HIPAA for HR: Managing Employee Health Information

Human resources professionals routinely encounter employee health information: medical certifications for FMLA leave, doctor’s notes for absences, accommodation requests under the Americans with Disabilities Act, workers’ compensation records, health insurance enrollment information, and wellness program data. The question of how this information should be protected — and what legal framework governs its handling — is one that trips up many HR departments and small business owners. The answer is often counterintuitive: HIPAA, which most people assume applies to all health information, actually has a much narrower scope in the employment context than many people realize.

The Common Misunderstanding: HIPAA and Employers

HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and to their business associates. Most employers are not covered entities simply by virtue of being employers. When an employer administers an employee health insurance plan, the plan itself may be a covered entity, but the employer acting in its capacity as an employer typically is not. This means that the health information an employer collects directly from employees in connection with employment — doctor’s notes, ADA accommodation requests, FMLA certifications, and similar documents — is generally not protected health information under HIPAA.

This does not mean employee health information is unprotected. It means that other laws govern its protection. The Americans with Disabilities Act, the Family and Medical Leave Act, Title VII of the Civil Rights Act, state medical leave laws, state disability discrimination laws, and general principles of employment law all impose obligations on employers that handle employee health information. But the specific requirements of HIPAA — the minimum necessary standard, the Privacy Rule’s use and disclosure framework, the right to access and amend — generally do not apply to employee medical information collected in the employment context.

When HIPAA Does Apply in the Employment Context

There are two significant circumstances in which HIPAA does apply to employer handling of employee health information. The first is when the employer sponsors a self-insured group health plan. If an employer operates its own health plan — paying claims directly rather than through an insurance company — that plan is a covered entity under HIPAA, and the plan must comply with the Privacy Rule and Security Rule when handling plan members’ protected health information. The employer must maintain a strict firewall between its health plan and its employment functions. Plan PHI cannot be used for employment decisions, and access to plan records must be restricted to those employees who administer the plan.

The second circumstance arises when an employer is also a healthcare provider. If your business provides healthcare services to patients — a physician practice, a dental office, a physical therapy clinic — HIPAA applies to the health information of your patients, including any employees who are also your patients. The distinction is between health information you receive as a provider (which is PHI subject to HIPAA) and health information you receive as an employer (which is governed by employment law).

ADA Requirements for Employee Medical Information

The Americans with Disabilities Act imposes strict requirements on the confidentiality of employee medical information that are independent of HIPAA. Under the ADA, information about the medical condition or medical history of an employee obtained through any lawful means must be collected and maintained on separate forms and in separate medical files, apart from the employee’s general personnel file. Access to the medical file must be strictly limited.

Supervisors and managers may be informed of necessary restrictions on an employee’s duties or necessary accommodations. First aid and safety personnel may be informed if the employee’s condition may require emergency treatment. Government officials investigating compliance with the ADA may be given access. Beyond these specific situations, medical information must be kept strictly confidential. Sharing an employee’s medical information with other employees, with the employee’s manager beyond what is necessary to implement an accommodation, or with third parties who have no legitimate need for it violates the ADA’s confidentiality requirements.

Employers who receive medical information in connection with ADA accommodation requests, FMLA leave requests, fitness-for-duty evaluations, or pre-employment post-offer medical examinations should maintain that information in a dedicated medical file, separate from the employee’s regular personnel file, with restricted access. Even the existence of the medical file and the fact that an employee has a medical condition should be treated as confidential.

FMLA and Medical Certification

The Family and Medical Leave Act entitles eligible employees to take up to 12 weeks of unpaid leave for qualifying medical reasons, and it allows employers to require medical certification of the qualifying condition. The certification process involves the employee obtaining medical documentation from their healthcare provider. Employers are entitled to information about whether the employee (or the family member requiring care) has a serious health condition, the probable duration, and the employee’s ability to perform their job functions. Employers are not entitled to know the specific diagnosis.

FMLA medical certifications should be maintained confidentially, in the employee’s medical file rather than their personnel file. The information in certifications should be shared only on a need-to-know basis. Using information from an FMLA certification for purposes other than administering the leave — for example, using knowledge of an employee’s serious health condition in a termination or performance management decision — creates serious exposure to FMLA retaliation claims.

Workers’ Compensation Records

Workers’ compensation records contain detailed health information, including the nature of a work-related injury or illness, treatment received, and any temporary or permanent limitations on the employee’s ability to work. These records are governed by a mix of state workers’ compensation statutes, the ADA, and general employment law privacy principles. Workers’ compensation information should be maintained separately from general personnel records and should not be used in employment decisions unrelated to the legitimate administration of the claim or the employee’s work restrictions.

Employers who use workers’ compensation information in making decisions about layoffs, restructuring, or discipline create significant legal exposure. Courts have recognized that retaliating against an employee for filing a workers’ compensation claim is a violation of public policy in most states, even in at-will employment states. Maintaining the confidentiality of workers’ compensation records and carefully managing decisions that coincide with active claims is important for managing this risk.

Employer-Sponsored Wellness Programs

Many employers offer wellness programs that encourage employees to engage in health-promoting behaviors through incentives or rewards. When these programs involve health screenings, biometric measurements, or health risk assessments, they collect significant health data about employees. The ADA imposes conditions on the voluntariness of wellness programs that include medical examinations or disability-related inquiries: the program must be voluntary, which the EEOC has interpreted to mean that incentives for participation may not be so large as to effectively coerce participation.

Health data collected through wellness programs should be handled with the same confidentiality that applies to other employee medical information. Wellness program vendors will typically qualify as business associates if the employer’s health plan is involved in the wellness program, or may be subject to other contractual confidentiality requirements if the program is operated outside the health plan. Employers should review their wellness program structures and vendor agreements to ensure appropriate confidentiality protections are in place.

Best Practices for HR Handling of Employee Health Information

Regardless of the specific legal framework that applies to any particular type of employee health information, the practical approach for HR departments should be consistent: collect only the health information you actually need for the specific business purpose, maintain all health information separately from general personnel files, restrict access strictly to those with a legitimate need, never use employee health information in employment decisions beyond the specific accommodation or leave administration purpose, and train all managers and supervisors on the confidentiality obligations that apply to employee medical information.

Managers frequently make well-intentioned but legally problematic disclosures of employee medical information — informing team members why an employee is absent, sharing information about a colleague’s condition with other employees who are curious, or including medical information in a performance improvement plan where it does not belong. Training managers to understand that employee health information is confidential and that sharing it broadly is both legally risky and harmful to the employment relationship is one of the most important things HR can do to manage medical privacy obligations in the workplace.
