Are Employee Records and Financial Data Protected by HIPAA? Requirements Explained
You often hear “HIPAA” used to justify keeping workplace information confidential, but the law has a very specific scope. Understanding when HIPAA applies—and when other rules control—is essential to protecting employees, meeting confidentiality requirements, and avoiding penalties.
This guide explains how HIPAA treats employee records and financial data, when an employer is treated as a covered entity, why health information must be segregated, which alternative laws apply, and how to align privacy rule compliance with your information security policies.
HIPAA Coverage of Employee Records
What counts as Protected Health Information (PHI)
Under HIPAA, Protected Health Information is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate that relates to a person’s past, present, or future health condition, the provision of healthcare, or payment for healthcare. The definition expressly excludes employment records held by a covered entity in its role as employer. PHI is therefore about context: who holds the information and in what capacity.
Personnel files versus PHI
Most employee personnel records—such as job applications, performance reviews, salary data, I-9 forms, and routine HR notes—are not PHI, because an employer acting as an employer is not a covered entity, and even a covered entity’s own employment records are carved out of the PHI definition. Medical details that land in personnel files (e.g., notes about accommodations) are therefore generally not HIPAA-governed; instead, they must be handled under the other confidentiality requirements discussed below.
When employee medical data can be PHI
- PHI at the source: If a healthcare provider, health plan, employee assistance program (EAP), or onsite clinic creates or receives the data, it is PHI in that environment.
- Employer copies: When the employer receives health information for employment purposes (fitness-for-duty, drug testing results, vaccination status for workplace safety), the employer’s copy usually is not PHI; however, stricter rules under the Americans with Disabilities Act may apply.
- Plan administration: If the employer accesses health information to perform Health Plan Administrator functions for a group health plan, that information is PHI and triggers HIPAA Privacy Rule compliance for that plan component.
HIPAA Coverage of Financial Data
Financial data by itself is not PHI
Bank account numbers, payroll details, direct-deposit authorization forms, and expense reimbursements are not PHI when handled by an employer for employment or payroll purposes. They are sensitive personal data, but HIPAA does not cover them in that context.
When financial information becomes PHI
Payment and billing information related to healthcare—claims, explanations of benefits, premium billing, and amounts owed to providers—are PHI when created or maintained by a health plan or provider. The same exact financial details kept for non-health purposes (for example, payroll deductions or general accounting) are not PHI.
Practical takeaways
- Keep payroll and reimbursement records outside HIPAA systems.
- Treat plan-related billing and claims data as PHI when accessed for plan administration.
- Apply robust information security policies to all financial data, even when HIPAA does not apply.
Employer as Covered Entity Status
When an employer is—and isn’t—a covered entity
Employers are not covered entities merely because they employ people. A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a standard transaction (such as claims or eligibility inquiries). An employer’s group health plan is itself a covered entity (with a narrow exception for self-administered plans with fewer than 50 participants), and an employer that operates an onsite clinic or EAP meeting the covered-provider definition may be a “hybrid entity” whose designated health care components are subject to HIPAA while the rest of the organization is not.
Plan sponsor and Health Plan Administrator roles
As the plan sponsor, an employer may perform Health Plan Administrator functions (e.g., enrollment, eligibility determinations, appeals). Any PHI it receives from the plan for those purposes is subject to HIPAA. Before the plan may disclose PHI to the sponsor, the plan documents must be amended to restrict how the sponsor uses and discloses it, the sponsor must certify to the plan that it will abide by those restrictions, and access must be limited to the workforce members designated to perform plan functions. Two narrower disclosures do not require these amendments: summary health information used to obtain premium bids or to modify, amend, or terminate the plan, and information on whether an individual is enrolled in or disenrolled from the plan.
Business associate considerations
If the employer provides services to another covered entity involving PHI, it may act as a business associate and must follow contractual and regulatory safeguards. For its own plan, the employer is a plan sponsor, not a business associate.
Segregation of Health Information
Firewalls between employment and plan data
HIPAA requires strict segregation of plan PHI from employment records. Only workforce members assigned to plan administration may access PHI, and they may use it solely for plan purposes—not for hiring, discipline, or other employment decisions.
