Does HIPAA Apply to FMLA? Privacy Rules for Medical Leave Explained
HIPAA Applicability to Employers
The HIPAA Privacy Rule protects Protected Health Information when it is created or held by a covered entity, such as a health plan or healthcare provider. Under the covered entity definition, most employers are not covered entities simply by being employers. As a result, HIPAA usually does not apply to an employer’s handling of leave-related paperwork.
Employment records—even when they include medical details such as an FMLA medical certification—are generally not PHI under HIPAA. Still, you must treat them with strict employment records confidentiality and limit access to a need-to-know basis. Keep these records separate from personnel files and manage them under FMLA, the Americans with Disabilities Act, and company policy.
If your organization sponsors a group health plan, that plan is a HIPAA covered entity. PHI received in the plan-sponsor role is protected by HIPAA and cannot be used for employment decisions, including FMLA administration, unless a proper authorization permits it.
FMLA Medical Certification Requirements
You may request FMLA medical certification to substantiate a serious health condition for the employee or an eligible family member. The certification typically addresses when the condition began, expected duration, relevant medical facts, and the need for leave or work restrictions. A diagnosis is not required, but sufficient medical facts are.
Employees must be given at least 15 calendar days to return a complete certification, unless that is not practicable under the circumstances. You may seek recertification at appropriate intervals, generally no more often than every 30 days and in connection with an absence, with exceptions when circumstances change significantly, when the employee requests an extension, or when you receive information that casts doubt on the stated reason for leave. When questions remain, you may require second or third opinions at the employer’s expense.
For intermittent or reduced schedule leave, the certification should estimate frequency and duration of episodes. Keep requests narrow, consistent with FMLA rules, and avoid asking for comprehensive medical records unrelated to leave needs.
Handling of FMLA Medical Records
Maintain all FMLA medical records as confidential and separate from regular personnel files. Treat them as Americans with Disabilities Act medical files, stored securely with limited, role-based access. Keep an audit trail recording who viewed, copied, or transmitted these records, and when.
Adopt practical safeguards: store digital files in restricted folders, encrypt data in transit and at rest, and avoid sending forms via unsecured email. Train managers and leave administrators on employment records confidentiality, and follow a written retention and secure-destruction schedule that aligns with FMLA recordkeeping requirements.
Keep FMLA documentation out of workers’ compensation files and away from group health plan PHI. Where it shares a confidential medical file with ADA accommodation records, keep each matter’s documents clearly identifiable. Clear separation reduces risk and reinforces the different legal standards that apply to each record set.
Employer's Role as Plan Sponsor under HIPAA
While an employer is not a covered entity, its group health plan is. HIPAA allows a plan to share PHI with the employer only for limited plan-administration purposes and only if plan documents are amended and “firewalls” restrict who may access PHI. Using PHI for employment actions—such as hiring, discipline, or FMLA decisions—is prohibited without a valid authorization.
FMLA administration is an employment function, not a health plan function. Keep FMLA medical certification and related notes outside of HIPAA-regulated plan records. If PHI must flow from a provider or plan to the employer for FMLA, obtain a HIPAA-compliant authorization and disclose only the minimum necessary.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Confidentiality Obligations under FMLA
FMLA requires that medical certifications and related documents be kept confidential and shared only on a need-to-know basis. Supervisors may be told about approved schedules or work restrictions, but not detailed medical facts. First-aid and safety personnel may receive relevant information if a medical condition could require emergency treatment.
Limit internal discussions to leave-eligibility and scheduling topics. Provide access to government officials investigating compliance when required, and otherwise keep details tightly controlled. Align practices with ADA confidentiality standards to ensure consistent protection.
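As an added illustration of the need-to-know rules above (this is example code written for this article, not a tool or policy the article describes), the block below builds a least-privilege view over an FMLA certification record: leave administrators see the full file, supervisors see only approved schedules and work restrictions, first-aid staff see emergency-relevant details only when the certification flags that emergency treatment could be needed, and every access, granted or denied, is written to an audit log. The field names, role names, role-to-field mapping, and the sample record are all assumptions made for this example.

```python
"""Least-privilege views over an FMLA medical certification record.

Example code for this article. Field names, role names, the role-to-field
map and the sample record are illustrative assumptions, not fixed rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record (values invented for this example).
SAMPLE_RECORD = {
    "employee_id": "E-1042",
    "leave_type": "intermittent",
    "leave_start": "2024-03-01",
    "leave_end": "2024-08-31",
    "approved_schedule": "up to 2 episodes/month, 1-2 days each",
    "work_restrictions": "no lifting over 10 kg",
    "medical_facts": "flare-ups of a chronic condition requiring periodic treatment",
    "provider_contact": "Dr. Example, (555) 010-0000",
    "emergency_info": "may lose consciousness; call 911, do not give oral medication",
    "may_require_emergency_treatment": True,
}

ALL_FIELDS = frozenset({
    "employee_id", "leave_type", "leave_start", "leave_end",
    "approved_schedule", "work_restrictions", "medical_facts",
    "provider_contact", "emergency_info", "may_require_emergency_treatment",
})

# Need-to-know allow-lists per role (assumed roles). Supervisors get
# schedule and restrictions, not medical facts; first-aid staff get only
# emergency-relevant details; leave administrators get the full file.
ROLE_FIELDS = {
    "leave_administrator": ALL_FIELDS,
    "supervisor": frozenset({
        "employee_id", "leave_type", "leave_start", "leave_end",
        "approved_schedule", "work_restrictions",
    }),
    "first_aid": frozenset({"employee_id", "emergency_info"}),
}


@dataclass
class AccessLog:
    """Append-only audit trail: who viewed which fields of whose record."""
    entries: list = field(default_factory=list)

    def record(self, actor: str, role: str, employee_id: str,
               fields: frozenset, granted: bool) -> None:
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "employee_id": employee_id,
            "fields": sorted(fields),
            "granted": granted,
        })


def view_record(record: dict, actor: str, role: str, log: AccessLog) -> dict:
    """Return only the fields `role` may see, logging the access.

    Unknown roles are denied outright (default deny). Withheld fields are
    dropped rather than masked, so the caller cannot infer they exist.
    """
    allowed = ROLE_FIELDS.get(role)
    employee_id = record.get("employee_id", "?")
    if allowed is None:
        log.record(actor, role, employee_id, frozenset(), granted=False)
        raise PermissionError(f"role {role!r} may not view FMLA medical records")

    # First-aid staff receive emergency details only when the certification
    # flags that the condition could require emergency treatment.
    if role == "first_aid" and not record.get("may_require_emergency_treatment"):
        allowed = frozenset({"employee_id"})

    view = {k: v for k, v in record.items() if k in allowed}
    log.record(actor, role, employee_id, frozenset(view), granted=True)
    return view


if __name__ == "__main__":
    log = AccessLog()
    print(view_record(SAMPLE_RECORD, "m.jones", "supervisor", log))
    print(view_record(SAMPLE_RECORD, "nurse1", "first_aid", log))
    try:
        view_record(SAMPLE_RECORD, "c.smith", "payroll", log)
    except PermissionError as exc:
        print("denied:", exc)
    print(len(log.entries), "access log entries")
```

The allow-list is deliberately default-deny: a role that is not listed gets nothing, and the denial itself is logged, which is the evidence you need when showing that access to FMLA medical files was limited to designated staff.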
Employer Access to Medical Information
Employers may contact an employee’s healthcare provider only to authenticate or clarify an FMLA medical certification. This contact must be made by HR, a leave administrator, or a designated management official—never by the direct supervisor. You may not request additional information beyond what FMLA allows or seek broad medical records.
Because providers are subject to HIPAA, they may require a signed authorization before discussing details. When more certainty is needed, rely on FMLA tools such as second or third opinions and recertification windows rather than open-ended data requests. Keep any received information limited, relevant, and securely stored.
Genetic Information Nondiscrimination Act Compliance
The Genetic Information Nondiscrimination Act prohibits employers from requesting, requiring, or purchasing genetic information, including family medical history, except in narrow circumstances. When seeking medical information for an employee’s own FMLA leave, instruct providers not to include genetic information. Use “safe harbor” language in requests to minimize inadvertent acquisition.
When certifying leave to care for a family member, limited family medical history may be obtained as necessary under FMLA. Handle any such information with heightened care, store it with Americans with Disabilities Act medical files, and restrict access. Strong separation from group health plan PHI and consistent employment records confidentiality help you stay compliant.
FAQs
Does HIPAA protect medical records obtained for FMLA leave?
Generally, no. FMLA medical certifications kept by the employer are employment records, not HIPAA PHI. Still, they must be safeguarded under FMLA and ADA confidentiality rules and disclosed only to those who need the information to administer leave or ensure workplace safety.
How must employers keep FMLA medical information confidential?
Store FMLA medical files separately from personnel records, restrict access to HR or designated leave administrators, and disclose only what is necessary for scheduling or safety. Protect data in transit and at rest, follow a clear retention schedule, and train managers on confidentiality obligations.
Can an employer contact an employee's healthcare provider about FMLA certification?
Yes, but only to authenticate or clarify the certification and only through HR, a leave administrator, or another designated official—not the supervisor. You cannot request additional medical details beyond what FMLA permits, and providers may require a HIPAA authorization before speaking.
What are the employer's responsibilities under GINA related to medical information?
Do not request, require, or purchase genetic information, including family medical history, except where a narrow FMLA-related exception applies for a family member’s leave. Use safe-harbor language in requests, avoid collecting genetic details for an employee’s own leave, and store any acquired data confidentially with ADA medical files.