
Why employers cannot freely access employee health plan data

HIPAA sets a sharp privacy boundary between the employer and the health plan, so employers cannot simply walk in and access employee health information. An employer can sponsor a health plan, pay part of the premium, select vendors, and help administer benefits, but that does not mean every claim, diagnosis, medication, treatment note, or benefits record is ordinary HR information.

HIPAA generally does not regulate the employer in its capacity as employer, but, as HHS explains, "The Privacy Rule controls how a health plan or a covered health care provider shares your protected health information with an employer." The reason for this protection is that health plan data can hold very personal information: chronic conditions, reproductive care, mental health treatment, prescriptions, surgeries, dependents' care, and high-cost claims.

The employer's separation from the health plan

Workplace health programs can raise serious privacy and discrimination concerns when employees do not clearly see, understand, or trust the legal protections around their data. Recent enforcement points in the same direction. As a Public Health Genomics study explains, "Employees considering participation in wGT as part of workplace wellness programs should be aware of legal protections of their personal genetic information."

The employer and the health plan must remain separate. Even if the employer pays for, sponsors, or helps run the plan, the plan and the employer must operate as separate privacy zones. The health plan holds protected health information because it needs that information to pay claims, coordinate benefits, manage appeals, and carry out health care operations. The employer's function is very different. It employs staff, manages performance and discipline, approves leave, and makes staffing decisions. HIPAA does not allow those roles to merge into one open pipeline for employee health data.

Plan documents must restrict the use of protected health information (PHI) by the plan sponsor, restrict access to such information within the sponsor's business, and maintain an adequate separation between plan administration staff and the employer's other workplace functions. The firewall matters: the person who pays the wages should not be able to see medical claims that might influence employment decisions.

When employers can access plan data

Employers can access health plan data only in narrowly defined circumstances based on their roles. HIPAA allows a group health plan to disclose PHI to a plan sponsor only when the data is for plan administration. Even then, the plan documents must first set forth clear limitations, and the sponsor must certify that it will protect the information.

These requirements draw a clear line the sponsor cannot cross: it may not use protected health information for employment-related actions or decisions. Under 45 CFR § 164.504(f), the plan documents must create a clear privacy boundary between the group health plan and the employer-side plan sponsor. The regulation requires the plan documents to:

  • Set out the permitted and required uses and disclosures of protected health information by the plan sponsor.
  • Require the plan sponsor to certify that it will protect the information before the group health plan discloses protected health information to it.
  • Prohibit the plan sponsor from using or disclosing protected health information for employment-related actions or decisions.
  • Require the plan sponsor to ensure that agents or subcontractors follow the same restrictions when they receive protected health information.
  • Require the sponsor to report improper uses or disclosures that do not follow the plan document rules.
  • Create adequate separation between the group health plan and the plan sponsor.
  • Identify which employees or classes of employees may access protected health information.
  • Limit those employees’ access to plan administration functions only.
  • Create a mechanism to resolve noncompliance if someone with access violates the rules.

Employers may also obtain summary health information for limited purposes, such as obtaining premium bids or deciding whether to modify, amend, or terminate a health plan. They may also receive enrollment and disenrollment information, such as whether an employee is signed up for the plan. A BMC Health Services Research study notes that "the complexity of the healthcare ecosystem, comprising diverse covered entities that collect, produce, store, and transmit PHI, creates persistent risks of unauthorized access and misuse."

Why fully insured vs self-insured plans make a difference

The SG Health Plan (Star Group LLP) resolution shows why self-funded plans should not treat HIPAA as only a provider or insurer problem. HHS alleged that SG Health Plan impermissibly disclosed protected health information and failed to conduct an accurate and thorough risk assessment after a ransomware attack. Self-insurance can create control, but control brings compliance responsibility.

Fully insured and self-insured plans shape how much PHI the employer-side plan sponsor is likely to touch. In a fully insured plan, the employer buys coverage from an insurance carrier. The insurer usually handles claims, payments, provider networks, and much of the protected health information. A fully insured plan that receives only summary health information and enrollment or disenrollment information may be exempt from many administrative Privacy Rule duties, although key restrictions still apply.

A self-insured plan creates a much sharper risk profile. The employer, through the plan, effectively funds claims and often works closely with third-party administrators, pharmacy benefit managers, stop-loss carriers, consultants, and benefits vendors. The structure can give the employer-side plan sponsor more operational exposure to claims, payment data, and plan administration records. The more exposure the sponsor has, the stronger the safeguards need to be.

Where wellness programs fit in

Wellness programs fit into this issue because they sit at a sensitive intersection: work, benefits, health data, incentives, and trust. Business Insider reported, in a Google-exclusive story, that employees were worried about having to provide personal information to an AI-powered benefits tool in order to access their benefits. Google later said employees could opt out and still get all the benefits. Wellness programs are meant to foster health, but a bad privacy setup can quickly make them feel coercive.

HIPAA’s role depends on how the wellness program is structured. When an employer offers the program through a group health plan, individually identifiable health information collected from or created about participants becomes protected health information under HIPAA. In that setup, the employer, as plan sponsor, cannot freely access the data. It may access only the protected health information needed for plan administration and only when the required plan-document restrictions, certifications, safeguards, and separation rules are in place.


FAQs

Can an employer receive summary claims data?

Yes. A group health plan may share summary health information with the plan sponsor for limited purposes such as obtaining premium bids or modifying, amending, or terminating the plan.

Can a doctor give health information directly to an employer?

Usually, no. If an employer asks a healthcare provider directly for information about an employee, the provider generally cannot give the employer that information without the employee's authorization unless another law requires the disclosure.

Are human resources health records protected by HIPAA?

Not usually. HIPAA does not protect employment records, even when those records contain health-related information. For example, a doctor’s note kept in an HR file may be an employment record, not protected health information under HIPAA.