Operational controls for Privacy Rule compliance
- Access control: Limit PHI access to the minimum necessary workforce performing plan functions.
- Data separation: Maintain plan PHI in systems separate from HR personnel files and general corporate drives.
- Training and procedures: Train designated staff on permitted uses/disclosures and incident response.
- Documentation: Amend plan documents, maintain certifications, and execute business associate agreements with vendors that handle PHI.
- Information Security Policies: Apply encryption, strong authentication, audit logging, and retention/destruction rules tailored to PHI.
ADA and FMLA medical files
Medical information obtained for employment purposes must be stored in confidential medical files separate from personnel files, with access limited on a need-to-know basis. These confidentiality requirements arise primarily under the Americans with Disabilities Act and the Family and Medical Leave Act, not HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Alternative Legal Protections
ADA confidentiality
The ADA requires that medical information about applicants and employees be collected only when permitted, kept confidential, and stored separately. Supervisors may learn about necessary work restrictions or accommodations—but not diagnoses—on a need-to-know basis.
FMLA medical certifications
Under the FMLA, medical certifications and related documents must be kept confidential and separate from personnel files. Only those administering leave may access them.
Other applicable laws and standards
- State privacy and breach-notification laws can impose stricter rules and faster reporting timelines than HIPAA.
- Consumer protection and financial privacy laws may govern non-health financial data even when HIPAA does not.
- Internal confidentiality requirements and information security policies should provide a consistent baseline across all sensitive data.
Penalties for HIPAA Violations
Civil enforcement
The Department of Health and Human Services, through its Office for Civil Rights, can impose tiered civil monetary penalties per violation, with per-violation amounts and annual caps that scale with the organization’s level of culpability (from lack of knowledge to willful neglect). Settlements that include corrective action plans and ongoing monitoring are common.
Criminal enforcement
Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA can trigger criminal penalties (fines and imprisonment), which escalate when the offense is committed under false pretenses and escalate again when it is committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.
When employers face HIPAA liability
Employers incur HIPAA risk when handling PHI for their group health plan or other covered health components (e.g., onsite clinics, EAPs) or when acting as a business associate. Using plan PHI for employment decisions or failing to safeguard PHI are common pitfalls.
Compliance with State Regulations
HIPAA preemption and “more stringent” state laws
HIPAA sets a national floor. If a state law is more protective of individual privacy, that state rule generally controls. Many states also impose separate breach-notification duties that apply to both PHI and non-PHI personal data.
Multi-state employer strategy
- Inventory data flows: Identify where PHI, medical employment records, and financial data reside and who accesses them.
- Map requirements: Layer state rules onto HIPAA, highlighting stricter consent, access, or notification standards.
- Standardize controls: Use common policies with state-specific addenda to minimize operational complexity.
- Test readiness: Run tabletop exercises for privacy incidents affecting both PHI and non-PHI data sets.
Conclusion
Personnel records and standalone financial data are usually outside HIPAA, while health plan and provider records are PHI subject to Privacy Rule compliance. Employers become regulated when they administer plan functions or operate covered health components—and must segregate PHI, restrict access, and enforce strong information security policies. For everything else, the ADA, FMLA, and state laws supply the confidentiality requirements you still need to meet.
FAQs
Does HIPAA protect employee personnel records?
Generally no. Personnel records kept by an employer are not PHI under HIPAA. However, medical information in those files must be kept confidential and stored separately under the ADA and, when applicable, the FMLA.
Is financial data considered protected under HIPAA?
Not by itself. Payroll, direct-deposit, and reimbursement records are not PHI. Financial information tied to healthcare payment or claims, when held by a health plan or provider, is PHI and must be protected under HIPAA.
When is an employer treated as a covered entity?
Employers are not covered entities merely by employing people. HIPAA applies when the employer operates a covered health component (e.g., a group health plan, onsite clinic, or EAP) or accesses PHI to perform Health Plan Administrator functions for its plan.
What are the penalties for HIPAA non-compliance by employers?
HHS can impose tiered civil monetary penalties per violation, potentially alongside corrective action plans. Knowing or malicious misuse of PHI can also lead to criminal penalties. Liability arises when the employer handles PHI for a covered plan or health component or acts as a business associate.