HIPAA and Employee Health Records: Compliance Requirements, Exceptions, and Examples

Kevin Henry

HIPAA

November 29, 2024

6 minutes read
HIPAA Coverage of Employee Health Records

What HIPAA covers

HIPAA protects “Protected Health Information” (PHI): individually identifiable health information created or received by a health plan, health care provider, or health care clearinghouse. PHI includes data like diagnosis, treatment, and claims details when tied to a person.

When you sponsor a group health plan, the plan is a covered entity. PHI maintained by that plan is subject to HIPAA, whether the plan is fully insured or a Self-insured Health Plan. Your access to plan PHI is limited to legitimate Plan Administration purposes.

What HIPAA does not cover

Employment records kept by you in your role as employer are not PHI, even if they contain health-related details (for example, a doctor’s note for sick leave). Such records fall outside HIPAA but may be protected by other laws, including the Americans with Disabilities Act.

De-identified Health Information that cannot reasonably identify an individual is not PHI and may be used for analytics, trend reporting, or wellness planning without HIPAA restrictions.

Exceptions to HIPAA Coverage

Employment-record exclusion

Medical information you maintain solely as part of personnel files—attendance notes, disability accommodation paperwork, or fitness-for-duty certifications—is excluded from HIPAA as employment records. You still must safeguard this information under other laws and company policy.

De-identified and limited data

Properly De-identified Health Information falls outside HIPAA. In addition, “summary” or limited data sets the plan provides for plan design, premium bidding, or modifying benefits do not require individual authorization if identifiers are removed.

Disclosures required or permitted by law

HIPAA allows certain disclosures without authorization when required by law, such as workers’ compensation programs or occupational safety reporting. Federal agencies as employers must also consider the Privacy Act of 1974 when handling employee information.

Employer's Obligations Regarding Employee Health Information

Use and disclosure rules

Do not use plan PHI for employment decisions. Access to PHI should be restricted to staff performing Plan Administration functions, and only the minimum necessary information should be used for those tasks.

Authorization Requirement

If you need an employee’s health information for a purpose outside HIPAA’s allowances—such as evaluating a promotion—you must obtain a valid HIPAA authorization from the employee. The authorization must be specific, time-limited, and revocable.

Safeguards and segregation

Maintain strict administrative, physical, and technical safeguards for plan PHI. Keep plan PHI separate from personnel files, store ADA-related medical records in confidential files, and limit access to staff with a legitimate need to know.

Training and governance

Designate privacy contacts for the health plan, adopt written policies, train workforce members who handle PHI, and document all Plan Administration processes. Review vendor relationships and execute business associate agreements where required.

Examples of Permissible Employer Actions

  • Receive de-identified or summary claims data from the health plan to evaluate premiums or redesign benefits.
  • Access plan PHI by designated staff solely to resolve claims, appeals, or eligibility questions as part of Plan Administration.
  • Request a fitness-for-duty certification or doctor’s note confirming ability to work, without seeking diagnosis details.
  • Collect medical restriction information to provide a reasonable accommodation under the Americans with Disabilities Act and store it in a confidential file.
  • Disclose limited information required by law for workers’ compensation or occupational safety reporting.
  • Use aggregate wellness program outcomes that are De-identified to measure program effectiveness.

Examples of Impermissible Employer Actions

  • Using plan PHI to decide hiring, firing, promotion, or discipline.
  • Combining plan PHI with personnel files or sharing it with managers not involved in Plan Administration.
  • Requiring employees to sign a blanket HIPAA authorization as a condition of employment or continued coverage.
  • Requesting diagnosis or genetic details when only a work-capability note is needed.
  • Allowing broad access to plan PHI by HR staff who do not perform Plan Administration tasks.

Distinction Between Employment Records and Medical Records

Employment records (not PHI)

Items like sick notes, return-to-work slips, drug-testing outcomes, accommodation paperwork, and leave certifications are employment records when held by the employer. They are not PHI but must be kept confidential and separate under rules such as the Americans with Disabilities Act.

Medical records (PHI) within the health plan

Claims files, explanations of benefits, enrollment information linked to health conditions, and care management notes held by the group health plan or its administrator are PHI. Access and use are tightly restricted by HIPAA.

Employer's Role as a Covered Entity

When the employer sponsors a group health plan

The group health plan is the covered entity. If the plan is fully insured, the insurer typically holds the PHI, and the employer, as plan sponsor, may receive only limited data unless the plan documents permit more. For a Self-insured Health Plan, the plan sponsor may receive PHI for Plan Administration if the plan documents have been amended to allow it and safeguards are in place.

Walls between employment and Plan Administration

Create firewalls to ensure PHI accessed for Plan Administration is not used for employment purposes. Identify authorized roles, maintain need-to-know access, and audit regularly.

Conclusion

HIPAA protects PHI within the health plan, while most employer-held personnel medical notes are not PHI. Keep plan PHI segregated, limit access to Plan Administration, use De-identified Health Information where possible, and obtain an authorization when you need information for nonplan purposes.

FAQs

Does HIPAA apply to employee health records held by employers?

Generally no. Employment records maintained by an employer in its role as employer are not PHI. HIPAA applies to PHI within the employer-sponsored health plan and restricts how that plan—and anyone performing Plan Administration—may use and disclose it.

What are the exceptions to HIPAA coverage for employee health data?

Employment records are excluded from PHI, and properly De-identified Health Information is outside HIPAA. HIPAA also permits certain disclosures without authorization when required by law, such as workers’ compensation or public health reporting, and the Privacy Act of 1974 applies to federal agencies as employers.

How must employers handle employee health information under HIPAA?

Use and disclose plan PHI only for Plan Administration, apply the minimum necessary standard, segregate PHI from personnel files, restrict access to authorized staff, and obtain a valid HIPAA authorization from the employee when information is needed for nonplan purposes.

What actions can employers lawfully take using employee health information?

Employers may receive de-identified or summary data to design benefits, access PHI to resolve claims and eligibility, request fitness-for-duty confirmations without diagnosis details, manage ADA accommodations confidentially, and make disclosures required by law—all while keeping PHI separate from employment decisions.
