When HIPAA Applies to Employee Records: Clarifying Boundaries and Compliance Steps

Kevin Henry

HIPAA

December 20, 2024


Knowing when HIPAA applies to employee records helps you safeguard privacy, meet regulatory duties, and avoid costly missteps. This guide clarifies the boundary between protected health information (PHI) and employment records, then walks you through practical compliance steps under the HIPAA Privacy Rule and HIPAA Security Rule.

Use these principles to structure policies, train staff, and coordinate HR, benefits, safety, and compliance teams without over- or under-applying HIPAA.

HIPAA Applicability to Employment Records

HIPAA protects PHI created or received by covered entities and their business associates. Most employer-held files are not PHI because of the Employment Record Exceptions, which exclude records an employer maintains in its role as employer (for example, drug tests for hiring, vaccination cards collected for workplace policy, fit-for-duty notes, ADA accommodation documentation).

However, the same information can be PHI when it lives with a covered entity (such as a group health plan, onsite clinic, or EAP providing treatment). Your first step is to identify which “hat” the organization is wearing, employer or covered entity, and handle the record accordingly.

When HIPAA applies

  • Data is created, received, or maintained by a covered entity (plan, clinic, EAP) or its business associate.
  • The information is individually identifiable and relates to health status, care, or payment.
  • Disclosures occur for health care operations, payment, or treatment under the Privacy Rule.

When HIPAA does not apply

  • Records the employer keeps for HR purposes (hiring, leave, accommodations, return-to-work) fall under Employment Record Exceptions.
  • Non-PHI is still protected by other laws and policies, including Americans with Disabilities Act confidentiality requirements and Family and Medical Leave Act protections.

Employer's Role as Covered Entity

Being an employer alone does not make you a covered entity. You become one only when you operate a health plan, a health care provider that transmits standard transactions (e.g., an onsite medical clinic), or a health care clearinghouse. Many organizations designate themselves as a hybrid entity to wall off health care components from the rest of the business.

Covered Entity Obligations

  • Privacy Rule: limit uses/disclosures, honor individual rights (access, amendment, accounting), apply minimum necessary, issue a Notice of Privacy Practices, train workforce, and enforce sanctions.
  • Security Rule: protect ePHI with administrative, physical, and technical safeguards (risk analysis, access controls, encryption, audit logs, incident response).
  • Breach notification: evaluate incidents, mitigate harm, and notify affected individuals and authorities when required.
  • Business associate management: execute and oversee Business Associate Agreements for vendors handling PHI.

Employer's Role as Plan Sponsor

As a plan sponsor, you do not become a covered entity for all operations; the group health plan is. Group Health Plan Compliance hinges on erecting a firewall so the plan can share PHI only for plan administration—not for employment decisions.

Plan sponsor guardrails

  • Amend plan documents to restrict employer access to PHI and identify who may receive it for plan administration.
  • Obtain plan sponsor certifications before the plan shares PHI.
  • Use de-identified or summary health information for premium bidding and plan design when possible.
  • Limit HR access to enrollment and eligibility data unless a specific Privacy Rule basis or authorization applies.

Operational steps

  • Map data flows among the plan, TPA, pharmacy benefit manager, and stop-loss partners; confirm appropriate agreements.
  • Segregate plan systems/accounts from HRIS to prevent commingling with personnel files.
  • Implement least-privilege access, workforce training, and audit trails tailored to the plan.

Even when HIPAA does not apply, multiple frameworks require confidentiality and separate handling. Build your program to satisfy these regimes alongside HIPAA.

  • Americans with Disabilities Act confidentiality: keep all medical information in separate files with limited access; share only functional restrictions with supervisors.
  • Family and Medical Leave Act protections: maintain medical certifications apart from personnel records and restrict disclosure.
  • GINA: avoid requesting genetic information; if received inadvertently, keep it confidential and segregated.
  • Workers’ compensation and state privacy laws: allow certain disclosures for claims while imposing confidentiality and retention requirements.

Employer's Access to Employee Health Information

Your access depends on role and purpose. For plan administration, the group health plan may disclose PHI to the plan sponsor only as permitted by plan documents. For HR purposes, obtain information directly from employees or providers with a valid authorization, then treat it as an employment record subject to non-HIPAA confidentiality rules.

Permitted paths to access

  • Employee authorization specifying information, purpose, and expiration.
  • Plan administration functions under documented Group Health Plan Compliance controls.
  • De-identified or summary health information for plan design and premium calculations.
  • Legally required disclosures (e.g., workers’ compensation, public health, or safety obligations) limited to the minimum necessary.

Prohibitions and safeguards

  • Do not use PHI for hiring, firing, promotion, or disciplinary decisions.
  • Share only functional work restrictions with managers; keep diagnoses confidential.
  • Record and review disclosures where required; train staff to route requests to the right channel.

HIPAA and OSHA Compliance

OSHA recordkeeping and medical surveillance can intersect with privacy. Injury and illness logs are not PHI, but you should still limit posted details and use privacy case designations where appropriate. Medical surveillance and exposure records require strict controls and long retention.

Practical coordination steps

  • Define who handles OSHA logs versus who manages PHI; keep systems and files separate.
  • Apply the minimum necessary principle when safety teams consult with clinics or the plan.
  • Retain required OSHA medical and exposure records (often the employment period plus 30 years) securely and ensure employee access rights.
  • For onsite medical units, apply Security Rule safeguards to ePHI and restrict disclosures to safety staff to what the standard requires.

Separation of Employment and Health Records

Separation is the single most effective control to clarify when HIPAA applies to employee records and to meet overlapping legal duties. Build structural, technical, and procedural barriers that keep health and HR data in their proper lanes.

How to separate effectively

  • Maintain distinct repositories: one for personnel files, one for ADA/FMLA/fitness-for-duty records, and one for plan/clinic PHI.
  • Limit access by role; supervisors receive only accommodation or restriction information, never diagnoses.
  • Use unique user accounts, encryption, and audit logs for systems containing ePHI under the HIPAA Security Rule.
  • Document retention schedules and destruction procedures aligned to HIPAA, OSHA, and state requirements.
  • Designate privacy and security leads; run periodic access reviews and drills for misdirected requests.

Conclusion

HIPAA applies when a covered entity or its business associate handles PHI; employment records held by the employer fall under Employment Record Exceptions yet remain protected by ADA, FMLA, GINA, and other laws. By defining roles, tightening plan sponsor firewalls, coordinating with safety programs, and separating records, you meet the Privacy Rule and Security Rule while giving employees the confidentiality they expect.

FAQs

Does HIPAA protect employee personnel records?

Generally no. Personnel files kept by the employer for HR purposes are excluded by HIPAA’s Employment Record Exceptions. Still, these records must be kept confidential under ADA, FMLA, GINA, and applicable state laws.

When can an employer access employee health information?

You may access PHI for plan administration under plan document restrictions, or receive de-identified/summary information for plan design. For HR purposes, obtain information directly from the employee or a provider with written authorization, and then treat it as a confidential employment record rather than PHI.

How must employers separate health and employment records?

Keep medical and benefits records in systems and files distinct from personnel files; restrict access to need-to-know roles; share only functional limitations with managers; apply Security Rule-style safeguards to systems holding ePHI; and follow documented retention and destruction schedules.
