When HR and HIPAA Collide: What’s Legal, What’s Not
- Joe Conway
- Apr 5
- 2 min read

HIPAA (Health Insurance Portability and Accountability Act) and HR (Human Resources) do cross paths—but they operate under very different rules. And yes, sharing health information with HR can absolutely be a HIPAA violation, depending on who is doing the sharing and how they got the info.
Here’s where they intersect and when it crosses the line:
Where HIPAA and HR Cross Paths
- Employer-sponsored health plans: If an employer provides health insurance, the health plan is subject to HIPAA. So if someone in HR also administers that health plan (e.g., benefits coordinator), they’re bound by HIPAA when handling medical claims, enrollments, etc.
- Employee medical records: If the employer collects health info as a healthcare provider or health plan sponsor, that info is protected by HIPAA.
- Leave management (FMLA, ADA, Workers' Comp): HR often receives medical documentation. Some of it might fall under HIPAA—but most of it is governed by other privacy laws like the ADA, FMLA, or state laws, not HIPAA. The confusion comes because people think any medical info = HIPAA. Not always.
When Sharing with HR Is a HIPAA Violation
HIPAA violations happen only when a covered entity (like a doctor, hospital, health plan, or business associate) improperly discloses protected health information (PHI) to an unauthorized party—like HR—without consent or a valid reason.
Examples of Violations:
- A nurse at an on-site clinic shares an employee's diagnosis with HR without that employee's permission.
- A health plan administrator tells HR that an employee is in substance abuse treatment.
- A third-party benefits administrator sends medical records to HR without authorization.
Translation? If someone got the info because they’re part of a covered entity, they can’t just hand it over to HR like gossip at the water cooler.
When It’s Not a HIPAA Violation
- If the employee voluntarily gives medical info to HR (e.g., doctor’s note for sick leave), that’s not HIPAA-covered—it’s employee-employer communication, not a health plan/provider issue.
- If HR gets the info as part of workers' comp, FMLA, or ADA compliance (with proper consent), it’s governed by those laws—not HIPAA.
- If the info is shared by a third party with proper written consent from the employee, it’s not a HIPAA violation.
Bottom Line:
HIPAA kicks in only when a covered entity shares PHI without permission. If HR gets health info from the employee directly, it’s usually not HIPAA territory—but it may still need to be kept confidential under state laws, ADA, or general privacy practices.
Call to action for HR folks:
- Know when you’re in HIPAA waters vs. just “confidential info” territory.
- Don’t accept or request employee health info unless it’s essential—and when you do, lock it up like it's gold.
- Train your benefits and wellness program partners to handle PHI like it’s nuclear waste—one wrong move and you’re in violation city.