HIPAA and Employee Health Records: What Employers Can and Cannot Access
HIPAA Applicability to Employers
HIPAA regulates how certain organizations handle Protected Health Information, or PHI. It applies to each Covered Entity—health plans, most health care providers that transmit information electronically, and health care clearinghouses—and to their business associates. Employers, in their role as employers, are generally outside HIPAA’s scope.
The HIPAA Privacy Rule and Security Rule protect PHI held by Covered Entities and business associates. PHI is individually identifiable health information created or received by a provider, health plan, or clearinghouse. By contrast, health details you collect and keep solely as an employer (for HR or management purposes) are not PHI under HIPAA, even if they are medical in nature.
Where employers do touch HIPAA is typically through benefits. If you sponsor a Self-Insured Health Plan or operate an onsite clinic that bills electronically, HIPAA obligations attach to that plan or provider component, not to the employer’s broader HR function.
Employment Records Exclusion
HIPAA expressly excludes “employment records” maintained by an employer in its capacity as an employer. That means items like doctor’s notes for sick leave, vaccination cards submitted to HR, accommodation paperwork, drug-test results, and fitness-for-duty certifications are not PHI when kept in HR files.
This exclusion does not make those records a free-for-all. Other laws—such as the ADA, GINA, and state privacy statutes—impose strict confidentiality and limit who may see them. Keep these records separate from personnel files and restrict access to a need-to-know basis.
Employer Access to Health Information
As an employer, your access to health information depends on the source and purpose. Below are common scenarios and boundaries you should observe.
With employee authorization
- You may receive PHI from a provider or health plan if the employee signs a valid HIPAA authorization naming your organization, describing the information and purpose, and acknowledging the right to revoke.
- Ask only for the minimum information needed to make the decision at hand; the disclosing Covered Entity applies the Privacy Rule’s minimum necessary standard.
Health plan administration
- Plan sponsors can receive “summary health information” (de-identified at the individual level) to obtain premium bids or modify plan design.
- If your workforce performs plan administration for a Self-Insured Health Plan, the plan documents must be amended to restrict PHI use and access to designated staff.
Workplace safety and workers’ compensation
- Occupational health providers may disclose limited information to you for workplace medical surveillance or work-related injury/illness reporting, typically with written notice to the employee.
- Disclosures for workers’ compensation occur as authorized by state law. Receive only what is necessary to manage the claim.
Leave, accommodations, and fitness for duty
- Under the Family and Medical Leave Act (FMLA), you may request certification forms completed by a health care provider. Keep them confidential and separate from personnel files.
- Under the Americans with Disabilities Act (ADA), you may obtain documentation sufficient to support a reasonable accommodation or a fitness-for-duty determination—nothing more.
Drug and alcohol testing
- Results may be shared with you if consistent with your policy, federal program rules, and applicable state law. Treat results as confidential employment records.
Good practices when requesting information
- Define the purpose and scope in writing before you request records.
- Seek targeted information (restrictions, work limitations, expected duration) rather than diagnoses.
- Store received information in secure medical files, not the personnel file.
Employer as Covered Entity
Most employers are not Covered Entities. However, you may assume HIPAA duties when you operate components that are covered. Two common examples are:
- Self-Insured Health Plan: The plan is the Covered Entity and must comply with the HIPAA Privacy Rule and Security Rule for all PHI and ePHI. As the plan sponsor, you must erect “firewalls” so only designated staff access PHI for plan administration, and you must update plan documents accordingly.
- Onsite clinic or EAP that bills electronically: If a clinic or employee assistance program provides health care and transmits standard transactions, that component must comply with HIPAA. Its records remain HIPAA PHI and must not flow into general HR files.
Safeguards you should implement
- Limit PHI access to specific roles performing plan administration.
- Apply Security Rule controls to ePHI: risk analysis, access controls, encryption where appropriate, audit logs, and incident response.
- Maintain business associate agreements for vendors supporting the plan (e.g., TPAs, PBMs, wellness vendors) when required.
- Adopt breach notification procedures and workforce training tailored to plan-related PHI.
Alternative Legal Protections
Even when HIPAA does not apply, other laws protect employee health information you hold as an employer.
- Americans with Disabilities Act (ADA): Medical information obtained through disability-related inquiries or exams must be kept confidential, stored separately, and shared only with those who need to know (e.g., supervisors on work restrictions, safety personnel in emergencies).
