
HIPAA Privacy and Security Compliance Toolkit

This toolkit is intended to help employers that sponsor group health plans understand their compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA). It also provides sample resources to help employers comply with HIPAA's documentation requirements for their group health plans.

What this toolkit covers

HIPAA is a broad federal law that includes rules for protecting the privacy and security of certain health information, which is called protected health information (PHI). HIPAA also includes notification requirements following a breach of PHI. This toolkit discusses the following rules, which are collectively referred to as the HIPAA Rules:

HIPAA Privacy Rule
  • Sets national standards for when PHI may be used or disclosed
  • Gives individuals certain rights with respect to their PHI

HIPAA Security Rule
  • Includes standards that covered entities must implement to protect their electronic PHI (ePHI)

HIPAA Breach Notification Rule
  • Requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS) and, in some cases, the media, following a breach of unsecured PHI

While employers are not directly regulated by the HIPAA Rules, most employer‐sponsored group health plans are subject to the HIPAA Rules' requirements to some degree. This means that employers that sponsor group health plans for their employees will usually have compliance obligations under the HIPAA Rules with respect to their group health plans. The extent of an employer's compliance obligations under the HIPAA Rules mainly depends on two factors:

  • Whether the employer's health plan is self‐funded or fully insured; and
  • If the health plan is fully insured, whether the employer has access to PHI from the health insurance issuer (other than certain limited types of PHI).

Key points

  • If an employer receives PHI from its health plan (for example, from the issuer or benefits administrator), the employer takes on significant responsibilities with respect to that PHI.
  • Employers that sponsor fully insured health plans and do not have access to PHI (other than certain limited types) from their issuers have minimal compliance obligations under the HIPAA Rules.

Click here to download the comprehensive HIPAA Privacy and Security Compliance Toolkit.