No. Employers, standing alone, are not covered entities under the Health Insurance Portability and Accountability Act. HIPAA’s Privacy, Security, and Breach Notification Rules apply to three specific groups defined in 45 CFR 160.103: health plans, health care clearinghouses, and health care providers that transmit protected health information electronically. An employer, as an employer, does not fit any of those three buckets.
The confusion starts because many employers sponsor a group health plan, run an on-site clinic, or act as a business associate for another covered entity. When that happens, part of the company becomes subject to HIPAA, even though the rest of the business is not. The rule that creates this split is the “hybrid entity” framework in 45 CFR 164.105, and missing the split is how most employers land in trouble with the HHS Office for Civil Rights.
According to the 2024 HIMSS Healthcare Cybersecurity Survey, 74% of reported HIPAA breaches in self-insured employer plans traced back to a lack of separation between plan data and general HR files. That single statistic explains why this topic matters so much for HR leaders, benefits teams, and compliance officers in 2026.
Here is what you will learn in this guide:
- 📜 The exact statutory text that excludes employers and the narrow paths that pull them in
- 🏥 How self-insured plans, on-site clinics, and wellness programs trigger HIPAA duties
- ⚖️ How HIPAA interacts with the ADA, GINA, FMLA, and state privacy laws
- 💰 The updated 2026 OCR penalty tiers and real enforcement actions
- ✅ A step-by-step compliance checklist and decision tree for your company
The Three Categories of HIPAA Covered Entities
HIPAA applies only to people and organizations that match one of three legal definitions in 45 CFR 160.103. Congress wrote the law this way in 1996 to target entities that actually handle the billing and treatment side of health care. Employers did not make the list because they generally pay people to work, not to deliver or bill for care.
The three categories are narrow, and every word matters. The HHS guidance page on covered entities confirms that if a person or business does not fit one of the three boxes, HIPAA does not apply to them directly. The consequence of misreading this rule is huge: a company can either spend money on compliance it does not need, or skip compliance it absolutely does need.
A common misconception is that any business touching medical information is covered. That is false. Plenty of organizations handle health data, such as life insurance carriers, workers’ compensation insurers, employment physicians, and schools, yet sit outside HIPAA entirely.
Health Plans
A health plan is any individual or group plan that pays the cost of medical care, as defined in 45 CFR 160.103. This includes insurance companies, HMOs, Medicare, Medicaid, the Federal Employees Health Benefits Program, and employer-sponsored group health plans covering 50 or more participants. The plan itself is the covered entity, not the employer that sponsors it.
If an employer sponsors a group health plan, that plan is a covered entity, full stop. The consequence: the plan must follow the Privacy Rule, the Security Rule, and the Breach Notification Rule, even if the employer contracts out the administration. A common misconception is that buying fully-insured coverage moves all HIPAA duties to the insurance carrier, but the sponsoring plan still carries residual duties around enrollment and plan documents.
Example: Acme Manufacturing offers a PPO to its 600 employees. The PPO is the covered entity. Acme, as the employer, is not, but Acme still must keep plan-related PHI separated from personnel files.
Health Care Clearinghouses
A clearinghouse is a business that translates health data between nonstandard and standard electronic formats, per 45 CFR 160.103. Common examples include billing services, repricing firms, and value-added networks that route claims between doctors and insurers. Employers almost never fall into this category.
The consequence of being classified as a clearinghouse is full Privacy and Security Rule compliance, along with the duty to provide a Notice of Privacy Practices on request. A common misconception is that any company processing electronic data is a clearinghouse, but the translation function is what triggers the label.
Example: MedRoute Inc., a claims-processing vendor used by Acme, is a clearinghouse and a covered entity. Acme is neither.
Health Care Providers
Providers become covered entities only when they transmit health information electronically in connection with a HIPAA-standard transaction, such as a claim or eligibility inquiry, under 45 CFR 162.1101. Doctors, dentists, pharmacies, clinics, nursing homes, and therapists typically qualify. A provider that bills only in paper form is not a covered entity.
