HIPAA and ADA Overlap Explained: Privacy, Medical Information, and Workplace Accommodations


Kevin Henry

HIPAA

November 07, 2025

6 minutes read
HIPAA Applicability in Healthcare and Employment

What HIPAA covers

The HIPAA Privacy Rule governs how protected health information (PHI) is used and disclosed by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and by their business associates. The companion Security Rule requires administrative, physical, and technical safeguards for PHI that is held or transmitted electronically.

How HIPAA touches the workplace

Employers, acting as employers, are generally not covered entities. However, an employer’s group health plan is a covered entity, and wellness programs integrated with that plan must follow HIPAA. PHI from your doctor or health plan is protected; the same medical details kept by HR as employment records are usually not PHI.

Separating PHI from employment files

Employment Medical Records you maintain for hiring, leave, or accommodations are typically outside HIPAA but remain sensitive. Treat them with strong Confidentiality Safeguards and manage access on a strict need-to-know basis to align with your Employer Compliance Obligations.

ADA Confidentiality Requirements for Employers

Core duty: ADA medical confidentiality

The ADA requires you to keep all disability-related information and results of medical exams confidential. Store these records separately from personnel files, limit access, and share only what supervisors must know to implement accommodations or work restrictions.

Scope of information

ADA Medical Confidentiality applies to information obtained through disability-related inquiries, post-offer or fitness-for-duty exams, and Work Accommodation Documentation. When you request documentation, ask only for functional limitations and needed adjustments—not detailed diagnoses unless truly job-related.

Practical safeguards

  • Maintain locked cabinets or restricted folders with role-based permissions.
  • Use unique access controls, audit logs, and clear retention schedules.
  • Train managers on what they may see and how to keep it confidential.

Exceptions to ADA Medical Information Confidentiality

Medical information disclosure exceptions

  • Supervisors and managers may be informed about necessary work restrictions or accommodations.
  • First-aid and safety personnel may be told if a condition could require emergency treatment.
  • Government officials investigating ADA compliance may access relevant information upon request.

Additional lawful disclosures

In limited situations, other laws may require disclosure (for example, compliant responses to subpoenas or legally mandated insurance reporting). Share only what is necessary, document the legal basis, and notify the employee when appropriate.

Handling and Storage of Medical Records

File architecture and retention

Keep Employment Medical Records and Work Accommodation Documentation in a standalone medical file, separate from performance or general HR files. Retain only as long as needed to meet business needs and legal retention rules, then dispose of records securely.

Confidentiality safeguards in practice

  • Use least-access principles, encryption for digital repositories, and secure transmission methods.
  • Label files clearly as confidential medical records to prevent casual access.
  • Limit what you collect; avoid storing unneeded test results or full charts.
  • Shred paper records and securely wipe media at end of life.

Manager communications

When informing supervisors, provide only actionable details—work restrictions, schedule changes, or equipment needs—without revealing diagnoses. This honors ADA Medical Confidentiality while enabling day-to-day management.
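The access pattern described under Practical safeguards, the three ADA disclosure exceptions, and the manager-communications rule above can be expressed as one small piece of code. The following is an added example, not code from the article or from Accountable: a standalone medical-file store with deny-by-default, role-scoped views (supervisors see restrictions and accommodations but never the diagnosis; first-aid staff see only emergency information; only the file custodian or an ADA investigator sees everything), an audit entry for every access attempt whether granted or not, and a retention purge. The role names, field names, and sample records are constructed for illustration.

```python
"""Need-to-know views over a segregated medical file, with an audit log.

Added example. Roles, fields and sample data are constructed; adapt the
ROLE_VIEWS table to your own policy before using this pattern.
"""
from dataclasses import asdict, dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Set

# Which record fields each role may see. Anything not listed is withheld.
# The diagnosis never leaves the medical file except to its custodian or
# to a government official investigating ADA compliance.
ROLE_VIEWS: Dict[str, Set[str]] = {
    "medical_custodian": {"employee_id", "restrictions", "accommodations", "emergency_info", "diagnosis"},
    "ada_investigator":  {"employee_id", "restrictions", "accommodations", "emergency_info", "diagnosis"},
    "supervisor":        {"employee_id", "restrictions", "accommodations"},   # actionable details only
    "first_aid":         {"employee_id", "emergency_info"},                   # only if treatment may be needed
}


@dataclass
class MedicalRecord:
    employee_id: str
    diagnosis: str             # sensitive; see ROLE_VIEWS
    restrictions: List[str]    # what a supervisor must enforce
    accommodations: List[str]  # what a supervisor must provide
    emergency_info: str        # what first-aid staff need in an emergency
    retain_until: date         # retention schedule; record is purged after this date


@dataclass
class MedicalFileStore:
    """Standalone medical file. Personnel and performance records live in a different store."""
    records: Dict[str, MedicalRecord] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def add(self, rec: MedicalRecord) -> None:
        self.records[rec.employee_id] = rec

    def view(self, requester: str, role: str, employee_id: str, purpose: str) -> dict:
        """Return only the fields ROLE_VIEWS permits for this role; log every attempt."""
        allowed = ROLE_VIEWS.get(role, set())          # unknown role -> empty view -> denied
        granted = bool(allowed) and employee_id in self.records
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": "view", "requester": requester, "role": role,
            "employee_id": employee_id, "purpose": purpose, "granted": granted,
            "fields": sorted(allowed) if granted else [],
        })
        if not granted:
            raise PermissionError(f"{requester} ({role}) may not view medical file {employee_id}")
        full = asdict(self.records[employee_id])
        return {k: v for k, v in full.items() if k in allowed}

    def purge_expired(self, today: Optional[date] = None) -> List[str]:
        """Dispose of records past their retention date and log the disposal."""
        today = today or date.today()
        expired = [eid for eid, r in self.records.items() if r.retain_until < today]
        for eid in expired:
            del self.records[eid]
            self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                                   "event": "purged", "employee_id": eid})
        return expired


def build_sample_store() -> MedicalFileStore:
    """Constructed sample records for this example only."""
    store = MedicalFileStore()
    store.add(MedicalRecord(
        employee_id="E-1001", diagnosis="(constructed) lumbar condition",
        restrictions=["no lifting over 10 kg"],
        accommodations=["sit/stand desk", "two extra 10-minute breaks"],
        emergency_info="none", retain_until=date(2099, 12, 31)))
    store.add(MedicalRecord(
        employee_id="E-1002", diagnosis="(constructed) severe allergy",
        restrictions=[], accommodations=[],
        emergency_info="carries epinephrine auto-injector; call emergency services",
        retain_until=date(2024, 6, 30)))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.view("m.lee", "supervisor", "E-1001", "implement accommodation"))   # no diagnosis
    print(store.view("k.ortiz", "first_aid", "E-1002", "emergency preparedness"))   # emergency info only
    try:
        store.view("p.chen", "payroll", "E-1001", "benefits review")                 # not a permitted role
    except PermissionError as e:
        print("denied:", e)
    print("purged:", store.purge_expired())
    for entry in store.audit_log:
        print(entry)
```

The point of the `ROLE_VIEWS` table is that the supervisor's view physically cannot contain the diagnosis, so a manager who is told about a lifting restriction learns nothing more; the audit entries on denied attempts are what you review when checking that access stays on a need-to-know basis.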

Employer Compliance with HIPAA and ADA Standards

HIPAA program essentials (for group health plans)

ADA program essentials

  • Limit medical inquiries to those that are job-related and consistent with business necessity.
  • Run a documented interactive process for accommodations, capturing only relevant details.
  • Keep strict segregation of medical files and define clear need-to-know access.
  • Educate managers on confidentiality and retaliation prohibitions.

Unifying your approach

Create one privacy playbook that maps data flows across hiring, leave, benefits, and return-to-work. Align Confidentiality Safeguards to your Employer Compliance Obligations, assign owners, audit regularly, and fix gaps quickly.

Disclosure and Access to Medical Information

Who may see what

Employees have rights under the HIPAA Privacy Rule to access and request copies of their PHI from healthcare providers and health plans. Access to Employment Medical Records held by the employer is not a HIPAA right; allow appropriate review consistent with your policies and applicable laws.

Authorizations and minimum sharing

When you need medical information to evaluate accommodations or leave, request only what you need and, where applicable, obtain a written authorization. Avoid blanket releases, set clear expiration dates, and explain how the information will be used.

Verify the requester’s authority, limit disclosures to what is necessary, and record the rationale. For subpoenas or audits, route requests through your privacy or legal contact before releasing any medical information.

Employee Rights and Privacy Protections

Rights under the ADA

You have the right to confidentiality of disability-related information, to reasonable accommodations for qualifying disabilities, and to be free from retaliation for exercising these rights. Employers must restrict who sees your medical details and use them only for legitimate, limited purposes.

Rights under HIPAA

You can access and get copies of PHI held by your health plan or provider, request corrections, and ask for restrictions on certain uses or disclosures. These rights apply to PHI managed by covered entities, not to employment files maintained by your employer.

Putting it together

The HIPAA and ADA overlap centers on protecting medical privacy while enabling safe, effective work accommodations. Separate records, share sparingly, and document decisions. This balanced approach fulfills Employer Compliance Obligations and builds trust with your workforce.

FAQs

How does HIPAA apply to employers?

HIPAA generally does not apply to employers acting as employers. It applies to your group health plan and any wellness program integrated with that plan. PHI from providers or the plan is protected, while employment medical files are typically outside HIPAA but still confidential under the ADA.

What are employer obligations under the ADA for medical information?

Employers must keep disability-related information confidential, store it separately from personnel files, limit access to need-to-know personnel, and request only information that is job-related and necessary. They must also use the data solely to implement accommodations or manage work restrictions.

When can medical information be disclosed under the ADA?

Disclosure is allowed to supervisors for necessary work restrictions or accommodations, to first-aid and safety staff when emergency treatment may be needed, and to government officials investigating ADA compliance. Other disclosures should occur only when required by law and be narrowly tailored.

How should employers store employee medical records?

Maintain a dedicated, confidential medical file with strict access controls, separate from HR personnel records. Apply strong Confidentiality Safeguards—limited access, encryption or locked storage, audit logs, defined retention, and secure disposal—and keep only the minimum information needed for Work Accommodation Documentation.
