What is HIPAA, and Who Does It Apply To? Our Simple Guide

Author: Dr Kristine Lennie
Last update: April 17, 2025
Published: April 17, 2025

Key takeaways
- HIPAA is a US federal law that protects the privacy of individuals’ medical data within covered entities in the healthcare system and related third-party business associates.
- Employers and HR teams that offer self-insured healthcare plans or handle personal medical data must ensure HIPAA compliance.
- Deel’s PEO services can help ensure federal and state-specific compliance for US teams.
The Health Insurance Portability and Accountability Act (HIPAA) is a US data privacy law that protects the confidentiality of a person’s medical information and sets standards for safe data management and storage. HIPAA applies to covered entities that handle protected health information (PHI) (including healthcare providers, health plans, and healthcare clearinghouses) and their related third-party business associates.
Although most employers are not subject to HIPAA regulations, it is important for HR professionals and company founders to understand when HIPAA might apply to avoid incurring any potential penalties or legal liability.
Deel is a global HR and payroll solution that enables companies in the US and beyond to hire, pay, and manage their employees seamlessly and securely.
In this article, we will cover what HIPAA is, its key components, who it affects, and when it might apply to employers.
What is HIPAA?
HIPAA is a federal law introduced in 1996 with the goal of protecting US citizens’ protected health information (PHI). Under HIPAA, covered healthcare entities and organizations are mandated to safeguard patients’ private medical data and prevent disclosure without consent. HIPAA also improved efficiency and data security in the healthcare system by standardizing how PHI is recorded, handled, shared, and stored.
HIPAA compliance is compulsory for all covered entities (see below) and the third-party business associates who handle PHI on their behalf. Infringements can result in penalties, criminal and civil charges, and reputational damage.
Learn more about how Deel PEO services can help you compliantly employ workers in all 50 states with Deel’s Guide to Professional Employer Organizations (PEO).

Key components of HIPAA
HIPAA includes six key provisions: the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and Business Associate Agreements (BAAs). Each outlines a specific set of regulations for the compliant handling and/or protection of PHI within the healthcare system.
| Rule | Objective | Requirements |
|---|---|---|
| Privacy Rule | Protects individuals' medical records and other PHI | Sets limits on the use and disclosure of PHI without patient authorization and grants patients rights over their health information (including the right to obtain a copy of their health records and request corrections) |
| Security Rule | Establishes standards to protect electronic PHI (ePHI) | Mandates administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI |
| Transactions and Code Sets Rule | Standardizes the electronic exchange of healthcare transactions | Requires the use of standardized codes and formats for transactions such as claims, enrollment, eligibility, and payment |
| Unique Identifiers Rule | Mandates the use of unique identifiers for health plans, healthcare providers, and employers | Assigns National Provider Identifiers (NPIs) to streamline the identification process in healthcare transactions |
| Enforcement Rule | Provides guidelines for investigations and penalties for non-compliance | Establishes procedures for compliance reviews and imposes civil and criminal penalties for violations of HIPAA standards |
| Breach Notification Rule | Requires covered entities to notify individuals, the Secretary of Health and Human Services (HHS), and in some cases the media, of breaches of unsecured PHI | Specifies the content and timing of breach notifications |
Who does HIPAA apply to?
HIPAA applies to covered entities within the healthcare sector and their business associates who handle PHI on their behalf. In this section, we discuss each in more detail.
HIPAA-covered entities
Under HIPAA, covered entities include the following organizations and individuals that directly use and transmit PHI:
- Healthcare providers: Doctors, hospitals, clinics, pharmacies, and similar providers that transmit health information electronically
- Healthcare plans: Insurance companies, employer health plans, health maintenance organizations (HMOs), and governmental health programs such as Medicare or Medicaid
- Clearinghouses: Organizations that act as intermediaries for processing nonstandard health information into HIPAA-compliant, standardized format for use by other covered entities (or, conversely, process standardized health data into nonstandard format, as needed)
Covered entities are generally involved in the delivery of healthcare services or the related admin and payment operations. As such, they are the primary organizations that HIPAA aims to govern to ensure the correct handling and transmission of sensitive PHI.
HIPAA business associates
A covered entity can also use vendors and service providers—also known as ‘business associates’—to perform healthcare services or functions on the covered entity’s behalf. This requires the business associates to sign a Business Associate Agreement (BAA), a contract that mandates that any delegated responsibilities that involve PHI are conducted in compliance with HIPAA regulations and protections.
Examples of operations carried out by HIPAA business associates include:
- Payroll and billing processes
- Cloud storage or other software services
- Third-party administrative work
- Legal and accounting services
- Data analysis or transcription services
Business associates play a critical role in supporting and enabling the efficient functioning of the healthcare system and the covered entities within. Strict compliance with HIPAA ensures all data managed by these third parties remains confidential, safe, and in line with national standards.
Does HIPAA apply to employers?
Typically, HIPAA applies to covered entities and the business associates of those entities, not to employers. However, there are certain situations where HIPAA might also apply to employers.
When does HIPAA apply to employers?
Some of the common scenarios where employers have obligations under HIPAA are if:
- The employer is a covered entity or a business associate to a covered entity: These categories must be fully HIPAA-compliant, including where staff PHI and staff training are concerned
- The employer operates or offers a self-insured healthcare plan: In this case, the healthcare plan is the covered entity, mandating that the employer complies with the HIPAA regulations for any PHI handled for the purposes of the plan
- The employer sponsors a healthcare plan and, as a result, has access to PHI for administrative purposes: The employer must handle all PHI data in a HIPAA-compliant way
- The employer provides an Employee Assistance Program (EAP)—a workplace benefits program aimed at improving employee well-being and productivity: If treatments or counseling services are included, the EAP is operating as a covered service and must comply with HIPAA regulations
When does HIPAA not apply to employers?
Medical information provided to the employer in the context of the employment relationship is not covered by HIPAA. Some specific examples of such information are:
- Sick leave: A doctor’s note used to request or prove sick leave
- Leave under Family and Medical Leave Act (FMLA): Evidence from the healthcare provider validating the existence of a serious health issue
- Disability accommodations: Information disclosed to the employer to certify the need for additional disability or health-related accommodations at the workplace
- Health screening for workplace safety: Medical examinations or assessments carried out to ensure the employees are fit for a specific role (e.g., vision or mental health tests)
Learn more about how to safeguard your workers’ confidential information with Deel’s Data Privacy Compliance: Best Practices for Global Teams.

