HIPAA Compliance for HR Departments
HIPAA compliance for HR departments consists of understanding which HIPAA standards apply to the department's activities, and implementing policies and procedures to ensure the privacy and security of individually identifiable health information where appropriate, not forgetting that state privacy and security regulations may also apply.
Businesses not directly involved in the healthcare or health insurance industries should nonetheless pay close attention to HIPAA compliance for HR departments. It has been estimated that a third of all workers and their dependents who receive employer-sponsored healthcare benefits do so through a self-insured group health plan.
Although this does not mean a self-insuring business automatically becomes a HIPAA Covered Entity subject to HIPAA regulations (it is the group health plan itself that is the Covered Entity, not the employer sponsoring it), the likelihood is that the HR department will have some involvement in administering the plan. During the execution of these insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information (PHI).

Why HIPAA Compliance for HR Departments is Important
The original purpose of the Health Insurance Portability and Accountability Act (HIPAA) was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, a second Title was added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries and simplifying the administration of healthcare transactions.
As a result of the administrative simplification requirements, the HIPAA Privacy and Security Rules were introduced. The Rules restrict access to and use of Protected Health Information (PHI), and give patients and plan members more control over how personal information is used. For example, healthcare organizations can no longer use a patient's PHI for marketing activities without the patient's written authorization.
A further purpose of restricting access to PHI is to prevent one person from using somebody else's PHI to obtain free healthcare, which is effectively identity theft. As the costs of medical treatment have increased, so has the value of healthcare data. A 2014 report calculated that a full dossier of healthcare data on the black market is worth upwards of $1,200. By comparison, a stolen Visa card is worth $4.
Major Areas of HIPAA Compliance for HR Departments
There are four major areas of HIPAA compliance in which HR personnel should be well-versed. These relate to understanding the key components of the Privacy and Security Rules, helping employees understand their rights under HIPAA legislation, safeguarding the PHI of employees, and working with Covered Entities and Business Associates with whom PHI is shared.
Don´t Assume the IT Department is Responsible for Security Rule Compliance
An IT manager is usually designated as the HIPAA Security Officer, with responsibility for coordinating Security Rule compliance across every department within the company. But this is not always how responsibility is allocated, and HR personnel should not assume that security is somebody else's problem: the Security Rule applies to every system that stores or transmits electronic PHI, including HR information systems, benefits portals and shared drives that the HR department controls.
Remember to Send Updates and Reminders of Privacy Practice Notices
Employees enrolled in a self-insured group health plan must be given a Notice of Privacy Practices informing them of their HIPAA-related rights. Most HR departments remember to do this, but some forget to issue an updated notice when privacy practices are materially revised, and to remind plan members at least once every three years that the notice is available and how to obtain it.
Maintain a Written Policy for Investigating and Resolving Complaints
The Privacy Rule (§164.530(d)) requires a Covered Entity to provide a process for individuals to make complaints and to document each complaint received and its disposition. A written policy for recording privacy complaints, investigations, and resolutions satisfies this requirement and will be of significant benefit to the company, and the HR department in particular, if an employee escalates a complaint to the Department of Health & Human Services.
Don´t Overlook State Privacy Law Compliance
The relationship between HIPAA and state privacy laws is a source of confusion for some people. HIPAA preempts contrary state privacy laws that provide weaker protection, but not those that are more stringent, which continue to apply alongside HIPAA. In the quest for HIPAA compliance, HR departments should not overlook state requirements.
HIPAA Training for HR Department Staff
HIPAA training for HR department staff matters because HR teams may handle health-related information during routine duties and need clear guidance on how to protect it and when HIPAA applies. In many organizations, HR staff encounter sensitive details through benefits administration, leave and accommodation requests, wellness programs, and employee support processes. Training should explain when information is considered PHI, how it differs from standard personnel records, and how to avoid unnecessary sharing of health information inside the organization.
HR-focused HIPAA training should follow the same structure as strong HIPAA training for employees by explaining the Privacy Rule, Security Rule, and Breach Notification Rule in practical language. HIPAA training for HR professionals should include clear definitions, examples of minimum necessary access, and step-by-step guidance on secure handling of email, electronic files, printed documents, and conversations. It should also address common risk points for HR, such as storing health information in shared folders with broad access permissions, sending details to the wrong recipient, using unapproved communication tools, or discussing an employee's health in settings where it can be overheard.
Best practice in the healthcare sector is to provide HIPAA training for HR professionals annually, and HR staff should be included in the annual cycle alongside other workforce members. Annual training reinforces expectations, updates staff on new tools and threats, and provides consistent documentation that HR employees have received ongoing training rather than a one-time introduction. When HR staff receive role-relevant onboarding training and complete annual refresher training, organizations reduce privacy risk, strengthen internal culture, and show that HIPAA compliance is applied consistently across all departments that may come into contact with sensitive health information.
HR and HIPAA Sanctions Policies
When an organization qualifies as a HIPAA Covered Entity or Business Associate, HR departments may be responsible for developing and enforcing HIPAA sanctions policies. Sanctions policies are required by §164.530(e) of the Privacy Rule and §164.308(a)(1)(ii)(C) of the Security Rule; failing to develop and enforce a sanctions policy is itself a violation of HIPAA.
Importantly, the Privacy Rule standard not only requires sanctions to be applied when members of the workforce violate an employer's HIPAA policy, but also when "members of its workforce fail to comply with [...] the requirements of this subpart (the Privacy Rule) or subpart D of this part (the Breach Notification Rule)". For this reason, it is important that all members of the workforce receive HIPAA training.
Organizations that require advice on the roles of HR and HIPAA sanction policies are advised to speak with a compliance professional. The HIPAA standards that apply to self-insured group health plans can vary depending on the size of the plan and whether or not it is administered in-house or by a third party administrator, and it is not always clear which standards apply in specific circumstances.
