Does HIPAA Apply to You as a Business Owner? Here’s What You Really Need to Know
If your company collects or stores employee medical information, you’ve probably wondered: Do we need to comply with HIPAA? It’s a smart question…but often, it’s the wrong one.
The truth is, most employers aren’t actually subject to HIPAA’s privacy rules in the way they think they are. But that doesn’t mean you’re in the clear. In fact, there are plenty of other laws—federal, state, and local—that govern how you collect, store, and share employee health information. And getting it wrong can come with serious legal consequences.
Let’s break it down.
HIPAA vs. Employer Obligations
HIPAA—the Health Insurance Portability and Accountability Act—is designed to protect health data. But it only applies to certain types of entities: health care providers, insurance plans, and others that handle patient health information. Employers are not considered “covered entities” under HIPAA just because they maintain employee health records. If you receive medical documentation because someone is taking leave, asking for an accommodation, or has had a workplace injury, HIPAA typically doesn’t apply.
Still, that information must be handled with care—and here’s where many businesses run into trouble.
What Really Governs Employee Health Info
Instead of HIPAA, your responsibilities are more likely governed by laws like the Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), and an expanding patchwork of state-specific medical leave and privacy laws.
These laws dictate:
When you can request medical information (hint: not during interviews),
What kind of documentation is acceptable,
How that information should be stored, and
Who can see it (spoiler: it’s a very short list).
For example, the ADA restricts employers from asking disability-related questions unless they are job-related and consistent with business necessity. The FMLA allows you to request medical certification—but only using compliant forms and processes.
And if you’re in a state with its own leave laws? You may have even more boxes to check.
Not Sure Where You Stand?
If you're unsure whether your current practices measure up, you're not alone. Many businesses discover they’re out of compliance only after there’s an issue. That’s why we offer our HR MRI Assessment®—a no-cost, expert-led evaluation that takes a comprehensive look at your HR practices, including how you manage employee health data.
Think of it as a check-up before there’s a problem. Because when it comes to compliance, “we didn’t know” isn’t a defense.
Ready to get proactive? Let’s take a look—before a regulator does.