What is PEO HIPAA?

A professional employer organization, or PEO, is a company that provides a variety of services to small and medium-sized businesses. These services include human resource consulting, safety and risk mitigation services, payroll processing, employer payroll tax filing, and health benefits administration. When a PEO operates an employer’s self-insured plan, the PEO is in effect acting as the plan, and must follow HIPAA regulations. The subject of PEO HIPAA is discussed below. 

What is PEO HIPAA? PEO Compliance with the HIPAA Privacy Rule
If the PEO is acting as the sponsor of a company’s group healthcare plan, the PEO is fully bound by the HIPAA Privacy Rule. PEO HIPAA Privacy Rule compliance has a number of components. The PEO must know how to identify protected health information (PHI), and must prevent its unauthorized use and disclosure. The PEO must ensure that any business associates with whom it enters into a relationship involving PHI are familiar with the HIPAA Privacy and Security Rules.

The PEO must enter into written business associate agreements with these business associates, under which the business associate agrees to implement measures to safeguard the ePHI it creates, maintains, receives, or transmits.

In some instances, written patient authorization is required before a PEO may share information with a provider, another health plan, or a business associate. PEO HIPAA compliance requires the PEO to know when authorization is required, and when a patient can request restriction of PHI uses and disclosures.

What is PEO HIPAA? When is Written Patient Authorization Not Required?

PEO HIPAA compliance requires knowledge of when the PEO is not required to obtain patient consent to or authorization for release of PHI. If a PEO is using PHI for the purposes of payment, treatment, or healthcare operations, patient authorization is not required. A patient does, however, have the right to request that the PEO restrict uses or disclosures of PHI about the patient to carry out treatment, payment, or healthcare operations. A patient also has the right to request that the PEO restrict uses or disclosures of PHI pertaining to certain public health activities.

Under PEO HIPAA rules, the PEO is not required to agree to a requested restriction. If, however, the PEO does agree to the restriction, the PEO may not turn around and use or disclose PHI in violation of the restriction. There is an “emergency treatment” exception to this prohibition. If the patient who requested the restriction requires emergency treatment, and the PHI that the PEO agreed to restrict is needed to provide that treatment, the PEO may use the restricted PHI, or disclose it to a provider so the provider can provide treatment.

What is PEO HIPAA? Must a PEO Comply with the HIPAA Security Rule?

PEO HIPAA compliance requires a PEO to be fully compliant with the HIPAA Security Rule. The Security Rule requires covered entities and business associates to implement measures to safeguard the confidentiality, integrity, and availability of electronic protected health information.