Does HIPAA Apply to Employers?

September 10, 2025
HIPAA, or the Health Insurance Portability and Accountability Act, is best known for protecting patient health information in the healthcare industry. But what about your workplace? Does HIPAA apply to employers? The short answer is – usually not. But there are a few key exceptions where it does.
Whether you’re an employer trying to understand your responsibilities or an employee curious about your privacy rights, it’s important to know how HIPAA works in workplace settings. This guide breaks it down simply, using information from trusted sources like HHS.gov, the HIPAA Journal, and the Department of Labor.
When HIPAA Does Not Apply to Employers
In most cases, HIPAA doesn’t apply to employers. That’s because HIPAA applies only to “covered entities” and their “business associates.” Covered entities are:
- Health plans
- Health care providers who transmit health information electronically
- Health care clearinghouses
Employers are not on that list. Simply handling health-related information does not, by itself, make HIPAA apply.
Employment Records Are Not Covered
If an employer collects health data for employment reasons – like sick notes, ADA accommodations, or drug testing results – that information is not protected under HIPAA.
According to HHS.gov – Employers and Health Information in the Workplace,
“The Privacy Rule does not apply to employment records, even if the information in those records is health-related.”
Instead, other laws like the Americans with Disabilities Act (ADA) or Family and Medical Leave Act (FMLA) may govern how that data is handled.
Examples of What’s Not Covered
Here are some examples of employment-related health records that are not covered by HIPAA:
- Doctor’s notes given to HR for medical leave
- Vaccination status provided to meet office policies
- Results from a pre-employment drug test
- Reports from workstation ergonomic evaluations
- Injury documentation for a minor workplace accident
These are considered employment records, not protected health information (PHI) under HIPAA.
Why This Distinction Matters
Confusing employment records with PHI can lead to serious missteps. If employers treat all health-related data like PHI under HIPAA, they may impose unnecessary restrictions or overlook the real rules they must follow under different laws. Likewise, employees who mistakenly believe all health info is protected under HIPAA may not realize which records their employer can legally access or store.
It’s important for HR departments and leadership to clarify this boundary in their privacy training materials and internal policies.
When HIPAA Applies to Employers
There are some limited cases where HIPAA does apply to employers, and they usually involve health plans.
Self-Insured Health Plans
If an employer provides a self-insured health plan – meaning the employer pays employee health care claims directly instead of buying coverage from an insurance provider – then the plan itself is a covered entity. In that case:
- The health plan must follow HIPAA rules
- The employer must keep the plan’s information separate from employment records
- Access to PHI must be restricted to only authorized personnel
- The company must implement safeguards like encryption and role-based access
- Documentation, training, and privacy policies are mandatory
These steps are necessary to create a clear separation between the employer’s HR role and its function as a group health plan administrator.
Workplace Wellness Programs
HIPAA may also apply if an employer offers a workplace wellness program as part of a group health plan. For example:
- If your program includes biometric screenings as part of insurance incentives
- If your step-tracking or fitness reporting is linked to an insurance plan benefit
- If a third-party vendor runs the program on behalf of your group plan
In those cases, the data collected is likely protected by HIPAA. However, if the employer runs a casual, standalone program with no link to a group health plan, HIPAA doesn’t apply.
This is clarified in HHS.gov – Workplace Wellness and HIPAA, which explains that HIPAA only applies to wellness programs tied to group health plans.
Acting as an Intermediary
Some employers may help workers fill out forms, answer insurance questions, or submit claims. These tasks can involve access to protected health information (PHI). In these cases, HIPAA applies to that specific role, not to the whole company. It’s essential to limit PHI access to the people performing that role and to document the procedures for these activities.
Quick Look: When HIPAA Applies or Not
Here’s a summary:
- HIPAA applies when the employer administers a health plan or works with PHI as a plan sponsor
- HIPAA does not apply to sick notes or employment-related paperwork
- Wellness programs may or may not fall under HIPAA depending on how they are structured
Other Privacy Laws Employers Must Follow
Just because HIPAA doesn’t apply doesn’t mean there are no rules. Employers still have to follow:
- ADA (Americans with Disabilities Act): Requires medical information to be stored separately and kept confidential
- FMLA (Family and Medical Leave Act): Requires medical leave documentation to be treated securely
- GINA (Genetic Information Nondiscrimination Act): Prevents employers from using genetic information in employment decisions
- EEOC (Equal Employment Opportunity Commission): Has guidance on confidentiality requirements
- State privacy laws: Some states have their own regulations covering employee health and personal data
Best Practices for Employers
To protect employee health information, even when HIPAA doesn’t apply:
- Keep health information in secure files, separate from standard HR records
- Restrict access to authorized personnel only
- Use encryption for digital files
- Provide regular training for managers and HR staff
- Designate a privacy officer or security lead to oversee compliance
- Conduct internal audits of recordkeeping and information access
Final Thoughts
So, does HIPAA apply to employers? In most cases, no – but there are important exceptions.
If your company runs a self-insured health plan or offers a wellness program tied to insurance, HIPAA may apply. And even when it doesn’t, privacy laws like the ADA and GINA still require employers to handle health data carefully.
The best approach? Act like HIPAA applies even when it doesn’t. Set clear boundaries, follow strong privacy practices, and train your team well.