Protecting Employee Health Information Under HIPAA: Employer Responsibilities and Best Practices
HIPAA Applicability to Employers
HIPAA protects Protected Health Information (PHI) held by covered entities (health plans, certain providers, and clearinghouses) and their business associates. As an employer, you are not a covered entity simply because you employ people. HIPAA applies to you when you operate or sponsor a group health plan, run an on‑site clinic that bills health plans, or receive PHI from the plan for approved plan administration purposes.
To meet your Confidentiality Obligations, create a clear firewall between employment functions and plan administration. Limit PHI use to plan tasks (e.g., eligibility, enrollment, claims support), not hiring, performance, or discipline. Document “minimum necessary” rules, appoint a privacy official for the plan, and update plan documents and certifications to reflect Group Health Plan Compliance requirements.
- Do not condition job decisions on access to PHI from the plan.
- Channel manager requests for “medical details” through HR and share only what is necessary (often de‑identified details).
- Coordinate with vendors as business associates and execute appropriate agreements.
Employment Records and HIPAA
Most workplace medical materials you handle as an employer—doctor’s notes for sick leave, ADA accommodation documents, drug test results, vaccination verification used for work, and workers’ compensation records—are employment records. They are not PHI under HIPAA, even though they contain health information.
These records are governed by other rules, especially the Americans with Disabilities Act, which requires you to store medical information separately from the personnel file and restrict access. Apply Health Information Security controls to these records: maintain locked physical storage, use restricted folders in your HRIS, and keep a clean, documented chain of custody for any paper or scanned files.
- Keep medical files separate and labeled; limit access to designated HR staff.
- Share only “need‑to‑know” fitness‑for‑duty outcomes with supervisors (e.g., “cleared with restrictions”), not diagnoses.
- Follow retention and disposal schedules aligned to legal requirements and internal policy.
Employer-Sponsored Health Plans
Your group health plan is a covered entity under HIPAA. That means the plan must meet Group Health Plan Compliance standards: adopt privacy and security policies, provide a Notice of Privacy Practices, name a privacy official, train plan workforce members, and implement administrative, physical, and technical safeguards.
Identify the plan’s vendors (TPAs, COBRA/FSA/HSA administrators, brokers, wellness platforms) and execute business associate agreements that specify permitted uses, safeguards, and breach reporting. Amend plan documents to certify that the plan sponsor will protect PHI, use it only for plan administration, and maintain a firewall from employment decisions.
- Apply “minimum necessary” to all plan disclosures; use de‑identification where feasible.
- Log disclosures, manage member rights (access, accounting, amendments), and monitor vendors.
- Prepare for Privacy Rule Enforcement by documenting policies, training, risk analyses, and corrective actions.
Other Relevant Privacy Laws
The Americans with Disabilities Act requires strict confidentiality for employee medical information, stored separately with access limited to HR and safety personnel. Disclosures are allowed only in narrow circumstances such as emergency treatment or necessary accommodations.
The Genetic Information Nondiscrimination Act (GINA) bars requesting, purchasing, or using genetic information—including family medical history—for employment decisions. Build intake forms and vendor flows to avoid collecting genetic data unless a legal exception applies.
Additional frameworks may affect you: the Family and Medical Leave Act (confidential handling of medical certifications), state privacy statutes (e.g., consent, access, and retention rules), workers’ compensation laws (required disclosures), and, for certain clinics, 42 CFR Part 2 for substance use disorder records. Harmonize these rules so your Confidentiality Obligations are consistent across all record types.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Implementing Secure Storage
Strong Health Information Security starts with data minimization and secure storage. Collect only what you need, keep it only as long as required, and protect it end to end—physical to digital.
Physical safeguards
- Store medical files in locked cabinets in restricted HR areas; maintain key or badge logs.
- Use cover sheets and sealed envelopes for intra‑office transport; avoid unattended printers.
- Shred or securely destroy media at end of retention; document disposal.
Technical safeguards
- Encrypt data at rest and in transit; enable MFA and device controls on all HR and plan systems.
- Use role‑based access controls (RBAC), audit logs, and data loss prevention for email and file sharing.
- Segment HR/plan drives from general corporate storage; disable local downloads for sensitive folders.
Administrative safeguards
- Maintain an inventory of systems and vendors handling health information.
- Adopt retention schedules with legal holds; review at least annually.
- Test incident response and breach notification playbooks with tabletop exercises.
Restricting Access to Health Information
Access should be limited to the smallest set of people and the smallest amount of data necessary to perform a task. Define who can see what, why, and for how long, and enforce it with RBAC and approvals.
- Map roles (e.g., benefits admin, leave specialist) to specific data elements and systems.
- Require documented requests for exceptional access with time‑bound, auditable approvals (“break‑glass”).
- Share only functional outcomes with managers (e.g., restrictions or return‑to‑work dates), not diagnoses or treatment details.
- Review access rights on job changes and quarterly; disable access immediately on separation.
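The role-to-data-element mapping, time-bound "break-glass" approvals, the functional-outcomes-only view for managers, and immediate revocation on separation described above, shown as an added Python example that is not part of the original article. The role names, field names, approver identity and the sample employee record are constructed assumptions; the point is that every read is filtered to the minimum necessary and written to an audit log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed role-to-data-element mapping (build your own from your role map).
# Managers get functional outcomes only: restrictions and return-to-work dates,
# never diagnoses or treatment details.
ROLE_FIELDS = {
    "benefits_admin": {"employee_id", "plan_enrollment", "dependents"},
    "leave_specialist": {"employee_id", "leave_dates", "restrictions", "return_to_work"},
    "manager": {"employee_id", "restrictions", "return_to_work"},
}

# Constructed sample employee medical record (not real data).
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "diagnosis": "constructed-diagnosis-text",
    "treatment": "constructed-treatment-text",
    "leave_dates": "2024-06-03..2024-06-28",
    "restrictions": "no lifting over 10 kg for 30 days",
    "return_to_work": "2024-07-01",
    "plan_enrollment": "PPO-standard",
    "dependents": 2,
}


@dataclass
class BreakGlassGrant:
    """Time-bound exceptional access: who, which fields, until when, approved by whom, why."""
    user: str
    fields: frozenset
    expires_at: datetime
    approved_by: str
    reason: str


@dataclass
class HealthRecordAccess:
    roles: dict                                  # user -> role name
    grants: list = field(default_factory=list)   # outstanding break-glass grants
    separated: set = field(default_factory=set)  # users whose access was revoked
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, **details):
        self.audit_log.append({"ts": now.isoformat(), "event": event, **details})

    def grant_break_glass(self, user, fields, approved_by, reason, now, hours=4):
        """Record an approved, expiring exception. Every grant is logged."""
        grant = BreakGlassGrant(user, frozenset(fields), now + timedelta(hours=hours),
                                approved_by, reason)
        self.grants.append(grant)
        self._log(now, "break_glass_granted", user=user, fields=sorted(fields),
                  approved_by=approved_by, reason=reason,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def separate(self, user, now):
        """Separation revokes the role and any outstanding grants immediately."""
        self.separated.add(user)
        self.roles.pop(user, None)
        self.grants = [g for g in self.grants if g.user != user]
        self._log(now, "access_revoked", user=user)

    def allowed_fields(self, user, now):
        """Role fields plus any unexpired break-glass fields; nothing after separation."""
        if user in self.separated:
            return set()
        allowed = set(ROLE_FIELDS.get(self.roles.get(user), ()))
        for g in self.grants:
            if g.user == user and now < g.expires_at:
                allowed |= g.fields
        return allowed

    def read(self, user, record, now):
        """Return the minimum-necessary view and log what was returned and withheld."""
        allowed = self.allowed_fields(user, now)
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(now, "record_read", user=user, employee_id=record.get("employee_id"),
                  returned=sorted(view), withheld=sorted(set(record) - allowed))
        return view


def demo():
    """Manager view, break-glass grant and expiry, then separation; returns results for inspection."""
    t0 = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
    ac = HealthRecordAccess(roles={"mgr.alice": "manager", "leave.bob": "leave_specialist"})

    manager_view = ac.read("mgr.alice", SAMPLE_RECORD, t0)

    ac.grant_break_glass("leave.bob", {"diagnosis"}, approved_by="privacy.official",
                         reason="constructed: accommodation dispute review", now=t0, hours=1)
    during = ac.read("leave.bob", SAMPLE_RECORD, t0 + timedelta(minutes=30))
    after = ac.read("leave.bob", SAMPLE_RECORD, t0 + timedelta(hours=2))

    ac.separate("leave.bob", t0 + timedelta(days=1))
    post_separation = ac.read("leave.bob", SAMPLE_RECORD, t0 + timedelta(days=1, minutes=1))

    return {"manager": manager_view, "during": during, "after": after,
            "post_separation": post_separation, "audit": ac.audit_log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The audit entries record both what was returned and what was withheld, which is what an access review or a Privacy Rule Enforcement inquiry will ask for; the expiry check happens on every read rather than relying on someone remembering to revoke the exception.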
Providing Training and Oversight
Train all plan workforce members and relevant HR staff at onboarding and at least annually. Cover HIPAA basics, ADA and GINA rules, minimum‑necessary practices, secure handling, incident reporting, and phishing awareness. Keep attendance, materials, and comprehension checks as evidence.
Build oversight through written policies, an internal reporting channel, periodic audits, and vendor monitoring. Enforce sanctions for violations, remediate promptly, and document corrective actions—key for demonstrating accountability in any Privacy Rule Enforcement review.
Conclusion
Protecting employee health information under HIPAA requires clear boundaries between employment and plan roles, disciplined Group Health Plan Compliance, and practical safeguards for storage, access, training, and oversight. By applying minimum‑necessary principles, honoring your Confidentiality Obligations, and strengthening Health Information Security, you reduce risk while supporting a compliant, trustworthy workplace.
FAQs
Does HIPAA apply directly to employers?
No. HIPAA applies to covered entities and their business associates, not employers in their role as employers. It applies to you when you operate a group health plan, receive PHI for plan administration, or run a clinic that bills health plans; otherwise, employment records fall outside HIPAA and are governed by other laws.
What health information is protected under HIPAA at the workplace?
PHI handled by your group health plan or an on‑site clinic that transacts with health plans is protected under HIPAA. Doctor’s notes used for leave, accommodation files, or drug test results maintained as employment records are not PHI under HIPAA, though they must still be kept confidential under other rules.
How do other laws like ADA and GINA affect employee health privacy?
The Americans with Disabilities Act requires you to store employee medical information separately, limit access, and disclose only when necessary (e.g., accommodations or emergencies). The Genetic Information Nondiscrimination Act prohibits requesting or using genetic information—including family medical history—for employment decisions, with narrow exceptions.
What are best practices for employers to safeguard health information?
Minimize collection, separate medical from personnel files, use RBAC and encryption, log access, and enforce retention and secure disposal. Train HR and plan staff, formalize incident response, monitor vendors with business associate agreements, and keep policies, audits, and training records to demonstrate compliance and readiness for Privacy Rule Enforcement.