HIPAA

Introduction
HIPAA is one of those acronyms that gets tossed around whenever health benefits come up, usually followed by an awkward pause and someone asking, “Wait… are we compliant?” If you’re a small business owner, HR manager, or employee, HIPAA can feel intimidating, overly legal, or frankly meant for hospitals and big insurance companies—not you. The truth sits somewhere in the middle. HIPAA absolutely matters in the small business health benefits world, but once you understand the basics, it’s far more manageable than it sounds.
I’m Saif Akhtar, co-founder of SimplyHRA, and I’ve spent years helping small teams navigate health benefits without tripping over regulations. Let’s break HIPAA down in plain English, from what it is to why it matters and how it shows up in day-to-day benefits administration.
What HIPAA Actually Is (and Isn’t)
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It’s a federal law enforced primarily by the U.S. Department of Health and Human Services (HHS). At its core, HIPAA is about protecting people’s health information and setting rules for how that information can be used and shared.
What HIPAA is:
- A privacy and security framework for health information
- A compliance obligation for certain employers and benefits administrators
- A set of employee rights around their medical data
What HIPAA is not:
- A rule that says you can’t talk to employees about benefits
- A law that applies to every piece of health-related information everywhere
- A one-size-fits-all compliance checklist
HIPAA focuses on protected health information, often shortened to PHI. According to HHS.gov, PHI includes identifiable information related to an individual’s health condition, treatment, or payment for healthcare.
Why HIPAA Matters to Small Businesses
The Employer Perspective
Small businesses often assume HIPAA doesn’t apply to them because they’re not doctors or insurers. That’s partly true, but not the whole story. If you sponsor a health plan or administer health benefits, parts of HIPAA can apply to you.
Common HIPAA touchpoints for employers include:
- Handling employee enrollment or eligibility information
- Managing reimbursements for medical expenses
- Communicating with brokers, carriers, or benefits platforms
If you’re exposed to PHI through your role as an employer, HIPAA expects you to safeguard it. That means limiting access, avoiding casual sharing, and using systems that don’t leave sensitive data floating around in email inboxes.
The HR Manager Perspective
HR is usually on the front lines of HIPAA compliance, whether they signed up for that job or not. An employee asking about a denied claim, a dependent’s eligibility, or a reimbursement request can all involve PHI.
HIPAA best practices for HR teams include:
- Separating personnel files from health plan information
- Sharing only the minimum necessary information
- Using secure platforms instead of spreadsheets or email
This isn’t about paranoia. It’s about reducing risk and respecting employee trust.
HIPAA From the Employee’s Point of View
Employees mostly experience HIPAA as a promise: their health information won’t be used against them or shared casually at work. HIPAA gives employees specific rights, including:
- The right to access their health information
- The right to request corrections
- The right to know how their information is used
An employee shouldn’t worry that their manager knows about a diagnosis or prescription just because they submitted a benefits request. When HIPAA is done right, those boundaries stay intact.
HIPAA and Health Reimbursement Arrangements
Where HIPAA Shows Up With HRAs
If your business offers an HRA, including an Individual Coverage HRA, HIPAA is very much in the room. Reimbursement requests often include PHI, like insurance premiums or explanation of benefits documents.
HIPAA compliance in this context usually means:
- Secure storage of reimbursement documentation
- Limited access to sensitive data
- Clear processes for handling employee information
The IRS governs HRAs from a tax perspective, but HIPAA governs how the health information involved must be handled. Different rules, same program.
Why Technology Matters for HIPAA
Manually managing reimbursements through email or shared drives is where small businesses get into trouble, not because they mean to violate HIPAA, but because the process itself is risky.
Using a benefits platform designed with HIPAA in mind helps:
- Encrypt and protect employee data
- Create audit trails
- Reduce human error
This is one of those cases where good software isn’t about convenience—it’s about compliance and peace of mind.
Common HIPAA Misunderstandings
HIPAA confusion is widespread, so let’s clear up a few myths that come up all the time.
- HIPAA doesn’t stop employers from knowing who is enrolled in a health plan.
- HIPAA doesn’t apply to employment records unrelated to health plans.
- HIPAA violations aren’t limited to intentional misconduct; accidental exposure counts too.
