Employer Guide: HIPAA Rules for Employee Health Records and Privacy
As an employer, you handle sensitive employee health information in many contexts. This guide explains when HIPAA applies to you, what counts as Protected Health Information (PHI), and how the Privacy and Security Rules shape day-to-day practices. You’ll also see how your Group Health Plan fits into HIPAA and what State Privacy Regulations and confidentiality requirements mean for your policies.
HIPAA Applicability to Employers
HIPAA protects PHI held by Covered Entities and their business associates. For most organizations, HIPAA reaches you through your role as a plan sponsor of a Group Health Plan or if you operate a healthcare component (for example, an on-site clinic that conducts standard electronic transactions). In those settings, HIPAA’s Privacy and Security Rules govern how PHI is created, received, used, disclosed, and safeguarded.
By contrast, HIPAA generally does not regulate your ordinary employment files. When you receive health details as an employer—such as a doctor’s note for sick leave—that information is usually an employment record, not PHI. The next section explains this exclusion and its limits so you can separate HIPAA obligations from other confidentiality requirements you still owe employees.
Employment Records Exclusion
HIPAA expressly excludes “employment records” maintained by an employer, even if the employer also sponsors a health plan. Common examples include sick-leave notes, fit-for-duty evaluations, drug or alcohol testing results you receive as an employer, and documentation supporting ADA or FMLA accommodations. These records are not PHI under HIPAA.
Exclusion does not mean free use. Employment records remain sensitive and are often regulated by State Privacy Regulations, disability and labor laws, workers’ compensation rules, and internal confidentiality requirements. To stay compliant, maintain these records separately from personnel files, restrict access to those with a legitimate business need, and apply clear retention and secure destruction practices.
Employer as Covered Entity
An employer is not a Covered Entity merely because it employs people. However, a self-insured or fully insured Group Health Plan is a Covered Entity, and an on-site clinic that provides care and transmits standard transactions can be a Covered Entity or part of a “hybrid entity.” In those cases, HIPAA obligations attach to the health plan or healthcare component, not to the employer as a whole.
As a plan sponsor, you may receive PHI from the plan only for plan administration and only if plan documents are amended to permit that access. You must establish “firewalls” so PHI is not used for employment decisions, ensure business associate agreements with TPAs and vendors, designate privacy and security officials, provide a Notice of Privacy Practices to plan participants, and implement Security Rule safeguards for electronic PHI (ePHI).
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Use of Employee Health Information
PHI from a Group Health Plan may be used or disclosed for treatment, payment, and healthcare operations, and for limited plan administration functions. Using PHI for hiring, promotion, discipline, or termination requires a valid employee authorization; absent that, it is prohibited. Apply the Privacy Rule’s “minimum necessary” standard and keep PHI strictly segregated from general HR files.
- Limit access to defined roles and document who can see PHI and why.
- Store PHI separately from personnel records; do not combine files.
- For ePHI, implement Security Rule controls: risk assessments, encryption, strong authentication, audit logging, and secure transmission and disposal.
- Train staff annually on permitted uses, disclosures, and incident reporting.
- Use de-identified or aggregated data whenever possible for analytics or benefits planning.
State Privacy Laws
HIPAA sets a federal floor. If State Privacy Regulations are more protective, they generally control. States may have medical privacy acts, consumer privacy statutes that may or may not cover employee data, breach notification laws, and special protections for categories such as mental health, genetic, or HIV information. Workers’ compensation regimes and public health reporting rules can also shape what you may disclose.
Build a state-by-state matrix that maps which employee health information is covered, the applicable notice and consent requirements, breach triggers, and retention rules. Ensure contracts with brokers, TPAs, and other vendors reflect these state-specific obligations, not just HIPAA’s baseline.
Confidentiality Obligations
Regardless of HIPAA status, you owe employees strong confidentiality protections. Clear, consistently enforced policies reduce risk and demonstrate reasonable safeguards for employee health information.
- Define what counts as PHI versus employment records, and route each to the correct repository.
- Apply “need-to-know” access, with approvals, monitoring, and periodic reviews.
- Adopt written policies for retention, secure destruction, and litigation holds.
- Vet vendors for Security Rule–aligned controls; execute business associate agreements when required.
- Maintain an incident response plan covering investigation, notification, and remediation for both HIPAA and state-law breaches.
- Audit regularly and document training, decisions, and corrective actions.
In short, treat plan-related PHI under HIPAA’s Privacy and Security Rules, keep employment records outside HIPAA but under strict confidentiality requirements, and overlay State Privacy Regulations where they are more protective. This disciplined separation lets you run your benefits programs effectively while respecting employee privacy.
FAQs
Are employer-held health records subject to HIPAA?
Generally no. Employment records—such as sick notes, fitness-for-duty letters, and accommodation documentation—are not PHI under HIPAA. However, PHI held by your Group Health Plan or a healthcare component you operate is subject to HIPAA, and those records must follow the Privacy and Security Rules.
How does HIPAA apply to employer-sponsored health plans?
The Group Health Plan is the Covered Entity. It must designate privacy and security officials, provide a Notice of Privacy Practices, implement Security Rule safeguards for ePHI, limit uses and disclosures to permitted purposes, and ensure plan documents and vendor contracts allow only plan administration uses. PHI from the plan cannot be used for employment decisions without an employee’s authorization.
What state laws affect employee health information privacy?
State Privacy Regulations may include medical privacy statutes, consumer privacy laws that sometimes reach HR data, breach notification requirements, and special rules for sensitive categories like mental health, genetic, or HIV information. Workers’ compensation and public health laws can also mandate or restrict disclosures, and more protective state rules generally control.
What confidentiality practices must employers follow for health data?
Separate PHI from general HR files, restrict access to defined roles, apply the minimum necessary standard, encrypt and log access to ePHI, train staff, execute appropriate vendor agreements, and maintain incident response, retention, and secure disposal procedures. These confidentiality requirements help you comply with HIPAA where it applies and protect employee health information everywhere else.