What is a HIPAA custodian?
A HIPAA custodian is a commonly used term that refers to a person, team, or entity whose role involves managing PHI in accordance with HIPAA regulations. HIPAA custodians can have a number of different titles, such as a Privacy Officer, Security Officer, or Compliance Officer.
For employers subject to HIPAA, such as those that sponsor or offer a healthcare plan, designating a HIPAA custodian could be crucial for minimizing compliance risks. HIPAA custodians have a range of duties, including overseeing PHI processes, conducting audits and staff training, and coordinating data breach responses.
The table below provides an overview of some of the main responsibilities performed by or entrusted to a HIPAA custodian:
| Responsibilities | Tasks |
|---|---|
| Privacy and security oversight | Ensuring the organization adheres to HIPAA's Privacy and Security Rules; implementing policies and procedures to protect PHI from unauthorized access, use, or disclosure |
| Data protection | Safeguarding electronic PHI (ePHI) through technical, physical, and administrative safeguards; managing access controls, encryption, and secure transmission methods for PHI |
| Compliance and training | Conducting regular training sessions for employees on HIPAA compliance and data protection best practices; ensuring all staff members understand their roles and responsibilities regarding PHI |
| Breach response and reporting | Developing and implementing a breach response plan; reporting breaches of unsecured PHI to affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media |
| Risk management | Performing regular risk assessments to identify potential vulnerabilities in the handling of PHI; taking corrective actions to mitigate identified risks |
| Documentation and audits | Maintaining thorough documentation of compliance efforts, policies, procedures, and breach incidents; preparing for and responding to audits or investigations by regulatory bodies |
HIPAA vs. employee privacy laws
Workplace records include employee information and documentation collected and managed by an employer to facilitate an effective employment relationship. This could include a worker’s personal information, such as contact information, performance records, payment details, and medical data.
Though some of this can be subject to HIPAA regulation, HIPAA’s primary purpose is to protect PHI that is created, handled, stored, and transmitted by covered entities or their business associates. As such, HIPAA does not regulate all medical information that might be needed by an employer. Instead, other types of privacy laws might apply.
Examples of such laws include the Americans with Disabilities Act (ADA), which enforces confidentiality in handling disability-related worker data, and the FMLA, whose goal is to protect information regarding a worker’s (or their close family member’s) serious health conditions.
Employers need to ensure they are compliant with the right privacy laws when it comes to managing their employees’ data, and not assume all medical data is governed by HIPAA.
See also: Data Privacy Compliance: Best Practices for Global Teams
Deel empowers US teams to stay compliant
HIPAA safeguards the handling, storage, and transmission of PHI by covered entities within the healthcare system and their business associates. In general, HIPAA does not apply to most employers, meaning founders and HR teams do not necessarily need to be experts on the topic. However, understanding when HIPAA applies is still essential.
If you offer, run, or sponsor a healthcare plan, or handle confidential health data, you should verify any compliance and data privacy responsibilities you might have. Deel PEO empowers US teams by providing a unified service that streamlines every aspect of your HR operations, from payroll compliance to taxes, benefits, and onboarding—in accordance with regulations in all 50 states.
Book a demo with our team to learn more.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please consult a certified professional for help with compliance questions.
FAQs
What is considered PHI under HIPAA?
Under HIPAA, Protected Health Information (PHI) is individually identifiable medical data that is managed or transmitted by a covered entity or its business associate.
Do HIPAA rules apply to small businesses?
HIPAA applies regardless of business size: a small covered entity or business associate has the same obligations as a large one.
Can HR ask for a doctor’s note?
Yes, HR can request a doctor’s note from an employee. Employment-related information, such as sick leave or disability accommodation requests, is not covered by HIPAA.
Is HIPAA violated if an employee shares their own health info?
No, HIPAA does not infringe on an individual’s right to voluntarily disclose their personal health information.

About the author
Dr Kristine Lennie holds a PhD in Mathematical Biology and loves learning, research, and content creation. She has written academic, creative, and industry-related content and enjoys exploring new topics and ideas. She is passionate about helping create a truly global workforce, where employers and employees are not limited by borders to achieve success.