HIPAA and Employment Records Explained: What Employers Can Share and When
HIPAA's Scope in Employment Records
The HIPAA Privacy Rule protects “protected health information” (PHI) held by covered entities and their business associates. PHI includes identifiable health data created or received by a health plan, health care provider, or health care clearinghouse. By design, HIPAA focuses on how those entities use and disclose PHI—not on ordinary employer personnel files.
Employment records maintained by an employer—such as doctor’s notes for leave, accommodation documentation, or workers’ compensation files—are not PHI, even if they contain health details. That means HIPAA generally does not apply to these files. However, you still must safeguard Employee Health Information Confidentiality under other laws and policies, including ADA Medical Records Protections, FMLA Confidentiality Standards, and state privacy statutes.
Practically, you should treat any health-related details in HR files as highly confidential, share them only on a need-to-know basis, and apply Medical Information Segregation to keep them separate from general personnel records.
Employer Access to Employee Health Information
As an employer, you typically cannot obtain PHI from a health plan or provider without the employee’s valid HIPAA authorization. Even when an employee signs an authorization, access should be limited to the minimum necessary details relevant to the stated purpose.
You may receive health information directly from the employee (for example, a medical certification for leave or an accommodation note). Once in your hands, that information is part of the employment record and is governed by ADA and FMLA rules, not by HIPAA. Apply strict Employee Health Information Confidentiality practices and disclose only to those who must know to administer benefits, accommodations, or safety measures.
Limited exceptions can apply. Health care providers may share certain results with an employer when conducting workplace medical surveillance or evaluations required by law, and workers’ compensation systems may involve disclosures authorized by statute. When administering your group health plan, you may receive summary health information or de-identified data for plan design or premium bids. Always verify the lawful basis before requesting or receiving any identifiable health data.
Employer as HIPAA Covered Entity
Most employers are not HIPAA covered entities. You become subject to HIPAA only in specific roles, such as when you operate a self-insured group health plan or an on-site clinic that transmits standard electronic transactions. In those contexts, the plan or clinic—not the entire company—must meet Covered Entity Responsibilities.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Covered Entity Responsibilities
- Designate a privacy official, implement policies, train workforce members, and apply administrative, physical, and technical safeguards.
- Use and disclose PHI only for permitted purposes, applying the minimum necessary standard.
- Execute business associate agreements with vendors that handle PHI.
- Establish a firewall between the group health plan and the employer, limiting employer access to PHI to narrow plan-administration functions and prohibiting use for employment decisions.
- Rely on de-identified data or summary health information where possible to reduce privacy risk.
Confidentiality and Medical Information Handling
Regardless of HIPAA’s scope, you must handle employee medical data with rigor. Strong confidentiality builds trust, reduces legal risk, and supports compliance with ADA Medical Records Protections and FMLA Confidentiality Standards.
Medical Information Segregation
- Maintain medical records in files separate from personnel files (physically or electronically), with access controls and audit logs.
- Limit access to a small group (for example, HR/benefits staff) with a defined business need; supervisors should receive only information about restrictions or accommodations, not diagnoses.
- Secure storage and transmission: encrypt electronic records, use secure portals for collecting documents, and avoid open email for sensitive data.
- Apply data minimization: request only what is necessary to make a decision (fitness for duty, accommodation, or leave), not full charts.
- Use clear retention schedules and disposal practices; routinely purge or archive records according to policy and legal requirements.
- Provide training and incident response procedures for any privacy breach, including prompt containment and notification as required by applicable law.
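The segregation and access controls listed above can be expressed directly in code. The Python below is an added example written for this page, not code from the original article or from any product it mentions. It keeps the medical file in a separate container from the personnel file, returns each role only the slice it has a business need for (supervisors see restrictions but never a diagnosis, first-aid staff see emergency details only), writes an audit entry for every granted or denied access, and purges records past a retention period. The role names, record fields, sample employees and the 365-day retention value are constructed assumptions for the demonstration; the actual retention period must come from your own policy and the legal requirements that apply to you.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Role(Enum):
    """Assumed roles; the page names HR/benefits, supervisors and first-aid personnel."""
    HR_BENEFITS = "hr_benefits"      # administers leave/accommodations: full medical file
    SUPERVISOR = "supervisor"        # work restrictions/accommodations only, no diagnoses
    FIRST_AID = "first_aid"          # emergency-planning details only
    GENERAL_STAFF = "general_staff"  # no business need: no access to the medical file


@dataclass
class MedicalRecord:
    employee_id: str
    diagnosis: str              # never leaves the HR/benefits circle
    restrictions: list[str]     # what a supervisor needs in order to implement an accommodation
    emergency_info: str         # what first-aid personnel need for emergency planning
    collected_on: date          # drives the retention schedule
    purpose: str                # why it was collected (data minimisation)


@dataclass
class AuditEntry:
    when: date
    role: Role
    employee_id: str
    action: str
    granted: bool


@dataclass
class SegregatedStore:
    """Personnel file and medical file are separate containers with separate access paths."""
    personnel: dict[str, dict] = field(default_factory=dict)
    medical: dict[str, MedicalRecord] = field(default_factory=dict)
    audit_log: list[AuditEntry] = field(default_factory=list)

    def _log(self, today: date, role: Role, employee_id: str, action: str, granted: bool) -> None:
        self.audit_log.append(AuditEntry(today, role, employee_id, action, granted))

    def personnel_view(self, employee_id: str) -> dict:
        """General personnel data; by construction it carries no medical fields."""
        return dict(self.personnel[employee_id])

    def medical_view(self, role: Role, employee_id: str, today: date) -> dict:
        """Return the minimum slice of the medical record the role needs, or deny and log it."""
        rec = self.medical.get(employee_id)
        if rec is None:
            self._log(today, role, employee_id, "medical_view", False)
            raise KeyError(f"no medical record for {employee_id}")
        if role is Role.HR_BENEFITS:
            view = {"diagnosis": rec.diagnosis, "restrictions": list(rec.restrictions),
                    "emergency_info": rec.emergency_info, "purpose": rec.purpose}
        elif role is Role.SUPERVISOR:
            view = {"restrictions": list(rec.restrictions)}
        elif role is Role.FIRST_AID:
            view = {"emergency_info": rec.emergency_info}
        else:
            self._log(today, role, employee_id, "medical_view", False)
            raise PermissionError(f"{role.value} has no business need for the medical file")
        self._log(today, role, employee_id, "medical_view", True)
        return view

    def purge_expired(self, today: date, retention_days: int) -> list[str]:
        """Remove medical records older than the (assumed) retention period; log each purge."""
        expired = [eid for eid, rec in self.medical.items()
                   if rec.collected_on + timedelta(days=retention_days) <= today]
        for eid in expired:
            del self.medical[eid]
            self._log(today, Role.HR_BENEFITS, eid, "purge", True)
        return expired


def build_sample_store() -> SegregatedStore:
    """Constructed sample data for the demonstration; not real employees or records."""
    store = SegregatedStore()
    store.personnel["E100"] = {"name": "Sample Employee A", "title": "Technician", "hired": "2019-04-01"}
    store.personnel["E200"] = {"name": "Sample Employee B", "title": "Analyst", "hired": "2017-09-15"}
    store.medical["E100"] = MedicalRecord("E100", "constructed-diagnosis", ["no lifting over 10 kg"],
                                          "carries an inhaler", date(2024, 1, 15), "accommodation request")
    store.medical["E200"] = MedicalRecord("E200", "constructed-diagnosis", [],
                                          "none", date(2021, 3, 10), "leave certification")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    today = date(2024, 6, 1)
    print(store.medical_view(Role.SUPERVISOR, "E100", today))   # restrictions only
    print(store.purge_expired(today, retention_days=365))       # ['E200']
    print(len(store.audit_log))                                 # every access and purge logged
```

The point of the structure is that no code path can hand a diagnosis to a supervisor: the supervisor view is assembled from the restrictions field alone, and a request from a role with no defined need raises before any data is read. In a real system the same split would be enforced by separate storage (a distinct database or share with its own permissions and encryption) rather than two dictionaries, and the audit log would be written to append-only storage.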
Public Health Emergency Exceptions
During public health events, covered entities (like providers and health plans) may disclose certain PHI to public health authorities without authorization, consistent with Public Health Disclosure Requirements. If you receive information from those authorities, use it only for workplace safety and compliance, and protect confidentiality.
Employers may ask employees about symptoms, exposure, testing, or vaccination status when necessary for workplace safety; HIPAA generally does not restrict these employer-to-employee inquiries because they are not made by a covered entity. Still, any responses become confidential employment records and must be safeguarded and segregated. When notifying others of potential exposure, share only what is necessary and avoid naming individuals whenever possible.
Interaction with ADA and FMLA Compliance
The ADA restricts disability-related inquiries and medical examinations to situations that are job-related and consistent with business necessity or part of a conditional job offer. It also requires strict confidentiality and Medical Information Segregation for any medical details you collect, allowing limited disclosures (for example, to supervisors about restrictions or to first-aid personnel for emergency planning). These ADA Medical Records Protections operate alongside, and often more directly than, HIPAA in the employment context.
Under the FMLA, you may request medical certifications to substantiate leave, but you must keep those records confidential and separate from personnel files. Share information only with staff who administer leave or accommodations. These FMLA Confidentiality Standards reinforce your duty to limit access and use data solely for the intended leave administration purpose.
Conclusion
HIPAA mostly governs health plans and providers, not ordinary employer files. Your day-to-day obligations stem from the HIPAA Privacy Rule when you run a covered health plan or clinic, and from ADA and FMLA rules for employment records. Ask only for what you need, keep medical data segregated and secure, and disclose narrowly for safety, leave, or accommodations.
FAQs
Does HIPAA protect employment records containing health information?
No. Employment records held by an employer—even if they contain medical details—are not PHI and are generally outside HIPAA. However, you must still protect confidentiality under ADA Medical Records Protections, FMLA Confidentiality Standards, and applicable state laws.
When can employers access an employee’s health information?
You can receive information directly from the employee (for example, certifications or accommodation notes) and, with a valid HIPAA authorization, from a provider or health plan. Providers may disclose limited results to an employer when required for workplace medical surveillance or as required by law. For group health plans, access is restricted to permitted plan-administration functions, often using de-identified or summary health information.
How must employers handle medical information confidentiality?
Keep medical data segregated from personnel files, limit access to need-to-know staff, minimize what you collect, and secure storage and transmission. Train staff, maintain audit logs, and follow clear retention and disposal rules. These practices support Employee Health Information Confidentiality and Medical Information Segregation requirements.
What are the employer responsibilities during public health emergencies?
Rely on Public Health Disclosure Requirements to receive guidance from authorities, collect only necessary health information for safety, protect identities when notifying of exposures, and store any testing or vaccination records as confidential employment records. Continue to apply ADA and FMLA standards, sharing only what is needed to implement safety measures, leave, or accommodations.