According to HHS, penalties for HIPAA violations can range from corrective action plans to significant fines, depending on severity and intent. Small businesses aren’t immune, even if enforcement tends to focus on larger patterns of noncompliance.
Practical HIPAA Tips for Small Teams
You don’t need a legal department to respect HIPAA. A few grounded habits go a long way.
- Train HR staff on basic privacy rules
- Avoid storing PHI on personal devices
- Use vendors that sign Business Associate Agreements (BAAs)
- When in doubt, share less, not more
These steps aren’t flashy, but they’re effective. Most HIPAA issues I see stem from informal processes that grew over time without guardrails.
HIPAA Basics Don’t Have to Be Overwhelming
HIPAA can sound heavy, but in practice, it’s about common sense backed by structure. Protect sensitive information, limit access, and use systems built for the job. When small businesses do that, compliance becomes part of the background instead of a constant worry.
Why SimplyHRA Makes HIPAA Easier for Everyone
SimplyHRA was built to help small businesses handle health benefits without getting buried in compliance details like HIPAA. Our platform limits employer exposure to protected health information, automates secure reimbursement workflows, and keeps HR teams out of the data they shouldn’t be handling. For small business owners, HR managers, and employees alike, that means fewer risks, clearer boundaries, and a benefits experience that actually feels modern. If you need help navigating HIPAA as it relates to your health benefits, reach out to SimplyHRA for a consultation by emailing info@simplyhra.com or scheduling a call at https://www.simplyhra.com/contact.
The HIPAA Privacy Rule vs. the Security Rule
One area that often gets glossed over is that HIPAA isn’t a single rule—it’s a bundle of them. Two matter most for small businesses offering health benefits: the Privacy Rule and the Security Rule. They sound similar, but they deal with different risks.
The Privacy Rule focuses on who can access protected health information and when. It’s about intent and boundaries. For example, HR can’t casually share an employee’s medical expense details with a manager, even if the manager is “just curious.”
The Security Rule is more technical. It’s about how electronic protected health information (ePHI) is stored, transmitted, and protected. This includes:
- Password controls and access permissions
- Data encryption
- Secure backups and audit logs
For small teams, the Security Rule is where informal processes break down. A forwarded email, a shared Google Drive folder, or a lost laptop can all create exposure, even if no one meant harm.
Business Associate Agreements and Why They Matter
What Is a Business Associate?
Under HIPAA, a business associate is any vendor that handles protected health information on your behalf. This could include:
- Benefits administration platforms
- Payroll providers involved in benefits deductions
- Brokers or consultants accessing enrollment data
HIPAA requires covered entities to have a Business Associate Agreement, commonly called a BAA, with these vendors. A BAA spells out who is responsible for protecting data and what happens if something goes wrong.
The Risk of Skipping the BAA
Many small businesses don’t realize that using a vendor without a BAA can create liability. If PHI is mishandled, regulators won’t just look at the vendor—they’ll look at the employer too.
Using vendors that proactively provide BAAs is a quiet but critical compliance win. It’s one of those “boring” documents that can save you a massive headache later.
HIPAA in a Remote and Hybrid Work World
Remote work has changed how HIPAA risk shows up for small businesses. HR teams now approve benefits, review reimbursements, and communicate with employees from home offices, coffee shops, or shared coworking spaces.
Common remote-work HIPAA risks include:
- Viewing PHI on unsecured Wi-Fi
- Downloading sensitive files to personal devices
- Discussing benefits issues within earshot of others
HIPAA doesn’t prohibit remote work, but it does require reasonable safeguards. That usually means company-managed devices, secure logins, and clear expectations around handling health information outside the office.
What Counts as a HIPAA Breach?
A HIPAA breach isn’t limited to hacking or ransomware. According to HHS guidance, a breach is any impermissible use or disclosure of PHI that compromises its privacy or security.
Examples relevant to small businesses include:
- Sending reimbursement details to the wrong employee
- Uploading documents to an unsecured folder
- Allowing terminated employees to retain system access
Some breaches require notification to affected individuals and, in certain cases, to HHS. Even when notification isn’t required, documenting what happened and how it was addressed is considered best practice.