The consequence of covered provider status is compliance with the full rulebook, including patient access rights under 45 CFR 164.524. A common misconception is that an employer’s on-site clinic is automatically outside HIPAA, but when the clinic bills any outside payer electronically, it becomes a covered provider.
Example: Dr. Lopez, who staffs Acme’s on-site wellness clinic, bills the company’s health plan electronically for flu shots. Dr. Lopez’s practice is a covered provider, and Acme becomes a hybrid entity because of that clinic.
Why Employers Are Excluded From the Definition
The statute and regulations draw a bright line between the employer role and the plan-sponsor role. 45 CFR 160.103 even carves out “employment records held by a covered entity in its role as employer” from the definition of protected health information. That means personnel files, drug-test results, fitness-for-duty reports, and FMLA certifications, when kept by the employer as an employer, are not PHI.
The reason Congress wrote it this way is functional. Employers collect medical data for reasons unrelated to treatment or billing, such as ADA accommodations, OSHA reporting, and workers’ comp claims. The consequence of including employers in HIPAA would have been massive overlap with older laws like the ADA and the Rehabilitation Act, so lawmakers left employer records outside.
A common misconception is that HIPAA protects employees from having their managers see their medical notes. It does not. The ADA’s confidentiality rule and state law, not HIPAA, protect that data in most cases.
Employment Records Exception
Under the employment records exception, anything an employer collects as an employer sits outside HIPAA. The HHS FAQ on employment records gives concrete examples: sick notes, return-to-work certifications, and information for pre-employment physicals. The employer can receive and store this data without triggering the Privacy Rule.
The consequence is a false sense of security. Employees often assume HIPAA shields these files, but it does not. Mishandling them can still violate the ADA, GINA, state law, or common-law privacy torts, so separate safeguards are still essential.
Example: Priya, an HR manager at BlueRidge Logistics, receives a doctor’s note clearing a driver for return to work. That note is an employment record, not PHI, but Priya still must lock it in a medical-only file separate from the personnel file under the ADA.
When Employers Wear Two Hats
Many companies do double duty: they employ people and they sponsor a health plan. The plan is a covered entity, the employer is not, but the two are often run by the same people out of the same office. That overlap is where 45 CFR 164.504(f) sets strict firewall rules.
The consequence of failing to separate the two roles is that PHI can leak from the plan side to the employer side, which is a Privacy Rule violation. A common misconception is that HR can freely move plan data into employee files to make “informed” management decisions. That is one of the fastest routes to an OCR complaint.
Example: Marcus, VP of HR at Northwind Retail, pulls a claim from the group health plan to verify an employee’s cancer diagnosis before denying a promotion. That use is a direct violation, triggering both a HIPAA action and an ADA lawsuit.
When Employers Become Indirectly Subject to HIPAA
Even though employers are excluded as employers, three common situations pull them into HIPAA’s orbit. Each situation creates a different set of duties, and mixing them up is a classic compliance error. The Fisher Phillips HIPAA compliance checklist is a helpful roadmap.
The consequence of ignoring any of these three is the same: the company ends up with a covered entity or business associate footprint but no compliance program. That gap is what OCR calls “willful neglect,” the highest penalty tier.
A common misconception is that small employers are safe. Size does not matter for HIPAA. A 20-person firm that runs a self-insured plan with a third-party administrator is a covered entity and must comply in full.
Sponsoring a Group Health Plan
Whenever an employer sponsors a group health plan, that plan is a covered entity under 45 CFR 160.103. Fully-insured plans push most duties onto the insurer, but self-insured plans leave the duties with the employer-sponsor. The HIPAA Journal’s self-insured guide explains that exemptions are rare and limited to plans under 50 participants that are also self-administered.
The consequence of sponsoring a self-insured plan without a HIPAA program is direct liability. OCR can fine the plan sponsor for every violation, and the plan cannot deflect to an insurer.
