HIPAA and Workers' Compensation: What You Can Share and What Stays Private
When a workplace injury triggers a claim, you have to balance workers' compensation laws with health information privacy. This guide explains what Protected Health Information (PHI) can be released, who may receive it, and how the Minimum Necessary Rule keeps disclosures limited and targeted.
HIPAA Privacy Rule and Workers' Compensation
The HIPAA Privacy Rule permits covered entities—health care providers, health plans, and clearinghouses—to disclose PHI for workers' compensation purposes as allowed by applicable Workers' Compensation Laws. These disclosures help determine eligibility, coordinate treatment, and process benefits while maintaining Health Information Privacy.
What disclosures are typically permitted
- Basic facts about the work-related injury or illness, including diagnosis related to the claim.
- Treatment dates, services rendered, and functional limitations relevant to job duties.
- Work restrictions, return-to-work status, and prognosis for recovery or maximum medical improvement.
- Causation opinions and impairment ratings when needed to adjudicate the claim.
What generally stays private without further authority
- Unrelated medical history, routine preventive care records, and non-occupational conditions.
- Psychotherapy notes, substance use treatment records, and other specially protected data.
- Genetic information and highly sensitive results (such as HIV status) that are not relevant to the injury.
Key point: If a disclosure is required by law, you release what the law specifies. If it is merely permitted or requested, you apply the Minimum Necessary Rule to limit what you share.
Minimum Necessary Standard
The Minimum Necessary Rule requires you to disclose only the least amount of PHI needed to accomplish the workers' compensation purpose. It does not allow blanket chart releases when a narrower summary will do.
How to apply the standard in practice
- Tailor your response to the specific request—e.g., provide work restrictions and treatment dates rather than the full record.
- Use role-based criteria so staff share only information necessary for claims administration.
- De-identify or redact unrelated entries (medications, diagnoses, or history) that do not affect causation, disability, or return-to-work.
- Document why the disclosed items were needed to comply with Workers' Compensation Laws or a valid request.
State Laws and HIPAA
HIPAA sets a nationwide floor for Health Information Privacy, but State Disclosure Requirements in workers' compensation can be more specific. If a state statute, rule, or order requires certain PHI for a claim, HIPAA allows you to provide exactly what that law mandates.
Reconciling different rules
- When a state law requires disclosure, release the specified items—no more, no less.
- When a state law merely authorizes disclosure, you still apply the Minimum Necessary Rule.
- When a state privacy law is more protective (for example, regarding HIV or mental health), follow the stricter rule unless a workers' compensation requirement clearly overrides it.
- For subpoenas and orders, verify scope and validity; do not treat a broad request as permission to share unrelated PHI.
Authorization Requirements for PHI Disclosure
A PHI Authorization from the injured worker is needed when a requested disclosure is not required by state workers' compensation law and is not otherwise permitted under HIPAA. Authorizations must be voluntary, specific, and time-limited.
Elements of a valid PHI Authorization
- What will be disclosed: a clear description of the information (e.g., records relating only to the 1/15/2026 back injury).
- Who may disclose and who may receive the information (e.g., treating clinic to the insurer/third-party administrator).
- Purpose of disclosure (workers' compensation claim administration).
- Expiration date or event and instructions on revocation.
- A statement about the potential for re-disclosure by non-covered recipients, if applicable.
Encourage narrowly tailored authorizations that match the claim’s scope. Avoid “any and all records” language unless required by law or truly necessary for the claim.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Employer Access to PHI
Employers are not HIPAA covered entities in their role as employers. They can receive PHI relevant to a workers' compensation claim when provided by a covered entity under a workers' compensation permission or with a valid PHI Authorization.
Limits on what employers can see
- Employers cannot access all health information by default; they receive only PHI necessary for claim adjudication or as required by law.
- Employment records held by the employer are not PHI, but any PHI the employer receives must be used only for the claim and safeguarded from general personnel use.
- When the employer sponsors a health plan, plan PHI must be walled off and used solely for plan administration unless the worker authorizes broader sharing.
Practical tip: Request summaries focused on functional capacity and restrictions. This meets business needs without over-collecting PHI.
Health Care Provider Obligations
As a provider, you must protect Health Information Privacy while supporting legitimate claim needs. That means verifying each request, identifying its legal basis, and documenting your decision to disclose or withhold.
Provider checklist
- Verify the requester’s identity and authority (insurer, state agency, employer, or representative).
- Determine whether the disclosure is required by law, permitted with the Minimum Necessary Rule, or needs a PHI Authorization.
- Disclose only information tied to the work injury; redact unrelated conditions.
- Maintain an accounting of disclosures when required and retain copies of requests, authorizations, and what you released.
- Train staff and use role-based access so only authorized team members handle workers' compensation requests.
Limits on Sharing Sensitive Information
Certain categories of PHI receive heightened protection. Unless a workers' compensation law specifically compels disclosure, you should not release these without explicit, narrowly tailored authorization.
Specially protected data
- Psychotherapy notes: these are kept separate from the rest of the medical record and require the patient's authorization before disclosure.
- Substance use disorder treatment records: may be subject to additional federal confidentiality rules that demand specific consent or a qualifying order.
- HIV and other STI information: many states impose strict limits and require special authorization or de-identification.
- Genetic information: the Minimum Necessary Rule and other protections restrict sharing genetic test results unrelated to the injury.
- Reproductive and other highly sensitive health data: disclose only if clearly required or directly relevant to causation, treatment, or disability for the claim.
Key takeaways
- Share only what the claim needs and what the law requires; keep everything else private.
- Use the Minimum Necessary Rule to narrow disclosures and protect Health Information Privacy.
- When in doubt—or when requests are broad—seek a specific PHI Authorization or clarification of legal authority.
FAQs
What PHI can be disclosed under workers' compensation laws?
Information directly related to the work injury—such as diagnosis, treatment dates, work restrictions, impairment ratings, causation opinions, and return-to-work status—may be disclosed to the insurer, employer, or state agency when required or permitted by Workers' Compensation Laws. Unrelated medical history and sensitive categories typically remain confidential unless specifically compelled or authorized.
How does HIPAA limit the amount of information shared?
HIPAA’s Minimum Necessary Rule requires covered entities to disclose only the least amount of PHI needed for the claim. If a disclosure is required by law, you provide what the law specifies; otherwise, you narrow the response to what is relevant to adjudicate benefits, pay bills, or determine work capacity.
Can employers access all health information for workers' compensation claims?
No. Employers receive only PHI necessary to manage the claim or what a law or valid authorization permits. They should not obtain an entire medical chart or unrelated diagnoses and must keep claim-related PHI separate from general personnel files.
What are the provider obligations under HIPAA in these cases?
Providers must verify each requester’s authority, identify the legal basis for disclosure, apply the Minimum Necessary Rule, limit releases to claim-related PHI, and document disclosures as required. They should obtain a PHI Authorization when the law does not require or clearly permit the requested information.