Employer Guide: HIPAA Requirements vs. Personnel Records and HR Documents
This employer guide clarifies when the HIPAA Privacy Rule applies and how it differs from rules governing personnel records and HR documents. You will learn practical steps for Covered Entity Compliance, Medical Record Retention, Personnel File Confidentiality, and Health Plan Administration, so your practices are consistent, lawful, and auditable.
HIPAA Applicability to Personnel Records
HIPAA protects protected health information (PHI) held by covered entities and their business associates. Most day-to-day HR files—such as leave requests, accommodation notes, drug test results, or doctor’s notes collected for attendance—are employment records, not PHI, when held by you in your role as an employer. As a result, they are typically outside HIPAA but still subject to the Americans with Disabilities Act, FMLA, OSHA, workers’ compensation rules, and state privacy laws.
By contrast, PHI maintained by a group health plan (or an onsite clinic that qualifies as a covered entity) is subject to HIPAA. If your HR team receives PHI from the plan, it may use it only for authorized Health Plan Administration purposes and must keep it segregated from personnel records.
Medical Information Handling
The Americans with Disabilities Act requires you to keep employee medical information confidential, stored separately from the personnel file, and shared only on a strict need‑to‑know basis. Collect only what is necessary to make an employment decision, administer benefits, or meet a legal duty, and avoid retaining extraneous diagnosis details.
Good practices include the following:
- Store medical documents (e.g., accommodation notes, FMLA certifications, fitness‑for‑duty, vaccination records) in a confidential “medical” file, not the personnel file.
- Limit access to HR, benefits, and safety personnel who require it to perform their duties; keep a written access protocol and audit trail.
- Use role‑based permissions, encryption, and secure transmission; avoid email threads containing diagnoses where possible.
- Document handling decisions and maintain Privacy Training Documentation so you can prove consistent handling.
Employer as Covered Entity
Your company is usually not itself a HIPAA covered entity; however, your group health plan is. If you sponsor a self‑insured plan or administer benefits in‑house, you may handle PHI for Health Plan Administration. In that capacity, HIPAA’s requirements apply to the plan (and to your workforce performing plan functions), not to the employment records you keep as an employer.
Core Covered Entity Compliance actions for a plan include:
- Amend plan documents to permit disclosure of PHI to the plan sponsor strictly for plan administration, and erect “firewalls” separating plan and employment functions.
- Designate a privacy official and security official; adopt written HIPAA policies and procedures and maintain Privacy Training Documentation.
- Apply minimum necessary access, maintain safeguards, and execute business associate agreements with vendors.
- Provide a Notice of Privacy Practices to plan participants and follow breach notification procedures when required.
- Retain required HIPAA documentation for at least six years from the date of creation or last effective date, whichever is later.
Record Retention Periods
Medical Record Retention and HR recordkeeping are governed by multiple laws. HIPAA sets a six‑year retention rule for HIPAA‑required documentation (e.g., policies, notices, logs); it does not impose a universal medical record retention period on employers. Use the longest applicable period when laws overlap and implement litigation holds when disputes arise.
- HIPAA (plan documents, policies, acknowledgments, logs): retain at least six years.
- FMLA records (eligibility, notices, certifications): retain at least three years.
- EEO/ADA/Title VII (applications, hiring, termination, accommodation records): retain at least one year; longer if a charge or lawsuit is pending.
- ADEA/FLSA payroll and related records: retain at least three years; some supporting documents at least two years.
- OSHA injury/illness logs (300/301/300A): retain five years; employee exposure and medical surveillance records: retain up to 30 years depending on the hazard.
- Form I‑9: retain three years after hire or one year after termination, whichever is later.
- ERISA health plan records (SPDs, claims, appeals): retain at least six years after the filing date of the relevant plan-year report and longer if needed to determine benefits.
- Workers’ compensation: follow state‑specific rules and insurer requirements; keep records at least through claim closure and any appeal period, and align with OSHA’s 30‑year rule if toxic exposures are involved.
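To make the "longest applicable period" rule concrete, here is an added Python example (not part of the guide) that computes the earliest permissible destruction date for a record tagged with several of the rules above, honoring the "whichever is later" anchors for HIPAA and Form I-9 and treating a litigation hold as a block. The rule names, record fields and sample records are assumptions constructed for illustration.

```python
from datetime import date
from typing import Optional

# Retention minimums as stated in the guide above (constructed example,
# not legal advice); further rules from the schedule can be added the same way.
HIPAA_YEARS = 6            # from creation or last effective date, whichever is later
FMLA_YEARS = 3
OSHA_EXPOSURE_YEARS = 30   # exposure / medical surveillance records
I9_YEARS_AFTER_HIRE = 3
I9_YEARS_AFTER_TERMINATION = 1

def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anchor rolls forward to 1 March."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def rule_expiry(rule: str, rec: dict) -> Optional[date]:
    """Earliest destruction date under one rule; None if not yet determinable."""
    if rule == "hipaa":
        anchor = max(rec["created"], rec.get("last_effective", rec["created"]))
        return add_years(anchor, HIPAA_YEARS)
    if rule == "fmla":
        return add_years(rec["created"], FMLA_YEARS)
    if rule == "osha_exposure":
        return add_years(rec["created"], OSHA_EXPOSURE_YEARS)
    if rule == "i9":
        if rec.get("terminated") is None:
            return None  # still employed: the "one year after termination" arm is open
        return max(add_years(rec["hired"], I9_YEARS_AFTER_HIRE),
                   add_years(rec["terminated"], I9_YEARS_AFTER_TERMINATION))
    raise ValueError(f"unknown retention rule: {rule}")

def destruction_date(rec: dict) -> Optional[date]:
    """Longest applicable period wins; a litigation hold or an open-ended rule blocks destruction."""
    if rec.get("litigation_hold"):
        return None
    expiries = [rule_expiry(r, rec) for r in rec["rules"]]
    if any(e is None for e in expiries):
        return None
    return max(expiries)

# Constructed sample records (hypothetical dates) covering the cases the guide distinguishes.
PLAN_DOC = {"rules": ["hipaa"], "created": date(2018, 1, 15), "last_effective": date(2020, 6, 30)}
I9_FORMER = {"rules": ["i9"], "hired": date(2019, 3, 1), "terminated": date(2021, 10, 15)}
I9_CURRENT = {"rules": ["i9"], "hired": date(2022, 5, 1)}
EXPOSURE = {"rules": ["osha_exposure", "fmla"], "created": date(2020, 2, 29)}
HELD = {"rules": ["fmla"], "created": date(2021, 4, 1), "litigation_hold": True}
```

A record that is subject to more than one rule, such as the exposure record above, inherits the 30-year OSHA period rather than the shorter FMLA one.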
Confidentiality of Personnel Files
Personnel File Confidentiality depends on controlling access and content. Keep only job‑related documents in the personnel file (e.g., offer letters, performance reviews) and never commingle medical details. Supervisors may know work restrictions but should not see diagnoses or lab results.
- Grant least‑privilege access to HR and legal; log every access and disclosure of sensitive items.
- Secure storage: locked cabinets for paper; encryption, multi‑factor authentication, and restricted folders for digital files.
- Redact SSNs and medical details when responding to internal requests; route subpoenas or law enforcement requests through counsel.
- Shred or securely wipe records at the end of their retention period and document destruction.
Separation of Medical and Personnel Files
Maintain a distinct “medical file” for each employee to meet ADA confidentiality requirements and avoid accidental use of medical data in employment decisions. This separation also supports HIPAA compliance when the same workforce performs plan and employment functions.
- Place the following in the confidential medical file: pre‑employment and post‑offer medical exams, vaccination records, accommodation and work restriction notes, FMLA certifications, drug/alcohol test results, workers’ compensation medical reports, and exposure monitoring records.
- Keep the personnel file free of diagnoses or treatment details; you may include a simple note indicating approved restrictions or leave dates.
- For health plan PHI, store it in the plan administration files, with access controls and labels indicating that HIPAA protections apply.
Access to Personnel Files
No federal law creates a universal right for employees to view their personnel file, and access rules vary by state. Establish a written process that honors state requirements, protects confidentiality, and distinguishes between personnel files, confidential medical files, and plan PHI.
- Verify identity, review for third‑party privacy, and redact sensitive data before providing access.
- If a request involves medical or exposure records, follow OSHA’s access timelines and documentation rules.
- If a request involves PHI, direct the individual to the health plan’s HIPAA request process.
- Track requests and responses, apply consistent fees where permitted, and never retaliate for lawful requests.
In summary, the HIPAA Privacy Rule governs PHI held for Health Plan Administration, while employment records are governed by other laws. Keep medical and personnel files separate, apply need‑to‑know access, and adopt a retention schedule that defaults to the longest applicable requirement.
FAQs
Does HIPAA protect all employee personnel records?
No. HIPAA generally does not cover employment records, even if they contain health information. HIPAA applies to PHI held by a covered entity (such as your group health plan) or its business associates. Employment records are instead governed by the Americans with Disabilities Act and other workplace laws, plus state privacy rules.
How should employers store medical information separate from personnel files?
Keep a confidential medical file apart from the personnel file. Limit access to HR, benefits, or safety staff with a need to know; store paper files in locked cabinets and digital files in restricted, encrypted folders; label plan PHI as HIPAA‑protected; and maintain Privacy Training Documentation and an access log.
What obligations do employers have when administering their own group health plan?
When you handle PHI for plan purposes, the plan must follow Covered Entity Compliance: amend plan documents, provide a Notice of Privacy Practices, appoint privacy and security officials, implement safeguards, execute business associate agreements, train workforce members, maintain required documentation for at least six years, and follow breach notification rules.
How long must medical records for workers' compensation claims be retained?
Retention periods are set by state law and insurer requirements. Keep records at least through claim closure and any appeal period, honor litigation holds, and align with longer federal rules when applicable—for example, retain exposure and medical surveillance records for extended periods under OSHA where toxic exposures are involved.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.