How Does HIPAA Apply to Employers?

November 08, 2023

Explore the different HIPAA rules, what they do, how they apply to employers, some common incidents to avoid, and the penalties involved.

Despite the persistent prompts to share everything we see online, some information should definitely be kept private. Social Security numbers, bank account PINs, credit card passwords — the list could go on.

Medical history, due to its sensitive nature, also belongs on that list. Even in professional settings like the workplace, a person's medical records shouldn't be known or shared by others without that person's consent.

This is why the Health Insurance Portability and Accountability Act (HIPAA) was enacted. Its main purpose is to ensure the confidentiality and integrity of an individual’s health information while also granting access to that information for covered entities who provide healthcare services.

The following guide will describe exactly what HIPAA does, explain to whom it applies, review common incidents that can lead to a HIPAA violation, and outline the penalties that typically accompany a violation.

Key Takeaways

  • HIPAA is a federal law that requires the creation of national standards to prevent Protected Health Information (PHI) from being disclosed without a person’s consent or knowledge.
  • Covered entities include health plans, clearinghouses, and healthcare providers, while organizations that provide services that use PHI for a covered entity are called business associates.
  • Some of the most common incidents that lead to a HIPAA violation center around PHI being available to someone it shouldn't, such as a lost device, sending unencrypted data, or giving unauthorized access.

What is HIPAA?

HIPAA is a federal law that regulates the protection of a person's medical records and other individually identifiable health information by strengthening the privacy, security, and accessibility of that information.

Its rules apply to covered entities and their business associates, both of whom must also provide patients with certain rights regarding their PHI.

Covered entities that use a business associate must have a written contract or arrangement that specifies what the associate does and subjects the associate to HIPAA’s standards.

Important HIPAA Definitions

Protected Health Information (PHI)

Individually identifiable health information that's transmitted or maintained in any form (i.e., written, spoken, or electronic) and:

  • is created or received by a healthcare provider, health plan, employer, public health authority, life insurer, school or university, or healthcare clearinghouse
  • relates to any of the following:
    • an individual’s past, present, or future physical or mental condition (including genetic information)
    • the healthcare provided to an individual
    • the past, present, or future payment for an individual’s healthcare
  • identifies or could reasonably be used to identify the individual

Covered Entities

  • Health plans
  • Healthcare providers who transmit any information electronically in connection with a transaction for which the Department of Health and Human Services (HHS) has a standard
  • Healthcare clearinghouses that process claims or nonstandard health information received from another entity (or vice versa) into a standard format or data content

Business Associates

  • A person or organization that performs certain functions and activities for or provides certain services to a covered entity, which involve PHI use or disclosure.
  • This doesn’t include a member of the covered entity’s own workforce, but a covered entity can also be a business associate of another covered entity.

What Does HIPAA Do?

There are five different HIPAA titles, each focusing on a different aspect of individual healthcare. Title II is one of the more relevant sections for employers, as it establishes the following rules:

  • Privacy Rule - Covered entities must secure and maintain the confidentiality of everyone's PHI via safeguards and limits on when that data can be used or shared without the person's consent. This rule also gives individuals certain rights regarding their PHI.
  • Security Rule - Describes the administrative, physical, and technical security measures that covered entities must meet to protect the electronic versions of a person's PHI.
  • Breach Notification Rule - All covered entities and business associates must give notice if unsecured PHI is ever breached and share the alert with the impacted individuals, the HHS Secretary, and sometimes the media.
  • Transactions Rule - Imposes standardization guidelines for electronic exchanges of healthcare data (a.k.a., transactions), such as healthcare claims and payments, enrollment, premium payments, and coordination of benefits.
  • Enforcement Rule - Sets financial penalties for violating HIPAA requirements and the procedures for investigating possible non-compliance.

Does HIPAA Apply to Employers?

HIPAA compliance primarily focuses on those in the healthcare industry, but there are instances where it applies to non-medical businesses:

  • If an employer is a business associate for a covered entity
  • If an employer offers self-funded health insurance (i.e., plans where employers collect premiums from employees and process claims on their behalf). These healthcare plans qualify as covered entities, so even if the rest of the company isn't a covered entity or business associate, these employers must ensure the plan's operations are HIPAA compliant.

What is a HIPAA Violation in the Workplace?

The most common types of HIPAA violations all center around unauthorized access to or disclosure of PHI. Incidents that can cause these violations include:

  • Lost Devices – when a mobile device (e.g., a phone, laptop, or tablet) used to handle or access PHI is misplaced or stolen
  • Unencrypted Data – when a device doesn't use an appropriate level of encryption to prevent cybercriminals and malware from accessing stored or transmitted PHI
  • Unauthorized Access – when an employee accidentally attaches the wrong file or opens a folder containing PHI that they are not authorized to access

There are, however, some situations where employers are allowed to request medically related information. Asking a doctor to confirm the medical need for a work absence or reviewing workers' compensation records doesn't qualify as a HIPAA violation.

Penalties for HIPAA Violations

Breaches of medical confidentiality in the workplace are usually classified as civil violations that come with a monetary fine. The specific amounts range in severity based on the covered entity's awareness, actions, and mitigating factors.

| Employer's Awareness and Actions                                                      | Amount Per Incident | Annual Cap Amount |
|---------------------------------------------------------------------------------------|---------------------|-------------------|
| Unaware or couldn't have known                                                        | $137 - $34,464*     |                   |
| Reasonable cause: the entity knew or should have known with reasonable due diligence  | $1,379 - $68,928    |                   |
| Willful negligence corrected within 30 days                                           | $13,785 - $68,928   |                   |
| Willful negligence not corrected within 30 days                                       |                     |                   |

*Since the adjustment process was adopted at different times for single incidents and annual caps, an anomaly resulted where the maximum amount for the lowest level of violation ($68,928) actually exceeds the corresponding annual cap amount ($34,464). To avoid confusion, the above table instead uses the annual cap amount for both columns.

Employer HIPAA Compliance Checklist

Thankfully, there are several steps organizations can and should take to avoid the risk of violating HIPAA.

  • Confirm if the organization qualifies as a covered entity or business associate.
  • Check if any of its offered benefits, health plans, or insurance plans qualify as a covered entity.
  • Determine which, if any, HIPAA-related audits will apply to the organization or its offerings.
  • Adopt HIPAA compliance training policies and reporting procedures. Maintain records of all completed training and awareness efforts.
  • Consider appointing a HIPAA officer to manage all HIPAA-related matters.
  • Adopt procedures for handling and responding to any PHI breaches.

Invest in a Secure HR System to Avoid HIPAA Violations

Completing the items above will greatly help your organization, but HIPAA compliance isn't a one-and-done process. It requires ongoing monitoring and maintenance.

Paylocity’s HR and Payroll software is equipped with a learning management system (LMS) and HIPAA compliance courses for educating your workforce on how to keep PHI safe. You can easily assign training to your employees or let them complete coursework on demand from both desktop and mobile devices.

Beyond just training, Paylocity also embeds employee data security within its practices and processes. Third-party auditors review our security environment annually to ensure compliance with privacy and security laws. Learn more about Paylocity’s commitment to client data security here.

Want to find out more? Request a demo of our HR and Payroll software today!