FMLA and HIPAA Explained: What Employers Can Ask and How Your Medical Privacy Is Protected

Kevin Henry

HIPAA

June 15, 2025

Employer Rights Under FMLA

Under the Family and Medical Leave Act, you may request enough information to decide whether an absence qualifies for leave and how much time is needed. You can ask for a Medical Certification that verifies a serious health condition and supports the need for leave, without demanding a specific diagnosis.

  • Require timely notice and compliance with your usual call-in rules unless impracticable.
  • Request an initial Medical Certification and, when appropriate, recertification to confirm continuing need for leave.
  • Seek a second opinion at your expense, from a provider you do not regularly employ, when you have reason to doubt the validity of the certification; if the first two opinions conflict, obtain a third, binding opinion from a provider you and the employee jointly approve.
  • Contact the health care provider through HR or a leave administrator, never through the employee’s direct supervisor, either to authenticate the form (confirm the provider completed or authorized it; no additional medical information may be requested) or to clarify it. Clarification asks the provider for information it may release only with the employee’s HIPAA authorization; an employee who declines to authorize and does not otherwise clarify the form may be denied FMLA leave.
  • Require a fitness-for-duty release tied to essential job functions before return to work, if applied uniformly.
  • Count qualifying absences as FMLA leave and coordinate with paid time off and disability benefits consistent with your policies.

Keep direct supervisors out of provider contacts, limit questions to what the FMLA allows, and avoid probing for unnecessary details. Using the Department of Labor’s model forms helps you stay within the law while gathering what you need.

Medical Certification Requirements

A proper Medical Certification should include the provider’s contact information and specialty, when the condition began, the probable duration, and appropriate medical facts. It should also state that the employee cannot perform one or more essential job functions or needs to care for a family member, and—if leave is intermittent—the expected frequency and duration of episodes.

  • Timing: Give at least 15 calendar days to return the certification; allow more if not practicable despite the employee’s diligent efforts.
  • Incomplete forms: Specify in writing what is missing and allow seven days to cure the deficiency.
  • Recertification: Generally no more often than every 30 days in connection with an absence, or sooner if circumstances change or information casts doubt; for long-term conditions, every six months with an absence is typical.
  • Second/third opinions: Permitted at your cost when reliability is in question.
  • Fitness-for-duty: Limit requests to job-related, essential functions and apply the requirement across similar roles.

Focus on “appropriate medical facts” rather than a diagnosis, and capture only what you need to determine eligibility and schedule management. This keeps your Confidentiality Requirements tight and reduces risk.

Confidentiality of Medical Records

Treat all leave-related and Disability-Related Medical Information as confidential. Maintain it in a medical file separate from personnel records, restrict access to a need-to-know basis, and store it securely in paper or electronic form.

You may share limited information with supervisors about work restrictions or accommodations and with first-aid or safety staff when necessary. Retain FMLA records, including certifications and recertifications, for at least three years as part of your compliance files.

Limit references in routine HR systems to dates and leave type rather than Protected Health Information. Clear protocols reduce inadvertent disclosures and help you meet applicable Confidentiality Requirements.
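The separation the preceding paragraphs describe (dates and leave type in the routine HR system, the certification in a separate confidential file, supervisors limited to work restrictions, first-aid staff limited to what an emergency requires, every access logged) is a least-privilege data design, and it is easier to audit when the code enforces it rather than a policy memo. The following is an added illustration in Python, not code from the article or from Accountable; the role names, field names, access table and the sample employee are assumptions constructed for the example.

```python
"""Need-to-know views over a segregated medical file.

Added illustration (not the article's code): the routine HR record holds only
dates and leave type, the medical file lives in a separate store, every role
sees only the fields it needs, and every read (granted or denied) is logged.
Role names, field names and the sample employee are assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class LeaveRecord:
    """What the routine HR system stores: dates and leave type, nothing medical."""
    employee_id: str
    leave_type: str   # e.g. "FMLA-intermittent"
    start: date
    end: date


@dataclass(frozen=True)
class MedicalFile:
    """The separate, confidential file holding the certification contents."""
    employee_id: str
    provider_contact: str
    onset: date
    probable_duration: str
    medical_facts: str        # "appropriate medical facts", not a diagnosis
    work_restrictions: str    # the one medical field a supervisor needs
    emergency_treatment: str  # what first-aid/safety staff may need to know


# Fields each role may read from the medical file. A role absent from this
# table has no need-to-know and is refused outright (assumed role names).
MEDICAL_FILE_ACCESS = {
    "leave_administrator": {"provider_contact", "onset", "probable_duration",
                            "medical_facts", "work_restrictions",
                            "emergency_treatment"},
    "supervisor": {"work_restrictions"},
    "first_aid_staff": {"emergency_treatment"},
}


class AccessDenied(PermissionError):
    pass


class MedicalFileStore:
    """In-memory stand-in for the locked cabinet / encrypted medical-file store."""

    def __init__(self):
        self._files = {}
        self.audit_log = []   # one entry per read attempt, granted or not

    def add(self, mf: MedicalFile) -> None:
        self._files[mf.employee_id] = mf

    def read(self, requester: str, role: str, employee_id: str) -> dict:
        allowed = MEDICAL_FILE_ACCESS.get(role, set())
        # Log before deciding, so denied attempts are recorded too.
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "requester": requester, "role": role, "employee_id": employee_id,
            "fields": sorted(allowed), "granted": bool(allowed),
        })
        if not allowed:
            raise AccessDenied(f"role {role!r} may not read medical files")
        # Project to the permitted fields only: medical facts never leave the
        # store for a supervisor or first-aid request.
        return {k: v for k, v in asdict(self._files[employee_id]).items()
                if k in allowed}


def build_demo():
    """Constructed sample data (not real records)."""
    record = LeaveRecord("E1001", "FMLA-intermittent",
                         date(2025, 6, 2), date(2025, 12, 1))
    store = MedicalFileStore()
    store.add(MedicalFile(
        employee_id="E1001",
        provider_contact="Dr. A. Example, Internal Medicine, 555-0100",
        onset=date(2025, 5, 20),
        probable_duration="6 months",
        medical_facts="Flare-ups requiring rest and follow-up visits",
        work_restrictions="No shifts over 8 hours; 1-2 absences/month expected",
        emergency_treatment="None anticipated",
    ))
    return store, record


if __name__ == "__main__":
    store, record = build_demo()
    print("HR system sees:", asdict(record))
    print("supervisor sees:", store.read("mgr-17", "supervisor", "E1001"))
    try:
        store.read("rec-01", "recruiter", "E1001")
    except AccessDenied as e:
        print("denied:", e)
    print("audit entries:", len(store.audit_log))
```

Two design choices carry the weight. The HR-side `LeaveRecord` has no medical fields at all, so no report or export from that system can leak a diagnosis, whatever query is run against it. And the access table is the single place that encodes need-to-know, so widening a role (for example giving supervisors `medical_facts`) is a visible, reviewable change rather than an ad-hoc lookup, and the audit log shows who asked for what, including requests that were refused.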

Employer Obligations Under HIPAA

HIPAA’s Privacy Rule primarily governs covered entities like health plans and health care providers, not employers in their role as employers. Employment records—such as FMLA forms you hold for attendance and leave decisions—are not PHI under HIPAA, though they remain subject to confidentiality under other laws.

If you sponsor a group health plan and receive PHI for plan administration, HIPAA applies. You must use or disclose only the minimum necessary PHI, never use PHI for hiring, firing, or discipline without a valid authorization, and follow the Security Rule’s safeguards for electronic PHI along with breach notification duties.

Train the limited workforce members who handle PHI, apply sanctions for violations, and document your policies. Aligning internal processes with the Privacy Rule keeps patient-level data out of employment decisions.

Group Health Plan PHI Handling

As a plan sponsor, structure Group Health Plan Administration to keep Protected Health Information siloed from employment functions. Update plan documents to authorize PHI disclosures solely for payment and health care operations, and identify which workforce members may access PHI.

  • Implement administrative, physical, and technical safeguards, including access controls, encryption for ePHI, and audit logging.
  • Enter Business Associate Agreements with TPAs and vendors that handle PHI.
  • Provide a Notice of Privacy Practices to participants and honor individual rights such as access and amendments.
  • Apply the minimum necessary standard to routine disclosures and use summary or de-identified data whenever possible.
  • Follow Breach Notification Rule timelines: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify HHS within the same window for breaches affecting 500 or more individuals (smaller breaches are logged and reported annually); and notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected.

When leaders need data for budgeting or plan design, use summary health information rather than identifiable PHI. This preserves privacy while enabling sound plan management.

ADA and GINA Protections

The Americans with Disabilities Act limits disability-related inquiries and medical exams to those that are job-related and consistent with business necessity. All Disability-Related Medical Information must be kept confidential in a separate file, with narrow exceptions for supervisors (work restrictions), first aid/safety, and government investigations.

The Genetic Information Nondiscrimination Act bars you from requesting, requiring, or purchasing genetic information—including family medical history—except for narrow exceptions. Never use genetic information in employment decisions, and include GINA “safe harbor” language on medical requests to instruct providers not to supply genetic details.

When certifying leave to care for a family member, you may receive the information necessary to verify the need for leave. Even then, ask only for what is required and avoid broader family history. Strong Confidentiality Requirements apply to any data you receive.

Compliance Best Practices

  • Standardize: Use DOL model certifications, define who may request information, and script communications to providers.
  • Separate: Keep FMLA, ADA, and workers’ compensation files apart from personnel records; restrict access and track it.
  • Minimize: Collect only what you need, apply the minimum necessary standard, and avoid diagnoses unless essential.
  • Authorize: Obtain HIPAA-compliant authorizations before asking a provider to clarify a certification, and route the contact through HR or a leave administrator; the employee’s direct supervisor may never contact the provider.
  • Secure: Encrypt ePHI, lock paper files, and adopt breach response playbooks with clear reporting timelines.
  • Train: Educate managers and HR on FMLA eligibility, Medical Certification boundaries, ADA confidentiality, and the Privacy Rule.
  • Coordinate: Align FMLA with paid leave, disability benefits, and state leave laws; calendar recertification and fitness-for-duty dates.
  • Govern: Update plan documents for Group Health Plan Administration, maintain BAAs, and audit vendor safeguards.

Conclusion

Use FMLA to verify legitimate leave through targeted Medical Certification, protect confidentiality under the ADA, and reserve HIPAA duties for your group health plan’s PHI. Clear roles, minimal data collection, and disciplined processes let you manage leave lawfully while safeguarding employee privacy.

FAQs

What medical information can employers request under FMLA?

You may ask for Medical Certification showing when the condition began, its expected duration, appropriate medical facts, and why the employee cannot perform essential functions or must care for a family member. For intermittent leave, you can request expected frequency and duration. Avoid demanding a diagnosis and limit follow-up to authentication or clarification through HR with the employee’s permission.

How must employers handle medical records under HIPAA?

Employment records you hold for leave or accommodation are not PHI under HIPAA. HIPAA applies when you, as plan sponsor, receive PHI from the group health plan for administration. In that role, follow the Privacy Rule, Security Rule, and Breach Notification Rule, restrict access to designated staff, and never use PHI for employment decisions without an authorization.

What protections does ADA provide for employee medical information?

The ADA requires you to keep Disability-Related Medical Information confidential and in a separate file, share only with those who need to know, and limit medical inquiries or exams to situations that are job-related and consistent with business necessity. Supervisors may learn about restrictions or accommodations, not diagnoses.

How does GINA restrict employer inquiries?

GINA prohibits requesting, requiring, purchasing, or using genetic information—including family medical history—for employment decisions, with narrow exceptions. Include safe-harbor language on forms to discourage providers from sending genetic information, and avoid soliciting family history except when necessary for leave certification under applicable laws.
