HIPAA Employee Privacy Rights Explained: What Employers Can and Cannot Access
HIPAA Applicability to Employers
Who HIPAA regulates—and who it does not
HIPAA regulates covered entities—health plans, health care providers, and health care clearinghouses—and their Business Associate partners. Employers, acting in their role as employers, are not covered entities. Your workplace only touches HIPAA when it operates or sponsors a group health plan that handles Protected Health Information (PHI).
When the employer is a health plan sponsor
If you are a Health Plan Sponsor of a group health plan, the plan—not the company—is the covered entity. To receive PHI for plan administration, the plan documents must be amended to identify who may access PHI, restrict uses to plan administration, and prohibit use for employment decisions. You must also create a firewall separating plan functions from HR or management decisions.
Vendors and Business Associates
Third‑party administrators, benefits platforms, and brokers that handle PHI for your plan are Business Associates. The plan must have Business Associate Agreements with them and ensure they implement appropriate safeguards before any PHI is shared.
Employer Access to Employee Health Information
What you may receive
- Plan administration data: enrollment/disenrollment information and de‑identified or “summary health information” for obtaining quotes or changing plan design.
- Work‑related fitness information: a doctor’s note confirming work restrictions or fitness‑for‑duty, usually without a specific diagnosis unless the employee authorizes it.
- Legally required disclosures: limited PHI may flow to insurers or state programs for workers’ compensation as permitted by law, typically from the provider or the plan, not directly from you.
What you may not do
- Access or use plan PHI for hiring, firing, promotion, or discipline.
- Seek blanket authorizations for complete medical files unrelated to a legitimate, job‑related need.
- Ignore the minimum necessary standard when requesting information from a plan or provider; request only what is needed for the stated purpose.
Remember: most records you hold as an employer are not PHI under HIPAA, but other laws still require confidentiality and limited access.
Employment Records and HIPAA
Employment records—such as accommodation requests, return‑to‑work notes, drug test results, or leave paperwork you maintain—are not PHI, even if they contain health details. HIPAA’s Privacy Rule expressly excludes employment records held by an employer in its role as an employer.
Although HIPAA does not apply to these records, you must still protect them. Store medical and leave records separately from personnel files, limit access to those with a need to know, and disclose them only as allowed by law or with the employee’s written authorization.
Employer Obligations Under ADA
Limits on medical inquiries and exams
The ADA restricts disability‑related questions. Before a job offer, you cannot ask about disabilities. After a conditional offer, you may require a medical exam if it is required for all entering employees in the same job category. Once employed, any medical inquiry or exam must be job‑related and consistent with business necessity.
Confidential handling of medical information
All ADA medical information must be kept confidential, stored separately, and shared only with those who need to know: supervisors about work restrictions, first‑aid and safety personnel for emergency treatment, and government investigators. Implement Administrative Safeguards such as role‑based access, secure storage, and workforce training to maintain confidentiality.
State Laws Impacting Employer Access
HIPAA sets a federal floor; a state law that is more stringent controls over it. For example, California’s Confidentiality of Medical Information Act (CMIA) strictly limits employer use and disclosure of employee medical information and requires specific authorizations, with statutory penalties for violations.
Other states impose similar or additional restrictions on medical inquiries, workers’ compensation disclosures, and leave documentation. Always evaluate the strictest applicable rule—HIPAA, ADA, FMLA, GINA, or state law—and follow that standard.
Safeguards for Employee Health Information
For plan sponsors handling PHI
- Implement HIPAA Administrative, Physical, and Technical Safeguards to protect PHI handled for plan administration.
- Amend plan documents, designate privacy/security officials, train staff with PHI access, and enforce a firewall so PHI is never used for employment decisions.
- Execute and manage Business Associate Agreements, and monitor vendors for compliance.
For employment records outside HIPAA
- Apply comparable Administrative Safeguards: separate medical files, least‑privilege access, authentication controls, and documented retention/destruction practices.
- Use secure transmission and storage practices for Medical Certification forms, fitness‑for‑duty notes, and accommodation documentation.
Employer Access Under FMLA and GINA
FMLA: requesting and handling medical certification
Under the FMLA, you may require a Medical Certification to verify a serious health condition or the need to care for a family member. HR or your leave administrator—not the employee’s direct supervisor—may contact the provider to authenticate or clarify the form, but cannot demand full medical records. Keep all FMLA medical records confidential and separate from personnel files.
GINA: limits on genetic information
The Genetic Information Nondiscrimination Act (GINA) prohibits requesting, purchasing, or using genetic information—including family medical history—for employment decisions. When requesting FMLA certifications or fitness‑for‑duty notes, include GINA safe‑harbor language instructing providers not to supply genetic information. If genetic information is inadvertently received, do not use it and maintain it confidentially.
Key takeaways
- HIPAA employee privacy rights primarily apply through the group health plan; the employer’s access to PHI is tightly limited to plan administration.
- Employment records are not PHI, but ADA and state laws require strict confidentiality and limited access.
- Use only the minimum necessary information, avoid diagnoses unless authorized, and never use PHI for employment decisions.
- FMLA permits targeted Medical Certifications; GINA bars requests for genetic information and requires safe‑harbor notices.
FAQs
Does HIPAA apply directly to employers?
No. HIPAA applies to covered entities and their Business Associates. Employers are not covered entities, but if you sponsor a group health plan, the plan is covered and your access to Protected Health Information is limited to plan‑administration purposes under strict safeguards.
What information can employers access under HIPAA?
You may receive enrollment status, de‑identified or summary health information for plan design, and PHI necessary for plan administration if plan documents permit it. You cannot access or use PHI for hiring, firing, or other employment decisions without a valid authorization and an appropriate legal basis.
How does the ADA protect employee health privacy?
The ADA restricts medical inquiries and exams to specific stages and purposes, requires that medical information be stored separately from personnel files, and limits disclosures to those with a need to know. These confidentiality rules cover most employment medical records.
Can employers request genetic information from employees?
Generally no. The Genetic Information Nondiscrimination Act prohibits requesting or using genetic information—including family medical history—for employment decisions. Use GINA safe‑harbor language on forms to avoid receiving genetic information inadvertently.
What are employer obligations under FMLA regarding medical records?
You may require a Medical Certification to substantiate leave but must limit requests to what the FMLA allows, keep the records confidential and separate, and restrict provider contacts to HR or leave administrators for authentication or clarification—not supervisors.