HIPAA Compliance for HR Departments: What's Changed, What's Coming, and What to Do Now
OCR collected $9.9 million in HIPAA fines in 2024. The average penalty was $579,000. In March 2025, HHS confirmed Phase 3 compliance audits were still underway — 50 covered entities and business associates selected for review.
If your HR team is still treating HIPAA as someone else's problem, that number is worth sitting with.
Does HIPAA Actually Apply to HR?
The short answer: it depends on what your organization does with employee health data.
HIPAA's Privacy Rule doesn't regulate employer-employee relationships directly. It governs how health plans and providers handle protected health information (PHI) — not how employers store vacation requests or routine sick day notes.
But that boundary blurs fast. If your organization administers a self-insured health plan, your HR department is almost certainly handling PHI — and HIPAA requirements apply. The same is true if HR staff access health plan records to administer benefits, process accommodation requests, or manage workers' compensation claims that involve diagnosis or treatment data.
The practical rule: if HR touches data generated through your company's sponsored health plan, HIPAA governs how that data is stored, shared, and protected.
A Quick Glossary (The Terms That Actually Matter)
PHI: Any data relating to a person's physical or mental health, treatment, or payment for care. Names, Social Security numbers, medical records, and insurance IDs all qualify when linked to health information.
Covered Entity: An organization that handles PHI — health plans, healthcare providers, clearinghouses. If your company runs a self-insured plan, that plan is a covered entity even if your broader company isn't.
Business Associate Agreement (BAA): The contract required when a covered entity shares PHI with a third party. Any vendor or platform that touches PHI — including email providers and file-sharing tools — needs one. As a practical note, Virtru has a BAA for HIPAA compliance.
Privacy Rule: Governs individual rights and PHI access across all formats — paper, digital, verbal.
Security Rule: Specifically covers electronic PHI (ePHI) and requires technical, physical, and administrative safeguards to protect it.
The Security Rule Is About to Get Significantly Stricter
In January 2025, HHS published a sweeping proposed overhaul of the HIPAA Security Rule — the first major revision since 2003. The comment period closed in March 2025. A final rule is expected in 2026, with a compliance window likely 180 days after publication.
Because the proposed rule contains substantial changes, HR teams and their organizations should start preparing now, not after the final rule drops.
Encryption becomes mandatory. The current Security Rule treats encryption as "addressable" — organizations can decide whether it's reasonable given their risk analysis. The proposed rule eliminates that flexibility. Encryption of ePHI both at rest and in transit would be required, with no exceptions.
Multi-factor authentication. MFA would be required across all systems that access or process ePHI.
Annual compliance audits. Covered entities and business associates would need to conduct internal HIPAA compliance audits at least once every 12 months.
Scheduled vulnerability testing. Vulnerability scans every six months, penetration tests annually.
Technology asset inventories. Organizations would need to maintain a documented inventory of all technology assets that handle ePHI, reviewed annually.
The bigger structural shift is that the proposed rule removes the "required vs. addressable" distinction entirely. What was once optional guidance becomes mandatory baseline.
What HR Teams Need to Protect Right Now
Whether or not the proposed rule is finalized as written, current Security Rule requirements already cover the ground where most HR teams have gaps. Three safeguards matter most for how HR actually handles data day-to-day:
Access controls. Systems holding ePHI should restrict access to employees who need it for specific job functions. Not everyone in HR needs access to health plan records. Audit who has access and whether it's still warranted.
Audit controls. Logging system activity involving ePHI is what makes breach detection possible after the fact. If you can't reconstruct what happened to a file or email containing PHI, you can't demonstrate compliance.
Transmission security. When ePHI moves — through email, file transfers, or shared drives — it must be protected in transit. Unencrypted email is not HIPAA-compliant. A standard shared link with broad access permissions is not HIPAA-compliant.
Where HR Teams Often Slip: Email and File Sharing
The most common compliance gaps aren't in the policy — they're in the daily workflow. Benefits paperwork emailed to employees. Insurance documents sent to third-party administrators. Medical leave documentation shared via a standard file link.
These feel routine because they are. That's exactly why they're where PHI exposure happens.
Email. Standard Gmail and Outlook messages don't satisfy HIPAA's transmission security requirements on their own. Any workflow where HR sends PHI externally — to carriers, TPAs, or providers — needs encryption in place.
Jason Karn, Chief Compliance Officer at Total HIPAA, described this well: "Just having data encrypted point-to-point doesn't solve the problem. If that's all it took, then Gmail, Google Workspace, and Office 365 would be sufficient. The real issue is, ‘What do you do when you send PHI to the wrong person?’ Virtru is a minimal expense for the security and safety it provides."
Virtru for Gmail and Virtru for Outlook let HR teams send encrypted messages directly from tools they already use. Recipients open protected messages without installing software or creating a new account. Access can be revoked after the fact, and every message carries a persistent, auditable policy — not just a one-time encryption event.
File sharing. PHI travels in attachments, shared drives, and collaboration platforms. Standard sharing links don't give you control after sending — anyone with the link can access the file indefinitely.
Virtru Secure Share wraps encryption around individual files rather than relying on platform-level permissions. HR teams can share PHI through Microsoft OneDrive, SharePoint, Teams, or Google Drive and retain the ability to revoke access, set expiration dates, and track who has viewed what. Recipients access the file through their browser — no software installation, no new account.
Don't Forget the HIPAA BAA
If your HR team uses any external platform to process or share PHI — email, file storage, HR information systems, third-party administrators — a signed BAA is a hard requirement, not a best practice. Virtru executes BAAs as part of its standard HIPAA-eligible offerings, covering both Virtru for Email and Virtru Secure Share.
What to Do Before the New Security Rule Lands
The proposed Security Rule won't be finalized overnight. But the enforcement environment is already serious — nearly $10 million in fines last year, and Phase 3 audits actively underway. Organizations that wait for final rulemaking to start closing gaps are organizations that fail compliance reviews.
Start with the basics: document what PHI your HR team touches, who has access to it, and how it moves. Then close the email and file-sharing gaps. The proposed rule's encryption mandate reflects where OCR's enforcement focus has been pointing for years. Getting ahead of it will make the difference between managing risk and reacting to it.
See how Virtru protects PHI across email and file sharing. Book a demo with our team today.
Editorial Team
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.