The Health Insurance Portability and Accountability Act (HIPAA) was created to protect patients’ protected health information (PHI). Over time, HIPAA rules have expanded, requiring both covered entities and business associates to comply. Even companies outside these categories often handle employee PHI, making awareness and proper HIPAA training for HR teams essential to ensure compliance and safeguard sensitive information.
Why this matters: Violations can result in serious legal consequences for your business and staff. HR teams must be trained in HIPAA compliance procedures, ensuring your organization meets regulatory standards and protects sensitive information.
Covered Entities and Business Associates
Initially, HIPAA lacked detailed privacy rules, resulting in frequent PHI breaches. The Privacy Rule, established in 1999, protects all personally identifiable health information. PHI includes any information related to a person’s health or payment for healthcare that could identify the individual.
Key point: Even HR professionals outside IT must understand these rules to prevent violations.
Covered entities include:
- Health Plans: Individual or group plans providing medical coverage.
- Health Care Clearinghouses: Entities that process health information from other sources in nonstandard formats.
- Health Care Providers: Anyone who furnishes, bills, or is paid for health care services.
Business associates are entities that handle PHI on behalf of a covered entity, including:
- Medical billing or collection agencies
- Health information exchanges (HIEs)
- E-prescribing gateways
- Third-party administrators
- Pharmacy benefit managers
- Accounting firms, auditors, and law firms
- Shredding or data management companies
What is PHI?
PHI includes any information about an individual’s past, present, or future health, healthcare services received, or payment for healthcare. It can be transmitted electronically or in other formats.
Common PHI identifiers:
- Name, address, email, phone numbers
- Social Security or medical record numbers
- Account, device, or IP addresses
- Biometric identifiers (fingerprints, face scans)
- Full-face photographs
- Health plan beneficiary numbers
HR must understand PHI to help implement proper safeguards and HIPAA training protocols.
HR’s Role in HIPAA Compliance
Many HR departments mistakenly rely solely on IT for HIPAA compliance. While IT handles technical security, HR controls employee policies and procedures. HR decisions affect:
- Employee access to PHI
- Training programs for HIPAA compliance
- Written HIPAA policies
- Enforcement of sanctions for breaches
Collaboration between HR and IT ensures effective protection and compliance.
HR and the Security Rule
The HIPAA Security Rule requires safeguarding the confidentiality, integrity, and availability of electronic PHI (ePHI):
- Confidentiality: Prevent unauthorized disclosure
- Integrity: Ensure PHI is not altered or destroyed without authorization
- Availability: Make PHI accessible to authorized personnel
HR contributes by helping assess risks, implementing security measures, and managing policies alongside IT.
Key HR Responsibilities
1. Updating Agreements and Documents
- Ensure business associate agreements include safeguards for ePHI
- Update plan documents to comply with the HIPAA Security Rule
2. Nominating a Security Official
- Appoint an individual responsible for ePHI security
- Preferably separate from the Privacy Officer role
3. Security Awareness Training
- Collaborate with IT to create employee training programs
- Identify staff needing specialized training
- Document participation and schedule regular refreshers (at least annually)
4. Gatekeeping ePHI Access
- Catalog ePHI usage and sharing
- Define access control and update access lists
- Coordinate with IT to remove access for terminated employees
5. Creating Written Policies
HR helps draft policies covering:
- ePHI access
- Complaint investigation
- Employee training
- Data destruction and breach handling
6. Employee Education
HR ensures employees understand:
- What constitutes a HIPAA violation
- Mobile device security
- Encryption and dual authentication
- Proper document disposal
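As an added example (not from the article or from RSI Security), the following Python check implements the access-gatekeeping and training-refresher steps from responsibilities 3 and 4 above: it reconciles an HR roster against an ePHI access list and flags accounts that belong to terminated employees, accounts with no HR record, and users whose last HIPAA training is older than a year. The roster, access list, user names and system labels are constructed sample data, and the one-year refresher interval is an assumption based on the "at least annually" guidance.

```python
from datetime import date, timedelta

# Constructed sample data (not real records): HR's view of employees
# and IT's catalog of who can reach each ePHI-bearing system.
HR_ROSTER = {
    "alice": {"status": "active", "last_hipaa_training": date(2024, 3, 1)},
    "bob": {"status": "terminated", "last_hipaa_training": date(2023, 5, 10)},
    "carol": {"status": "active", "last_hipaa_training": date(2022, 9, 15)},
}
EPHI_ACCESS = {
    "claims_db": ["alice", "bob"],
    "benefits_portal": ["carol", "dave"],  # "dave" has no HR record at all
}

# Assumed refresher cadence: training older than this is overdue.
REFRESHER_INTERVAL = timedelta(days=365)


def review_ephi_access(roster, access, today):
    """Return (system, user, reason) findings for the HR/IT access review."""
    findings = []
    for system, users in access.items():
        for user in users:
            record = roster.get(user)
            if record is None:
                # Access exists but HR has never heard of this account.
                findings.append((system, user, "no HR record"))
            elif record["status"] != "active":
                # Terminated staff must lose access; flag for IT removal.
                findings.append((system, user, "terminated but still has access"))
            elif today - record["last_hipaa_training"] > REFRESHER_INTERVAL:
                # Still employed, but the documented training has lapsed.
                findings.append((system, user, "HIPAA training refresher overdue"))
    return findings


def sample_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_ephi_access(HR_ROSTER, EPHI_ACCESS, date(2024, 6, 1))


if __name__ == "__main__":
    for system, user, reason in sample_review():
        print(f"{system}: {user}: {reason}")
```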
HIPAA Training for HR Professionals
HR staff must undergo HIPAA training to effectively safeguard PHI. Proper training ensures HR can implement policies, oversee access, and maintain compliance confidently.
RSI Security offers a comprehensive HIPAA security awareness training program that equips HR teams to protect sensitive information and uphold regulatory standards.
Download Our HIPAA Checklist