A Guide to Disclosures to Plan Sponsors for Your Employee Health Plan (45 CFR § 164.504(f))

Executive Summary

When employers sponsor group health plans for their workforce, HIPAA establishes strict rules governing how protected health information (PHI) can be disclosed to the plan sponsor (i.e., the employer). Section 164.504(f) outlines when and how such disclosures are permitted—and what documentation must be in place to make them lawful. This article breaks down the rules for small- and mid-sized employers offering health benefits, explaining what information can be shared, the safeguards required, and how to ensure the privacy of employees is not compromised in the process.

Introduction

If your business offers health insurance to employees through a group health plan, you may need to access certain health information to manage benefits. However, as an employer, you are not automatically entitled to access your employees’ PHI. HIPAA makes a clear distinction between the plan sponsor (employer) and the group health plan (a covered entity).

Section 164.504(f) governs when and what kind of PHI may be disclosed to an employer who sponsors a health plan, and under what conditions those disclosures are permitted. For small companies, not knowing these rules can lead to unauthorized disclosures, privacy complaints, or even federal enforcement.

This article provides an actionable guide for small plan sponsors to understand and comply with the disclosure requirements under HIPAA.

What is a Plan Sponsor under HIPAA?

A plan sponsor is typically the employer that establishes and maintains a group health plan for its employees. The plan itself, usually a self-insured health plan or insurance policy, is a covered entity under HIPAA.

The employer (sponsor) and the plan are legally distinct. HIPAA limits the flow of PHI between them to protect employee privacy, except under specific conditions.

When Can a Group Health Plan Disclose PHI to the Employer?

Section 164.504(f) allows PHI to be disclosed to the plan sponsor only when:

  1. The health plan documents have been amended to permit and restrict such disclosures
  2. The sponsor certifies in writing that the plan has implemented HIPAA-compliant safeguards
  3. The PHI is being used for plan administration purposes only

Let’s explore each of these conditions.

1. Amending the Plan Document

Before any PHI can be shared with the employer, the group health plan must amend its plan documents to specify:

  • The permitted uses and disclosures of PHI by the plan sponsor
  • The agreement of the sponsor to restrict use of PHI solely for plan administration
  • The mechanisms the sponsor will use to protect PHI, including firewalls between HR and other business units

This amendment must be signed and kept on file.

2. Plan Sponsor Certification Requirements

The employer must certify in writing that it agrees to:

  • Not use PHI for employment-related actions or decisions
  • Not use PHI in connection with any other employee benefit plan or business interest
  • Provide for adequate separation between the plan and the sponsor (e.g., designate HR staff only)
  • Ensure all staff who access PHI receive HIPAA training
  • Report any misuse or breaches of PHI to the plan

Without this certification, no PHI can be shared beyond what is permitted for enrollment or summary health information.

3. Allowable Disclosures for Plan Administration

If all requirements are met, the plan may disclose PHI to the sponsor only for purposes related to plan administration, including:

  • Claims processing oversight
  • Vendor coordination
  • Appeals or dispute resolution
  • Ensuring coverage eligibility

What is not allowed:

  • Using PHI to make hiring, firing, or disciplinary decisions
  • Using PHI to market other products or services
  • Sharing PHI with unrelated business departments

What PHI Can Be Disclosed Without Certification?

Certain disclosures do not require an amendment or certification:

| PHI Type                                                          | Disclosure Allowed? | Certification Required? |
|-------------------------------------------------------------------|---------------------|-------------------------|
| Enrollment/Disenrollment Data                                     | Yes                 | No                      |
| Summary Health Information (e.g., aggregate data for plan design) | Yes                 | No                      |
| Identifiable PHI for Claims Review                                | Yes                 | Yes                     |
| PHI for Employment Decisions                                      | No                  | No                      |

Summary health information is de-identified at the individual level, but may include demographic breakdowns and cost/utilization trends for plan design.

Case Study: Improper Use of PHI for HR Discipline

A small logistics company offered a self-insured health plan to its 38 employees. One HR staffer, who had access to PHI as a plan administrator, noticed a pattern of absenteeism and claims submissions related to substance use disorder from one employee.

Without proper authorization, the HR representative alerted the operations manager, who then terminated the employee for “behavioral concerns.”

The employee filed a HIPAA complaint, and the OCR launched an investigation. The employer was found to have used PHI for employment purposes, in violation of § 164.504(f), and lacked:

  • Plan document amendments
  • Plan sponsor certifications
  • Firewalls between HR and supervisors

The result was a resolution agreement, required training, and public listing of the breach on the OCR portal.

Lesson: Even in small businesses, PHI must be segregated from employment decisions unless a legal exception applies.

How to Stay Compliant as a Small Plan Sponsor

1. Review Your Plan Documents

Ask your insurance provider or plan administrator:

  • Has the plan document been amended to allow disclosures?
  • Do we have a certification on file?
  • What types of PHI can we access, and for what purposes?

2. Create an Access Control Matrix

Identify and document:

  • Who in your organization has access to PHI
  • Their job function related to the plan
  • What type of PHI they can access
  • When and how they are trained

3. Train HR and Plan Admin Staff

Make sure every employee with access to PHI understands:

  • The limits of permissible use
  • How to report privacy violations
  • That using PHI for hiring or firing is a violation

4. Use Business Associate Agreements for Vendors

If your plan works with third parties (TPAs, brokers, COBRA administrators), ensure you have valid Business Associate Agreements (BAAs) that limit their use and disclosure of PHI in line with HIPAA.

5. Document Everything

Keep records of:

  • Plan document amendments
  • Certification letters from the plan sponsor
  • HIPAA training logs
  • Role-based access assignments

OCR does not accept verbal confirmation — you must have written, dated records ready for review.

HIPAA Compliance Checklist for Plan Sponsors

| Task                                                   | Responsible Party  |
|--------------------------------------------------------|--------------------|
| Amend plan documents to allow PHI disclosure           | Benefits Manager   |
| Obtain and store sponsor certification                 | HR Director        |
| Define allowable PHI use for plan admin only           | Compliance Officer |
| Train HR and plan administrators on PHI use limits     | Office Manager     |
| Restrict access to enrollment and summary health data  | Plan Admin         |
| Prohibit employment-related use of PHI                 | Legal Counsel      |

Authority and Regulatory References

Final Takeaways and Recommendations

As a small employer sponsoring a health plan, you do not have blanket rights to your employees’ health information. HIPAA’s § 164.504(f) ensures that PHI is only disclosed to plan sponsors under strict conditions, with formal documentation and access limitations in place.

To protect both your employees and your organization:

  • Amend your plan documents
  • Restrict PHI access to plan administration use only
  • Prohibit HR from using PHI in employment actions
  • Keep written certifications and training logs
  • Stay up to date on HHS guidance and plan changes

Following these steps will help you offer valuable health benefits without compromising employee privacy or incurring compliance penalties.
