In 2023, a mid-sized employer's HR department forwarded an employee's medical certification for FMLA leave to the employee's direct supervisor — unredacted, with full diagnosis details. The employee filed a complaint, and what followed was a painful lesson in HIPAA HR compliance that cost the organization both financially and reputationally. HR teams handle protected health information more often than most realize, and the regulatory consequences of getting it wrong are severe.

Where HIPAA HR Compliance Actually Applies — and Where It Doesn't

One of the most persistent misconceptions I encounter in my work with covered entities is the belief that HIPAA doesn't apply to HR departments. The reality is more nuanced. HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their business associates.

Here's where HR gets pulled in: most employers of any significant size sponsor a group health plan, making them a covered entity under HIPAA with respect to that plan. The Privacy Rule at 45 CFR §164.504(f) specifically addresses the use and disclosure of protected health information (PHI) by employer-sponsored group health plans. Your HR staff who administer that plan are handling PHI — and they're subject to HIPAA's full requirements.

Even when HIPAA doesn't technically apply — such as employment records maintained under the ADA or FMLA — HR departments still benefit from treating employee health data with HIPAA-level rigor. OCR enforcement actions have repeatedly demonstrated that sloppy health data practices invite regulatory scrutiny across multiple federal statutes.

The Five PHI Touchpoints Every HR Team Must Audit

HR departments interact with employee health information at more points than most compliance officers initially identify. A thorough audit should examine at least these five areas:

  • Group health plan administration: Enrollment forms, claims disputes, premium payment records, and coordination of benefits all involve PHI governed by the Privacy Rule.
  • FMLA and ADA documentation: Medical certifications, fitness-for-duty evaluations, and reasonable accommodation requests contain sensitive health data that must be stored separately from general personnel files.
  • Workers' compensation records: While workers' comp is generally exempt from HIPAA, the health information within these records often overlaps with group health plan data.
  • Wellness program data: Biometric screenings, health risk assessments, and incentive program records can constitute PHI when connected to the group health plan.
  • Employee Assistance Program (EAP) referrals: If your EAP is part of the group health plan rather than a standalone employer benefit, participant information is PHI.

Your organization should map every point where HR personnel access, store, or transmit health information. This exercise is foundational to the risk analysis required under the HIPAA Security Rule at 45 CFR §164.308(a)(1).

Firewall Requirements Between HR and the Group Health Plan

The Privacy Rule requires what's commonly called a "firewall" between the group health plan and the employer-sponsor. Under 45 CFR §164.504(f)(2), plan documents must restrict access to PHI to only those employees who need it for plan administration functions.

In practice, this means your organization must identify — by name or by job title — every HR employee authorized to access PHI from the group health plan. Those individuals must receive specific training on permissible uses and disclosures. Unauthorized employees who access plan PHI create a HIPAA violation, regardless of intent.

Healthcare organizations consistently struggle with this firewall when HR generalists wear multiple hats. If the same person handles benefits enrollment and performance management, you need documented policies that prevent PHI from bleeding into employment decisions. OCR has made clear in guidance documents that the minimum necessary standard applies: HR staff should access only the PHI needed for the specific plan administration task at hand.

The Workforce Training Requirement Most HR Departments Underestimate

Under 45 CFR §164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. For HR departments, this isn't a one-time onboarding checkbox. Training must occur when employees join the organization, when roles change, and when policies are materially revised.

The biggest gap I see is HR departments that train clinical staff rigorously but treat administrative workforce training as an afterthought. Your HR team members who administer the group health plan need role-specific HIPAA training — not a generic overview deck from 2018. Comprehensive HIPAA training and certification programs should cover the Privacy Rule obligations specific to plan administration, breach identification, and the minimum necessary standard.

Documentation matters enormously here. OCR investigators routinely request training records during compliance reviews. If you cannot produce evidence that every HR employee with PHI access completed appropriate training, you've handed investigators a finding on a silver platter.

Breach Notification Obligations HR Teams Cannot Ignore

When an HR employee impermissibly discloses PHI — even internally — it triggers the breach analysis process under the Breach Notification Rule at 45 CFR §§164.400-414. The 2013 Omnibus Rule shifted the burden of proof: an impermissible use or disclosure is presumed to be a breach unless your organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI was compromised.

Common HR-originated breaches include misdirected emails containing benefits information, unsecured filing cabinets with medical certifications, and verbal disclosures of health conditions to unauthorized managers. Each of these requires documented analysis, and breaches affecting 500 or more individuals must be reported to OCR within 60 days.

Penalties are not theoretical. OCR's enforcement database shows settlements regularly reaching six and seven figures for systemic failures. Even smaller breaches, if they reveal a pattern of non-compliance, can trigger corrective action plans that consume HR resources for years.

Building a Sustainable HIPAA HR Compliance Program

Effective HIPAA HR compliance requires more than policies on a shelf. It demands ongoing operational discipline:

  • Conduct annual risk analyses that specifically address HR's handling of PHI from the group health plan.
  • Maintain a current Notice of Privacy Practices for the group health plan and ensure it's distributed to participants as required.
  • Establish incident response procedures so HR staff know exactly what to do when a potential breach occurs — who to notify, how to document, and what timelines apply.
  • Audit access logs quarterly to verify that only authorized HR personnel are accessing plan PHI.
  • Partner with business associates carefully. Your benefits brokers, third-party administrators, and payroll vendors who access PHI must have current business associate agreements in place.
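
As an added illustration (not code from the original article) of the quarterly access-log audit and the roster-plus-training checks described above: the script below reconciles constructed benefits-portal log lines against a hypothetical roster of staff named in the plan documents and their training dates. All user ids, titles, dates and log lines are constructed samples.

```python
"""Added example, not from the article: a quarterly review that reconciles
group-health-plan PHI access logs against the roster of staff authorized
under the plan documents and against their training records. All names,
dates and log lines are constructed samples."""
from datetime import date

# Constructed roster of workforce members the plan documents authorize for
# plan-administration functions, with the date of their last HIPAA training.
ROSTER = {
    "jdoe": {"title": "Benefits Administrator", "trained": date(2024, 2, 1)},
    "asmith": {"title": "HR Benefits Specialist", "trained": date(2023, 6, 15)},
}
# Date the plan's privacy policies were last materially revised; training
# completed before this date does not cover the current policies.
POLICY_REVISED = date(2024, 1, 10)

# Constructed sample from a hypothetical benefits-portal audit log:
# ISO date, user id, action, record type.
ACCESS_LOG = """\
2024-03-04 jdoe VIEW enrollment
2024-03-04 asmith VIEW claims_dispute
2024-03-05 bjones VIEW claims_dispute
2024-03-06 jdoe VIEW premium_payment
2024-03-07 bjones VIEW enrollment
"""

def parse_log(text):
    """Turn each non-empty log line into a (date, user, action, record) tuple."""
    events = []
    for line in text.splitlines():
        if line.strip():
            d, user, action, record = line.split()
            events.append((date.fromisoformat(d), user, action, record))
    return events

def audit(events, roster, policy_revised):
    """Return one finding per problematic access, in log order.
    'unauthorized': user not named in the plan documents (a violation
    regardless of intent, so every access is listed, not just the first).
    'training_stale': authorized user whose last training predates the
    current policies (a training-record gap an investigator would flag)."""
    findings = []
    for d, user, action, record in events:
        member = roster.get(user)
        if member is None:
            findings.append(("unauthorized", d, user, action, record))
        elif member["trained"] < policy_revised:
            findings.append(("training_stale", d, user, action, record))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(ACCESS_LOG), ROSTER, POLICY_REVISED):
        print(*finding)
```

Each "unauthorized" finding is a candidate for the breach analysis described in the previous section; each "training_stale" finding is a documentation gap to close before the next review.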

If your organization is looking to build a culture of compliance across your entire workforce — not just clinical staff — investing in a structured workforce HIPAA compliance program is the most effective starting point. It signals to OCR that your organization takes its obligations seriously and gives your HR team the knowledge they need to handle PHI correctly every day.

Stop Treating HR as a HIPAA Afterthought

The regulatory landscape around HIPAA HR compliance is not getting simpler. OCR continues to expand its enforcement focus beyond clinical settings, and HR departments that handle group health plan data without adequate safeguards are increasingly in the crosshairs. Audit your PHI touchpoints, train your people with role-specific rigor, and document everything. Your HR team deserves the same compliance infrastructure you'd build for any department handling protected health information.