9 HIPAA Compliance Requirements HR Must Master to Secure Employee Health Data

Published on: August 12, 2025


HIPAA is not a healthcare-only regulation. HR departments that administer self-funded health plans, process FMLA medical certifications, coordinate ADA accommodations, or contract with employee assistance programs handle Protected Health Information (PHI) — and HIPAA applies to every one of those functions. The broader framework is covered in depth in the parent guide, Secure HR Data: Compliance, AI Risks, and Privacy Frameworks. This article focuses on the nine specific HIPAA requirements HR must operationalize to stay compliant, protect employees, and avoid OCR enforcement.

The nine requirements below are ranked by enforcement frequency — starting with the controls that appear most often in OCR audit findings and corrective action plans, moving toward controls that are critical but less commonly cited as the primary violation.


1. Conduct and Document an Annual Risk Assessment

The risk assessment is the single most audited HIPAA control. OCR enforcement actions consistently cite its absence or inadequacy as the primary or contributing violation. A documented risk assessment identifies where PHI exists in your environment, what threats could compromise it, and what safeguards are already in place.

  • Scope: Cover every system, workflow, and storage location where PHI is created, received, maintained, or transmitted — including paper files, email, HRIS platforms, and cloud storage.
  • Frequency: Annually at minimum, and after any significant operational change: new technology, acquisitions, remote work expansion, or workforce restructuring.
  • Output: A written risk analysis report with identified risks rated by likelihood and impact, existing controls documented, and a remediation plan with owners and deadlines.
  • Common failure mode: Conducting an assessment but not documenting it, or documenting it without updating it after major changes.

Verdict: No other HIPAA control compensates for a missing or stale risk assessment. Start here.


2. Map Every PHI Data Flow Before Writing a Single Policy

You cannot protect data you cannot locate. A PHI data flow map documents where health information enters HR’s environment, how it moves through systems and workflows, who touches it, and where it exits or is stored long-term.

  • Entry points to document: FMLA certification forms, ADA accommodation requests, benefits enrollment data containing diagnosis codes, EAP referral records, workers’ compensation medical documentation, biometric screening results from wellness programs.
  • Common hidden flows: PHI transmitted via unsecured email, stored in shared drives with broad access, or captured in fields within general-purpose HR software not evaluated for HIPAA.
  • Map format: A system-level inventory (what stores it) paired with a workflow-level map (who touches it and when) gives auditors what they need and gives HR a remediation roadmap.
  • Integration point: The data map feeds directly into the risk assessment (Requirement 1) and access control design (Requirement 3).

Verdict: A data map is not a compliance document — it is an operational tool that makes every other HIPAA requirement achievable.


3. Apply the Minimum Necessary Standard to Every PHI Access Decision

The minimum necessary standard prohibits HR from using, disclosing, or requesting more PHI than is needed for the specific purpose at hand. This is the requirement HR most frequently violates — not through bad intent, but through over-permissioned access configurations.

  • Manager communications: A manager approving FMLA leave needs the approved duration and any work restrictions — not the underlying diagnosis or medical records.
  • HRIS access configurations: Role-based permissions that grant a benefits administrator simultaneous access to ADA files, FMLA documentation, and EAP referral notes exceed what any single role requires.
  • Internal HR requests: When one HR team member requests PHI from another, the request should specify the purpose — and the recipient should disclose only what that purpose requires.
  • Documentation requirement: Policies must define standard access levels by role and include a process for requesting access beyond those defaults with documented justification.

Verdict: Audit your HRIS permission configurations against actual job functions. Most organizations will find misalignment within the first review.
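The permission audit this Verdict calls for, as an added example that is not part of the original article: it compares an exported HRIS role-to-permission map against a minimum-necessary baseline and flags PHI grants that neither the role's job function nor a documented, approved exception justifies. The role names, PHI categories, export format and sample data are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# PHI categories HR commonly holds (the article's own examples); constructed names.
PHI_CATEGORIES = {"fmla_certification", "ada_file", "eap_referral", "benefits_diagnosis"}

# Hypothetical minimum-necessary baseline: what each job function actually needs.
ROLE_BASELINE = {
    "leave_administrator": {"fmla_certification"},
    "accommodations_specialist": {"ada_file"},
    "benefits_administrator": {"benefits_diagnosis"},
    "eap_coordinator": {"eap_referral"},
    "people_manager": set(),   # leave dates and restrictions only, never the medical file
}

@dataclass(frozen=True)
class AccessException:
    """A documented, approved grant beyond the role's default access."""
    role: str
    category: str
    justification: str
    approved_by: str

def audit_permissions(config: dict[str, set[str]],
                      exceptions: tuple[AccessException, ...] = ()) -> dict[str, list[str]]:
    """Return {role: [excess PHI categories]} for grants that neither the baseline
    nor a documented exception covers. A role absent from the baseline is flagged on every PHI grant."""
    approved = {(e.role, e.category) for e in exceptions
                if e.justification and e.approved_by}
    findings: dict[str, list[str]] = {}
    for role, granted in config.items():
        phi_granted = set(granted) & PHI_CATEGORIES
        baseline = ROLE_BASELINE.get(role, set())
        excess = {c for c in phi_granted - baseline if (role, c) not in approved}
        if excess:
            findings[role] = sorted(excess)
    return findings

# Constructed sample export: the over-permissioned benefits administrator the
# article describes, a manager with a stray FMLA grant, and a clean role.
SAMPLE_CONFIG = {
    "benefits_administrator": {"benefits_diagnosis", "ada_file",
                               "fmla_certification", "eap_referral", "payroll"},
    "people_manager": {"leave_dates", "work_restrictions", "fmla_certification"},
    "eap_coordinator": {"eap_referral"},
    "wellness_vendor_sync": {"benefits_diagnosis"},   # service account, not in baseline
}
SAMPLE_EXCEPTIONS = (
    AccessException("benefits_administrator", "ada_file",
                    "Covers accommodations queue during staff leave", "Privacy Officer"),
)

if __name__ == "__main__":
    for role, cats in audit_permissions(SAMPLE_CONFIG, SAMPLE_EXCEPTIONS).items():
        print(f"{role}: excess PHI access -> {', '.join(cats)}")
```

Run it against a real role export by replacing SAMPLE_CONFIG with the parsed export and ROLE_BASELINE with the access levels your policy defines per role (Requirement 3's documentation requirement).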


4. Execute Business Associate Agreements Before Any Vendor Touches PHI

A Business Associate Agreement (BAA) is a legally required contract between your organization and any vendor that creates, receives, maintains, or transmits PHI on your behalf. No BAA means no HIPAA-compliant vendor relationship — regardless of how secure the vendor’s platform is.

  • Vendors that require a BAA: Benefits administration platforms, EAP providers, wellness program vendors, HRIS platforms configured to store PHI, background check services that process medical information, and any cloud storage provider holding PHI.
  • BAA must include: Permitted uses and disclosures of PHI, vendor’s obligation to safeguard PHI, breach notification obligations to your organization, and provisions for returning or destroying PHI at contract termination.
  • Enforcement pattern: OCR has pursued covered entities for vendor breaches where no BAA existed — the covered entity bears liability even when the vendor caused the breach.
  • Process fix: Add BAA execution to your vendor onboarding checklist. No BAA signed = no system access. See the broader guidance on third-party HR data security and vendor risk management.

Verdict: Run a BAA audit across your current vendor stack. Missing agreements with active vendors are an immediate remediation priority.


5. Implement the Privacy Rule’s Core Employee Rights Obligations

The HIPAA Privacy Rule grants employees specific rights over their PHI when your organization is a covered entity or business associate. HR must build workflows to honor these rights within mandated timeframes.

  • Right of access: Employees may request copies of their PHI held by the health plan. Requests must be fulfilled within 30 days, with one 30-day extension permitted if the employee is notified.
  • Right to amend: Employees may request corrections to PHI they believe is inaccurate. HR must accept, deny with written explanation, or forward to the originating covered entity within 60 days.
  • Right to an accounting of disclosures: Employees may request a log of non-routine PHI disclosures for the past six years. HR must maintain this log proactively — it cannot be reconstructed after the fact.
  • Notice of Privacy Practices (NPP): Your self-funded health plan must distribute a current NPP to all plan participants and make it available upon request.

Verdict: These are not aspirational rights — they are enforceable obligations with specific timeframes. Build response workflows into your HR operations before you receive the first request.


6. Deploy Administrative Safeguards Across HR’s PHI Workflows

Administrative safeguards are the policies, procedures, and people-side controls that govern how PHI is managed day-to-day. They form the backbone of HIPAA’s Security Rule for HR teams.

  • Designated Security Official: HIPAA requires a named individual responsible for developing and implementing security policies. In HR-specific contexts, this person coordinates with the organization’s broader Privacy Officer.
  • Workforce training: All HR staff with access to PHI must receive HIPAA training at hire and at least annually thereafter. Training records must be retained for six years.
  • Sanction policy: Written sanctions for HIPAA violations must exist and be applied consistently. Documented, consistent enforcement is the standard — not discretionary case-by-case responses.
  • Contingency planning: HR must have a documented plan for maintaining access to PHI during emergencies, including data backup procedures and disaster recovery protocols for systems holding ePHI.

Verdict: Administrative safeguards are where most HIPAA programs have the largest documentation gaps. Written policies that are never trained on, or sanctions that exist on paper but are applied inconsistently, create enforcement risk.


7. Enforce Physical Safeguards for PHI in HR Workspaces

Physical safeguards address the tangible environments where PHI is stored or accessed — both paper-based and electronic. Remote and hybrid work has expanded the physical safeguard perimeter beyond the HR office.

  • Facility access controls: Spaces where PHI is stored — file rooms, HR offices, server rooms — must have controlled access. Visitor logs and keycard records provide the audit trail.
  • Workstation use policies: HR workstations that access ePHI must enforce screen locks, be positioned to prevent unauthorized viewing, and follow clear-desk protocols for paper PHI.
  • Device and media controls: Policies governing the use of laptops, USB drives, and mobile devices that may access or store ePHI — including encryption requirements and remote wipe capability for lost or stolen devices.
  • Remote work extension: HR staff working from home access ePHI from environments your organization does not physically control. Policies must address home network security, screen privacy, and secure document handling for paper PHI.

Verdict: Physical safeguards often lag behind technical controls in HR environments. Remote work has made this gap more consequential — not less.


8. Deploy Technical Safeguards to Protect ePHI at Rest and in Transit

Technical safeguards are the technology controls required to protect electronic PHI. HIPAA specifies required and addressable implementation specifications — but “addressable” does not mean optional; it means you must implement the specification where it is reasonable and appropriate, or document why it is not and what equivalent alternative measure you adopted instead.

  • Access controls (required): Unique user IDs for all HR staff accessing ePHI. Automatic logoff after inactivity. Emergency access procedures for system outages.
  • Audit controls (required): Hardware, software, and procedural mechanisms that log access to ePHI. Logs must be retained and reviewed — not just collected.
  • Encryption (addressable): ePHI in transit must be encrypted. At-rest encryption for stored ePHI is addressable but widely adopted as the de facto standard. Unencrypted PHI on a lost laptop triggers automatic breach notification obligations.
  • Transmission security (addressable): Email containing PHI must use encrypted messaging or secure portal delivery — standard email is not HIPAA-compliant for PHI transmission.

Verdict: Technical safeguards are the area where HR most frequently depends on IT or vendor controls without verifying those controls meet HIPAA requirements. Verify — do not assume.


9. Execute the Breach Notification Rule on a Defined Response Timeline

When a breach of unsecured PHI occurs, the Breach Notification Rule dictates exactly who must be notified, when, and how. Delayed or incomplete notification is itself a HIPAA violation.

  • Individual notification: Written notice to each affected individual within 60 calendar days of discovery. The notice must include a description of what happened, the types of PHI involved, steps taken to mitigate harm, and steps individuals can take to protect themselves.
  • HHS notification — large breaches: Breaches affecting 500 or more individuals in a state require simultaneous notification to HHS and prominent media outlets in that state within 60 days of discovery.
  • HHS notification — small breaches: Breaches affecting fewer than 500 individuals are logged in a breach log and reported to HHS annually, no later than 60 days after the end of the calendar year.
  • Breach response plan requirement: HR must have a documented breach response plan before a breach occurs — not written in response to one. The plan should designate a response team, define notification workflows, and include template communications.
  • Safe harbor — encryption: Encrypted PHI that is lost or stolen does not trigger breach notification obligations, provided the encryption key was not also compromised. This is the strongest operational argument for full encryption of ePHI at rest.

Verdict: The 60-day clock starts at discovery — not at the completion of your investigation. Build your breach response capability now, not after the incident.
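As an added example that is not from the original article, this Python helper turns the Requirement 9 timeline into a deadline calculator: sixty calendar days from discovery for individual notice, HHS and state media notice for large breaches, annual HHS reporting for small ones, and the encryption safe harbor. Assumptions: the event and plan structures and the scenarios are constructed here; the sixty-day HHS trigger keys on 500 or more individuals in total (the regulation's threshold), while media notice keys on the per-state count the article gives.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # calendar days, counted from discovery
LARGE_BREACH = 500

@dataclass
class BreachEvent:                    # constructed structure for this example
    discovered: date                  # discovery date, not investigation close
    affected_by_state: dict[str, int] # state -> individuals affected
    encrypted: bool = False
    key_compromised: bool = False

@dataclass
class NotificationPlan:
    safe_harbor: bool
    individual_deadline: date | None = None
    hhs_deadline: date | None = None
    media_states: list[str] = field(default_factory=list)

def plan_notifications(event: BreachEvent) -> NotificationPlan:
    """Derive notification deadlines from the discovery date and affected counts."""
    # Safe harbor: encrypted PHI whose key was not compromised is not "unsecured".
    if event.encrypted and not event.key_compromised:
        return NotificationPlan(safe_harbor=True)
    within_60 = event.discovered + NOTICE_WINDOW
    total = sum(event.affected_by_state.values())
    # Media notice is per state, using the article's 500-in-a-state threshold.
    media = sorted(s for s, n in event.affected_by_state.items() if n >= LARGE_BREACH)
    if total >= LARGE_BREACH:
        hhs = within_60   # contemporaneous with individual notice (regulatory total)
    else:
        # Small breach: logged, then reported within 60 days of the calendar year end.
        hhs = date(event.discovered.year, 12, 31) + NOTICE_WINDOW
    return NotificationPlan(False, within_60, hhs, media)

# Constructed scenarios, all discovered on the article's publication date.
DISCOVERED = date(2025, 8, 12)
LARGE = BreachEvent(DISCOVERED, {"TX": 620, "OK": 40})
SMALL = BreachEvent(DISCOVERED, {"TX": 120})
ENCRYPTED_LAPTOP = BreachEvent(DISCOVERED, {"TX": 900}, encrypted=True)
KEY_LEAKED = BreachEvent(DISCOVERED, {"TX": 900}, encrypted=True, key_compromised=True)

if __name__ == "__main__":
    for name, ev in [("large", LARGE), ("small", SMALL),
                     ("encrypted laptop", ENCRYPTED_LAPTOP), ("key leaked", KEY_LEAKED)]:
        print(name, plan_notifications(ev))
```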


Putting All 9 Requirements Together

HIPAA compliance for HR is not a one-time project — it is an ongoing operational discipline. The nine requirements above interlock: the risk assessment reveals gaps in data mapping; the data map informs access controls; access controls feed into technical safeguards; and the breach response plan depends on all of the above being functional before an incident occurs.

For a broader view of how HIPAA sits within your organization’s full HR data security posture, the proactive HR data security blueprint covers the structural controls that complement HIPAA-specific requirements. For organizations building their privacy culture beyond regulatory compliance, see the guidance on building a data privacy culture in HR. When evaluating vendors who will handle PHI, the framework for vetting HR software vendors for data security compliance provides the due diligence structure.

The guide to essential HR data security practices for protecting PII covers the broader PII landscape that overlaps with HIPAA but extends to non-health data categories HR also manages. For organizations subject to state-level privacy laws alongside HIPAA, the HR data audits for compliance and risk reduction guide provides the assessment methodology to track all obligations in parallel.

HIPAA compliance is not separate from HR’s broader data security obligations — it is the most legally specific layer of them. Getting the nine requirements above right protects employees, limits organizational liability, and builds the trust that makes every other HR function more effective.


Frequently Asked Questions

Does HIPAA apply to HR departments?

Yes — when an HR department handles Protected Health Information on behalf of a self-funded employer health plan, it operates under HIPAA obligations equivalent to those of a covered entity. HR also triggers HIPAA when it acts as a business associate by receiving PHI from a covered entity to perform HR functions.

What employee health records are considered PHI under HIPAA?

PHI includes any individually identifiable health information tied to past, present, or future physical or mental health conditions. In HR contexts, this covers FMLA medical certifications, ADA accommodation documentation, EAP records, workers’ compensation medical records, and health benefits enrollment data that includes diagnosis or treatment information.

What is the minimum necessary standard in HIPAA?

The minimum necessary standard requires covered entities and business associates to limit PHI use, disclosure, and requests to the smallest amount needed to accomplish the intended purpose. For HR, this means an employee’s direct manager should not have access to the specific medical diagnosis behind an approved FMLA leave — only the approval status and duration.

What happens if an HR department violates HIPAA?

Civil penalties range from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category. Willful neglect that is not corrected can result in criminal referrals. Beyond financial penalties, OCR-mandated corrective action plans impose multi-year compliance obligations on the organization.

What is a Business Associate Agreement and when does HR need one?

A Business Associate Agreement (BAA) is a legally required contract between a covered entity or employer health plan and any vendor that creates, receives, maintains, or transmits PHI on its behalf. HR must obtain a BAA before deploying any HRIS, benefits administration platform, or EAP provider that will handle PHI.

How long does HR have to report a HIPAA breach?

Under the Breach Notification Rule, affected individuals must be notified within 60 calendar days of discovering a breach. Breaches affecting 500 or more individuals in a single state must be reported to HHS and prominent media outlets in that state simultaneously. Smaller breaches are logged and reported to HHS annually.

How often should HR conduct a HIPAA risk assessment?

HHS guidance and OCR enforcement patterns indicate that risk assessments should be conducted at least annually and after any significant operational change — new technology deployments, acquisitions, workforce restructuring, or a shift to remote or hybrid work models that changes how ePHI is stored or transmitted.

Can HR share an employee’s medical information with their manager?

Generally, no. HIPAA’s minimum necessary standard prohibits HR from disclosing specific medical diagnoses or treatment details to managers. HR may communicate work restrictions, leave duration, or accommodation requirements without disclosing the underlying medical condition.

What physical safeguards does HIPAA require for HR?

Physical safeguards include facility access controls that limit who can enter spaces where PHI is stored, workstation use policies that prevent unauthorized viewing of ePHI, and device and media controls governing how PHI is stored on laptops or removable media and how those devices are disposed of or reused.

Does HIPAA apply to wellness programs HR administers?

Yes, when a wellness program collects health information — biometric screenings, health risk assessments, or disease management data — and is tied to the employer’s group health plan, the data collected is PHI subject to HIPAA. HR must ensure the program vendor has a valid BAA and that data is handled under HIPAA-compliant protocols.