Patient Privacy and Employer Inquiries: What Employers Can and Can’t Ask Under HIPAA, ADA, and FMLA



Kevin Henry

HIPAA

April 14, 2026

8 minutes read

HIPAA Applicability to Employers

HIPAA protects health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. Most employers, acting as employers, are not covered entities, so HIPAA usually does not govern routine employment-record decisions such as attendance, performance, or leave administration.

However, an employer’s group health plan is a covered entity separate from the employer. Protected health information held by the plan may not be used for hiring, firing, or other employment actions. Without a written authorization from the employee, the plan may share only summary health information and enrollment data with the plan sponsor, plus the protected health information needed for plan administration functions once the plan documents have been amended to restrict its use and the sponsor has certified to those restrictions.

HIPAA does not stop an employer from asking you for information, but it prevents your healthcare provider or health plan from disclosing your medical details to your employer without your authorization, except for narrow, legally defined exceptions. Other laws—especially the ADA, FMLA, and GINA—set the boundaries for what employers may ask and how they must handle any information they receive.

Employer Access to Medical Information

Employers may request medical information only when a law permits it or when the request is job-related and consistent with business necessity. Even then, they should ask only for the minimum necessary details, focusing on functional limits and ability to work rather than diagnoses. Keeping requests that narrow satisfies the business-necessity standard and protects the privacy of employment records.

  • What employers can request: information about work restrictions to evaluate reasonable accommodation under the ADA; FMLA medical certification for a serious health condition; fitness-for-duty certifications limited to whether you can perform essential functions; results of Job-Related Medical Examinations required by law (for example, safety or regulatory exams), limited to work-related conclusions.
  • What employers should not request: broad diagnostic histories, complete medical files, or family medical history. Requests untethered to job duties, workplace safety, or a specific leave entitlement fall outside permissible bounds.

Whenever medical information is collected, the employer must limit who can access it and keep it in confidential medical files stored separately from personnel files. State privacy laws may impose additional limits or retention requirements.

ADA Restrictions on Medical Inquiries

The ADA tightly regulates Disability-Related Inquiries and medical exams. The rules differ across three stages: before a job offer, after a conditional offer, and during employment. Throughout, the touchstone is whether the request is job-related and consistent with business necessity.

  • Pre-offer: employers may not ask about disabilities, medical conditions, or prior workers’ compensation claims. They may ask about the ability to perform essential functions and may request a demonstration of those tasks.
  • Post-offer (prior to start): employers may require medical inquiries or exams if all entering employees in the same job category are subject to them. They may withdraw an offer only if the findings show the applicant cannot perform essential functions (with or without accommodation) or would pose a direct threat, based on objective evidence.
  • During employment: medical inquiries or exams are allowed only if they are job-related and consistent with business necessity—for example, when there is reliable evidence a condition may be impairing performance, creating safety risks, or when verifying the need for accommodation or fitness for duty.

Focus requests on functional capacity, restrictions, and accommodation needs, not diagnoses. Any results from Job-Related Medical Examinations must be kept confidential and used solely for legitimate employment purposes recognized by the ADA.

FMLA Medical Certification

Under the FMLA, employers may require a medical certification to support leave for a serious health condition affecting you or a qualifying family member. You typically have at least 15 calendar days to return a complete and sufficient certification. Employers must limit questions to what the FMLA allows and may not demand full medical records.

To verify a certification, an employer may contact the healthcare provider to authenticate or clarify it, but only through HR, a leave administrator, or another management official, never your direct supervisor. The contact must be limited to confirming that the provider completed the form or to understanding the entries on it; it cannot be used to seek medical information beyond what the FMLA permits.

Employers may seek a second (and if needed, third) opinion at their expense. They may also request recertification in specific circumstances, such as changed facts or patterns suggesting the need for updated information. Before you return from leave, a fitness-for-duty certification can be required if applied uniformly and limited to confirming you can perform essential job functions.

When leave involves care for a family member, employers should avoid collecting family medical history to steer clear of GINA issues. The certification should capture only the facts necessary to confirm the serious health condition and the need for leave.


