Avoiding HIPAA Violations as a Small Business in CA

Sep 1, 2025 | Compliance & Legal Requirements

Managing health benefits as a small business in California comes with a long list of responsibilities—from choosing the right California insurance plans to making sure you’re answering employee questions during open enrollment. But one critical area that’s often overlooked? HIPAA compliance.

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that sets national standards for protecting individuals’ medical records and other personal health information. For small businesses offering group health coverage, it’s not optional—it’s the law.

In this blog, we’ll walk you through what HIPAA means for your small business, how it connects with CA employee coverage and group plan providers, and practical ways to avoid costly violations while staying on top of California compliance rules.

What Is HIPAA—and Why Does It Matter to Small Employers?

HIPAA governs how Protected Health Information (PHI) is collected, stored, and shared. Even if you don’t think of yourself as a “healthcare provider,” you’re still subject to HIPAA if you sponsor California insurance plans for your team.

PHI includes:

  • Medical diagnoses or treatment information
  • Prescription or lab results
  • Health insurance enrollment data
  • Any personally identifiable health information (including in emails or documents)

Common HIPAA Violations Small Businesses Should Watch For

HIPAA violations can happen unintentionally. Here are some of the most common issues small employers in California face:

| Violation | What it looks like |
|---|---|
| Sending PHI via unsecured email | Emailing an employee’s health form to a manager without encryption |
| Talking about an employee’s health in public | Discussing someone’s diagnosis in the break room or during a team meeting |
| Mishandling enrollment forms | Leaving completed forms on a shared desk or storing them in unlocked cabinets |
| Improper document disposal | Throwing PHI documents in the trash instead of shredding |
| Sharing PHI with unauthorized staff | Giving non-HR managers or admins access to employee health information |

Learn more from HHS.gov – HIPAA Privacy Rule

The Role of Group Plan Providers in HIPAA Compliance

Your group plan providers, such as insurance carriers and third-party administrators, are also responsible for maintaining HIPAA compliance. But that doesn’t mean you’re off the hook.

As the plan sponsor, your small business must:

  • Ensure that only authorized personnel can view enrollment or medical information
  • Sign Business Associate Agreements (BAAs) with vendors who access PHI
  • Store, transmit, and dispose of documents containing PHI securely

If your plan is self-funded, the compliance burden is even greater, since you may handle claims data directly. For fully insured California insurance plans, your responsibilities still include secure employee communications and handling enrollment documents appropriately.

What Does This Mean for CA Employee Coverage?

During open enrollment, employees are naturally full of questions about their health benefits. But it’s easy to cross a line into a HIPAA violation—especially if HR or management discusses health information in ways they shouldn’t.

Here’s how to stay compliant:

  • Never discuss personal health details in front of others
  • Don’t email or text plan enrollment info with identifying details unless it’s encrypted
  • Use a secure platform for benefits enrollment and storage
  • Train anyone involved in administering CA employee coverage on HIPAA basics

HIPAA-Safe vs. Risky Behaviors During Open Enrollment

| Scenario | Compliant? | Why? |
|---|---|---|
| HR stores enrollment forms in a locked cabinet | Yes | Protects physical PHI |
| Manager discusses an employee’s illness in Slack | No | Unauthorized disclosure of PHI |
| Employee emails a medical question to HR via Gmail | No | Unsecured channel for PHI |
| HR uses a secure portal for open enrollment questions | Yes | Proper encryption and access controls |

HIPAA and California Compliance: Where State Meets Federal

California law adds another layer of protection through statutes like the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA). While HIPAA sets the federal baseline, California often goes a step further—so staying in compliance means meeting both sets of standards.

For example:

  • CMIA protects employee medical info even when it’s not covered under HIPAA
  • CCPA gives employees rights to request and delete their personal data—including benefits-related data

Learn more about California-specific protections.

How to Set Your Small Business Up for HIPAA Success

You don’t need a legal team to stay HIPAA-compliant; you just need a solid plan. Here’s what we recommend:

  1. Train your team: Anyone who handles benefits should receive basic HIPAA training at least once a year.
  2. Use secure tools: Work with group plan providers that offer secure online portals and encrypted communications.
  3. Limit access: Only give benefits-related data to people who absolutely need it.
  4. Audit regularly: Review how enrollment forms, medical emails, and other PHI are handled.
  5. Work with experienced brokers: A good insurance broker will help keep you compliant while offering employee-friendly California insurance plans.

Protect Your Team by Meeting HIPAA Requirements

If your small business offers health coverage, you’re responsible for protecting your team’s medical privacy—even if it’s just a few employees. By following simple best practices, partnering with trustworthy group plan providers, and making smart decisions during open enrollment, you can stay in line with both HIPAA and California compliance laws.

At Regency West Insurance, we work with small businesses across California to deliver California insurance plans that are secure, personalized, and fully compliant. We help employers navigate HIPAA requirements, educate staff, and streamline CA employee coverage—so you can focus on running your business.

Schedule a HIPAA-ready benefits consultation with Regency West Insurance

Frequently Asked Questions

1. I only have a few employees. Does HIPAA still apply to me?

Yes. If your business provides CA employee coverage through a group health plan—even if it’s just a few people—you are subject to certain HIPAA requirements. While fully insured small group plans handled entirely by your insurance carrier reduce your exposure, you’re still responsible for protecting any health-related data you collect or store (such as enrollment forms, claims info, or employee questions during open enrollment).

2. What types of documents contain PHI and need to be protected?

Protected Health Information (PHI) goes beyond medical records. It includes anything that can be used to identify an individual and relates to their health status, treatment, or insurance.

Common examples include:

  • Enrollment or waiver forms
  • Doctor’s notes submitted for FMLA or leave
  • Claim appeals or reimbursement requests
  • Prescription records or health questionnaires

Make sure all these documents are stored securely and shared only on a need-to-know basis.

3. Can I discuss an employee’s medical condition with their supervisor or other team members?

No. Unless the employee has given explicit, written permission, you may not disclose medical information—even in casual conversation or with good intentions. Sharing an employee’s health details (even something as simple as “John is out with a back injury”) could constitute a HIPAA violation and violate California privacy laws like CMIA.

Supervisors can be told that an employee is unavailable or on approved leave—but not why—unless medically necessary for accommodations or workplace safety, and only with proper documentation.

4. What are the penalties for HIPAA violations?

HIPAA penalties can range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for each type of violation. Violations can result from careless handling of PHI, failure to train staff, or not having the right administrative safeguards in place.

In California, additional penalties may apply under CMIA and the California Consumer Privacy Act (CCPA), particularly if employees’ personal data is exposed due to poor security measures.

5. Can I use email to communicate health benefits information with my employees?

Yes, but with conditions. General benefits information like plan summaries or enrollment deadlines can be emailed freely. However, any communication that contains personal health information (e.g., medical conditions, prescriptions, claims, etc.) must be encrypted and sent securely.

Better yet, use secure portals or HR platforms provided by your insurance carrier or benefits administrator to handle enrollment and claims support. This ensures both HIPAA compliance and California compliance under state data protection laws.