• Paul Peter Nicolai

Protecting Employee Health Information

Employers receive employee health information in several ways, for example when there is a work-related injury, a request for medical leave, or a request for a disability accommodation. Most employers understand that this information is confidential, but many do not understand what protecting it actually requires of them. Many also believe the Health Insurance Portability and Accountability Act (HIPAA) governs employee health information. In most cases, it does not.

HIPAA applies only to "covered entities": (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that transmit health information electronically in connection with standard transactions (for example, billing). If an employer is not in one of those categories, HIPAA does not apply to it. HIPAA also does not apply to health information contained in employment records held by a covered entity in its role as an employer, so even a hospital's own personnel files fall outside the rule.


HIPAA does apply to an employer’s request for health information from a covered entity. A covered entity may not disclose protected health information to an employer without the employee’s authorization or as allowed by law. This is true even where the employee is also a patient or member of the covered entity; information maintained in that capacity may not be shared with human resources or an employee’s managers, except as expressly authorized by the employee or law.


Even when HIPAA does not apply, employers have other legal obligations to protect the confidentiality of employee health information in their possession.


The Americans with Disabilities Act (ADA) requires employers that obtain disability-related medical information about an employee to maintain it in a confidential medical file that is kept separate from the personnel file. Such information may be disclosed only in limited situations and to (1) supervisors and managers who need to know about necessary work restrictions or accommodations; (2) first aid and safety personnel, if a disability might require emergency treatment; and (3) government officials investigating compliance with the ADA.

The Genetic Information Nondiscrimination Act (GINA) requires employers that acquire an employee's genetic information to treat it as a confidential medical record kept in a separate medical file. It may be maintained in the same confidential medical file as disability-related information. However, GINA has its own, narrower rules on when and to whom genetic information may be disclosed, and those rules do not mirror the ADA's: supervisors, managers, and first aid or safety personnel may not have access to genetic information.


Employers may disclose employee health information with the employee's express authorization. It is generally best to obtain that authorization in writing. Employers also may, if the applicable legal requirements are met, disclose the information in response to subpoenas, court orders, or other legally authorized requests. In every case, the disclosure should be limited to what is specifically requested and authorized by the employee or by applicable law, and no more.