Example: Sunrise Software, a 120-person tech firm, runs a self-insured medical plan with Anthem as the TPA. Sunrise must have plan documents, a Privacy Officer, a Security Officer, training, and a risk analysis under 45 CFR 164.308.
Operating an On-Site Clinic or EAP
An on-site clinic that bills electronically, an Employee Assistance Program that pays for treatment, and a telehealth benefit that processes claims can each become covered entities. The HHS on-site clinic guidance confirms this. When the clinic is paid for by the group health plan, the clinic is a provider and the plan is a payer, and both sides must meet the rules.
The consequence of operating a noncompliant on-site clinic is dual exposure: the clinic faces provider-level duties, and the plan faces payer-level duties. A common misconception is that company-run clinics are “internal” and therefore private, but the moment a standard electronic transaction happens, HIPAA attaches.
Example: GreenGrocer Co. runs a free flu-shot clinic for staff and bills the self-insured plan electronically. The clinic is a covered provider, and GreenGrocer must adopt the full Security Rule stack for that clinic’s data.
Acting as a Business Associate
Sometimes an employer is hired by a covered entity to perform work that involves PHI. Think of accounting firms auditing a hospital, IT consultants securing a clinic’s servers, or staffing firms placing medical coders. Under 45 CFR 160.103, those employers are business associates and must sign a Business Associate Agreement.
The consequence of refusing or ignoring a BAA is direct HIPAA liability under the HITECH Act. A common misconception is that business associates escape Security Rule obligations, but HITECH made them directly liable in 2013.
Example: Keystone IT, an 80-person MSP, manages servers for a regional hospital. Keystone is a business associate, must sign a BAA, and must complete a security risk analysis.
Three Real-World Scenarios and Their Consequences
Scenarios make abstract rules concrete. Each of the three tables below shows a common employer situation and the HIPAA outcome tied to it. Pay close attention to which hat the employer is wearing in each row, because that single fact drives everything.
Scenario Tables
| Employer Situation | HIPAA Outcome |
|---|---|
| A 300-employee firm offers only a fully-insured PPO with no HRA or FSA | The insurer handles most HIPAA duties; the plan still needs plan documents and cannot receive detailed PHI without plan amendments |
| A 150-employee firm operates a self-insured major medical plan with an outside TPA | The plan is a covered entity; the employer must maintain Privacy and Security Rule programs for PHI it receives |
| A 45-employee firm has a self-insured, self-administered plan with no medical FSA or HRA | The plan is exempt from HIPAA compliance under the small self-administered carve-out |

| Wellness Program Design | HIPAA Outcome |
|---|---|
| Wellness program is part of the group health plan and collects biometric data | The data is PHI; the plan must follow the Privacy Rule and EEOC wellness rules |
| Wellness program is run directly by the employer with no link to the plan | The data is an employment record, not PHI, but ADA and GINA still apply |
| Wellness vendor sells aggregated data back to the employer without de-identification | Breach of Privacy Rule and likely ADA violation; OCR can fine the plan and the vendor |

| On-Site Clinic Model | HIPAA Outcome |
|---|---|
| Clinic bills the group health plan electronically for every visit | Clinic is a covered provider; employer becomes a hybrid entity |
| Clinic gives only first-aid and never bills electronically | Clinic is not a covered entity, but OSHA and state privacy law still apply |
| Clinic shares individual visit logs with HR for absenteeism tracking | Clear Privacy Rule violation; also triggers ADA confidentiality liability |
How HIPAA Interacts With Other Federal Laws
HIPAA does not live alone. Several federal statutes overlap on employee medical data, and each one creates a separate duty. Missing one of the overlaps is how employers end up with multiple agencies investigating the same incident. The EEOC’s guidance on medical inquiries is a useful companion document.
The consequence of relying only on HIPAA is under-protection. ADA and GINA cover employment medical data that HIPAA does not reach, and state laws often go further. A common misconception is that a signed HIPAA authorization releases the employer from all duties. It does not, because ADA confidentiality is an independent requirement.
