Does HIPAA Protect Employee Personnel Records? What Employers Need to Know

Kevin Henry

HIPAA

November 30, 2024

6 minute read

Employers often face the question, “Does HIPAA protect employee personnel records?” In most cases, the answer is no. HIPAA safeguards Protected Health Information held by a Covered Entity, not ordinary employment files. Still, confidentiality of employment records is legally required under other frameworks. The guidance below is general information to help you structure compliance.

HIPAA’s Scope in Employment Records

HIPAA applies to Protected Health Information (PHI) maintained or transmitted by health plans, most health care providers, and health care clearinghouses, as well as their business associates. PHI relates to an individual’s health status, care, or payment for care when held by a Covered Entity or its agent.

Employment records that an employer keeps in its role as employer—such as sick notes, workers’ compensation forms, ADA accommodation requests, and leave documentation—are not PHI under HIPAA. Even if these records contain medical details, HIPAA does not apply because they are “employment records,” not plan or provider records.

Exceptions exist. For example, an employer’s onsite clinic that bills health insurance may itself be a Covered Entity (or part of a hybrid entity). In that capacity, the clinic’s patient records are PHI, but once medical details move into the employer’s personnel file, they lose HIPAA status and become subject to non-HIPAA rules.

Employer as Covered Entity for Health Plans

An employer is not a Covered Entity simply by being an employer. The group health plan it sponsors is the Covered Entity. When you administer a self-funded plan, the plan (not the employer) must comply with HIPAA’s privacy, security, and breach notification rules. Your benefits staff may handle PHI only for plan administration functions authorized in plan documents.

  • Fully insured plans: The insurer primarily holds PHI. Employers typically receive limited enrollment and summary information.
  • Self-funded plans: The plan sponsor must implement HIPAA “firewalls,” amend plan documents, and restrict access to staff performing plan administration.
  • Minimum necessary standard: Access to PHI must be limited to the minimum needed to perform plan duties, not employment decisions.

Separation of Health Information and Employment Records

Strong segregation of medical information is essential. Keep plan PHI and clinic records separate from personnel files and performance data. Restrict access to designated benefits or clinic staff and prevent supervisors from seeing medical diagnoses they do not need to know.

  • Maintain separate physical and electronic files for plan PHI and for ADA/FMLA documentation.
  • Use role-based access controls, need-to-know permissions, and audit logs; encrypt and limit downloads or local storage.
  • Adopt clear retention schedules for medical files and distinct schedules for personnel records.
  • Train HR, supervisors, and IT on employment records confidentiality and on escalation paths for improper access.

Restrictions on Using PHI in Employment Decisions

PHI obtained through a group health plan cannot be used for hiring, promotion, discipline, or termination. HIPAA prohibits using or disclosing plan PHI for employment purposes without a valid, voluntary authorization from the employee. Even with authorization, consider whether the Americans with Disabilities Act and other laws independently restrict use.

  • Prohibited examples: Using claims data to screen applicants; sharing an employee’s diagnosis from the plan with a manager; conditioning employment on signing a plan PHI authorization.
  • Permissible in limited form: De-identified or aggregated data for plan design or wellness program evaluation; summary health information for premium or plan design decisions that does not identify individuals.
  • Wellness programs: If they collect medical data, ensure compliant authorizations, separation from employment decisions, and safeguards against discrimination.

While HIPAA rarely covers personnel files, several laws protect employee medical information. The Americans with Disabilities Act requires confidentiality for disability-related information and forbids discriminatory use. The Family and Medical Leave Act limits access to and use of medical certifications. GINA restricts collection and use of genetic information. State privacy and health information laws, workers’ compensation statutes, and common law privacy claims may also apply. The Equal Employment Opportunity Commission enforces many of these rules, particularly under the ADA and GINA.

ADA and Confidential Medical Files

The ADA mandates that medical information you obtain through disability-related questions, medical exams, fitness-for-duty inquiries, or accommodation processes be kept in confidential medical files—separate from personnel records. Access is strictly limited.

  • Segregate ADA medical files, whether paper or electronic, from the personnel file; restrict access to HR or others with a legitimate need.
  • Managers may be told only what they need to implement restrictions or accommodations—not diagnoses.
  • First aid and safety personnel may be informed if a condition could require emergency treatment or special procedures.
  • Share information only when legally required (e.g., government inquiries) and document the basis for any disclosure.

FMLA Confidentiality Requirements

Under the FMLA, medical certifications and related documents must be kept confidential, stored separately from personnel files, and used solely to administer leave. Supervisors should not receive diagnosis details; HR communicates only the need-to-know aspects of leave eligibility, schedules, and restrictions.

  • Collect only the certification details necessary to verify a serious health condition and leave duration.
  • Limit access to HR/benefits staff; do not share medical specifics with line managers.
  • Securely retain and then dispose of FMLA medical records per your retention policy and applicable law.
  • Apply the same medical information segregation and minimum-necessary principles used for ADA files.
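The segregation, need-to-know and minimum-necessary rules in the ADA and FMLA lists above, and in the earlier Separation of Health Information and Employment Records section, can be enforced mechanically rather than by policy memo alone. The following Python sketch is an added example and is not code from the article or from Accountable. It keeps each record class (personnel, ADA medical, FMLA medical, plan PHI) in its own store, filters fields per role so a supervisor sees work restrictions but never a diagnosis, refuses plan PHI for any declared employment-decision purpose regardless of role, and writes every attempt to an audit log. The roles, field names, purposes, and the sample employee E100 are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Record classes the article says must be kept apart (constructed names).
PERSONNEL = "personnel"        # reviews, pay, discipline
ADA_MEDICAL = "ada_medical"    # accommodation requests, exam results
FMLA_MEDICAL = "fmla_medical"  # leave certifications
PLAN_PHI = "plan_phi"          # group health plan claims data

# Purposes of use a caller must declare (constructed).
PLAN_ADMIN = "plan_administration"
EMPLOYMENT_DECISION = "employment_decision"
ACCOMMODATION = "accommodation"
EMERGENCY = "emergency_response"

# Constructed policy: fields each role may see per record class. A missing
# role/class pair means no access. Supervisors never see a diagnosis; plan
# PHI is visible only to plan administration; safety staff see only the
# emergency procedure.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "supervisor": {
        PERSONNEL: {"employee_id", "title", "rating"},
        ADA_MEDICAL: {"employee_id", "work_restrictions", "accommodation"},
        FMLA_MEDICAL: {"employee_id", "leave_start", "leave_end"},
    },
    "hr_benefits": {
        PERSONNEL: {"employee_id", "title", "rating", "salary"},
        ADA_MEDICAL: {"employee_id", "work_restrictions", "accommodation", "diagnosis"},
        FMLA_MEDICAL: {"employee_id", "leave_start", "leave_end", "condition"},
    },
    "plan_admin": {PLAN_PHI: {"employee_id", "claim_id", "diagnosis_code", "amount"}},
    "safety_officer": {ADA_MEDICAL: {"employee_id", "emergency_procedure"}},
}

# Purposes permitted per record class. Plan PHI is never released for an
# employment decision, whatever the caller's role.
ALLOWED_PURPOSES: Dict[str, Set[str]] = {
    PERSONNEL: {EMPLOYMENT_DECISION},
    ADA_MEDICAL: {ACCOMMODATION, EMERGENCY},
    FMLA_MEDICAL: {ACCOMMODATION},
    PLAN_PHI: {PLAN_ADMIN},
}


@dataclass
class AuditEntry:
    at: str
    role: str
    record_class: str
    employee_id: str
    purpose: str
    outcome: str        # "allowed", "denied" or "not_found"
    fields: List[str]   # fields actually released (empty unless allowed)


class SegregatedRecords:
    """One store per record class: a read names exactly one class, so a
    personnel lookup cannot return medical data by accident, and every
    attempt, allowed or not, lands in the audit log."""

    def __init__(self) -> None:
        self._stores: Dict[str, Dict[str, dict]] = {c: {} for c in ALLOWED_PURPOSES}
        self.audit: List[AuditEntry] = []

    def put(self, record_class: str, record: dict) -> None:
        self._stores[record_class][record["employee_id"]] = dict(record)

    def read(self, role: str, record_class: str, employee_id: str, purpose: str) -> dict:
        allowed_fields = POLICY.get(role, {}).get(record_class)
        permitted = allowed_fields is not None and purpose in ALLOWED_PURPOSES[record_class]
        if not permitted:
            # Authorization is decided before the lookup, so a denied caller
            # learns nothing about whether a record exists.
            self._log(role, record_class, employee_id, purpose, "denied", [])
            raise PermissionError(f"{role} may not read {record_class} for {purpose}")
        record = self._stores[record_class].get(employee_id)
        if record is None:
            self._log(role, record_class, employee_id, purpose, "not_found", [])
            raise KeyError(employee_id)
        # Minimum necessary: release only the fields this role is entitled to.
        view = {k: v for k, v in record.items() if k in allowed_fields}
        self._log(role, record_class, employee_id, purpose, "allowed", sorted(view))
        return view

    def _log(self, role, record_class, employee_id, purpose, outcome, fields) -> None:
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), role,
                                     record_class, employee_id, purpose, outcome, fields))


def build_sample_store() -> SegregatedRecords:
    """Constructed sample data for one fictitious employee, E100."""
    s = SegregatedRecords()
    s.put(PERSONNEL, {"employee_id": "E100", "title": "Analyst", "rating": 4, "salary": 70000})
    s.put(ADA_MEDICAL, {"employee_id": "E100", "diagnosis": "lumbar disc herniation",
                        "work_restrictions": "no lifting over 10 kg",
                        "accommodation": "sit/stand desk", "emergency_procedure": "none"})
    s.put(FMLA_MEDICAL, {"employee_id": "E100", "condition": "post-surgical recovery",
                         "leave_start": "2024-09-02", "leave_end": "2024-10-14"})
    s.put(PLAN_PHI, {"employee_id": "E100", "claim_id": "C-1",
                     "diagnosis_code": "EXAMPLE-CODE", "amount": 2400.0})
    return s
```

Calling `build_sample_store().read("supervisor", ADA_MEDICAL, "E100", ACCOMMODATION)` returns only the employee id, restrictions and accommodation, while `read("plan_admin", PLAN_PHI, "E100", EMPLOYMENT_DECISION)` raises `PermissionError` even though that role can otherwise read plan PHI; both attempts appear in `audit`. The design point is that the purpose check is tied to the record class, so no role assignment can turn plan PHI into input for an employment decision, which is the firewall the article describes.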

Conclusion

In short, HIPAA generally does not protect employee personnel records, but it does govern PHI in your group health plan and onsite clinical operations. Protect employees by separating plan PHI from employment records, never using PHI for employment decisions, and following the ADA, FMLA, GINA, and related rules to maintain confidentiality and fairness.

FAQs

Does HIPAA apply to employee personnel files?

Generally, no. Employment records kept in the employer’s capacity as an employer are not PHI and are outside HIPAA. However, PHI held by a group health plan or onsite clinic is subject to HIPAA, and separate laws like the ADA and FMLA still protect confidentiality within personnel processes.

Can employers use health information for hiring decisions?

You may not use PHI from a health plan for employment decisions without a valid authorization, and even then the ADA and GINA prohibit discriminatory use of medical or genetic information. Pre-offer disability-related questions are barred; post-offer medical exams must be job-related, consistent with business necessity, and applied uniformly.

What other laws protect employee medical information?

The Americans with Disabilities Act, the Family and Medical Leave Act, and GINA provide core protections, with enforcement by the Equal Employment Opportunity Commission. State privacy and health information laws, workers’ compensation rules, and common law privacy claims may add further obligations.

How must employers store confidential medical records?

Keep medical records in confidential files separate from personnel records, with role-based access, strong authentication, and audit trails. Segregate medical information, limit disclosures to the minimum necessary, train staff on confidentiality, and follow defined retention and secure disposal practices.