Training Isn’t Optional—It’s Preventive Care
HIPAA training doesn’t need to be a multi-day seminar, but it does need to exist. Employees who touch benefits data should understand:
- What qualifies as protected health information
- When it’s okay to access it
- When to escalate questions instead of guessing
Think of training like preventive care for compliance. A short, clear explanation upfront can prevent months of cleanup later.
How HIPAA Intersects With Trust and Company Culture
Beyond regulations and fines, HIPAA plays a role in employee trust. Health benefits are personal. When employees feel their information is handled carelessly, it erodes confidence—not just in HR, but in leadership.
On the flip side, strong HIPAA practices quietly reinforce a culture of respect. Employees may never say it out loud, but they notice when boundaries are honored and systems feel secure.
HIPAA Isn’t Static—It Evolves
HIPAA guidance continues to evolve as technology changes. HHS regularly updates recommendations around cybersecurity, mobile access, and third-party risk. Small businesses don’t need to monitor every update, but they do need partners who do.
This is where modern benefits administration matters. Compliance isn’t just about knowing the rules once—it’s about staying aligned as expectations shift.
Why SimplyHRA Is Built With HIPAA Reality in Mind
At SimplyHRA, we design our platform around how small businesses actually operate, not how regulations are written in theory. By minimizing employer exposure to protected health information, securing reimbursement workflows, and acting as a compliant business associate, we help teams stay on the right side of HIPAA without slowing them down. If you want support navigating HIPAA in the real world of small business health benefits, contact SimplyHRA for a consultation by emailing info@simplyhra.com or scheduling a call at https://www.simplyhra.com/contact.
Frequently Asked Questions (FAQs) about HIPAA:
Q: Does HIPAA apply to all small businesses, even if we don’t offer health insurance?
A: Not necessarily. HIPAA generally applies when a business sponsors a health plan or handles protected health information as part of benefits administration. If you don’t offer health benefits and don’t receive or manage employee medical information, HIPAA may not apply. That said, some state privacy laws can still impose obligations, so it’s smart to confirm your specific situation.
Q: Are owners and executives subject to HIPAA rules inside their own company?
A: Yes, if they have access to protected health information through a health plan. Title or seniority doesn’t grant extra access under HIPAA. Owners, founders, and executives must follow the same minimum-necessary standards as HR staff when it comes to employee health data.
Q: Can an employee’s spouse or family member request health information from HR?
A: Generally no. HIPAA restricts disclosure of protected health information to the individual or an authorized representative. Even if a spouse is covered under the same plan, HR typically cannot share information without proper written authorization.
Q: Does HIPAA apply to conversations, or only written records?
A: HIPAA applies to verbal disclosures as well as electronic and paper records. Discussing an employee’s health situation in a public or non-private setting can be a violation if others can overhear identifiable information.
Q: How long should employers retain health-related records under HIPAA?
A: HIPAA requires certain documentation, such as policies and procedures, to be retained for at least six years. Other records may have different retention rules under IRS or employment laws, so employers should align HIPAA retention with broader recordkeeping requirements.
Q: Can managers ever receive employee health information?
A: Only in very limited circumstances. Managers may receive high-level information related to accommodations, leave, or safety restrictions, but not specific diagnoses or treatment details. The information shared should be the minimum necessary to perform their role.
Q: Does HIPAA prevent employers from requiring a doctor’s note?
A: No. HIPAA does not prohibit employers from requesting medical certification for legitimate employment purposes, such as sick leave or accommodations. However, any medical information received must be handled and stored in compliance with HIPAA and other employment laws.
Q: What’s the difference between HIPAA and the ADA when it comes to medical information?
A: HIPAA governs how health information is used and disclosed by health plans and related entities. The Americans with Disabilities Act (ADA) governs how employers collect and use medical information for employment decisions. Both can apply at the same time, but they serve different legal purposes.
Q: If an employee voluntarily shares medical details, does HIPAA still apply?
A: If the information is shared informally and not as part of the health plan, HIPAA may not apply. However, once that information is documented or used in connection with benefits administration, privacy and confidentiality obligations can still arise.
Q: Are penalties automatic if a HIPAA violation occurs?
A: No. Enforcement depends on factors like intent, severity, and corrective action. Demonstrating good-faith efforts, training, and prompt remediation can significantly reduce penalties if an issue arises.
