HR must lead the way when it comes to cybersecurity strategy. In an era where cybercrime is growing more sophisticated and frequent, HR professionals are increasingly becoming the first line of defense in protecting employee data — especially health-related information governed by the Health Insurance Portability and Accountability Act (HIPAA), said compliance experts Natashia Wright and Jason Sheffield of The Baldwin Group during a session at SHRM25 in San Diego.
Wright and Sheffield outlined the direct risks cyberattacks pose to health plans and employee well-being. They explained that when a breach happens, HR needs to be involved in the response, instead of ceding the responsibility to IT. From benefit administration disruptions to regulatory exposure, the consequences of inaction are too great to ignore.
Here are critical takeaways every HR professional should know.
You May Be a Covered Entity and Not Know It
It’s easy to assume HIPAA is only a concern for hospitals and insurance carriers. However, if your organization sponsors a self-insured health plan, it is legally considered a “covered entity” under HIPAA, making you responsible for protecting electronic protected health information (ePHI), Wright and Sheffield said. Handling ePHI includes reviewing claims, conducting audits, or even helping employees navigate benefit enrollment.
The HIPAA Security Rule specifically outlines requirements around the creation, receipt, maintenance, and transmission of ePHI. HR departments routinely touch all four elements covered by the rule, yet many organizations still lack formal HIPAA compliance programs or underestimate their obligations. Wright emphasized the need for risk assessments tailored to HR functions and collaboration between HR, benefits administrators, and IT security teams.
“If you’re reviewing appeals, maintaining employee medical certifications, or transmitting data to vendors, HIPAA applies to you,” she said.
Cyberattacks Aren’t Just Possible; They’re Inevitable
In 2023, the global cost of cybercrime reached $8 trillion, and it is expected to surpass $10.5 trillion by 2025. Health-care-related data breaches — such as the massive Change Healthcare ransomware attack in 2024 — have affected up to 1 in 3 Americans. While these headlines may seem remote, they have immediate consequences for employers.
Wright shared a real-life scenario where a ransomware attack locked employees out of their benefits data, suspending claims payments and delaying care. “A data breach doesn’t just impact your system — it disrupts employees’ lives,” she said. “Suddenly, they can’t access care, verify benefits, or get prescriptions filled.”
Organizations with remote workforces or multiple office locations are particularly vulnerable, as distributed data access increases risk vectors. Mobile devices, phishing emails, and weak passwords continue to be common entry points.
Cybersecurity is no longer a technical issue alone. It is a people issue. HR’s role is to ensure employees are trained, supported, and vigilant — because the first sign of a breach often comes from a team member noticing something is wrong.
HIPAA Security Rule Provides a Playbook
The HIPAA Security Rule is a framework for organizational resilience. Its requirements offer a practical road map for preventing, detecting, and responding to cyberthreats. At the core is the Security Risk Assessment (SRA), which every covered entity must perform regularly. Yet many HR teams are unsure how often to conduct one, or whether one has even been done.
“You can’t protect what you haven’t analyzed,” Wright stressed. “The SRA is your starting point, not a check-the-box item.”
From there, HR should work with IT and legal teams to implement the following:
Designated privacy and security officers, roles that are often split between IT and HR.
Access controls limiting who can view or modify ePHI.
Malware detection systems and encryption protocols.
Incident response plans that include clear roles, contacts, and escalation steps.
Training programs for all employees — not just IT staff.
Perhaps most importantly, cybersecurity must be cyclical, not static. HIPAA compliance is not a one-and-done exercise. “It’s like waves,” Wright said. “You implement safeguards, test them, adjust them, and repeat.”
Prepare Now for New Federal Requirements
There’s a looming regulatory shift, as a proposed overhaul of the HIPAA Security Rule could significantly increase compliance burdens for employers. Though currently paused under administrative review, the rule could be enacted quickly and would require updates to existing policies, procedures, and documentation. HR leaders should begin internal audits and scenario planning now to avoid scrambling when the rule becomes final.
Practical Tips for HR Leaders
Wright and Sheffield offered some critical security tips for HR departments:
Send quarterly security reminder emails to employees.
Implement complex passphrases.
Lock devices after three minutes of inactivity.
Secure mobile devices with encryption and strong authentication.
Avoid paying to remove ransomware without first contacting the FBI, due to sanctions risks.
HR professionals have a unique lens into how data flows within an organization — from onboarding forms to benefits portals. By proactively partnering with IT, ensuring staff training, and championing HIPAA compliance, HR can help lead its organization through today’s cyberthreat landscape.
As Sheffield summed it up, “Anticipate that a breach will happen. The difference is how prepared you are when it does.”