Does HIPAA apply to employers? A guide for businesses

Even if your company isn’t directly involved in the healthcare industry, you may still be subject to HIPAA rules, which safeguard a person’s health data. 

As a result, it’s important to know what your responsibilities are — if any. In this article, we’ll explain what HIPAA is, who it applies to, and what happens if you don’t comply. We’ll also look at what you should do if you have a global and/or remote workforce.

So let’s jump straight in.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 US law that establishes national standards for protecting sensitive patient health information.

It ensures that healthcare providers, insurers, and their business associates implement measures to:

• Safeguard the privacy and security of health data

• Ensure data integrity

• Prevent unauthorized access

HIPAA also provides individuals with rights over their health information, including the right to obtain a copy of their records and request corrections.

Does HIPAA apply to employers?

HIPAA applies to two types of organization: covered entities, and business associates. 

Here’s how to tell if your business falls into one of these categories.

Covered entities

HIPAA regulations group covered entities into three types:

1. Healthcare providers, such as hospitals, dental clinics, and pharmacies.

2. Health plan providers, including private insurance companies, health maintenance organizations (HMOs), and employer-sponsored and government-sponsored insurance agencies (e.g., Medicaid).

3. Healthcare clearinghouses or organizations responsible for transmitting electronic medical claims and billing data to insurance carriers.

Business associates

A business associate is any business that provides services related to protected health information (PHI), either to covered entities or to other business associates. 

A business is considered a business associate if its services include creating, using, maintaining, transmitting, disclosing, or destroying PHI.

Business associates can include the following:

• Contract billing companies

• Claims processing organizations

• Data processing or analysis firms

• Documentation storage or disposal companies

• External auditors or consultants

• Accountants, lawyers, or IT firms in contact with PHI

• External medical transcription or translation services

According to the US Department of Health and Human Services (HHS), businesses that do not meet the criteria of a covered entity or business associate do not have to comply with HIPAA.

However, if your business provides employees with a self-funded health insurance plan, you are subject to HIPAA. This is because you are technically operating a covered entity, which is the health plan. And while your business isn’t subject to HIPAA regulations, the health plan is.

How do you comply with HIPAA?

If you think your business may be subject to HIPAA rules, it’s important to know which steps to take.

HIPAA compliance checklist

The first step is to create a compliance checklist. This is an easy way to ensure that your business remains aligned with the relevant rules and regulations, and should look something like this:

1. Determine if your company is a covered entity, business associate, or neither.

2. If your organization is a covered entity or business associate, identify which HIPAA rules apply to your situation.

The HIPAA Privacy Rule details the process required for any covered entity to safeguard patient information, and ensure the privacy of their PHI. 

This rule places strict limitations on the type of PHI that can be shared without the owner’s permission. Under it, individuals can also request copies or send health records to third-party businesses.

The HIPAA Security Rule relates to a covered entity’s responsibility to protect any electronic PHI, including safeguarding patient confidentiality and ensuring robust data security and storage.

The HIPAA Breach Notification Rule applies to data security and storage through covered entities and business associates. If a data breach occurs, businesses are required to notify the affected individuals of the date and extent of the breach.

3. Once you know which rules apply to you, appoint a privacy officer to oversee, manage, and enforce HIPAA compliance throughout your organization.

4. Your privacy officer should determine the types of PHI your business is responsible for handling, maintaining, using, or disposing of. 

They should identify when and how PHI is used to spot possible areas of infraction or inadvertent violations. This puts your business in a better position to take actionable measures to prevent these issues.

5. Provide mandatory HIPAA training for all employees who have access to PHI to maintain compliance. Establish written policies and procedures for reference.

6. Use robust security and encryption systems to safeguard your employees’ and clients’ PHI. Inform your remote workers of possible scenarios that could incur violations, such as using insecure or public WiFi.

7. Provide clear and accessible avenues for employees to report HIPAA violations, whether they involve inadvertent device security or data breaches. Outline your employees’ next steps regarding violation reports, including timelines for responding and following up.

8. Stay informed on the latest changes and updates to HIPAA rules and regulations. Notify your employees, provide additional training, and update your written references accordingly.

HIPAA compliance best practices

As well as following the above steps, there are also several best practices you can adopt to ensure your compliance measures are robust.

Consult professionals for assurance

Consider reaching out to a HIPAA consulting firm for guidance, especially if you’re unfamiliar with the law. These firms specialize in HIPAA rules, regulations, and associated legislation, and, while they can’t guarantee complete protection against HIPAA violations, they can be helpful if one does occur.

Some law firms also specialize in HIPAA compliance and enforcement. They can provide a variety of services, including policy recommendations, issue resolution, and legal representation.

Establish clear policies and procedures

Under your HIPAA privacy officer, develop clear policies and procedures around HIPAA compliance.

One of these should be a comprehensive Notice of Privacy Practices policy, outlining the measures you’re taking to protect individual PHI. Distribute these notices to your team members and (if relevant) clients with PHI accessible within your organization. Obtain a signature or initials upon receipt so you know the notices were provided.

You should also establish a proper and comprehensive offboarding process. When an employee leaves, be sure to collect their company equipment and restrict future access to PHI data files for these individuals.

