HIPAA and Employers: What It Does—and Doesn’t—Allow in the Workplace
HIPAA Applicability to Employers
What HIPAA covers—and what it doesn’t
HIPAA’s Privacy and Security Rules apply to a Covered Entity—health plans, most health care providers, and health care clearinghouses—and to their business associates. Simply being an employer does not make you a covered entity. HIPAA regulates how those entities handle Protected Health Information (PHI), not how every organization handles any health-related detail.
In day-to-day HR operations, most information you collect directly from employees, such as work restrictions, vaccination status, or return-to-work notes, is an employment record, not PHI. HIPAA therefore usually does not govern those records, though other laws (notably the ADA, GINA, and the FMLA) still impose strong confidentiality duties.
Common employer scenarios
- Asking whether an employee can safely perform essential job functions is generally outside HIPAA, but ADA rules still apply.
- Receiving a doctor’s note directly from an employee typically creates an employment record, not PHI.
- Receiving claim or eligibility data from your group health plan can be PHI and triggers HIPAA plan-sponsor obligations.
Employment Records and HIPAA
HIPAA's definition of PHI expressly excludes employment records held by a covered entity in its role as employer, even when they contain medical information; for an employer that is not a covered entity, HIPAA does not reach those records in the first place. That leaves most HR files outside HIPAA: pre-employment medical inquiries, fitness-for-duty notes, leave certifications, and workers' compensation documentation maintained for employment purposes.
Those records must still be handled under the ADA's confidentiality requirements (kept confidential, stored separately from personnel files, shared only on a strict need-to-know basis) and, for leave certifications and related medical data, the FMLA's confidentiality rules.
Practical steps for HR
- Collect only what you need to make the employment decision or administer leave.
- Maintain separate, access-restricted medical files; limit access to designated staff.
- Disclose internally only as permitted (e.g., supervisors for work restrictions; first aid/safety personnel if emergency treatment may be required).
- Apply consistent retention schedules and secure disposal practices.
Exceptions When HIPAA Applies
While employers themselves are usually outside HIPAA, several situations bring HIPAA into play because PHI flows through a covered channel.
On-site clinics, EAPs, and occupational health providers
If you operate an on-site clinic, contract with an Employee Assistance Program that bills health plans, or engage an occupational health provider, those entities are likely covered entities or business associates. PHI they create is subject to HIPAA, and its use/disclosure to the employer is tightly limited.
Disclosures for workplace safety and compliance
A health care provider may disclose findings from an examination it performed at the employer's request to that employer when the employer needs the findings to comply with OSHA or similar workplace medical surveillance requirements, and the provider has given the employee written notice that the findings will be shared. In these cases, HIPAA governs the provider's disclosure; it does not transform the employer into a covered entity.
Employee authorizations
An employee can sign a HIPAA authorization permitting a provider or health plan to share defined PHI with the employer. Even with authorization, you should collect the minimum necessary and safeguard what you receive under your internal confidentiality rules.
Employer's Role in Group Health Plans
Fully insured versus self-funded
When you sponsor a fully insured health plan, the insurer handles most PHI. The group health plan is still a covered entity, but if it receives only enrollment and disenrollment information and summary health information from the insurer, most of HIPAA's administrative requirements fall on the insurer rather than on the plan; employers typically see no detailed claims data unless plan documents and authorizations permit limited access. In a self-funded plan, by contrast, the employer as plan sponsor typically performs or directs plan administration and handles PHI directly. The plan documents must permit the sponsor to receive that PHI, and the sponsor must implement HIPAA-compliant policies and procedures for it.
Firewalls for PHI
Plan sponsors must establish clear firewalls for PHI—segregating plan administration work from employment decision-making. Only personnel performing plan functions may access PHI, and you must define and document who those people are, what they can access, and for what purposes.
Documentation, vendors, and security
- Amend plan documents to permit limited PHI use for plan administration and to prohibit improper employment uses.
- Execute business associate agreements with TPAs and vendors that create, receive, or maintain PHI.
- Designate a privacy official, provide workforce training, manage breach notification, and apply the Security Rule to electronic PHI.
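The firewall described above, and the access-restricted medical files recommended under "Practical steps for HR", both reduce to the same control: a documented mapping of who may use which category of record for which purpose, with anything else denied and every attempt logged. The following is an added example of that check, not code from this page or from Accountable. The role names, purposes, field allowlists and sample records are constructed assumptions standing in for a real plan document and HR policy.

```python
"""Purpose-based access check enforcing a PHI firewall: plan-administration
roles see plan PHI only for plan purposes, HR roles see the confidential
medical file only for leave or restriction purposes, and no role may pull
either into an employment decision.

Added example, not code from the page or from Accountable. Roles, purposes,
allowlists and the sample records are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    PHI = "phi"                     # received through the group health plan
    MEDICAL_FILE = "medical_file"   # ADA/FMLA confidential employment records
    PERSONNEL = "personnel"         # ordinary personnel file


class Purpose(Enum):
    PLAN_ADMINISTRATION = "plan_administration"
    LEAVE_ADMINISTRATION = "leave_administration"
    WORK_RESTRICTION = "work_restriction"
    EMPLOYMENT_DECISION = "employment_decision"   # hiring, promotion, discipline


# The documented firewall: (role, data category) -> purposes that role may
# use that category for. Anything not listed is denied. Hypothetical roles.
POLICY = {
    ("benefits_admin", Category.PHI): {Purpose.PLAN_ADMINISTRATION},
    ("hr_leave", Category.MEDICAL_FILE): {Purpose.LEAVE_ADMINISTRATION,
                                          Purpose.WORK_RESTRICTION},
    ("supervisor", Category.MEDICAL_FILE): {Purpose.WORK_RESTRICTION},
    ("hr_generalist", Category.PERSONNEL): {Purpose.EMPLOYMENT_DECISION},
}

# Minimum necessary: fields released for a purpose. A purpose with no entry
# releases the whole record; supervisors get restrictions, never diagnoses.
FIELD_ALLOWLIST = {
    Purpose.WORK_RESTRICTION: {"restrictions", "valid_until"},
}


@dataclass
class Record:
    subject: str
    category: Category
    fields: dict


@dataclass
class Decision:
    allowed: bool
    reason: str
    released: dict = field(default_factory=dict)


AUDIT_LOG = []   # (role, purpose, category, subject, allowed) per attempt


def check_access(role: str, purpose: Purpose, record: Record) -> Decision:
    """Decide whether `role` may use `record` for `purpose`; log every attempt."""
    if (purpose is Purpose.EMPLOYMENT_DECISION
            and record.category is not Category.PERSONNEL):
        # Hard rule that no policy entry can override.
        decision = Decision(False, "PHI and the confidential medical file may "
                                   "not be used for employment decisions")
    elif purpose not in POLICY.get((role, record.category), set()):
        decision = Decision(False, f"no documented {purpose.value} use of "
                                   f"{record.category.value} by role {role!r}")
    else:
        allowlist = FIELD_ALLOWLIST.get(purpose)
        released = {k: v for k, v in record.fields.items()
                    if allowlist is None or k in allowlist}
        decision = Decision(True, "permitted", released)
    AUDIT_LOG.append((role, purpose.value, record.category.value,
                      record.subject, decision.allowed))
    return decision


# Constructed sample records for a hypothetical employee.
CLAIMS = Record("emp-1042", Category.PHI,
                {"claim_id": "C-7781", "diagnosis_code": "M54.5", "paid": 412.50})
MEDICAL = Record("emp-1042", Category.MEDICAL_FILE,
                 {"diagnosis": "lumbar strain",
                  "restrictions": "no lifting over 10 lb",
                  "valid_until": "2024-09-30"})

if __name__ == "__main__":
    for role, purpose, rec in [
        ("benefits_admin", Purpose.PLAN_ADMINISTRATION, CLAIMS),
        ("benefits_admin", Purpose.EMPLOYMENT_DECISION, CLAIMS),
        ("supervisor", Purpose.WORK_RESTRICTION, MEDICAL),
        ("supervisor", Purpose.LEAVE_ADMINISTRATION, MEDICAL),
    ]:
        d = check_access(role, purpose, rec)
        print(f"{role:15} {purpose.value:20} {'ALLOW' if d.allowed else 'DENY '} "
              f"{d.released or d.reason}")
```

Two design points carry the weight here: the employment-decision rule is checked before the policy table so that a misconfigured table entry cannot grant it, and the per-purpose field allowlist is what turns "supervisors see restrictions, not diagnoses" into something the system enforces rather than something staff are trusted to remember. The audit log records denials as well as grants, which is what you will want when reviewing whether the documented firewall matches actual use.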
Other Federal Laws Protecting Employee Health Information
Americans with Disabilities Act Compliance
The ADA limits disability-related inquiries and medical exams and requires confidentiality for all employee medical information. Store medical data separately, disclose only in narrow circumstances, and restrict supervisors’ access to information about functional limitations—not diagnoses.
Genetic Information Nondiscrimination Act
GINA bars requesting, requiring, or purchasing genetic information (including family medical history) for employment decisions, and mandates strict confidentiality if such information is inadvertently received. Wellness programs must be designed to avoid collecting genetic information unless narrow conditions are met.
Family and Medical Leave Act Confidentiality
FMLA medical certifications and related records must be kept confidential and separate from personnel files. Share them only with managers and officials who genuinely need the information to administer leave or ensure appropriate accommodations.
Beyond federal frameworks, state privacy and personnel-records laws may impose additional duties. Align your practices to the most protective applicable standard.
HIPAA and Workplace Wellness Programs
When HIPAA applies
If a wellness program is offered as part of your group health plan or uses plan vendors to handle PHI, HIPAA applies. The program must follow the Privacy, Security, and Breach Notification Rules, limit employer access to PHI, and ensure vendors act as business associates.
When other laws take the lead
Wellness programs offered outside the health plan may fall primarily under the ADA and GINA. Programs must be voluntary, avoid disability-related inquiries or medical exams unless justified and properly structured, and never condition employment decisions on participation or results.
Design and data-handling best practices
- Collect the minimum necessary data; prefer aggregate or de-identified reports to the employer.
- Offer reasonable alternatives for health-contingent programs and ensure incentive structures meet HIPAA/ACA nondiscrimination standards.
- Give clear privacy notices to participants and contractually require vendors to safeguard information.
Employer's Access to Employee Health Information
What you may request
You can request documentation needed to run your workplace: fitness-for-duty releases, work restrictions, FMLA certifications, workers’ compensation reports, and proof of vaccination or testing status. Treat these materials as confidential employment records, not as general personnel documents.
What requires extra caution or authorization
Do not seek detailed diagnoses or full medical charts unless strictly necessary and lawful. If information must come from a provider or plan, rely on employee authorizations or plan-sponsor provisions that permit limited use for plan administration—and never for hiring, promotion, or discipline.
Key takeaways
- HIPAA chiefly regulates health plans and providers; most employer-held medical data are employment records outside HIPAA.
- Group health plan activities—especially in a self-funded arrangement—trigger HIPAA duties and require firewalls for PHI.
- ADA, GINA, and FMLA supply powerful confidentiality and nondiscrimination protections for employee health information.
FAQs
Does HIPAA apply to all employer-collected health information?
No. HIPAA covers PHI held by covered entities and their business associates, not the typical employment records you collect directly. Most HR medical files fall outside HIPAA but must still be protected under the ADA's confidentiality requirements, GINA's restrictions on genetic information, and the FMLA's confidentiality obligations for leave records.
Can employers disclose employee health information without authorization?
PHI obtained through a group health plan may be used or disclosed only for plan administration as permitted by plan documents and HIPAA’s minimum-necessary standard. Employment records may be shared internally only in narrow situations (for example, informing supervisors about work restrictions or first aid/safety personnel about potential emergencies) or as required by law. Broad disclosures without authorization are not permitted.
How does HIPAA affect employer-sponsored wellness programs?
If your wellness program is part of a group health plan or uses plan vendors to handle PHI, HIPAA applies and you must limit employer access to identifiable results, safeguard data, and manage vendor compliance. If the program sits outside the plan, HIPAA may not apply, but the ADA and GINA still regulate what you can ask and how incentives are structured.
Are employers allowed to require COVID-19 vaccination status disclosure?
Yes. Asking for or requiring proof of vaccination is generally not a HIPAA issue because it involves employment records, not PHI held by a covered entity. However, you must keep the information confidential, avoid unnecessary medical questioning, and consider accommodations for disabilities (ADA) and sincerely held religious beliefs (Title VII) where applicable.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.