HIPAA and Employee Personnel Files: When It Applies, When It Doesn’t



Kevin Henry

HIPAA

November 30, 2024

7 minutes read

HIPAA's Applicability to Employment Records

When HIPAA applies

The HIPAA Privacy Rule applies to Protected Health Information handled by a Covered Entity (such as a group health plan, health care provider that transmits electronic transactions, or a health care clearinghouse) and its business associates. If your organization sponsors a group health plan, operates an on‑site clinic that bills electronically, or runs an employee assistance program (EAP) that provides clinical services, the PHI within those components is subject to HIPAA.

  • Group health plan enrollment, claims, and appeals data.
  • On‑site or near‑site clinic treatment records when the clinic is a covered health care provider.
  • EAP counseling records handled by a provider component.

When HIPAA doesn’t apply

HIPAA generally does not cover employment records kept by an employer in its role as employer—even if those records include health information. Items like sick notes, workers’ compensation documentation held by HR, fitness‑for‑duty certifications, or drug test results in an HR file are employment records, not PHI, and HIPAA does not apply to them. Other laws often govern how you must handle these records.

Employer as a Covered Entity

Plan sponsor versus employer

An employer is not a Covered Entity simply because it has employees. The employer‑sponsored group health plan is the Covered Entity. As the plan sponsor, you must implement a firewall so that only designated staff access plan PHI for plan administration and never use it for hiring, firing, or other employment decisions.

Hybrid entities and provider components

If your company also operates a health care provider (for example, an on‑site clinic or pharmacy that transmits claims), you may be a hybrid entity. In that case, HIPAA applies to the health care component, but not to the rest of the business. Keep PHI inside the health care component and restrict sharing with HR to what HIPAA expressly permits.

Business associates

Vendors that handle plan PHI—TPAs, benefits administrators, or cloud platforms—are business associates and require business associate agreements. Use the “minimum necessary” standard when sharing PHI for plan operations, and segregate plan data from personnel records to maintain personnel file confidentiality.

Protected Health Information Management

What counts as PHI—and what doesn’t

PHI is individually identifiable health information about past, present, or future health, care, or payment that a Covered Entity or its business associate creates or receives. Crucially, employment records maintained by an employer in its capacity as employer are excluded from PHI—even if they contain health details.

Using, disclosing, and safeguarding PHI

Use and disclose PHI only for treatment, payment, and health plan operations or as otherwise permitted, applying the minimum necessary rule. Maintain administrative, physical, and technical safeguards, control role‑based access, and train workforce members who handle plan PHI. Keep Confidential Medical Records for plan functions distinct from HR files.

Member rights and documentation

Covered health plans must provide a Notice of Privacy Practices, honor individual rights to access and amend PHI, and track certain disclosures. Document policies, sanctions, and breach response procedures. When possible, de‑identify data before using it for analytics or benefits design.


Separation of Health Information

What belongs in a confidential medical file (not the personnel file)

  • ADA accommodation requests, medical restrictions, and supporting documentation.
  • FMLA certifications and health‑related leave documentation under the Family and Medical Leave Act.
  • Workers’ compensation medical reports received by the employer.
  • Drug and alcohol testing results and vaccination or immunization records.
  • Return‑to‑work, fitness‑for‑duty, and exposure records.

What stays in the personnel file

  • Job applications, performance reviews, disciplinary actions, and pay changes.
  • Training records, job descriptions, and acknowledgments unrelated to medical conditions.

Practical controls to enforce separation

  • Maintain separate physical or electronic repositories for confidential medical records.
  • Apply role‑based permissions so only HR or designated plan staff access medical files.
  • Label files clearly (e.g., “Medical—Confidential”) and log access and disclosures.
  • Standardize intake: route health information to the medical file by default, not the personnel file.
  • Limit internal sharing to strict need‑to‑know and document any required disclosures.

Americans with Disabilities Act (ADA)

The Americans with Disabilities Act restricts disability‑related inquiries, requires that medical information be collected only when job‑related and consistent with business necessity, and mandates that medical records be kept separate and confidential. Supervisors may receive only what they need to implement accommodations or work restrictions.

Family and Medical Leave Act (FMLA)

Under the Family and Medical Leave Act, employers may request medical certifications but must keep them confidential and separate from the personnel file. Access should be limited to HR or others with a legitimate need to administer leave.

Genetic Information Nondiscrimination Act (GINA)

GINA prohibits requesting or using genetic information (including family medical history) for employment decisions and requires confidentiality if such information is inadvertently received. Many states also regulate drug testing records and workers’ compensation medical information, reinforcing Confidential Medical Records practices.

Other frameworks

Workers’ compensation programs, occupational health and safety rules, and state privacy statutes may authorize or restrict certain disclosures. Align your policies so HIPAA and non‑HIPAA obligations work together without commingling PHI with HR records.

State-Specific Regulations on Personnel Files

What varies by state

States often set rules for personnel file access, copying, response timelines, and contents. Many states grant current (and sometimes former) employees the right to inspect or obtain copies of personnel records, while allowing redaction of confidential data. Some states separately regulate medical records, adding duties beyond federal law.

Practical steps to stay compliant across jurisdictions

  • Map which locations have inspection rights, copy fees, and deadlines, and train HR to meet them.
  • Define “personnel file” versus “confidential medical file” in policy to reinforce Personnel File Confidentiality.
  • Centralize retention schedules so medical, payroll, and personnel records follow the longest applicable rule.
  • Use standardized request workflows to verify identity, track timelines, and protect sensitive data.
  • Coordinate with counsel when responding to subpoenas or multi‑state audits.

Conclusion

In short, HIPAA and employee personnel files rarely mix. HIPAA governs PHI within Covered Entity components like a health plan or on‑site clinic, while most HR records fall outside HIPAA and are governed by the ADA, FMLA, GINA, workers’ compensation rules, and state laws. Keep medical information segregated, apply minimum‑necessary access, and build processes that preserve confidentiality without obstructing legitimate business needs.

FAQs

Does HIPAA protect employee personnel records?

Generally no. Employment records maintained by an employer in its capacity as employer are not PHI under the HIPAA Privacy Rule. However, PHI held by a Covered Entity component (for example, the employer’s group health plan or an on‑site clinic) is protected by HIPAA and must be kept separate from personnel files.

When does HIPAA apply to an employer?

HIPAA applies when the employer acts through a Covered Entity component—such as its group health plan, a provider‑based EAP, or an on‑site clinic that transmits electronic transactions—or when the employer engages business associates to handle plan PHI. Routine HR files and decisions are outside HIPAA.

How should health information be separated from personnel files?

Maintain a distinct confidential medical file (physical or electronic) with role‑based access for ADA, FMLA, workers’ compensation, drug testing, vaccination, and fitness‑for‑duty documents. Route incoming health information to that repository by default, label it as confidential, restrict internal sharing to need‑to‑know, and never use plan PHI for employment decisions.

What other laws protect employee medical information?

The Americans with Disabilities Act requires separate, confidential handling of disability‑related information; the Family and Medical Leave Act mandates confidentiality of medical certifications; GINA restricts genetic information collection and use; and state laws often add privacy and personnel file access rules. Workers’ compensation and occupational safety regulations also impose confidentiality and disclosure limits.