Provide regular HIPAA training 

HIPAA training should be mandatory for all your team members, especially for new hires during onboarding.

It should also be easily accessible. For instance, place HIPAA training modules in shared workspaces for both your in-office and remote workers, and send communications reminding your team to complete them. Upon finishing the course, have each individual sign, date, and upload their certificates of completion.

Use secure software 

To protect your PHI, ensure you use robust software that utilizes data encryption and robust security measures.

Remote, for instance, is ISO27001 Certified and SOC 2 Compliant. All sensitive information is encrypted and follows data security best practices, significantly reducing the chances of a breach.

“HR partners like Remote can help organizations grow secure global teams, while also ensuring they are compliant with local and international data protection laws in the markets they operate in. This frees them to focus on managing and growing their business.”

Marcelo Lebre, co-founder and CTO at Remote

Learn more about how Remote protects your employee data.

What are some common HIPAA violations?

It’s important to understand which actions can potentially result in the violation of HIPAA rules and regulations.

Here are some of the most common ways that businesses do so:

• Failing to promptly report data breaches to consumers.

• Failing to properly secure and store devices, resulting in theft, damage, or loss.

• Giving unauthorized users access to PHI (due, for instance, to inadvertently leaving a device unattended).

• Leaving PHI data unencrypted, making it susceptible to theft.

• Improperly caring for, handling, transmitting, or disposing of written or electronic records.

• Disclosing PHI without the individual’s consent.

What happens if an employer commits a HIPAA violation?

If found in violation of a HIPAA rule or regulation, businesses can expect to face consequences. The Office for Civil Rights judges HIPAA violations using four ascending tiers of severity:

Tier 1: The covered entity or business associate didn’t know about and could not have realistically avoided the violation, even if they had taken reasonable care.

Tier 2: While the covered entity or business associate should have known about the possible violation, they could not have avoided it even with reasonable care.

Tier 3: The covered entity or business associate demonstrated willful neglect of HIPAA rules but evidently tried to correct the issue.

Tier 4: The covered entity or business associate demonstrated willful neglect of HIPAA rules and did not attempt to correct the issue within 30 days.

While the Office for Civil Rights is the primary enforcer, state attorneys and the Food and Drug Administration (FDA) can also enforce HIPAA rules. The latter is typically involved if the violation includes a medical device.

Minor violations — which are usually rooted in a lack of understanding or awareness — may lead to the implementation of HIPAA-specific guidance and training. However, major violations (or chronic widespread noncompliance) can result in serious fines and penalties.

Consider the following two real-world examples:

California Correctional Health Care Services

In 2022, California Correctional Health Care Services was found in violation of HIPAA when a staff member inadvertently emailed an attachment to an unauthorized recipient. The attachment included PHI, including personal and medical information. 

The employee was provided with additional training for privacy and information security awareness.

Banner Health

In 2023, Banner Health, a nonprofit health system, reported a data breach that affected the PHI of 2.8 million patients. 

Banner was found to have demonstrated multiple violations in the leadup to the breach, including failure to implement adequate security measures for patient PHI.

As a result, the organization was fined $1.25 million and ordered to implement a corrective action plan.

Does HIPAA apply to global or remote employers?

If you employ global or remote workers, you have additional considerations to keep in mind regarding HIPAA compliance.

Global employees

If your business is based outside the US, but you handle PHI for your US-based employees, you are considered a business associate of a covered entity. Therefore, you are still subject to all HIPAA rules and regulations.

For example, a business that provides cloud storage of PHI for a US-based healthcare provider must be HIPAA-compliant.

Note that, if you are based in the US and handle PHI for your international employees (who are non-US citizens), you are also still subject to HIPAA.

Remote employees

If you have remote employees — whether based domestically, abroad, or both — the rules are the same as above. However, there are some additional measures you must implement to stay HIPAA-compliant:

• Outline the security and safeguarding measures for handling PHI out of the office when it comes to paper and electronic records. These include transmitting, storing, and disposing of PHI properly.

• Provide HIPAA compliance training, protocols, and procedures for the safe and secure handling of PHI. Ensure your process is available in written form and easily accessible to all employees if they have future questions or concerns.

• Clarify the process employees should use to report possible HIPAA concerns or violations.

• Enforce the consistent use of secure internet services and authorized devices when employees have access to PHI.

Comply with HIPAA through Remote

Understanding HIPAA goes a long way toward protecting your business from costly fines and penalties — not to mention frustration, reputational damage, and a loss of employee or customer trust.

Having an allocated HIPAA expert in your team is a great starting point, but it’s equally important to ensure that the software you’re using to handle your employees’ data is safe, secure, and robust.

This doesn’t just extend to HIPAA, either; it’s crucial to ensure that all elements of your HR platform are protected, including payroll and other sensitive employee information.

Remote protects your business and your employees’ sensitive data with industry-leading security and compliance. Our practices are regularly audited and verified by independent third-party assessors, giving you peace of mind.

To learn more about how we protect your employees’ information — while making your entire HR processes quicker, easier, and more cost-effective — speak to one of our friendly experts today.

Hire and pay your global team with maximum speed and safety

Start onboarding employees and contractors in minutes with Remote, G2’s top-ranked multi-country payroll software.

Get started nowSchedule a demo