Whether you’re a covered entity with an HR department or a third-party HR consultant helping clients become HIPAA compliant, human resources and HIPAA compliance interact in numerous ways, and the two can be a challenge to integrate properly.
HIPAA pertains to the privacy and security of protected health information (PHI): individually identifiable health information held or transmitted by a covered entity or its business associates. Identifiers such as names, dates of birth, Social Security numbers, and payment information count as PHI when they are tied to an individual’s health condition, treatment, or payment for care. Many businesses handle this kind of sensitive data as a necessary part of operations, and in many organizations it passes through the HR department.

But when it comes to the privacy and security of this data, what role do human resources professionals need to play to maintain HIPAA compliance?

To answer this question, we need to break down the particulars of HIPAA regulation to understand the responsibility that employers and human resources professionals have in maintaining data privacy and security.

HIPAA for Employers and Protected Health Information

The HIPAA Privacy Rule governs how a health plan, health care provider, or other covered entity may use and share PHI. It does not regulate employers as such, but it does determine how and when a covered entity may lawfully release an employee’s PHI to that employee’s employer.

First, it’s important to realize that the Privacy Rule does not extend its protections to an employee’s employment records. This applies even if some of the information stored in those records is health-related, such as a doctor’s note submitted for sick leave. Under most circumstances, the Privacy Rule is not applicable to actions an employer takes with regard to employment records.

Human resources departments that maintain employment records are not bound by the HIPAA Privacy Rule and do not need to apply HIPAA’s federal privacy standards when handling, creating, or storing an employee’s records. (Other laws, such as the ADA and FMLA, still impose their own confidentiality requirements on employee medical information, so HR should keep such records separate from general personnel files.)

Even if the employer maintaining these records is a health plan or another covered entity, the Privacy Rule does not extend protections to records it holds in its capacity as an employer.

If an employee also happens to be a patient of the provider or a member of the health plan they work for, Privacy Rule standards apply to their PHI in the same way they apply to any other patient or member. The employer’s HR staff has no special right to see that information simply because the individual is an employee.

Human Resources HIPAA Compliance

The rule of thumb to remember here is that, in general, the HIPAA Privacy Rule governs how and when a health care provider or health plan may disclose patient information; it does not govern the act of an HR professional making a request.

In certain cases, HR departments do have a legitimate need for an employee’s health information, and the Privacy Rule permits the employee to authorize its release. In practice, HR and HIPAA compliance means that employers may request a doctor’s note or other health information if it’s required for:

  • processing sick leave
  • worker’s compensation benefits
  • wellness programs
  • health insurance

It’s important to note, though, that even though HR professionals may request this information from an employee’s health care provider, the provider cannot release it without the employee’s written authorization, apart from the limited disclosures the Privacy Rule permits without authorization, such as those required by workers’ compensation laws. The practical consequence for HR is to obtain the employee’s signed authorization before asking the provider, and to request only the information actually needed for the stated purpose.

Security, Privacy, and Compliance Officers

According to HIPAA regulation, covered entities must designate staff members to head their compliance efforts. The Security Rule requires a designated HIPAA Security Officer and the Privacy Rule requires a designated HIPAA Privacy Officer; many organizations also appoint a broader Compliance Officer to oversee the program as a whole.

HR professionals and departments in charge of staffing and hiring can have an important role in appointing employees to these positions.

Security, Privacy, and Compliance Officers act as administrators of the HIPAA rules within their organization. They are responsible for ensuring that policies and procedures are properly maintained and followed, and for meeting the specific regulatory requirements of the HIPAA Privacy and Security Rules, including risk analysis, workforce training, and documentation.

In the event of a HIPAA investigation or audit, these officers are the point of contact with government auditors and must be able to produce documentation of the organization’s HIPAA compliance. Officers should therefore have a record of leadership and experience with health care administration.

Sometimes the responsibility for assigning these roles is delegated to an IT department. If an HR professional is on staff, though, they can take on this responsibility in addition to the compliance work they already do, since staffing and documenting designated roles is squarely within HR’s remit.

Simplifying HR and HIPAA Compliance

Compliancy Group gives health care professionals confidence in their HIPAA compliance with The Guard™ HR software. The Guard is a web-based HIPAA compliance software for HR professionals, built by former auditors to help simplify compliance.

Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard HR compliance software is built to address the full extent of HIPAA regulation, including policies regarding employee health data and the HIPAA Privacy Rule.

With The Guard HR compliance software, health care professionals can focus on running their practice while keeping their patients’ data protected and secure.

Find out more about how Compliancy Group can help simplify your Human Resources HIPAA Compliance today!