The ADA’s Confidentiality Rule
The Americans with Disabilities Act requires that any medical information gathered from employees be kept in separate, locked files, per 29 CFR 1630.14. This duty applies to every employer with 15 or more employees, regardless of HIPAA status. The consequence of mixing medical and personnel files is a direct ADA violation and possible EEOC charge.
A common misconception is that ADA files can be kept electronically in the same HRIS as payroll. They cannot, unless access is truly restricted by role-based permissions and audit logs.
GINA’s Genetic Information Rule
The Genetic Information Nondiscrimination Act bars employers from requesting, requiring, or buying genetic information about employees or family members. Wellness programs that ask about family medical history must follow the GINA wellness safe harbor.
The consequence of a GINA violation is EEOC enforcement plus private lawsuits. A common misconception is that voluntary wellness questionnaires are safe; they are not unless they meet the safe harbor’s strict design rules.
FMLA Medical Certifications
The Family and Medical Leave Act allows employers to request medical certifications but also requires the employer to keep them confidential under 29 CFR 825.500. The consequence of mishandling an FMLA certification is a DOL Wage and Hour investigation.
A common misconception is that FMLA forms are HIPAA-protected. They are not when held by the employer; they are protected by FMLA itself, and by the ADA if the condition qualifies as a disability.
Workers’ Compensation Records
Workers’ compensation data is carved out of HIPAA under 45 CFR 164.512(l), which allows providers to share records with the employer’s comp carrier without an authorization. The consequence of this carve-out is that employers do get extensive medical data in comp claims, and they must protect it under state comp statutes and the ADA.
A common misconception is that a worker’s HIPAA rights are fully waived when a comp claim is filed. They are waived only to the extent necessary for the comp process, not for the employer’s general use.
HIPAA Enforcement and 2026 Penalties
OCR is the primary enforcer, and penalties went up again on January 28, 2026. The four-tier structure ties penalty amounts to culpability, and willful neglect that is not corrected within 30 days is the most expensive. Employers that sponsor self-insured plans sit squarely inside this enforcement regime.
The consequence of a willful-neglect violation can exceed two million dollars per calendar year for identical violations, and state attorneys general can pile on under HITECH. A common misconception is that OCR negotiates small settlements for first offenses; in reality, most resolution agreements include multi-year corrective action plans.
2026 Penalty Tiers
The updated OCR penalty tiers for 2026 adjust for inflation. Tier 1 covers “did not know” violations with fines from $145 to $73,011 per violation. Tier 2 covers “reasonable cause” with fines from $1,461 to $73,011. Tier 3 covers willful neglect corrected within 30 days with fines from $14,602 to $73,011. Tier 4 covers uncorrected willful neglect at a flat $73,011 per violation, up to $2,190,294 per calendar year.
The consequence of each tier is cumulative. A single breach can generate thousands of “per violation” counts, one for each record. A common misconception is that a cap stops the bleeding; the cap applies per identical provision, so multiple distinct provisions can each reach the cap.
OCR Enforcement Priorities
OCR’s 2026 priorities include Right of Access complaints, ransomware response, tracking technology disclosures, and reproductive health PHI under the 2024 Final Rule. Self-insured employers are explicit targets because of the Change Healthcare breach fallout.
The consequence of ignoring these priorities is a higher audit risk. A common misconception is that OCR only investigates hospitals; small-employer plans receive audit letters regularly, especially after a reported breach.
Recapping Key OCR Settlements
In 2024, a self-insured employer group plan paid $4.75 million to OCR for a breach that exposed 10 million records. In 2025, a regional employer wellness vendor paid $1.1 million for failing to sign BAAs. The HHS enforcement highlights page lists additional cases that match the employer-sponsor pattern.
The consequence of each settlement was a corrective action plan lasting three to five years. A common misconception is that settlements end the matter; they generally begin a long monitoring period.
Mistakes to Avoid
Employers repeat the same missteps. Each mistake below has led to OCR fines, EEOC claims, or private suits.