Confidentiality of Medical Information

All medical information obtained under HIPAA exceptions, the ADA, the FMLA, or workers’ compensation must be stored separately from personnel files in secure, limited-access systems. Only staff with a legitimate need to know may view it.

  • Managers may learn only the restrictions or accommodations they must implement—not your diagnosis.
  • First-aid and safety personnel may be told if a condition could require emergency treatment or special procedures.
  • Government officials investigating compliance may access records upon request.

Adopt tight access controls, retain records no longer than the law requires, and document who views them and why. These practices protect the privacy of employment records and reduce legal risk.

Employer Communication with Healthcare Providers

Direct employer–provider contact is restricted. For FMLA purposes, only HR or a designated leave official may contact a provider and solely to authenticate or clarify a certification. Supervisors may not do so, and the discussion must not expand into broader medical details.

Outside the FMLA context, providers generally need your written authorization before speaking with your employer. Limited exceptions exist—for example, when an employer retains a clinician to perform a workplace exam or surveillance required by safety laws; even then, disclosures should be restricted to work-related conclusions (such as “fit with restrictions”) rather than diagnoses.

  • Use written authorizations when discussions could go beyond the face of a form.
  • Request only functional limitations and expected duration, not diagnoses or treatment plans.
  • Channel communications through occupational health or HR to preserve Employment Records Privacy.
  • Document requests and responses to maintain a compliant audit trail.

Genetic Information Nondiscrimination Act (GINA)

GINA prohibits employers from requesting, requiring, purchasing, or using genetic information, including family medical history, in employment decisions. In practice, you should never be asked for your family history to justify leave, accommodation, or fitness for duty.

When collecting medical information (for example, FMLA certifications or ADA accommodation documentation), employers should expressly instruct providers and employees not to supply genetic information. If genetic information is inadvertently obtained, it must not be used and must be kept confidential as part of the medical record, separate from personnel files.

Common pitfalls to avoid include asking about diseases that “run in your family,” requesting results of genetic tests, or embedding family-history questions in standard forms. Keep requests tightly focused on current functional capacity and work-related restrictions.

Taken together, these rules form a clear framework: HIPAA rarely allows employer access to medical details; the ADA limits Disability-Related Inquiries to job-related, necessity-based needs; the FMLA controls what can be requested to verify leave; and GINA bars genetic information entirely. Collect only what you truly need, store it securely, and use it only for lawful, work-related purposes.

FAQs

What medical information can employers legally request under HIPAA?

HIPAA usually does not regulate an employer’s questions to you, but it prevents your provider or health plan from sharing Protected Health Information with your employer without your written authorization, except for narrow legal exceptions. Employers can lawfully request limited information allowed by other laws (for example, an FMLA certification, a fitness-for-duty letter, or functional limitations for an ADA accommodation). Requests should be minimal and focused on ability to work, not diagnoses.

Before an offer, employers may not ask about disabilities or require medical exams. After a conditional offer, they may require exams for all entrants in the same job category. During employment, medical questions or exams are allowed only if job-related and consistent with business necessity—such as verifying safety concerns, confirming fitness for duty, or evaluating accommodations. Results must be kept confidential and used only for legitimate employment purposes.

When can employers request medical certification under the FMLA?

An employer may require certification when you seek FMLA leave for a serious health condition affecting you or a qualifying family member. You generally have at least 15 calendar days to return a complete and sufficient form. Employers may authenticate or clarify the certification through HR or a leave administrator, may request second or third opinions at their expense, and may require recertification in limited situations. Fitness-for-duty certification can be required at return if applied uniformly and limited to essential functions.

Are employers allowed to contact healthcare providers directly for employee medical information?

Only in limited, rule-bound ways. For FMLA, HR or a leave administrator—not a supervisor—may contact a provider solely to verify authenticity or clarify the certification’s entries. Beyond that, providers typically need your HIPAA-compliant authorization before discussing details with your employer. When an employer arranges a job-related exam, the disclosure back to the employer should be limited to work-related conclusions and restrictions, not diagnoses or full medical records.
