
9 HIPAA Compliance Requirements HR Must Master to Secure Employee Health Data in 2026
HIPAA governs every HR function that touches Protected Health Information — self-funded health plans, FMLA certifications, ADA accommodations, and EAP contracts. These 9 requirements, ranked by OCR enforcement frequency, give HR the operational framework to stay compliant, protect employees, and close the gaps auditors find first.
HIPAA is not a healthcare-only regulation. HR departments that administer self-funded health plans, process FMLA medical certifications, coordinate ADA accommodations, or contract with employee assistance programs handle Protected Health Information (PHI) — and HIPAA applies to every one of those functions. The compliance gaps that trigger OCR enforcement actions are rarely exotic. They are process failures: missing documentation, unconfigured access controls, unsigned vendor agreements, and undertrained staff.
The nine requirements below are ranked by enforcement frequency — starting with the controls that appear most often in OCR audit findings and corrective action plans. For the broader data security and privacy context, see how small HR teams can fix broken operations without burning out, 11 warning signs your inherited HR operation is bleeding money, and HRIS required fields vs. manual data validation.
| # | Requirement | Primary Risk If Missing | OCR Enforcement Frequency |
|---|---|---|---|
| 1 | Annual Risk Assessment | Primary violation in most enforcement actions | Very High |
| 2 | PHI Data Flow Mapping | Blind spots in protection and policy | High |
| 3 | Minimum Necessary Standard | Over-permissioned access, insider exposure | High |
| 4 | Business Associate Agreements | Liability for vendor-caused breaches | High |
| 5 | Employee Privacy Rights Workflows | Failure to honor access/amendment requests | Medium-High |
| 6 | Technical Safeguards | Unauthorized access, unencrypted transmission | Medium-High |
| 7 | Workforce Training | Social engineering, inadvertent disclosure | Medium |
| 8 | Breach Notification Procedures | Late reporting penalties, compounded liability | Medium |
| 9 | Retention and Disposal Controls | PHI exposure from discarded records | Medium |
1. Conduct and Document an Annual Risk Assessment
The risk assessment is the single most audited HIPAA control. OCR enforcement actions consistently cite its absence or inadequacy as the primary or contributing violation. A documented risk assessment identifies where PHI exists in your environment, what threats could compromise it, and what safeguards are already in place.
- Scope: Cover every system, workflow, and storage location where PHI is created, received, maintained, or transmitted — including paper files, email, HRIS platforms, and cloud storage.
- Frequency: Annually at minimum, and after any significant operational change: new technology, acquisitions, remote work expansion, or workforce restructuring.
- Output: A written risk analysis report with identified risks rated by likelihood and impact, existing controls documented, and a remediation plan with owners and deadlines.
- Common failure mode: Conducting an assessment but not documenting it, or documenting it without updating it after major changes.
No other HIPAA control compensates for a missing or stale risk assessment. This is where every compliance review starts — and where most enforcement actions end.
The HR triage risk mapping framework provides a structured approach for prioritizing the remediation work that follows a completed assessment.
2. Map Every PHI Data Flow Before Writing a Single Policy
You cannot protect data you cannot locate. A PHI data flow map documents where health information enters HR’s environment, how it moves through systems and workflows, who touches it, and where it exits or is stored long-term.
- Entry points to document: FMLA certification forms, ADA accommodation requests, benefits enrollment data containing diagnosis codes, EAP referral records, workers’ compensation medical documentation, biometric screening results from wellness programs.
- Common hidden flows: PHI transmitted via unsecured email, stored in shared drives with broad access, or captured in fields within general-purpose HR software not evaluated for HIPAA.
- Map format: A system-level inventory (what stores it) paired with a workflow-level map (who touches it and when) gives auditors what they need and gives HR a remediation roadmap.
- Integration point: The data map feeds directly into the risk assessment (Requirement 1) and access control design (Requirements 3 and 6).
A data map is not a compliance document — it is an operational tool that makes every other HIPAA requirement achievable. Without it, policies describe systems that no one has verified.
Expert Take
Most HR teams discover their biggest PHI exposure during the data mapping exercise — not during a breach. The shared drive with FMLA forms accessible by 40 people, the email thread with diagnosis codes cc’d to a manager who didn’t need them, the wellness vendor portal no one remembered was still active. Mapping forces the conversation that policy documents alone never do.
3. Apply the Minimum Necessary Standard to Every PHI Access Decision
The minimum necessary standard prohibits HR from using, disclosing, or requesting more PHI than is needed for the specific purpose at hand. This is the requirement HR most frequently violates — not through bad intent, but through over-permissioned access configurations.
- Manager communications: A manager approving FMLA leave needs the approved duration and any work restrictions — not the underlying diagnosis or medical records.
- HRIS access configurations: Role-based permissions that grant a benefits administrator simultaneous access to ADA files, FMLA documentation, and EAP referral notes exceed what any single role requires.
- Internal HR requests: When one HR team member requests PHI from another, the request should specify the purpose — and the recipient should disclose only what that purpose requires.
- Documentation requirement: Policies must define standard access levels by role and include a process for requesting access beyond those defaults with documented justification.
Audit your HRIS permission configurations against actual job functions. Most organizations find misalignment within the first review. The 9 HRIS configuration defaults every small HR team should change covers specific permission settings that create HIPAA exposure.
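The permission review described in this section can be scripted rather than done by eye. The example below is added here and is not code from the original post or from any HRIS vendor: it assumes a constructed CSV permission export, a hypothetical baseline of which PHI categories each job function needs, and a constructed exception register for access that was granted through the documented-justification process. Every role and category label is made up for the example.

```python
"""Minimum-necessary audit of HRIS role permissions.

Added example for this post; it is not code from the post's author or from
any HRIS vendor. The CSV export layout, the role names, the PHI category
labels, the baseline and the exception register are all constructed here.
"""
import csv
import io

# PHI categories an HRIS might hold (constructed labels).
PHI_CATEGORIES = {"FMLA_CERT", "ADA_FILE", "EAP_NOTES", "BENEFITS_DX", "WELLNESS_BIO"}

# Baseline: the PHI each job function legitimately needs (hypothetical policy).
# Managers receive approved duration and work restrictions through a different
# channel, so their PHI baseline is empty.
ROLE_BASELINE = {
    "benefits_admin": {"BENEFITS_DX"},
    "leave_coordinator": {"FMLA_CERT", "ADA_FILE"},
    "line_manager": set(),
    "hr_generalist": {"FMLA_CERT"},
}

# Exceptions granted through the access-request process with written
# justification on file (constructed ticket reference).
DOCUMENTED_EXCEPTIONS = {
    ("hr_generalist", "WELLNESS_BIO"): "ACC-0042 (placeholder ticket id)",
}

# Constructed HRIS permission export, one row per (role, permission).
SAMPLE_EXPORT = """\
role,permission,access
benefits_admin,BENEFITS_DX,read
benefits_admin,ADA_FILE,read
benefits_admin,EAP_NOTES,read
benefits_admin,PAYROLL_SUMMARY,read
leave_coordinator,FMLA_CERT,read_write
leave_coordinator,ADA_FILE,read_write
line_manager,FMLA_CERT,read
hr_generalist,FMLA_CERT,read
hr_generalist,WELLNESS_BIO,read
payroll_clerk,FMLA_CERT,read
"""


def parse_export(text):
    """Return {role: {phi_category, ...}}, ignoring non-PHI permissions."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["permission"] in PHI_CATEGORIES:
            grants.setdefault(row["role"], set()).add(row["permission"])
    return grants


def audit(grants, baseline=ROLE_BASELINE, exceptions=DOCUMENTED_EXCEPTIONS):
    """Return sorted (role, category, reason) findings.

    A grant is a finding when it exceeds the role's baseline and no documented
    exception covers it, or when the role has no baseline at all: PHI access
    that nobody defined is itself a gap.
    """
    findings = []
    for role, held in grants.items():
        if role not in baseline:
            for cat in sorted(held):
                findings.append((role, cat, "no baseline defined for role"))
            continue
        for cat in sorted(held - baseline[role]):
            if (role, cat) in exceptions:
                continue  # justified and on file; left to the periodic review
            findings.append((role, cat, "exceeds role baseline"))
    return sorted(findings)


def run_audit(text=SAMPLE_EXPORT):
    return audit(parse_export(text))


if __name__ == "__main__":
    for role, cat, reason in run_audit():
        print(f"{role:18} {cat:13} {reason}")
```

On the constructed export this reports the benefits administrator's ADA and EAP grants, the manager's FMLA certification access, and a payroll role that holds PHI without any defined baseline; the generalist's wellness access is suppressed because an exception is on file. The "no baseline" branch matters in practice: roles that were never mapped to a job function are where over-permissioning hides.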
4. Execute Business Associate Agreements Before Any Vendor Touches PHI
A Business Associate Agreement (BAA) is a legally required contract between your organization and any vendor that creates, receives, maintains, or transmits PHI on your behalf. No BAA means no HIPAA-compliant vendor relationship — regardless of how secure the vendor’s platform claims to be.
- Vendors that require a BAA: Benefits administration platforms, EAP providers, wellness program vendors, HRIS platforms configured to store PHI, background check services that process medical information, and any cloud storage provider holding PHI.
- BAA must include: Permitted uses and disclosures of PHI, vendor’s obligation to safeguard PHI, breach notification obligations to your organization, and provisions for returning or destroying PHI at contract termination.
- Enforcement pattern: OCR has pursued covered entities for vendor breaches where no BAA existed — the covered entity bears liability even when the vendor caused the breach.
- Process fix: Add BAA execution to your vendor onboarding checklist. No BAA signed means no system access.
Run a BAA audit across your current vendor stack. Missing agreements with active vendors are an immediate remediation priority.
5. Implement the Privacy Rule’s Core Employee Rights Obligations
The HIPAA Privacy Rule grants employees specific rights over their PHI when your organization is a covered entity or business associate. HR must build workflows to honor these rights within mandated timeframes.
- Right of access: Employees can request a copy of their PHI. The covered entity must provide it within 30 days (with one 30-day extension if needed). Denials require written explanation and must follow a defined review process.
- Right to amend: Employees can request corrections to PHI they believe is inaccurate. HR must accept, deny with written reasoning, or initiate an amendment process — within 60 days.
- Right to accounting of disclosures: Employees can request a list of disclosures made outside treatment, payment, and healthcare operations for the prior six years.
- Right to restrict disclosures: Employees can request restrictions on certain uses or disclosures. HR must have a documented process for evaluating and responding to these requests.
- Notices of Privacy Practices: A compliant NPP must be provided to employees at enrollment and made available upon request. It must accurately describe how PHI is used and disclosed.
The most common failure here is not bad policy — it is no workflow. Rights that exist on paper but have no intake process, no assigned owner, and no documented response timeline are rights that will be violated when an employee actually exercises them.
6. Implement Technical Safeguards for Electronic PHI
The HIPAA Security Rule requires specific technical controls for any electronic PHI (ePHI). These are not aspirational — they are required safeguards, and their absence is directly auditable.
- Access controls: Unique user IDs for every person accessing ePHI, automatic logoff from inactive sessions, and encryption or equivalent controls for data at rest.
- Audit controls: Hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI. Logs must be reviewable and retained.
- Transmission security: ePHI transmitted over any network must be encrypted. This includes email — standard unencrypted email is not a compliant transmission method for PHI.
- Authentication: Procedures to verify that a person seeking access to ePHI is who they claim to be. Multi-factor authentication satisfies this requirement for most systems.
- Device controls: Policies governing the use of workstations and mobile devices that access ePHI, including remote wipe capability for mobile devices.
The $27K overpayment case study illustrates what happens when HR data systems lack adequate access and validation controls — the same system vulnerabilities that create HIPAA exposure also create payroll exposure.
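The audit-controls safeguard above requires that activity logs be reviewable, not merely retained. The following is an added example, not code from the original post or from any HR system, of the kind of review an HR or security team can run over an ePHI access log. The log line layout, user names, record types, business-hours window and bulk-access threshold are all constructed for the example; a real deployment needs its own parser and tuned thresholds.

```python
"""Review of an ePHI access log for the HIPAA audit-controls safeguard.

Added example, not code from the original post or from any HRIS product.
The log format, users, record types and thresholds are constructed here.
Two checks are applied: PHI viewed outside business hours, and one user
viewing many distinct employees' records inside a short window.
"""
import re
from datetime import datetime, timedelta

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+) emp=(?P<emp>\S+)$"
)

# Constructed sample log. 2026-03-02 is a Monday; 2026-03-07 is a Saturday.
SAMPLE_LOG = """\
2026-03-02T10:00:12 user=asmith role=benefits_admin action=VIEW record=BENEFITS_DX emp=E1001
2026-03-02T10:03:40 user=asmith role=benefits_admin action=VIEW record=BENEFITS_DX emp=E1002
2026-03-02T22:01:05 user=jdoe role=leave_coordinator action=VIEW record=FMLA_CERT emp=E1042
2026-03-02T22:02:11 user=jdoe role=leave_coordinator action=VIEW record=FMLA_CERT emp=E1043
2026-03-02T22:02:58 user=jdoe role=leave_coordinator action=VIEW record=FMLA_CERT emp=E1044
2026-03-02T22:04:20 user=jdoe role=leave_coordinator action=VIEW record=FMLA_CERT emp=E1045
2026-03-02T22:05:02 user=jdoe role=leave_coordinator action=VIEW record=FMLA_CERT emp=E1046
2026-03-02T22:06:47 user=jdoe role=leave_coordinator action=VIEW record=FMLA_CERT emp=E1047
2026-03-07T11:15:00 user=bkim role=hr_generalist action=VIEW record=ADA_FILE emp=E1099
this line is not in the expected format and is skipped
"""

BUSINESS_HOURS = (7, 19)            # local hours [start, end) treated as normal
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                  # distinct employees viewed inside one window


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # worth counting in production: a parser gap hides activity
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def after_hours(ts):
    """Weekend, or outside the configured business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def review(events):
    """Return the set of (rule, user) pairs that warrant a reviewer's attention."""
    findings = set()
    by_user = {}
    for ev in events:
        if after_hours(ev["ts"]):
            findings.add(("AFTER_HOURS", ev["user"]))
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            window_start = ev["ts"] - BULK_WINDOW
            distinct = {e["emp"] for e in evs[:i + 1] if e["ts"] >= window_start}
            if len(distinct) >= BULK_THRESHOLD:
                findings.add(("BULK_ACCESS", user))
                break  # one finding per user is enough to open a review
    return findings


def review_log(text=SAMPLE_LOG):
    return review(parse_log(text))


if __name__ == "__main__":
    for rule, user in sorted(review_log()):
        print(f"{rule:12} {user}")
```

On the sample, the leave coordinator is flagged both for after-hours access and for viewing six employees' certifications in under ten minutes, and the generalist for a Saturday access; the benefits administrator's daytime activity produces nothing. Neither finding proves misuse, which is the point: audit controls exist so that someone reviews the activity and documents the outcome.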
Expert Take
Email is the most common ePHI transmission channel HR uses — and the least HIPAA-compliant one. Sending an FMLA certification, a medical leave approval, or an ADA accommodation letter over standard email is a violation waiting to be discovered. If your HR team is emailing PHI, encrypted email or a secure portal is not optional; it is the minimum.
7. Train Every Workforce Member Who Handles PHI — and Document It
The HIPAA Security Rule requires covered entities to train all workforce members on security policies and procedures. The Privacy Rule requires training appropriate to each person’s role. Both require documentation that training occurred.
- Who requires training: Any workforce member who creates, accesses, maintains, or transmits PHI — including HR staff, benefits administrators, payroll personnel who touch medical leave data, and managers who receive accommodation or restriction notices.
- Training must cover: What constitutes PHI, minimum necessary standard in practice, how to recognize phishing and social engineering targeting health data, how to handle a potential breach (who to notify, what not to do), and the specific policies governing their role.
- Frequency: Upon hire, annually thereafter, and upon any material change to policies or systems.
- Documentation: Training completion records with dates, content covered, and employee acknowledgment. OCR requests these records in every compliance review.
- Common gap: Training managers separately on what they can and cannot do with employee health information they receive. Managers are frequently the source of minimum necessary violations because they were never trained on what the standard requires of them.
For HR teams managing training alongside a full operational load, the real reason small HR teams burn out explains why compliance training routinely gets deferred — and what structural fixes prevent it.
8. Build and Test a Breach Notification Procedure
HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media when unsecured PHI is breached. The requirement is not just to notify — it is to notify within specific timeframes with specific content.
- Individual notification: Within 60 days of discovering a breach affecting any number of individuals. Notice must include what happened, what PHI was involved, what the organization is doing, and what individuals can do to protect themselves.
- HHS notification: Breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.
- Media notification: Breaches affecting 500 or more individuals in a state or jurisdiction require notification to prominent media outlets in that area within 60 days.
- Business associate notification: If a vendor (business associate) discovers a breach, they must notify the covered entity without unreasonable delay and no later than 60 days after discovery. This obligation belongs in every BAA.
- Breach risk assessment: Not every unauthorized access is a reportable breach. HIPAA provides a four-factor risk assessment to determine whether unauthorized PHI access poses a significant risk of harm. Document this assessment for every incident — including those that do not meet the breach threshold.
The procedure that exists only in a policy document will fail during an actual breach. Tabletop exercises — walking through a simulated breach from discovery to notification — identify gaps before they become enforcement problems.
9. Establish PHI Retention and Secure Disposal Controls
HIPAA does not set uniform retention periods for all PHI — federal law defers to state law for medical records in many cases, while the HIPAA Security Rule requires covered entities to retain documentation of security policies and procedures for six years. HR must navigate overlapping retention obligations and ensure that disposal is secure.
- Retention schedule requirements: FMLA records: three years. ADA accommodation records: duration of employment plus one year (longer under some state laws). I-9 records: three years from hire or one year after termination, whichever is later. Benefits plan records: six years under ERISA. Security-related HIPAA documentation: six years from creation or last effective date.
- Secure disposal for paper PHI: Cross-cut shredding or certified destruction by a vendor with a BAA. Recycling bins and standard trash are not compliant disposal methods for documents containing PHI.
- Secure disposal for electronic PHI: Wiping or physical destruction of storage media. Deleting files from a hard drive does not constitute secure disposal. Decommissioned devices require certified erasure or destruction.
- Retention schedule documentation: A written retention schedule that maps each PHI record category to its required retention period, storage location, and disposal method. This document must be accessible during an audit.
For HR teams that inherited records from a prior HR leader or system without a documented retention structure, the HR of one survival FAQ addresses how to approach inherited compliance gaps systematically.
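A written retention schedule can double as a worklist generator: given an inventory of records and today's date, it lists what is past its retention period and still held, together with the compliant disposal method. The example below is added here and is not from the original post. It encodes the retention periods this section lists; the record inventory, record ids, dates and "as of" date are constructed, and state-law extensions are flagged in a comment rather than computed.

```python
"""Retention schedule and secure-disposal worklist for HR records holding PHI.

Added example, not from the original post. The retention rules follow the
schedule listed in the post; the inventory, ids and dates are constructed.
"""
from datetime import date


def add_years(d, years):
    """Calendar-year arithmetic that survives a 29 February start date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=2, day=28)


def disposal_date(rec):
    """Earliest date a record may be securely disposed of, by category."""
    cat = rec["category"]
    if cat == "FMLA":
        return add_years(rec["created"], 3)
    if cat == "ADA":
        # Duration of employment plus one year; state law may require longer,
        # so records in this category deserve a legal review before disposal.
        return add_years(rec["terminated"], 1)
    if cat == "I9":
        # Three years from hire or one year after termination, whichever is later.
        return max(add_years(rec["hired"], 3), add_years(rec["terminated"], 1))
    if cat == "BENEFITS_PLAN":
        return add_years(rec["created"], 6)  # ERISA
    if cat == "HIPAA_SECURITY_DOC":
        # Six years from creation or from last effective date, whichever is later.
        return add_years(max(rec["created"], rec["last_effective"]), 6)
    raise ValueError(f"no retention rule for category {cat!r}")


def disposal_method(rec):
    """Compliant disposal for the record's medium, per the section above."""
    if rec["medium"] == "paper":
        return "cross-cut shred or certified destruction by a vendor under BAA"
    return "certified wipe or physical destruction of the storage media"


def disposal_worklist(inventory, as_of):
    """Records still held on or after their disposal date, with the method to use."""
    due = []
    for rec in inventory:
        d = disposal_date(rec)
        if d <= as_of:
            due.append((rec["id"], rec["category"], d.isoformat(), disposal_method(rec)))
    return sorted(due)


# Constructed inventory: ids and dates are made up for the example.
SAMPLE_INVENTORY = [
    {"id": "R-001", "category": "FMLA", "medium": "paper",
     "created": date(2022, 6, 15)},
    {"id": "R-002", "category": "ADA", "medium": "electronic",
     "terminated": date(2024, 9, 30)},
    {"id": "R-003", "category": "I9", "medium": "paper",
     "hired": date(2021, 2, 1), "terminated": date(2024, 9, 30)},
    {"id": "R-004", "category": "BENEFITS_PLAN", "medium": "electronic",
     "created": date(2019, 12, 31)},
    {"id": "R-005", "category": "HIPAA_SECURITY_DOC", "medium": "electronic",
     "created": date(2019, 5, 1), "last_effective": date(2021, 4, 1)},
]


def worklist_as_of(iso_date, inventory=SAMPLE_INVENTORY):
    """Convenience wrapper taking an ISO date string."""
    return disposal_worklist(inventory, date.fromisoformat(iso_date))


if __name__ == "__main__":
    for row in worklist_as_of("2026-01-15"):
        print(*row, sep=" | ")
```

Run as of 15 January 2026, the constructed inventory yields four records due for disposal and one security policy document that must be kept until 2027 because its last effective date, not its creation date, starts the six-year clock. The worklist is the document an auditor asks for: which records exist, when each becomes disposable, and how it will be destroyed.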
Expert Take
The most overlooked PHI disposal failure is not the shredder — it is the decommissioned laptop. HR teams upgrade equipment, return devices to IT, and move on without confirming that the hard drive containing years of accommodation records, medical certifications, and benefits data was ever wiped. Certified device disposal with documented chain of custody is not an IT problem. It is an HR compliance problem.
How These 9 Requirements Work Together
Each requirement reinforces the others. The risk assessment (1) cannot be complete without the data flow map (2). Access controls (3, 6) are only configurable once you know where PHI lives (2). BAAs (4) determine which vendor breach incidents trigger the notification procedure (8). Training (7) is what makes the minimum necessary standard (3) operational rather than theoretical.
Organizations that treat these as nine separate tasks — checking them off sequentially and independently — end up with compliance gaps at the seams. The requirement that was fully documented two years ago drifts out of compliance when a new HRIS is deployed, because the data map was never updated. The BAA that was signed at vendor onboarding was never updated to reflect the vendor’s expanded data processing scope.
HIPAA compliance is a continuous operational state, not a project with a completion date. The HR teams that maintain it sustainably are the ones that build it into standard operating procedures — vendor onboarding, system changes, role configuration, annual reviews — rather than treating it as a compliance project separate from daily work.
The 90-day HR triage plan framework provides a sequenced approach for HR teams that need to address multiple compliance gaps simultaneously without stalling on any single one.
Frequently Asked Questions
Does HIPAA apply to all employers, or only healthcare organizations?
HIPAA applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers — and their business associates. Employers become covered entities when they sponsor self-funded health plans. HR functions that administer those plans, process FMLA certifications, manage ADA accommodations using medical documentation, or contract with EAP providers handle PHI subject to HIPAA. Standard employer-employee relationships outside these specific functions are generally governed by other privacy frameworks, not HIPAA directly.
What is the difference between PHI and regular employee health information?
PHI (Protected Health Information) is health information that identifies an individual and is created, received, maintained, or transmitted by a covered entity or business associate. An employee’s general sick day usage tracked in payroll is not PHI. An FMLA certification that includes a diagnosis, treatment plan, or medical provider information is PHI. The distinction determines which protections apply.
What triggers an OCR investigation?
OCR investigates based on complaints filed by individuals and breach reports submitted by covered entities. Breach reports involving 500 or more individuals trigger immediate investigation. Smaller breaches are reviewed periodically. OCR also conducts proactive audits of covered entities and business associates. The most common complaint triggers are failures to provide individuals with access to their PHI and impermissible disclosures.
Is encrypted email sufficient for transmitting PHI?
Yes — encrypted email that meets NIST standards satisfies HIPAA’s transmission security requirement for ePHI. Standard unencrypted email does not. HR teams that send medical certifications, accommodation letters, or benefits records via standard email are out of compliance with the Security Rule’s transmission security standard.
How long must HR retain HIPAA-related documentation?
The HIPAA Security Rule requires covered entities to retain documentation of security policies, procedures, and their implementation for six years from the date of creation or the date it was last in effect, whichever is later. This applies to risk assessments, training records, BAAs, breach incident documentation, and policy documents. Retention of actual PHI follows applicable state law and the specific record type’s requirements.
Additional Reading
- Drowning in Admin: How Solo and Small HR Teams Can Fix Broken HR Operations Without Burning Out
- 11 Warning Signs Your Inherited HR Operation Is Bleeding Money
- HRIS Required Fields vs Manual Data Validation: Which Is Safer for Small HR Teams?
- 9 HRIS Configuration Defaults Every Small HR Team Should Change
- What Is HR Triage Risk Mapping? How HR Leaders Prioritize Inherited Messes
- How to Build a 90-Day HR Triage Plan Your CEO Will Sign
- HR of One Survival FAQ: Inherited Operations Questions Answered
- The $27K Overpayment: How One HRIS Data Entry Mistake Cost a Manufacturer a Year of Salary
- The Real Reason Small HR Teams Burn Out: It’s Not the Workload
- In-House HR Cleanup vs Fractional HR Consultant: 2026 Decision Guide
- What Is a Minimum Viable HR Process? A Plain-Language Definition
- How to Audit Inherited I-9 Records Without Creating New Violations
- How to Reconcile a Broken Benefits Carrier Feed: Step by Step
- 9 EEOC AI Compliance Requirements HR Teams Must Meet in 2026
- How HR Can Fix Broken Hiring Processes: Reducing Candidate Frustration Without Slowing Down the Business

