HIPAA and Union Negotiations: What Employers and Unions Can (and Can’t) Share
HIPAA Applicability to Employers
Who HIPAA actually regulates
HIPAA regulates Covered Entities—health plans, health care clearinghouses, and health care providers that transmit certain transactions electronically—and their Business Associates. An employer is not a Covered Entity simply because it has employees. However, your employer-sponsored group health plan is a Covered Entity, and that matters when negotiations touch plan data.
When HIPAA touches the workplace
If you receive protected health information (PHI) from your group health plan for plan administration, HIPAA applies to how you handle that PHI. By contrast, employment records you maintain in your role as employer—such as accommodation notes or leave forms—are not PHI under HIPAA, though other laws may govern them.
PHI versus employment records
PHI relates to an individual’s health status, care, or payment for care held by a Covered Entity or Business Associate. Employment records, even if they include medical details, are separate. During negotiations, treat plan PHI under HIPAA and treat employment medical files under applicable labor, disability, and privacy laws.
Employer Obligations Under HIPAA
Plan sponsor boundaries
As a plan sponsor, you must create a firewall between your plan and employment functions. Use plan PHI only for plan administration unless you have Employee Authorization that is voluntary, specific, and time-limited. Do not use PHI for hiring, firing, or discipline.
Privacy and security requirements
Adopt written policies, designate a privacy official, train staff with access to PHI, and apply the “minimum necessary” standard. Implement administrative, technical, and physical safeguards, including access controls, encryption, and secure transmission, to support Medical Records Confidentiality.
Working with vendors
Execute Business Associate Agreements with brokers, TPAs, and consultants who handle PHI for your plan. Include breach reporting duties, permitted uses, de-identification standards, and return-or-destroy clauses at contract end.
Union Rights to Information
The NLRA relevance standard
Under the National Labor Relations Act, a union is entitled to information that is relevant and necessary to perform Collective Bargaining and administer the agreement. Relevance is interpreted broadly, but it does not automatically override privacy interests in medical data.
Examples of negotiable, non-identifying data
You can generally share plan design terms, premiums, employer and employee contribution levels, networks, and aggregated claims experience presented as De-identified Information. Safety statistics, injury rates, and leave usage can also be shared when properly anonymized.
Balancing confidentiality
When requests implicate identifiable medical details, explore alternatives: summaries, redactions, or de-identified datasets. If the union needs greater detail, consider protective arrangements that preserve confidentiality while meeting bargaining needs.
Employer's Duty to Provide Information
Responding in good faith
You must respond promptly to relevant information requests and explain any partial denials. If medical privacy is at stake, identify the concern and propose narrower scopes, anonymization, or controlled review rather than a flat refusal.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Practical process you can follow
- Clarify the bargaining purpose and the exact data fields requested.
- Assess whether the data is PHI, employment medical data, or non-medical business data.
- Offer De-identified Information or aggregated reports when possible.
- Use protective measures for sensitive disclosures, such as secure data rooms and need-to-know access.
- Document requests, responses, and the rationale for any limits you apply.
Medical Information Disclosure
When disclosure is permissible
Disclose identifiable plan PHI only with valid Employee Authorization or if a HIPAA permission applies, such as for plan administration or when required by law. Even then, use the minimum necessary information to achieve the purpose.
Preferred alternatives to PHI
Whenever feasible, provide De-identified Information, aggregated claims trends, or benefit design comparisons. During negotiations, you rarely need diagnoses, treatment dates, or provider names tied to specific employees.
Other legal intersections
Separate statutes—like disability, leave, and workers’ compensation laws—may require certain medical documentation but still expect Medical Records Confidentiality. Keep those disclosures distinct from Collective Bargaining data exchanges.
Confidentiality of Medical Records
Structural safeguards
Store plan PHI and employment medical files separately from personnel files. Limit access to trained staff, use role-based permissions, and keep an audit trail of who viewed what and when.
Operational discipline
Standardize redaction protocols, retention schedules, and secure destruction. For negotiations, prepare pre-approved anonymized report templates so you can respond quickly without risking over-disclosure.
Secure collaboration
Use controlled environments for document exchange, disable downloads where possible, and watermark sensitive summaries. Confirm the union’s own handling commitments when sharing confidential material.
Employer's Responsibility in Data Breaches
Data Breach Prevention
Conduct risk analyses, deploy encryption at rest and in transit, enforce multi-factor authentication, and patch systems promptly. Train staff to recognize phishing and verify identity before releasing any medical or benefits data.
If a breach occurs
Activate your incident response plan, investigate scope, and contain exposure. For breaches of unsecured PHI within the health plan, follow HIPAA breach notification rules; for non-HIPAA employment records, follow applicable state breach laws and contractual duties.
Communication during bargaining
Notify affected individuals and, when appropriate, brief the union on impacts to the bargaining unit without revealing new identifiable medical details. Coordinate remediation steps and reinforce safeguards to prevent recurrence.
Conclusion
In union negotiations, share what is relevant for Collective Bargaining while protecting privacy through De-identified Information, tight access controls, and fit-for-purpose summaries. Treat plan PHI under HIPAA, employment medical files under other laws, and document a good-faith process from request to response.
FAQs
Does HIPAA apply directly to employers during union negotiations?
Not generally. HIPAA applies to Covered Entities and their Business Associates. Your group health plan is a Covered Entity, and HIPAA governs plan PHI. As an employer, you handle plan PHI only for plan administration unless you have valid Employee Authorization.
What information can employers legally share with unions?
You can share data relevant to bargaining—plan design, contribution levels, networks, and aggregated claims trends—preferably as De-identified Information. Avoid identifiable medical details unless a lawful basis exists and you apply the minimum necessary standard.
How must employers protect employee medical information during bargaining?
Keep PHI and employment medical files separate, restrict access, train authorized staff, and use encryption and controlled document sharing. Provide anonymized summaries whenever possible, and use protective measures for any necessary review of sensitive material.