HIPAA Employee Rights Requirements and Workplace Boundaries: What HR Must Know
HIPAA Applicability to Employers
What HIPAA regulates—and what it doesn’t
HIPAA regulates how Covered Entities—health care providers, health plans, and health care clearinghouses—and their Business Associates use and disclose Protected Health Information. Most employers are not Covered Entities. As a result, HIPAA generally does not apply to employment records an employer maintains in its role as an employer, such as leave requests, accommodation paperwork, or drug test results stored in personnel files.
Key boundary: plan data vs. employment records
When an employer sponsors a health plan, the plan is the HIPAA-regulated entity, not the employer itself. PHI held by the plan administrator, insurer, or third-party administrator is subject to HIPAA; the same information held by HR as an employment record is usually not PHI. Your compliance posture must reflect this separation and ensure HR does not treat plan-originated PHI as general HR data.
Practical implications for HR
- Do not access or use plan PHI for hiring, discipline, promotion, or termination decisions.
- Route plan-related requests through the plan administrator, not general HR mailboxes.
- Keep employment medical records separate from personnel files and apply strong confidentiality requirements to both.
Employer-Sponsored Health Plans
Fully insured vs. Self-Insured Group Health Plans
Employer-Sponsored Health Plans are themselves Covered Entities (the one exception is a self-administered plan with fewer than 50 participants, which falls outside the HIPAA definition of a health plan). In fully insured arrangements, the insurer holds the PHI and typically handles HIPAA compliance operations (e.g., notices, individual rights); a fully insured plan that receives no PHI beyond enrollment data and summary health information is relieved of most Privacy Rule obligations, but the plan sponsor must still maintain the plan-document “firewall” described below. In Self-Insured Group Health Plans, the employer’s plan assumes direct responsibility for HIPAA Privacy and Security compliance, often delegating operations to a third-party administrator via Business Associate Agreements.
Core HIPAA obligations for plans
- Issue a Notice of Privacy Practices explaining permitted uses, disclosures, and individual rights.
- Limit PHI use and disclosure to treatment, payment, and health care operations, or to another use the Privacy Rule specifically permits or requires (e.g., disclosures required by law); obtain a valid Authorization for Disclosure for anything else.
- Implement PHI Security Measures under the Security Rule, including risk analysis, access controls, encryption where reasonable and appropriate, and workforce training.
- Execute Business Associate Agreements with vendors that handle PHI and monitor their performance.
- Adopt and enforce “minimum necessary” standards and administrative, physical, and technical safeguards.
- Follow breach notification requirements and maintain documentation to demonstrate compliance.
Plan sponsor “adequate separation”
Plan documents must restrict which employees can access plan PHI and for what reasons. Those workforce members may use PHI only for plan administration, not for employment actions. Establish written boundaries, periodic access reviews, and audit trails to verify that plan PHI never migrates into HR’s general employment systems.
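One way to express this separation as an enforceable check, added here as an illustration that is not code from the page or from any plan administration product. The roles (plan_admin, benefits_coordinator, hr_medical_custodian, hr_generalist), the purposes, the policy table, the field allowlist, and the sample users and claim record are assumptions constructed for the example. The check refuses plan PHI for any employment decision regardless of role, trims a plan record to the minimum necessary for the stated purpose, writes an audit entry for every decision, and flags accounts that combine a plan-PHI role with an employment-decision role, which is what a periodic access review should surface.

```python
"""Purpose-bound access control and access review for plan PHI vs. HR records.
Added illustration only; roles, purposes, policy table, field allowlist and the
sample users and claim record are assumptions constructed for the example."""
from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    PLAN_PHI = "plan_phi"        # claims/eligibility data held by the group health plan
    HR_MEDICAL = "hr_medical"    # ADA/FMLA files held by the employer as employer
    PERSONNEL = "personnel"      # general personnel file


class Purpose(Enum):
    PLAN_ADMINISTRATION = "plan_administration"
    BENEFITS_ENROLLMENT = "benefits_enrollment"
    ACCOMMODATION = "accommodation"
    EMPLOYMENT_DECISION = "employment_decision"  # hiring, discipline, promotion, termination


# (role, data class) -> purposes for which that role may use the data.
# Only designated plan-administration roles ever appear with PLAN_PHI.
POLICY = {
    ("plan_admin", DataClass.PLAN_PHI): {Purpose.PLAN_ADMINISTRATION, Purpose.BENEFITS_ENROLLMENT},
    ("benefits_coordinator", DataClass.PLAN_PHI): {Purpose.BENEFITS_ENROLLMENT},
    ("hr_medical_custodian", DataClass.HR_MEDICAL): {Purpose.ACCOMMODATION},
    ("hr_generalist", DataClass.PERSONNEL): {Purpose.EMPLOYMENT_DECISION},
}

# Minimum necessary: which fields of a plan record each purpose may see (assumed schema).
MIN_NECESSARY = {
    Purpose.PLAN_ADMINISTRATION: {"member_id", "coverage_tier", "claim_amount", "diagnosis_code"},
    Purpose.BENEFITS_ENROLLMENT: {"member_id", "coverage_tier"},
}

PLAN_PHI_ROLES = {role for (role, dc) in POLICY if dc is DataClass.PLAN_PHI}
EMPLOYMENT_ROLES = {role for (role, _dc), purposes in POLICY.items()
                    if Purpose.EMPLOYMENT_DECISION in purposes}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user, roles, data_class, purpose, record_id, audit):
    """Decide one request and append an audit entry whether or not it is allowed."""
    if data_class is DataClass.PLAN_PHI and purpose is Purpose.EMPLOYMENT_DECISION:
        # Hard rule independent of role: plan PHI never feeds employment actions.
        decision = Decision(False, "plan PHI may not be used for employment decisions")
    else:
        permitted = set().union(*(POLICY.get((r, data_class), set()) for r in roles))
        decision = (Decision(True, "permitted by role policy") if purpose in permitted
                    else Decision(False, "no held role grants this data class for this purpose"))
    audit.append({"user": user, "data_class": data_class.value, "purpose": purpose.value,
                  "record": record_id, "allowed": decision.allowed, "reason": decision.reason})
    return decision


def minimum_necessary(record, purpose):
    """Return only the fields the stated purpose needs; an unlisted purpose gets nothing."""
    keep = MIN_NECESSARY.get(purpose, set())
    return {k: v for k, v in record.items() if k in keep}


def review_separation(assignments):
    """Access review: users holding both a plan-PHI role and an employment-decision role."""
    return sorted(user for user, roles in assignments.items()
                  if roles & PLAN_PHI_ROLES and roles & EMPLOYMENT_ROLES)


# Constructed sample data; "carol" models an account that drifted across the boundary.
ASSIGNMENTS = {
    "alice": {"plan_admin"},
    "bob": {"hr_generalist"},
    "carol": {"benefits_coordinator", "hr_generalist"},
    "dave": {"hr_medical_custodian"},
}
CLAIM = {"member_id": "M-1001", "coverage_tier": "family",
         "claim_amount": 412.50, "diagnosis_code": "EXAMPLE-CODE"}


def demo():
    """Run the checks on the sample data and return the outcomes."""
    audit = []
    ok_plan = authorize("alice", ASSIGNMENTS["alice"], DataClass.PLAN_PHI,
                        Purpose.PLAN_ADMINISTRATION, "claim-77", audit)
    denied_employment = authorize("carol", ASSIGNMENTS["carol"], DataClass.PLAN_PHI,
                                  Purpose.EMPLOYMENT_DECISION, "claim-77", audit)
    ok_ada = authorize("dave", ASSIGNMENTS["dave"], DataClass.HR_MEDICAL,
                       Purpose.ACCOMMODATION, "ada-12", audit)
    denied_hr_file = authorize("bob", ASSIGNMENTS["bob"], DataClass.HR_MEDICAL,
                               Purpose.EMPLOYMENT_DECISION, "ada-12", audit)
    enrollment_view = minimum_necessary(CLAIM, Purpose.BENEFITS_ENROLLMENT)
    flagged = review_separation(ASSIGNMENTS)
    return ok_plan, denied_employment, ok_ada, denied_hr_file, enrollment_view, flagged, audit
```

Calling demo() returns the four decisions, the trimmed enrollment view, the list of flagged accounts, and the audit trail. The deny branch for plan PHI plus an employment purpose is evaluated before any role lookup so that a mis-assigned role cannot override it; the audit list is appended on every path, which is what lets an access review reconstruct who asked for what and why.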
Handling of Employee Health Information
Distinguishing PHI from non-PHI in HR files
PHI is individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or its Business Associate. The HIPAA definition expressly excludes employment records held by an employer in its role as employer, so many HR records (FMLA certifications, ADA accommodation documentation, fitness-for-duty notes, workers’ compensation materials) are medical in nature but are not PHI. Despite not being PHI, these records are subject to stringent confidentiality requirements under other laws, chiefly the ADA.
Secure handling practices
- Store employment-related medical records in confidential medical files, separate from personnel files.
- Restrict access to a need-to-know basis and log disclosures.
- Apply PHI Security Measures to sensitive HR medical records even when HIPAA does not apply (encryption, MFA, role-based access, retention controls).
- Train supervisors to avoid soliciting diagnosis details and to route medical information to HR.
Coordination with the health plan
When information originates from the plan (e.g., claims data), treat it as PHI. If HR needs limited data to administer benefits, obtain it through the plan administrator under the minimum necessary rule. Avoid combining plan PHI with employment medical files, and never repurpose plan data for performance or disciplinary decisions.
Legal Protections Beyond HIPAA
Americans with Disabilities Act
The Americans with Disabilities Act requires employers to keep disability-related information confidential, stored separately from personnel files, and disclosed only in narrow circumstances (e.g., supervisors and managers regarding necessary restrictions and accommodations, first aid and safety personnel when emergency treatment may be required, and government officials investigating compliance). The ADA also limits disability-related inquiries and medical exams to those that are job-related and consistent with business necessity.
GINA, FMLA, workers’ compensation, and state laws
- GINA prohibits acquiring or using genetic information, including family medical history, for employment decisions; include “safe harbor” language on all medical requests to avoid receiving genetic information.
- FMLA certification processes allow employers to request sufficient information for leave administration without demanding a diagnosis.
- Workers’ compensation programs permit limited disclosures as required by applicable laws, but employers should still apply strict confidentiality.
- State privacy and data-security laws may impose additional duties (e.g., breach notifications, data minimization). Align your program to the most protective applicable standard.
42 CFR Part 2 and substance use records
Certain federally assisted substance use disorder treatment records are subject to heightened confidentiality rules. If such records arise, consult plan counsel and maintain strict segregation, minimum necessary access, and clear documentation of lawful disclosures.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Employer Inquiries About Health Information
Pre-offer, post-offer, and employment-stage rules
- Pre-offer: Do not ask disability-related questions or require medical exams.
- Post-offer: Medical inquiries and exams may be permitted if required of all entering employees in the same job category, with results kept confidential.
- During employment: Inquiries must be job-related and consistent with business necessity (e.g., verifying ability to perform essential functions or assessing a direct threat).
Targeted documentation, not diagnoses
When you need information, request functional limitations, restrictions, and expected duration—not a diagnosis. Provide forms that specify the job’s essential functions and ask the provider to address only the employee’s ability to meet them.
Authorization for Disclosure
If information must come from a health plan or provider for non-routine purposes, obtain an employee-signed Authorization for Disclosure that is specific, time-limited, and voluntary. Do not request blanket authorizations, and never condition employment benefits on authorizations that are not legally required. Exclude genetic information to comply with GINA.
Employee Rights Regarding Health Information
Rights under the health plan (HIPAA)
- Access: Employees may request copies of PHI held by the plan or its Business Associates.
- Amendment: Employees may request corrections to plan records if they believe information is inaccurate or incomplete.
- Accounting of disclosures: Employees may receive a record of certain non-routine disclosures.
- Restrictions and confidential communications: Employees may request limits on certain uses/disclosures and alternate contact methods.
- Complaints: Employees may file privacy complaints with the plan’s privacy official or with the HHS Office for Civil Rights, and the plan may not retaliate against them for doing so.
Rights for employment-held medical records (non-PHI)
For medical records kept as employment files, HIPAA rights typically do not apply, but employees still benefit from confidentiality under the ADA and related laws. Employees may also have access and correction rights under applicable state laws or company policies. Communicate clearly which process applies based on where the information is maintained.
Best Practices for HR Departments
Program design and governance
- Map data flows to identify where PHI and non-PHI reside and who can access each data set.
- Designate privacy and security leads for the health plan and a separate HR confidentiality lead.
- Update plan documents to reflect “adequate separation” and role-based access to plan PHI.
Operational controls
- Adopt written confidentiality requirements for HR medical files and PHI Security Measures for plan systems.
- Use secure channels (encrypted email/portals) for any health information you transmit or receive.
- Maintain retention schedules that meet legal requirements and minimize data kept beyond necessity.
- Train HR, managers, and supervisors annually on HIPAA boundaries, ADA/GINA rules, and minimum necessary practices.
- Vet vendors carefully and execute Business Associate Agreements where needed; monitor performance and incident handling.
Incident readiness
- Establish intake channels for suspected privacy incidents affecting plan PHI or HR medical files.
- Run tabletop exercises covering breach assessment, notifications, and employee communications.
- Document decisions and remedial actions to demonstrate compliance.
Conclusion
HIPAA Employee Rights Requirements and Workplace Boundaries hinge on a clear line between plan PHI and employment records, disciplined access, and strong confidentiality controls. By aligning health plan compliance with ADA/GINA safeguards and enforcing need-to-know handling, HR can protect employee trust, meet legal obligations, and avoid improper use of health information in the workplace.
FAQs
What are an employee's rights under HIPAA in the workplace?
Employees’ HIPAA rights exist through the employer-sponsored health plan, not the employer itself. Through the plan, employees can access and request amendments to their PHI, obtain an accounting of certain disclosures, request restrictions and confidential communications, and file complaints without retaliation. For medical records kept by the employer as employment files, HIPAA typically does not apply, but ADA and similar laws impose strict confidentiality requirements.
How does HIPAA apply to employer-sponsored health plans?
The health plan is a Covered Entity that must follow HIPAA’s Privacy, Security, and Breach Notification Rules. Fully insured plans rely heavily on the insurer for operations, while Self-Insured Group Health Plans must implement their own compliance program, enter into Business Associate Agreements with vendors, issue a Notice of Privacy Practices, apply minimum necessary standards, and maintain PHI Security Measures and incident response procedures.
What must HR do to protect employee health information?
Maintain strict separation between plan PHI and employment medical records, limit access to defined roles, and never use plan PHI for employment decisions. Implement confidentiality requirements for HR medical files, ensure secure transmission and storage, train staff on ADA/GINA/HIPAA boundaries, use targeted requests rather than diagnoses, avoid genetic information, obtain valid Authorization for Disclosure when necessary, and maintain a documented incident response process.