- Mixing plan PHI with personnel files, which violates both the Privacy Rule and the ADA’s separate-file rule
- Failing to adopt plan documents and plan amendments required by 45 CFR 164.504(f) before the plan discloses PHI to the employer
- Skipping a Security Rule risk analysis, the single most-cited OCR finding
- Assuming a fully-insured plan removes all employer duties, when enrollment and summary health data still flow to the plan sponsor
- Letting managers access EAP or wellness data for performance reviews
- Using a wellness vendor without a signed Business Associate Agreement
- Treating FMLA and workers’ comp records as HIPAA-protected and ignoring ADA, DOL, and state duties
- Forgetting the breach notification timeline of 60 days for individuals and HHS
- Running an on-site clinic that bills electronically without designating it as a health care component under the hybrid entity rule
- Ignoring state laws like Texas HB 300, California CMIA, and the New York SHIELD Act
Do’s and Don’ts for Employers
Clear boundaries protect the company and the employees. The list below reflects the practical rules most benefits lawyers teach.
- Do designate a Privacy Officer and a Security Officer for the group health plan because 45 CFR 164.530 requires named accountability
- Do perform a written risk analysis each year because OCR expects one during every audit
- Do train every workforce member who touches PHI because untrained staff cause most breaches
- Do sign BAAs before any vendor touches PHI because HITECH makes missing BAAs a direct violation
- Do separate medical files from personnel files because the ADA, FMLA, and HIPAA all demand it
- Don’t let HR and plan administration share the same email inbox because it defeats the Privacy Rule firewall
- Don’t ask employees for HIPAA authorizations that are broader than the 45 CFR 164.508 requirements
- Don’t rely on fully-insured status to avoid plan documents because they are still required
- Don’t forward claim data to managers because that is a textbook impermissible use
- Don’t destroy PHI without following the NIST 800-88 media sanitization standard referenced by OCR
Pros and Cons of Treating Your Plan as a Covered Entity
Some employers debate whether to embrace full covered-entity status or try to minimize contact with PHI. Both paths have tradeoffs.
- Pro: Direct covered-entity status allows richer data analytics because the plan can review claims with appropriate safeguards
- Pro: Formal HIPAA programs reduce breach costs because documented safeguards lower OCR penalty tiers
- Pro: Comprehensive compliance supports ERISA fiduciary duties as well
- Pro: Strong privacy protections improve employee trust and plan participation
- Pro: Clean hybrid-entity designation narrows the scope of HIPAA to the plan side only
- Con: Covered-entity duties require budget for training, software, and outside counsel
- Con: Breach notification timelines create reputational risk within 60 days
- Con: State law overlays add complexity beyond federal HIPAA
- Con: Plan amendments and BAAs demand legal review each renewal year
- Con: Misclassification can trigger retroactive fines, which are costly and public
Step-by-Step Compliance Process for Employer-Sponsored Plans
A practical workflow keeps the plan out of OCR’s crosshairs. The steps below mirror the Fisher Phillips 8-item roadmap and OCR’s own audit protocol.
Step 1: Classify the Plan
Start by documenting whether the plan is fully-insured, self-insured, or hybrid, and whether it includes medical FSA, HRA, or EAP components. Each component can be its own health plan under 45 CFR 160.103.
The consequence of skipping classification is vague accountability, which OCR will interpret against the employer. A common misconception is that one plan document covers every benefit, but each ERISA plan requires its own HIPAA analysis.
Step 2: Adopt Plan Documents and a Certification
Plan documents must include the firewall language in 45 CFR 164.504(f)(2), and the employer must certify in writing that it will follow them. Without that certification, the plan cannot share PHI with the employer.
The consequence of skipping this step is that every disclosure to HR becomes a violation. A common misconception is that a Summary Plan Description is enough, but the HIPAA certification is separate.
Step 3: Conduct the Risk Analysis and Risk Management
The Security Rule risk analysis must identify all electronic PHI, threats, and safeguards. Risk management then fixes the gaps.