Q: How can small businesses stay current on HIPAA guidance without a compliance team?
A: The most practical approach is to work with benefits and HR vendors that actively monitor HIPAA updates and bake compliance into their systems. Relying on reputable partners and periodic reviews is often more effective than trying to track regulatory changes alone.
Q: Does HIPAA apply differently to part-time, seasonal, or contract workers?
A: HIPAA protections apply to individuals who are enrolled in or eligible for a health plan, regardless of whether they are full-time, part-time, or seasonal. Independent contractors are generally not covered unless they participate in the employer’s health plan or the employer handles their protected health information through a benefits arrangement.
Q: Can HR store health benefits information in our main HRIS system?
A: It depends on the system’s security controls and access limitations. HIPAA expects health plan information to be restricted to only those who need it. If your HRIS allows broad access to medical or benefits data, that can create compliance risk unless proper safeguards are in place.
Q: Is HIPAA violated if an employee accidentally CCs the wrong person on an email?
A: Accidental disclosures can still be HIPAA violations. The key factors are what information was disclosed, who received it, and whether the employer took prompt steps to mitigate the issue. Documenting the incident and corrective action is considered best practice.
Q: Can employers use health data to design or change benefit offerings?
A: Employers may use de-identified, aggregated health data to make plan design decisions. HIPAA generally prohibits using identifiable health information to make employment or benefit decisions about specific individuals.
Q: Does HIPAA apply to wellness programs or health screenings at work?
A: Often yes. If a wellness program collects medical information or biometric data and is connected to a health plan, HIPAA protections typically apply. Employers should ensure vendors handling this data comply with HIPAA requirements.
Q: Are text messages considered a HIPAA risk?
A: They can be. Standard SMS texting is not secure and may expose protected health information. Employers should avoid discussing specific health details via text unless a secure, compliant messaging system is used.
Q: What happens if an employee refuses to provide requested health information?
A: HIPAA allows individuals to control their information, but refusal may affect eligibility for certain benefits or reimbursements. Employers should clearly explain what information is required and why, without pressuring employees to overshare.
Q: Does HIPAA require employers to appoint a privacy officer?
A: HIPAA requires covered entities to designate someone responsible for privacy and security compliance, but for small businesses this does not have to be a formal role or full-time position. It can be part of an existing HR or operations role.
Q: Can benefits information be shared during audits or due diligence?
A: Yes, but only in a limited and controlled way. HIPAA allows disclosure for certain administrative purposes, provided safeguards are in place and only the minimum necessary information is shared.
Q: How does HIPAA interact with state privacy laws?
A: HIPAA sets a federal baseline, but state laws may impose stricter requirements. When state law is more protective of individual privacy, employers must follow the state standard in addition to HIPAA.
Q: Is verbal confirmation of coverage considered protected health information?
A: Yes, if it identifies an individual and relates to their health coverage. Even simple confirmations should be handled carefully and shared only with authorized parties.
Q: Can former employees request access to their health information?
A: Yes. Individuals retain the right to access their protected health information even after employment ends, as long as the information is maintained by the health plan or its administrators.
Bringing HIPAA Confidence to Small Business Health Benefits
HIPAA doesn’t have to be a source of stress or second-guessing for small businesses. At its heart, it’s about protecting employee trust, setting clear boundaries around health information, and using systems that reduce unnecessary exposure. When employers understand where HIPAA applies, limit access to sensitive data, and avoid informal workarounds, compliance becomes part of a healthy benefits culture rather than a constant worry.
At SimplyHRA, we’ve worked with small business owners and HR managers who were juggling benefits administration in spreadsheets, email threads, and shared folders—often without realizing how much HIPAA risk that created. We’ve been in those shoes ourselves. By centralizing reimbursements, minimizing employer contact with protected health information, and automating compliance-heavy workflows, SimplyHRA has helped teams regain confidence while giving employees a more private, respectful benefits experience.
If HIPAA concerns are slowing you down, creating uncertainty, or keeping you up at night, you don’t have to tackle it alone. SimplyHRA is built specifically for small businesses that want to offer great health benefits without compliance chaos. Reach out for a consultation by emailing info@simplyhra.com or scheduling a call at https://www.simplyhra.com/contact.