Employer HIPAA Compliance: When You Need Employee Authorization to Share PHI
HIPAA Authorization Requirement
HIPAA protects individually identifiable health information—called Protected Health Information (PHI)—held by covered entities (health plans, most providers) and their business associates. In employer HIPAA compliance, you need an employee’s written authorization whenever a use or disclosure of PHI is not otherwise permitted by HIPAA or another law.
Common situations requiring a PHI Disclosure Authorization include sharing group health plan claims data with HR for a personnel action, disclosing pharmacy records to a manager, or releasing EAP notes for non-plan purposes. If the purpose is unrelated to treatment, payment, health care operations, or another explicit permission, get an authorization first.
Elements of a valid authorization
- Specific description of the PHI to be used or disclosed and the purpose.
- Who may disclose the PHI and who may receive it (by name or role).
- Expiration date or event, plus the employee’s signature and date.
- Statements about the right to revoke, potential for re-disclosure, and any applicable conditioning notices.
Authorizations must be voluntary, written in plain language, and separate from other acknowledgments. Keep a record of each authorization and any revocation. Although the Minimum Necessary Rule does not apply to disclosures made pursuant to an authorization, you should still limit what you request or share to what is reasonably needed.
Permitted Disclosures Without Authorization
HIPAA allows certain uses and disclosures of PHI without an employee’s authorization. Knowing these narrow lanes helps you avoid over-collecting or misusing health data.
Core permissions
- Treatment, payment, and health care operations by the plan or provider.
- Disclosures to the individual (employee) about their own PHI.
- Required-by-law disclosures (for example, to comply with a court order).
- Health oversight, law enforcement, and judicial/administrative proceedings, as permitted.
- Workers’ compensation and similar programs, to the extent authorized by such laws.
- Public Health Emergency Disclosures (for example, to public health authorities or to avert a serious threat).
Plan sponsor–specific permissions
- Enrollment and disenrollment information from the group health plan to the employer.
- Summary health information to the plan sponsor for obtaining premium bids or amending, modifying, or terminating the plan.
- PHI for plan administration if the plan documents are amended and appropriate safeguards are in place (separating plan functions from employment decisions).
Outside these permissions, do not disclose PHI to supervisors or other staff without a valid authorization. De-identified data and limited data sets (with a data use agreement) are alternatives when individual-level information is not necessary.
Employee Health Information Exemption
Not all employee health-related information is PHI. HIPAA excludes “employment records” held by an employer in its role as employer. Examples include drug test results, workplace injury reports kept by HR, ADA accommodation files, FMLA certifications stored in personnel systems, and fitness-for-duty notes provided to HR.
These employment records are not PHI—even if they contain medical details—because they are not maintained by a covered entity or its business associate for health care functions. However, they remain subject to other rules (e.g., ADA confidentiality, OSHA, and State Privacy Laws). Maintain separate files and access controls so employment records never mingle with Employee Benefit Plan Records.
Minimum Necessary Standard
The Minimum Necessary Standard (often called the Minimum Necessary Rule) requires you to limit uses, disclosures, and requests for PHI to the least amount needed to accomplish the purpose. Apply it through role-based access, data segmentation, and documented approval paths for non-routine disclosures.
- Routine disclosures: adopt policies that pre-define what data elements may be used or shared.
- Non-routine disclosures: assess each request individually and document the rationale.
- Exceptions: the standard does not apply to disclosures to the individual, for treatment, or when made pursuant to a valid authorization.
Build practical guardrails—need-to-know training, identity verification, and audit trails—to demonstrate compliance and prevent overexposure.
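To make the decision rules in the authorization and permitted-disclosure sections and the Minimum Necessary Standard concrete, here is an added Python example (not code from the original article or from any vendor) of a policy check a benefits or HR system could run before releasing a record. The purpose names, record types, recipient roles and routine field sets are constructed stand-ins for whatever a real plan's policies define.

```python
from dataclasses import dataclass

# Constructed policy tables encoding the permissions the text describes.
PERMITTED_PURPOSES = {"treatment", "payment", "health_care_operations",
                      "required_by_law", "public_health", "workers_compensation"}
# Plan-sponsor permissions: purpose -> record types the sponsor may receive
SPONSOR_PERMISSIONS = {
    "enrollment": {"enrollment"},
    "premium_bids": {"summary_health_information"},
    "plan_administration": {"claims", "eligibility", "enrollment"},
}
# Employment records held by the employer in its role as employer (not PHI)
EMPLOYMENT_RECORDS = {"drug_test", "injury_report", "ada_file",
                      "fmla_certification", "fitness_for_duty"}
# Pre-defined data elements for routine disclosures (hypothetical values)
ROUTINE_FIELDS = {
    "payment": {"member_id", "claim_id", "amount", "service_date"},
    "enrollment": {"member_id", "coverage_tier", "effective_date"},
}

@dataclass
class DisclosureRequest:
    record_type: str
    purpose: str
    recipient: str              # "individual", "plan_sponsor", "supervisor", ...
    plan_amended: bool = False  # plan documents amended with sponsor safeguards
    has_authorization: bool = False

def classify(req):
    # Order matters: exemption first, then permissions, then authorization.
    if req.record_type in EMPLOYMENT_RECORDS:
        return "EXEMPT"                 # not PHI; other laws still govern it
    if req.recipient == "individual" or req.purpose in PERMITTED_PURPOSES:
        return "PERMITTED"
    if req.recipient == "plan_sponsor":
        allowed = SPONSOR_PERMISSIONS.get(req.purpose, set())
        amended_ok = req.plan_amended or req.purpose != "plan_administration"
        if req.record_type in allowed and amended_ok:
            return "PERMITTED"
    return "PERMITTED_BY_AUTHORIZATION" if req.has_authorization else "AUTHORIZATION_REQUIRED"

def minimum_necessary(req, record):
    # Filter a permitted disclosure down to the pre-defined routine fields.
    decision = classify(req)
    if decision in ("AUTHORIZATION_REQUIRED", "EXEMPT"):
        raise PermissionError(f"not releasable via the PHI pathway: {decision}")
    if decision == "PERMITTED_BY_AUTHORIZATION" or req.recipient == "individual" or req.purpose == "treatment":
        return dict(record)             # standard does not apply (exceptions above)
    fields = ROUTINE_FIELDS.get(req.purpose)
    if fields is None:
        return None                     # non-routine: review individually and document
    return {k: v for k, v in record.items() if k in fields}
```

A `None` result is the signal to route the request to a documented individual review rather than to release anything automatically.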
State Laws and Additional Requirements
HIPAA sets a national baseline. When State Privacy Laws are more stringent—such as stronger protections for mental health, substance use disorder, HIV, genetic, or reproductive health information—you must follow the stricter rule. Multi-state employers should map requirements state by state and standardize to the highest common denominator where feasible.
During emergencies, state or local public health orders may require or permit specific disclosures. Align your HIPAA analysis with these directives and memorialize your basis for any Public Health Emergency Disclosures.
Employer's Role as Business Associate
Employers are generally not business associates of their own group health plans; instead, plan documents must be amended to allow the plan sponsor to receive PHI for plan administration with proper safeguards. Third-party administrators and vendors that handle plan PHI must sign a Business Associate Agreement (BAA) with the plan.
An employer does become a business associate if it provides services to an external covered entity involving PHI (for example, a company clinic managing care for an unaffiliated provider). In that case, the employer’s service unit must execute a BAA and implement the administrative, physical, and technical safeguards required for business associates, including breach notification processes.
Good practices for BA engagements
- Limit the scope of services, and the PHI involved, to what the Minimum Necessary Rule allows.
- Segment BA operations from HR and employment functions to avoid impermissible cross-use.
- Maintain vendor oversight, data maps, and incident response playbooks.
Employee's Right to Access PHI
Employees have the right to access, inspect, and obtain copies of their PHI held by a covered entity in a designated record set, including Employee Benefit Plan Records such as claims, EOBs, eligibility, and enrollment data maintained by the plan or its vendors. Requests should specify the format (electronic or paper), and reasonable, cost-based fees may apply for copies.
Timing matters: the plan or provider must respond within applicable deadlines, with a narrow extension allowed when necessary. This right does not extend to employment records held by the employer in its role as employer. If a request mixes plan PHI and non-PHI employment files, separate the streams and process only the PHI under HIPAA.
Conclusion
In practice, you need employee authorization to share PHI whenever a disclosure falls outside HIPAA’s defined permissions. Keep employment records separate from plan PHI, apply the Minimum Necessary Standard, respect stronger State Privacy Laws, and use Business Associate Agreements where required. These habits make employer HIPAA compliance actionable, auditable, and resilient—especially during public health emergencies.
FAQs
When is employee authorization required to share PHI?
You need a written PHI Disclosure Authorization whenever the use or disclosure is not expressly permitted by HIPAA (for example, sending plan claims data to a supervisor for a personnel decision). If in doubt, default to obtaining authorization and limit the disclosure to the minimum reasonably necessary.
Can employers disclose PHI without employee consent?
Yes, but only within HIPAA’s narrow allowances—such as treatment, payment, health care operations, required-by-law disclosures, certain public health and safety situations, workers’ compensation, and limited plan sponsor communications (enrollment, summary health information, and plan administration with proper safeguards). Anything outside these lanes requires authorization.
What records are exempt from HIPAA in employment?
Employment records held by the employer in its role as employer—like drug test results, ADA accommodation files, FMLA certifications, and routine HR injury reports—are not PHI. They remain protected by other laws and company policy, but HIPAA’s PHI rules do not apply to those employment records.
How should employers handle PHI during public health emergencies?
Use HIPAA’s permitted Public Health Emergency Disclosures to share only what is necessary with public health authorities or to prevent a serious and imminent threat. Keep disclosures targeted, document your legal basis, apply the Minimum Necessary Rule, and continue separating plan PHI from employment records while following any stricter state or local directives.