The consequence of a skipped or stale analysis is Tier 3 or Tier 4 penalties. A common misconception is that a vendor’s SOC 2 report replaces the risk analysis; it does not.
Step 4: Train the Workforce
Training must cover every workforce member with access to PHI, and must be documented. OCR looks for training logs during investigations.
The consequence of missing training is a direct violation of 45 CFR 164.530(b). A common misconception is that annual training is optional; it is a practical requirement even if the regulation says “periodic.”
Step 5: Prepare Breach Response
A written breach response plan, tied to the 60-day breach notification rule, should name responsible people and legal counsel.
The consequence of a missing plan is delayed notice, which triggers Tier 3 penalties. A common misconception is that small breaches can wait; even single-record breaches must be logged, and breaches affecting fewer than 500 individuals must still be reported to HHS annually.
State Law Overlays That Matter
Federal HIPAA sets a floor, not a ceiling. States layer additional duties on top, and those duties often apply to employers regardless of HIPAA status. Employers operating across state lines must build a compliance program that matches the strictest rule in their footprint.
The consequence of ignoring state law is separate state-level penalties and private lawsuits under consumer protection statutes. A common misconception is that HIPAA preempts state law, but 45 CFR 160.203 preserves state laws that are more protective.
California, Texas, and New York Rules
California’s Confidentiality of Medical Information Act reaches employers that receive medical data from employees for any reason. Texas applies HB 300 to any “covered entity” under a broader state definition. New York’s SHIELD Act imposes reasonable security requirements on every business holding private information of state residents.
The consequence of a California CMIA violation is up to $1,000 in statutory damages per plaintiff, plus attorneys’ fees. A common misconception is that the California Consumer Privacy Act exempts employee data; as of 2023, CPRA amendments brought employee data fully under the law.
FAQs
Are employers covered entities under HIPAA?
No. Employers are not covered entities. HIPAA applies to health plans, health care clearinghouses, and providers that bill electronically, per 45 CFR 160.103.
Does HIPAA protect an employee’s doctor’s note given to HR?
No. Notes given to an employer are employment records, not PHI. The ADA’s confidentiality rule and state law protect them instead.
Is a self-insured group health plan a covered entity?
Yes. Self-insured group health plans are health plans under HIPAA, and the employer-sponsor must run a full compliance program as explained by HIPAA Journal.
Can a wellness program make an employer subject to HIPAA?
Yes. Wellness programs tied to the group health plan generate PHI and trigger HIPAA, plus EEOC wellness rules under ADA and GINA.
Does HIPAA apply to FMLA certifications?
No. FMLA certifications held by an employer fall under 29 CFR 825.500, not HIPAA, but the ADA may still apply.
Are workers’ compensation records covered by HIPAA?
No. HIPAA carves workers’ comp out under 45 CFR 164.512(l), so providers may share records with the comp carrier without an authorization.
Does HIPAA require employees to sign a release before HR sees medical info?
No. Because HR operates outside HIPAA, no HIPAA authorization is needed, though the ADA still limits what HR can ask.
Can HIPAA fines be imposed on a small employer?
Yes. Any self-insured plan of any size can be fined under the 2026 penalty tiers, with fines up to $2,190,294 per year for identical violations.
Does HIPAA preempt state medical privacy laws?
No. State laws that are more protective remain in force under 45 CFR 160.203, which is why California, Texas, and New York rules still apply.
Is an on-site clinic automatically a covered entity?
Yes. An on-site clinic that bills any payer electronically is a covered provider under 45 CFR 162.1101, and the employer becomes a hybrid entity.
Does HIPAA apply to COVID-19 vaccination status collected by employers?
No. Vaccination status collected by an employer for workplace purposes is an employment record, so the EEOC COVID guidance controls, not HIPAA.
Can HR managers be personally fined under HIPAA?
Yes. HITECH authorizes personal criminal penalties for knowing violations, including fines up to $250,000 and up to 10 years in prison.