance companies, employer health plans, health maintenance organizations (HMOs), and governmental health programs such as Medicare or Medicaid
  • Clearinghouses: Organizations that act as intermediaries for processing nonstandard health information into HIPAA-compliant, standardized format for use by other covered entities (or, conversely, process standardized health data into nonstandard format, as needed)

Covered entities are generally involved in the delivery of healthcare services or the related admin and payment operations. As such, they are the primary organizations that HIPAA aims to govern to ensure the correct handling and transmission of sensitive PHI.

HIPAA business associates

A covered entity can also use vendors and service providers—also known as ‘business associates’—to perform healthcare services or functions on the covered entity’s behalf. This requires the business associates to sign a Business Associate Agreement (BAA), a contract that mandates that any delegated responsibilities that involve PHI are conducted in compliance with HIPAA regulations and protections.

Examples of operations carried out by HIPAA business associates include:

  • Payroll and billing processes
  • Cloud storage or other software services
  • Third-party administrative work
  • Legal and accounting services
  • Data analysis or transcription services

Business associates play a critical role in supporting and enabling the efficient functioning of the healthcare system and the covered entities within. Strict compliance with HIPAA ensures all data managed by these third parties remains confidential, safe, and in line with national standards.

Does HIPAA apply to employers?

Typically, HIPAA applies to covered entities and to the business associates of those entities, not to employers as such. However, there are certain situations in which HIPAA also applies to employers.

When does HIPAA apply to employers?

Some common scenarios in which an employer has obligations under HIPAA are:

  • The employer is itself a covered entity or a business associate of one: It must be fully HIPAA-compliant, including in how it handles any PHI it holds and in training its staff
  • The employer operates or offers a self-insured healthcare plan: The health plan is the covered entity, so the employer must comply with HIPAA for any PHI it handles on the plan's behalf
  • The employer sponsors a healthcare plan and, as a result, has access to PHI for plan administration: The employer must handle that PHI in a HIPAA-compliant way and use it only for plan administration
  • The employer provides an Employee Assistance Program (EAP), a workplace benefit aimed at improving employee well-being and productivity: If the EAP provides treatment or counseling services, it is itself a health plan and must comply with HIPAA

When does HIPAA not apply to employers?

Medical information provided to the employer in the context of the employment relationship is not covered by HIPAA. Some specific examples of such information are:

  • Sick leave: A doctor’s note used to request or prove sick leave
  • Leave under Family and Medical Leave Act (FMLA): Evidence from the healthcare provider validating the existence of a serious health issue
  • Disability accommodations: Information disclosed to the employer to certify the need for additional disability or health-related accommodations at the workplace
  • Health screening for workplace safety: Medical examinations or assessments carried out to ensure the employees are fit for a specific role (e.g., vision or mental health tests)

Learn more about how to safeguard your workers’ confidential information with Deel’s Data Privacy Compliance: Best Practices for Global Teams.


What is a HIPAA custodian?

A HIPAA custodian is a commonly used term that refers to a person, team, or entity whose role involves managing PHI in accordance with HIPAA regulations. HIPAA custodians can have a number of different titles, such as a Privacy Officer, Security Officer, or Compliance Officer.

For employers subject to HIPAA, such as those that sponsor or offer a healthcare plan, designating a HIPAA custodian can be crucial for minimizing compliance risk. HIPAA custodians have a range of duties, including overseeing PHI processes, conducting audits and staff training, and coordinating the response to data breaches.

The table below provides an overview of some of the main responsibilities performed by or entrusted to a HIPAA custodian:

Privacy and security oversight:
  • Ensuring the organization adheres to HIPAA's Privacy and Security Rules
  • Implementing policies and procedures to protect PHI from unauthorized access, use, or disclosure

Data protection:
  • Safeguarding electronic PHI (ePHI) through technical, physical, and administrative safeguards
  • Managing access controls, encryption, and secure transmission methods for PHI

Compliance and training:
  • Conducting regular training sessions for employees on HIPAA compliance and data protection best practices
  • Ensuring all staff members understand their roles and responsibilities regarding PHI

Breach response and reporting:
  • Developing and implementing a breach response plan
  • Reporting breaches of unsecured PHI to affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media

Risk management:
  • Performing regular risk assessments to identify potential vulnerabilities in the handling of PHI
  • Taking corrective actions to mitigate identified risks

Documentation and audits:
  • Maintaining thorough documentation of compliance efforts, policies, procedures, and breach incidents
  • Preparing for and responding to audits or investigations by regulatory bodies

HIPAA vs. employee privacy laws

Workplace records include employee information and documentation collected and managed by an employer to facilitate an effective employment relationship. This could include a worker’s personal information, such as contact information, performance records, payment details, and medical data.

Though some of this can be subject to HIPAA regulation, HIPAA’s primary purpose is to protect PHI that is created, handled, stored, and transmitted by covered entities or their business associates. As such, HIPAA does not regulate all medical information that might be needed by an employer. Instead, other types of privacy laws might apply.

Examples of such laws include the Americans with Disabilities Act (ADA), which enforces confidentiality in handling disability-related worker data, and the FMLA, whose goal is to protect information regarding a worker’s (or their close family member’s) serious health conditions.

Employers need to ensure they are compliant with the right privacy laws when it comes to managing their employees’ data, and not assume all medical data is governed by HIPAA.

See also: Data Privacy Compliance: Best Practices for Global Teams

Deel empowers US teams to stay compliant

HIPAA safeguards the handling, storage, and transmission of PHI by covered entities within the healthcare system and their business associates. HIPAA does not apply to most employers, so founders and HR teams do not necessarily need to be experts on the topic. However, understanding when HIPAA does apply is still essential.

If you offer, run, or sponsor a healthcare plan, or handle confidential health data, you should verify any compliance and data privacy responsibilities you might have. Deel PEO empowers US teams by providing a unified service that streamlines every aspect of your HR operations, from payroll compliance to taxes, benefits, and onboarding—in accordance with regulations in all 50 states.

Book a demo with our team to learn more.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please consult a certified professional for help with compliance questions.

FAQs

What is PHI under HIPAA?
Under HIPAA, Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate.

Does HIPAA apply to small businesses?
HIPAA applies to covered entities and their business associates regardless of size; a small clinic is covered in the same way as a large hospital. Businesses outside those categories are not subject to HIPAA.

Can HR request a doctor's note from an employee?
Yes, HR can request a doctor's note from an employee. Employment-related information, such as sick leave or disability accommodation requests, is not covered by HIPAA.

Does HIPAA prevent employees from sharing their own health information?
No, HIPAA does not restrict an individual's right to voluntarily disclose their own health information.


About the author

Dr Kristine Lennie holds a PhD in Mathematical Biology and loves learning, research, and content creation. She has written academic, creative, and industry-related content and enjoys exploring new topics and ideas. She is passionate about helping create a truly global workforce, where employers and employees are not limited by borders in achieving success.