- Genetic Information Nondiscrimination Act (GINA): Limits acquisition of genetic information and requires confidentiality if inadvertently received (such as family medical history).
- Family and Medical Leave Act (FMLA): FMLA certifications must be kept confidential, separate from personnel files, and handled by designated staff.
- Substance use confidentiality and state laws: Certain substance use disorder records have heightened confidentiality; state medical privacy, consumer privacy, and workers’ compensation laws may impose additional limits and retention rules.
- OSHA and safety rules: Some records (e.g., exposure monitoring, medical surveillance) have access and retention obligations but still require careful confidentiality.
What this means for your policies
- Centralize medical and leave records in a secure repository with access logging.
- Limit what you collect; prefer functional limitations over diagnoses.
- Train managers never to request or store medical details beyond their role.
- Apply consistent retention and destruction schedules aligned with legal requirements.
Disclosure of Medical Records
“Disclosure” rules depend on who holds the records. Providers and health plans disclose PHI under the Privacy Rule; employers disclose employment records under other laws and internal policy.
From providers/health plans to employers
- Authorization-driven: Most disclosures to an employer require the employee’s HIPAA authorization specifying recipient, purpose, scope, and expiration.
- Permitted without authorization (limited): Work-related medical surveillance, reporting of work-related illness or injury, and workers’ compensation disclosures as allowed by law—often with notice to the employee.
- Minimum necessary: Covered Entities must limit disclosures to what is reasonably necessary, except when the employee authorizes a broader release.
From employers to others
- Employment records are not PHI, but you must respect ADA, GINA, FMLA, and state confidentiality rules.
- Share only with those who have a legitimate business need (e.g., supervisors on restrictions, HR for benefits, safety staff for emergency response).
- Respond to subpoenas and court orders carefully; narrow the scope and notify the employee when appropriate.
Employee rights and expectations
- Employees can request access to their PHI from providers or health plans. Employers should facilitate, not obstruct, those requests.
- If your health plan or clinic experiences a breach of unsecured PHI, follow HIPAA breach notification procedures; if an HR file is compromised, follow applicable state breach laws.
Health Information in Employment Records
Health information you maintain as an employer—such as accommodation notes, FMLA certifications, drug-test results, or vaccination attestations—is part of the employment record and not PHI under HIPAA. Still, treat it as highly sensitive.
Practical handling standards
- Collect only what you truly need to make a decision (work restrictions, duration, essential function limitations).
- Store in a separate medical file with limited access; maintain audit trails for viewing or printing.
- Define retention schedules and secure destruction methods aligned with legal requirements.
- For multi-state employers, map state-specific rules that may be stricter than federal baselines.
Conclusion
HIPAA protects PHI held by Covered Entities and their business associates, not the employment records you keep as an employer. Your HIPAA touchpoints usually arise through a Self-Insured Health Plan or a provider component, where the Privacy Rule and Security Rule apply.
For HR-held medical information, confidentiality flows from the ADA, GINA, FMLA, workers’ compensation, and state privacy laws. Limit what you collect, confine access to need-to-know, and separate medical files from personnel records to meet these obligations and build employee trust.
FAQs
Can employers access employee medical records without authorization?
No. Employers cannot obtain PHI from a provider or health plan without a valid HIPAA authorization, unless a narrow legal exception applies (such as workers’ compensation or workplace medical surveillance with required notice). Employers may, however, use information the employee voluntarily provides, subject to confidentiality rules.
Does HIPAA protect health information in employment records?
Generally no. HIPAA excludes employment records maintained by an employer. Those records are governed by other laws, including the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and the Family and Medical Leave Act (FMLA), as well as state privacy laws.
When is an employer considered a covered entity under HIPAA?
Rarely. An employer becomes subject to HIPAA when operating a Covered Entity component, such as a Self-Insured Health Plan or an onsite clinic/EAP that transmits standard electronic transactions. In those cases, the plan or provider component must comply with the Privacy Rule and Security Rule, and the employer must restrict PHI access to designated plan-administration personnel.
What laws protect employee health information besides HIPAA?
Key protections include the ADA (confidentiality and limits on medical inquiries), GINA (limits on genetic information), FMLA (confidential handling of leave certifications), workers’ compensation laws, OSHA-related rules, and state medical or consumer privacy statutes. Together, these laws require strict segregation, limited access, and secure handling of employment medical records.