HIPAA Requirements for Health Screenings: What Screening Vendors Need to Know
If you collect biometric data at employer health screenings, you handle protected health information (PHI). That makes you a business associate under HIPAA, with specific legal obligations for how you collect, store, transmit, and dispose of that data. This guide explains what HIPAA requires of screening vendors in practical terms.
Are You a Business Associate?
If you collect health data on behalf of an employer or their wellness program, the answer is yes. Biometric measurements -- blood pressure, cholesterol, glucose, BMI -- are PHI under HIPAA. The moment you record a participant's name alongside their screening results, you are handling individually identifiable health information.
This applies regardless of your company size. A two-person screening company collecting fingerstick results at a 50-employee wellness fair has the same HIPAA obligations as a national vendor running 500 events per year. The law does not scale its requirements based on how many participants you see.
Even aggregate reports can contain PHI if the population is small enough for individuals to be identified. A report that says "average BMI for the 3 employees in the Boise office" effectively discloses individual data.
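The small-population problem above is usually handled with a minimum cell size: any group smaller than the threshold is withheld rather than averaged. The following is an added example, not code from the page or from any vendor it names; the threshold of 5, the office names and the BMI values are all constructed for illustration. It also goes one step further than the text by handling complementary suppression, where a company-wide average published beside every office but one would let a reader subtract the withheld office back out.

```python
from statistics import mean

# Smallest group for which an average is published. The value 5 is an
# assumption for this example; use the threshold your privacy policy sets.
MIN_CELL_SIZE = 5

# Constructed sample records (office, BMI) for three offices; not real data.
SAMPLE_RESULTS = [
    ("Boise", 31.2), ("Boise", 24.8), ("Boise", 27.5),
    ("Denver", 22.1), ("Denver", 29.4), ("Denver", 25.0),
    ("Denver", 30.3), ("Denver", 26.7), ("Denver", 23.9),
    ("Seattle", 28.0), ("Seattle", 24.5), ("Seattle", 26.9),
    ("Seattle", 31.8), ("Seattle", 22.6),
]


def aggregate_by_group(records, min_cell_size=MIN_CELL_SIZE):
    """Average BMI per office, withholding any office below min_cell_size.

    Returns {office: {"n": count, "avg_bmi": float or None, "suppressed": bool}}.
    A suppressed office reports no value at all, so a reader cannot recover
    one person's result from a three-person average.
    """
    by_office = {}
    for office, bmi in records:
        by_office.setdefault(office, []).append(bmi)
    report = {}
    for office, values in by_office.items():
        if len(values) < min_cell_size:
            report[office] = {"n": len(values), "avg_bmi": None, "suppressed": True}
        else:
            report[office] = {"n": len(values), "avg_bmi": round(mean(values), 1),
                              "suppressed": False}
    return report


def build_report(records, min_cell_size=MIN_CELL_SIZE):
    """Per-office averages plus a company-wide average, with complementary suppression.

    Publishing the company-wide average next to every office except one lets a
    reader subtract the published offices out and recover the withheld one. When
    exactly one office is suppressed, this also withholds the smallest published
    office, so the subtraction yields only a combined figure for two offices.
    """
    groups = aggregate_by_group(records, min_cell_size)
    suppressed = [g for g, row in groups.items() if row["suppressed"]]
    published = [g for g, row in groups.items() if not row["suppressed"]]
    if len(suppressed) == 1 and published:
        partner = min(published, key=lambda g: groups[g]["n"])
        groups[partner] = {"n": groups[partner]["n"], "avg_bmi": None, "suppressed": True}
    overall = round(mean(bmi for _, bmi in records), 1)
    return {"groups": groups, "overall_avg_bmi": overall}


if __name__ == "__main__":
    result = build_report(SAMPLE_RESULTS)
    for office, row in result["groups"].items():
        if row["suppressed"]:
            print(f"{office}: withheld (n={row['n']} below threshold)")
        else:
            print(f"{office}: avg BMI {row['avg_bmi']} (n={row['n']})")
    print(f"Company-wide: avg BMI {result['overall_avg_bmi']}")
```

With the constructed data, Boise (3 people) is withheld outright, and Seattle (5 people) is withheld as well once the company-wide figure is published, because otherwise Boise's average could be derived from the other numbers. The choice of which partner group to withhold is a simple rule used here for illustration; disclosure-control practice offers more refined strategies.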
The Three HIPAA Rules That Apply to Screening Vendors
1. The Privacy Rule
The Privacy Rule governs what PHI you can collect, how you can use it, and who you can share it with.
Minimum necessary standard. You may only collect and access the minimum amount of PHI needed to perform your screening services. If your contract is for a lipid panel and blood pressure, you should not be collecting mental health history or medication lists "just in case."
Permitted disclosures. You can share PHI with the participant (their own results), with the covered entity you have a BAA with (the employer's wellness program administrator), and with other business associates as needed for treatment, payment, or healthcare operations. You cannot share individual results with the employer's HR department unless the participant has provided written authorization.
Participant rights. Participants have the right to request access to their health data, request corrections, and request an accounting of disclosures. Your screening software should make it straightforward to fulfill these requests.
2. The Security Rule
The Security Rule requires specific safeguards for electronic PHI (ePHI). These fall into three categories:
Technical safeguards. Data must be encrypted both at rest (stored on servers) and in transit (moving between devices and servers). Every user who accesses PHI needs a unique login -- no shared accounts. You need audit trails that log who accessed what data and when. Automatic session timeouts should lock unattended devices.
Physical safeguards. At screening events, devices displaying PHI must be positioned so other participants cannot see the screen. Devices must be password-protected and encrypted. If you use portable drives or printed materials, they must be physically secured during transport and storage.
Administrative safeguards. Your workforce must be trained on PHI handling procedures. You must conduct a risk assessment at least annually to identify vulnerabilities. You need a documented incident response plan that your team knows how to execute. You must designate a security officer responsible for HIPAA compliance.
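Two of the technical safeguards above, the per-user audit trail and the idle-session auto-lock, can be sketched in a few dozen lines. The example below is added here and is not code from the page or from any screening platform it mentions. It assumes timestamps are Unix epoch seconds, a 2-minute idle limit (matching the page's auto-lock guidance), and that each session is created only after the user has authenticated individually. It goes slightly beyond the text by hash-chaining the audit entries so that a deleted or edited entry is detectable, and it logs only record identifiers, never the PHI values themselves.

```python
import hashlib
import json

# Auto-lock after this much inactivity, in seconds. Two minutes follows the
# page's guidance; the exact value is a policy choice (assumption for this example).
IDLE_TIMEOUT_SECONDS = 120


class Session:
    """One authenticated screener. Every PHI action is tied to this identity."""

    def __init__(self, user_id, started_at):
        if not user_id:
            raise ValueError("a session must belong to an individual user, never a shared account")
        self.user_id = user_id
        self.last_activity = started_at
        self.locked = False

    def touch(self, now):
        """Register activity at `now`; lock if the session sat idle past the timeout.

        Returns True if the session is still usable, False if it is locked."""
        if self.locked or now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.locked = True
            return False
        self.last_activity = now
        return True


class AuditTrail:
    """Append-only access log. Each entry carries the SHA-256 of the previous one,
    so a deleted or edited entry breaks the chain and is caught by verify()."""

    GENESIS = "0" * 64  # back-link value for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry_without_hash):
        return hashlib.sha256(
            json.dumps(entry_without_hash, sort_keys=True).encode()
        ).hexdigest()

    def record(self, session, action, record_id, now):
        """Log who (session.user_id) did what (action) to which record, and when.

        Only the record identifier is logged, not the PHI itself, so the audit
        trail stays within the minimum-necessary standard."""
        if not session.touch(now):
            raise PermissionError(f"session for {session.user_id} is locked; re-authenticate")
        entry = {
            "ts": now,
            "user": session.user_id,
            "action": action,
            "record": record_id,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry's hash and back-link are intact."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed epoch timestamp for the demo
    screener = Session("screener_amy", t0)
    log = AuditTrail()
    log.record(screener, "VIEW", "participant-0001", t0 + 60)
    try:
        log.record(screener, "VIEW", "participant-0002", t0 + 300)  # 4 min idle
    except PermissionError as err:
        print("blocked:", err)
    print("chain intact:", log.verify(), "| entries:", len(log.entries))
```

Because a shared account would put the same `user_id` on every entry, the trail would still be internally consistent but would no longer answer "which screener touched this record", which is exactly the gap the page warns about under shared credentials.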
3. The Breach Notification Rule
A breach is any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. If a breach occurs, you have specific notification obligations:
- Notify the covered entity (your client) without unreasonable delay, no later than 60 days after discovering the breach
- Notify affected individuals in writing within 60 days if more than 500 individuals are affected
- Notify HHS (the Department of Health and Human Services) -- immediately for breaches affecting 500+ individuals, or annually for smaller breaches
- Notify media if the breach affects more than 500 residents of a single state or jurisdiction
Many states have their own breach notification laws with shorter timelines or additional requirements. California, for example, requires notification within 15 days for health data breaches.
Business Associate Agreements (BAAs)
A BAA is a legal contract between a covered entity (or another business associate) and you that establishes what PHI you can access, how you must protect it, and what happens if there is a breach. Without a BAA, you are operating in violation of HIPAA regardless of how good your security practices are.
You need a BAA with:
- Your screening software vendor -- they store participant data on your behalf
- Lab partners (LabCorp, CoreMedica, Quest, etc.) -- they process and return lab results
- Cloud storage or hosting providers -- Amazon AWS, Google Cloud, Microsoft Azure all offer BAAs
- Third-party administrators who receive your data for benefits administration
- Email service providers if you send PHI via email (most standard email is not HIPAA-compliant)
What a BAA should include:
- Permitted uses and disclosures of PHI
- Requirements to implement appropriate safeguards
- Requirements to report breaches and security incidents
- Requirements to ensure subcontractors also agree to the same protections
- Requirements to return or destroy PHI at the end of the contract
- Termination provisions for material breach
Consequences of not having one: Fines range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. In 2024, OCR (the Office for Civil Rights) increased enforcement actions against business associates specifically, with several settlements exceeding $1 million for missing or inadequate BAAs.
HITRUST vs. HIPAA: What's the Difference?
These two terms come up in almost every vendor evaluation, and they are frequently confused. They are not the same thing.
HIPAA is a federal law. Compliance is mandatory for anyone handling PHI. There is no official "HIPAA certification" -- compliance is demonstrated through policies, procedures, risk assessments, and the ability to pass an audit. You either comply with HIPAA or you are in violation of it.
HITRUST CSF (Common Security Framework) is a voluntary certification program that incorporates HIPAA requirements plus controls from NIST, ISO 27001, PCI DSS, and other frameworks. It is more comprehensive, more prescriptive, and significantly more expensive to obtain (typically $50,000-$200,000 for the assessment process alone, plus the cost of remediation).
| Dimension | HIPAA | HITRUST |
|---|---|---|
| Type | Federal law | Voluntary certification framework |
| Required? | Yes, for anyone handling PHI | No, but some clients require it |
| Certification | No official certification exists | Formal certification with validated assessment |
| Cost | Internal compliance costs (policies, training, risk assessments) | $50,000-$200,000+ for assessment and remediation |
| Scope | PHI-specific privacy and security requirements | Comprehensive security framework (includes HIPAA + NIST + ISO + more) |
| Who requires it | Federal government (mandatory) | Some large employers, health plans, and TPAs (contractual) |
Practical guidance: If you are a screening vendor serving small to mid-size employers, HIPAA compliance with a signed BAA meets the legal requirements for the vast majority of contracts. HITRUST becomes relevant when you start working with Fortune 500 employers, large health plans, or hospital systems that include HITRUST as a contractual requirement in their RFPs. Do not invest in HITRUST certification until you have contracts that require it.
Common HIPAA Violations at Screening Events
Most HIPAA violations at screening events are not the result of sophisticated data breaches. They are the result of operational carelessness that is entirely preventable.
Leaving devices unlocked and unattended. A screener steps away from their laptop to help with participant flow, leaving a screen full of PHI visible to anyone walking by. Every device should have a 2-minute auto-lock timeout, and screeners should be trained to lock their screen (Ctrl+L or Cmd+L) every time they stand up.
Sharing login credentials. Two screeners using the same account eliminates your audit trail. If there is a data issue, you cannot determine which screener accessed or modified the record. Every screener needs their own login.
Transmitting PHI via unencrypted email. Sending a participant's lab results via standard Gmail or Outlook is a HIPAA violation. Email must be encrypted end-to-end, or results should be delivered through a secure portal.
Not having a BAA with your software vendor. This is the most common structural violation. Many screening vendors use software platforms without verifying that a BAA is in place. If your software vendor will not sign a BAA, that is a clear signal to find a different vendor.
Improper disposal of paper forms. Paper forms with PHI must be cross-cut shredded, not thrown in a recycling bin. This applies to any paper that contains a participant's name, date of birth, or health data -- including sign-in sheets that list participant names alongside appointment times.
Screen visibility to other participants. When a screening station is set up in an open area, other participants in line can sometimes see the screen. Position monitors so they face a wall or partition, not the waiting area.
How to Evaluate Your Software Vendor's HIPAA Compliance
Your screening software stores the most concentrated collection of PHI in your operation. Evaluating your vendor's HIPAA posture is not optional -- it is due diligence that protects your business.
Questions to ask:
- Will you sign a BAA? If the answer is no or "we don't do that," walk away. This is non-negotiable.
- Is data encrypted at rest and in transit? Look for AES-256 encryption at rest and TLS 1.2+ in transit. Ask for specifics, not just "yes, we encrypt."
- Do you have row-level data isolation? This means one screening company cannot accidentally access another company's participant data, even if they share the same platform. Without it, a misconfigured query could expose data across accounts.
- What is your incident response process? Ask for their written incident response plan. How quickly will they notify you of a breach? Do they have a designated security officer?
- How do you handle data deletion requests? Participants have the right to request deletion of their data. Your vendor should have a documented process for this.
- Where is data hosted? US-based hosting is generally required for HIPAA compliance. Verify that data is not stored in or routed through foreign jurisdictions.
- Do you conduct regular penetration testing? Annual penetration tests by a third party are a strong indicator of security maturity.
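The row-level isolation question above is easiest to understand with the two query shapes side by side: a lookup keyed on the record id alone, which returns whichever tenant's row matches, and a repository that always binds the caller's company id into the predicate. The example below is added here and is not code from the page or from any platform it names; it uses an in-memory SQLite database with constructed participant rows for two made-up screening companies, and assumes `company_id` comes from the authenticated session rather than from request input.

```python
import sqlite3


def setup_db():
    """In-memory database with constructed rows for two tenants sharing one platform."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participants ("
        " id INTEGER PRIMARY KEY, company_id TEXT NOT NULL,"
        " name TEXT NOT NULL, glucose_mg_dl INTEGER)"
    )
    conn.executemany(
        "INSERT INTO participants (company_id, name, glucose_mg_dl) VALUES (?, ?, ?)",
        [
            ("acme-screening", "Participant A", 98),    # constructed sample rows
            ("acme-screening", "Participant B", 112),
            ("northwind-health", "Participant C", 105),
        ],
    )
    return conn


def unscoped_lookup(conn, participant_id):
    """The misconfiguration: keyed on id alone, so any tenant's row comes back."""
    return conn.execute(
        "SELECT company_id, name FROM participants WHERE id = ?", (participant_id,)
    ).fetchone()


class TenantScopedRepo:
    """Every query carries the tenant predicate; callers cannot omit it."""

    def __init__(self, conn, company_id):
        # company_id is taken from the authenticated session, never from the request body
        self.conn = conn
        self.company_id = company_id

    def get_participant(self, participant_id):
        return self.conn.execute(
            "SELECT company_id, name FROM participants WHERE id = ? AND company_id = ?",
            (participant_id, self.company_id),
        ).fetchone()

    def list_participants(self):
        rows = self.conn.execute(
            "SELECT name FROM participants WHERE company_id = ? ORDER BY id",
            (self.company_id,),
        )
        return [name for (name,) in rows]

    def update_glucose(self, participant_id, value):
        """Writes are scoped too; returns the number of rows changed (0 = not our tenant)."""
        cur = self.conn.execute(
            "UPDATE participants SET glucose_mg_dl = ? WHERE id = ? AND company_id = ?",
            (value, participant_id, self.company_id),
        )
        return cur.rowcount


if __name__ == "__main__":
    db = setup_db()
    acme = TenantScopedRepo(db, "acme-screening")
    print("unscoped lookup of id 3:", unscoped_lookup(db, 3))    # leaks Northwind's row
    print("scoped lookup of id 3:  ", acme.get_participant(3))   # None
    print("acme participants:      ", acme.list_participants())
```

Application-layer scoping like this is the minimum to ask a vendor about; database-enforced policies (for example row-level security in the database engine) are stronger because they hold even when a query is written without the predicate.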
Practical HIPAA Checklist for Screening Vendors
Use this checklist to evaluate your current compliance posture. Every item should be in place before your next screening event.
- BAA in place with every vendor that touches PHI (software, lab, hosting, email)
- Staff trained on PHI handling, breach reporting, and device security within the last 12 months
- Devices password-protected with auto-lock timeout of 2 minutes or less
- Data encrypted at rest and in transit across all systems
- Unique user accounts for every screener (no shared logins)
- Audit trail enabled in your screening software, logging all access and modifications
- Risk assessment completed within the last 12 months, documenting identified risks and mitigation steps
- Incident response plan documented and known to all staff who handle PHI
- Paper forms securely destroyed via cross-cut shredding after digitization
- Screen positioning at events prevents other participants from viewing PHI
- Data deletion process documented for handling participant requests
- Email encryption in place if PHI is ever transmitted via email
Frequently Asked Questions
Do biometric screening vendors need to be HIPAA compliant?
Yes. If you collect, store, or transmit protected health information (PHI) -- which includes biometric screening results -- you are a business associate under HIPAA and must comply with its requirements.
What is a BAA and do I need one?
A Business Associate Agreement (BAA) is a legal contract between you and any vendor that handles PHI on your behalf. You need a BAA with your screening software vendor, your lab partner, and any third party that accesses participant health data.
Is HITRUST required for health screenings?
No. HITRUST certification is a voluntary security framework that goes beyond HIPAA requirements. Some large employers and health plans require it, but HIPAA compliance with a signed BAA meets the legal requirements for most screening programs.
Can I use paper forms and still be HIPAA compliant?
Technically yes, but it is significantly harder. Paper forms must be physically secured, transported safely, stored in locked facilities, and properly destroyed. Digital systems with encryption, access controls, and audit trails make HIPAA compliance much more manageable.
Clovi is HIPAA-compliant biometric screening software with encrypted data storage, row-level isolation, audit trails, and a signed BAA included with every account. No shared logins, no unencrypted data, no compliance gray areas.