Off the Record

Sep 03, 2020

Protection of Employee Health Information

By: Allison Mann

Employers come into the possession of employee health information in a number of ways. For example, an employee may provide a doctor’s note to use sick leave, to obtain workers’ compensation, to participate in wellness programs or health insurance, or to gain access to disability accommodations. Employers that receive such information should be aware of how certain laws require that information to be stored and when it can be disclosed.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA’s Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral; this information is called “protected health information” (PHI). Generally, HIPAA does not apply to employee health information that is held by an employer. However, an employer is considered a covered entity and must comply with HIPAA if it operates as a health plan, a health care clearinghouse, or a health care provider.

A covered entity under HIPAA may not use or disclose PHI unless the individual who is the subject of the information (or the individual’s personal representative) requests the information or authorizes in writing that it may be used or disclosed, or unless the information is being disclosed to or requested by the United States Department of Health and Human Services in the course of a compliance investigation, review, or enforcement action.

If the PHI is being stored electronically, a covered entity must implement safeguards to protect, detect, contain, and correct security violations for electronic PHI. These safeguards include:

    (1) Performing a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity.
    (2) Implementing risk management strategies to reduce risks and vulnerabilities.
    (3) Applying appropriate sanctions against workforce members who fail to comply with the security policies and procedures.
    (4) Implementing procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Additionally, a covered entity must implement policies and procedures for authorizing access to electronic PHI, such as those for granting access to a workstation, transaction, program, process, or other mechanism that handles or holds the PHI.

Americans with Disabilities Act (ADA)

The ADA addresses the confidentiality of employee medical information. An employer that obtains employee or prospective employee medical information during a permitted medical examination or inquiry must maintain the information in a confidential medical file. This file must be kept separate from the employee’s or prospective employee’s personnel file. Such information may be disclosed only in limited situations. For example:

    (1) Supervisors and managers may be made aware of necessary restrictions on the work or duties of the employee in order to provide necessary accommodations;
    (2) Safety personnel may be informed, when appropriate, if the disability might require emergency treatment; and
    (3) Government officials investigating compliance with the ADA may be provided relevant information on request.

Additionally, the Equal Employment Opportunity Commission’s (EEOC) “Enforcement Guidance: Workers’ Compensation and the ADA” provides that employers may also disclose medical information to workers’ compensation insurance carriers and state workers’ compensation offices in accordance with workers’ compensation laws, and “may use medical information for insurance purposes.”

The Takeaway:

An employer that obtains an employee’s protected health information or any medical records must maintain the confidentiality of those records. Some employers may have heightened obligations if they are considered a “covered entity” under HIPAA. Actions that may help ensure compliance include:

    - Conducting a risk assessment to determine whether HIPAA applies to the employer;
    - Adopting a written privacy policy addressing standards to ensure confidentiality of medical information;
    - Keeping confidential medical records separate and distinct from an employee’s regular personnel file;
    - Providing training to the individuals that have access to employee medical information and PHI; and
    - Ensuring compliance with adopted policies by reviewing them regularly.

Our Interest in Serving You:

Our law firm’s goal is to give understandable information and to foster discussion about real-life issues facing human resource professionals. If we are not achieving that goal or if you would like us to address other employment law issues, please email us at or We promise to take your comments and ideas to heart.

(Otherwise known as “the fine print”)

We make a serious effort to be accurate in these writings. These articles are not exhaustive treatises, though, so do not consider them complete or authoritative. Providing this information to you does not create an attorney-client relationship. Do not act upon the contents of this or of any article on our homepage or consider it a replacement for professional advice.

Reprinted with permission from an article submitted for publication in the September, 2020 Southwest Area Human Resource Association newsletter.