If you’re an employer, you’re going to deal with employee medical information—there’s just no way around it. Whether it’s through FMLA requests, workers’ comp claims, or disability accommodations, health information becomes part of the job. But here’s what catches many employers off guard: HIPAA doesn’t work the way most people think it does in the workplace.
The key is knowing what you can ask for, how to handle it, and where the boundaries are. Focus on what employees can actually do at work rather than on their diagnoses. Keep medical records locked away, separate from regular personnel files, and make sure only the people who genuinely need access can get to them. In a workers’ compensation case you can receive information about the specific injury; under the ADA you need to understand an employee’s functional limitations so you can provide reasonable accommodations. Getting these protocols right isn’t only about avoiding expensive violations. It’s about respecting your employees’ privacy while still meeting your legal obligations.
HIPAA doesn’t apply to you (probably)
Let’s clear up the biggest misconception first: HIPAA wasn’t written for typical employers. Its Privacy Rule regulates “covered entities” (healthcare providers, health plans and clearinghouses) and the business associates that process data for them, not your average workplace. The one real caveat: if you sponsor a group health plan and your own staff administer it, the plan itself is a covered entity, and that corner of your operation does carry HIPAA duties. Otherwise, if you think you need to worry about HIPAA every time you handle an employee’s doctor’s note, take a breath.
That said, you’re still going to receive medical information in specific situations: FMLA medical certifications, workers’ comp paperwork, fitness-for-duty exams, and return-to-work evaluations. A doctor’s note sitting in your HR files is not “protected health information” in HIPAA’s technical sense (HIPAA excludes employment records held by an employer), but it is still sensitive, and when any of these documents comes across your desk you need to handle it carefully.
The rule of thumb, borrowed from HIPAA’s “minimum necessary” standard, is simple: don’t ask for more than you actually need. If you need to know whether someone can lift 50 pounds or work overnight shifts, ask about their functional capabilities, not their complete medical history or specific diagnosis. It’s about what they can or can’t do at work, not why.
Even though HIPAA probably doesn’t apply to you directly, that doesn’t give you a free pass. Other laws do: the ADA and FMLA regulations require medical information to be kept in separate, confidential files, and state privacy laws add their own requirements. Store medical records separately from personnel files. Restrict access to only the people who absolutely need to see them. These aren’t just best practices; they’re essential for protecting your employees and your organization.
Workers’ comp changes the game
Here’s where things get interesting: workers’ compensation cases create a major exception to the usual medical privacy rules. HIPAA’s Privacy Rule permits covered entities to disclose health information as authorized by workers’ compensation laws, so when one of your employees files a claim, injury-specific medical information can flow between the treating provider, the insurance carrier, and you as the employer.
But don’t get too excited; this exception has firm boundaries. You can access information that’s directly related to the workplace injury. That’s it. You don’t suddenly get access to their entire medical history, pre-existing conditions, or unrelated health issues. The exception is narrowly tailored to the specific work-related injury at hand.
So what does this mean practically? You still need to maintain confidential filing practices. Workers’ comp medical records should be stored separately from personnel files, just like any other medical information. And here’s a critical point: you can’t use medical details from a workers’ comp claim for unrelated employment decisions. The information about someone’s back injury from lifting boxes can’t influence your decision about promoting them or disciplining them for an unrelated performance issue.
You’ll also need clear retention policies that satisfy both your state’s requirements and your insurance carrier’s documentation needs. These timelines matter, so make sure you understand what applies to your situation and stick to it.
Disability accommodations under the ADA
When does your obligation to accommodate an employee’s disability bump up against medical privacy? This comes up when employees request reasonable accommodations or present medical restrictions that affect their work.
The Americans with Disabilities Act requires you to engage in what’s called the “interactive process”—basically, a conversation about what accommodations might help the employee do their job. But here’s the thing: this process focuses on job functions, not medical diagnoses.
You can’t demand an employee’s complete medical records. When a disability and the need for accommodation aren’t obvious, you may ask for reasonable documentation that the employee has a disability and what limitations it causes, but that is the ceiling, not the starting point. What you really need is functional information: How does the condition limit work activities? What kind of accommodations might help them perform the essential functions of their job?
The Job Accommodation Network is an excellent resource if you’re not sure how to approach these conversations or what kinds of accommodations are appropriate. Whatever you discuss during this process should be documented in confidential medical files—again, kept separate from personnel records.
Your goal is simple: understand the functional limitations so you can help the employee succeed at work. You’re not their doctor, and you don’t need their complete medical history. This approach protects their privacy while helping you meet your ADA obligations.
Building a system that actually works
Once you understand the rules, you need systems to make compliance happen consistently. Start with separate confidential medical files that are completely segregated from personnel records. These files need real access controls: access is granted to a named person for a specific employee’s file and a specific purpose, not handed out with a job title.
Think about storage security seriously. Locked filing cabinets for physical documents. Access-controlled systems for digital files, with individual logins rather than shared accounts, so the audit trail actually identifies a person. Audit trails that record who accessed which file, when, and whether the attempt was allowed or denied, and that someone periodically reviews. Your medical file system should also include clear labeling so there’s no confusion about what’s confidential, plus retention schedules so you know when to dispose of information properly.
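To make the controls in this section concrete, here is an added illustration in Python. It is not code from the article or from Kona HR; every name, record, grant and retention period in it is constructed for the demo, and the purpose labels ("WC", "ADA", "FMLA") and the retention periods are hypothetical (real retention periods come from your state and your carrier). It shows a medical-file store held apart from the personnel system, where access is granted per viewer, per employee file and per purpose; a workers’ comp grant returns only workers’ comp records; every read attempt, allowed or denied, is written to an audit log; and a retention job disposes of records that have aged out.

```python
"""Need-to-know access gate, audit trail and retention job for a medical file store.
Added example for this article, not code from the original page or from Kona HR.
All names, records, grants and retention periods are constructed for the demo."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    """One viewer, one employee's file, one purpose, with an end date.
    A job title alone never confers access: a grant has to exist."""
    viewer: str
    employee_id: str
    purpose: str       # "WC" (workers' comp), "ADA" or "FMLA"; hypothetical labels
    expires: date


@dataclass
class MedicalRecord:
    employee_id: str
    purpose: str       # which process produced the record
    created: date
    summary: str       # functional restriction, not a diagnosis


class MedicalFileStore:
    """Held apart from the personnel file system: its own records, grants and log."""

    RETENTION_DAYS = {"WC": 5 * 365, "ADA": 365, "FMLA": 3 * 365}  # constructed values

    def __init__(self) -> None:
        self.records: list[MedicalRecord] = []
        self.grants: list[Grant] = []
        self.audit_log: list[dict] = []

    def add_record(self, record: MedicalRecord) -> None:
        self.records.append(record)

    def grant(self, g: Grant) -> None:
        self.grants.append(g)

    def _log(self, who: str, file_id: str, purpose: str, when: date,
             outcome: str, count: int = 0) -> None:
        self.audit_log.append({"who": who, "file": file_id, "purpose": purpose,
                               "when": when.isoformat(), "outcome": outcome,
                               "records": count})

    def read(self, viewer: str, employee_id: str, purpose: str, today: date) -> list[str]:
        """Return only records matching the granted purpose, so a workers' comp
        grant never exposes ADA or FMLA paperwork. Every attempt is logged."""
        has_grant = any(g.viewer == viewer and g.employee_id == employee_id
                        and g.purpose == purpose and g.expires >= today
                        for g in self.grants)
        if not has_grant:
            self._log(viewer, employee_id, purpose, today, "denied")
            raise PermissionError(f"{viewer} has no current {purpose} grant for {employee_id}")
        matched = [r.summary for r in self.records
                   if r.employee_id == employee_id and r.purpose == purpose]
        self._log(viewer, employee_id, purpose, today, "allowed", len(matched))
        return matched

    def purge_expired(self, today: date) -> int:
        """Dispose of records past their retention period; each disposal is logged."""
        kept, removed = [], 0
        for r in self.records:
            if today > r.created + timedelta(days=self.RETENTION_DAYS[r.purpose]):
                self._log("retention-job", r.employee_id, r.purpose, today, "disposed")
                removed += 1
            else:
                kept.append(r)
        self.records = kept
        return removed


def scenario() -> dict:
    """Constructed scenario: employee E-1001 has an old workers' comp record and a
    current ADA record; an HR specialist holds a WC grant; a line manager holds none."""
    store = MedicalFileStore()
    store.add_record(MedicalRecord("E-1001", "WC", date(2019, 3, 4),
                                   "No lifting over 20 lb for 6 weeks"))
    store.add_record(MedicalRecord("E-1001", "ADA", date(2025, 2, 1),
                                   "Seated work station; 10-minute break every 2 hours"))
    store.grant(Grant("hr.specialist", "E-1001", "WC", date(2025, 12, 31)))

    today, out = date(2025, 6, 1), {}
    out["hr_wc_view"] = store.read("hr.specialist", "E-1001", "WC", today)
    for key, viewer, purpose, when in [
        ("manager_denied", "line.manager", "WC", today),               # manager, no grant
        ("hr_ada_denied", "hr.specialist", "ADA", today),              # right person, wrong purpose
        ("expired_denied", "hr.specialist", "WC", date(2026, 1, 15)),  # grant has lapsed
    ]:
        try:
            store.read(viewer, "E-1001", purpose, when)
            out[key] = False
        except PermissionError:
            out[key] = True
    out["disposed"] = store.purge_expired(today)   # the 2019 WC record is past 5 years
    out["outcomes"] = [e["outcome"] for e in store.audit_log]
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The points worth carrying into a real system are the ones the scenario exercises: the line manager is refused even though managers outrank the HR specialist, the HR specialist with a workers’ comp grant cannot open the same employee’s ADA file, a lapsed grant is as good as none, and the denied attempts show up in the log alongside the allowed one and the retention disposal.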
Develop standardized protocols for requesting medical documentation. These protocols should spell out exactly what information you’re requesting and why it’s necessary—whether for accommodation purposes or safety requirements. When everyone follows the same process, you avoid the inconsistencies that often lead to violations.
And don’t forget training. Regular training helps everyone on your team understand these procedures and prevents accidental disclosures. Even well-meaning supervisors can inadvertently violate privacy rules if they don’t understand the boundaries.
Where employers typically mess up
Even employers who genuinely want to do the right thing can stumble into costly violations. One of the most common mistakes is information overreach: asking for detailed diagnoses when you only need to know about functional limitations. Another frequent problem is documentation missteps, like having informal hallway conversations about an employee’s health condition or copying a supervisor who doesn’t need to know on an e-mail that contains medical details.
These violations aren’t just embarrassing. They create real liability exposure for your organization, and the informal ones are the hardest to detect after the fact because nothing was written down.
Effective risk management means recognizing the common pitfalls:
- Keep medical inquiries focused on job-related functional abilities, not specific diagnoses or treatment details. You need to know if someone can stand for eight hours, not whether they have diabetes or arthritis.
- Use need-to-know principles for access control. Just because someone is a manager doesn’t automatically mean they should have access to medical files. Combine this with secure storage protocols.
- Train your supervisors on boundaries. They need to understand what they can and can’t ask about, and when to loop in HR for medical-related conversations.
- Document formally instead of casually. Don’t rely on informal conversations about accommodation needs. Put it in writing and file it properly.
You can be compliant and supportive at the same time
Here’s something important: protecting employee medical privacy doesn’t mean you can’t help your employees. You don’t have to choose between strict compliance and being a supportive employer.
The trick is focusing on what employees can do, not digging into why they have limitations. When someone requests a reasonable accommodation, engage in that interactive process by discussing their capabilities and needs—not their medical diagnosis. This protects their private health information while giving you the details you need to find effective solutions.
Set up clear protocols that separate the legal compliance piece from the compassionate support piece. Train your supervisors to recognize when employees are struggling or need help, without crossing privacy boundaries. They should know when to escalate to HR rather than trying to handle medical conversations themselves.
Document accommodation discussions thoroughly, but always in those confidential medical files—never in the personnel file where any manager might stumble across them.
The bottom line: compliance isn’t about avoiding employees with health challenges. It’s about supporting them in the right way while protecting their privacy. When you get this balance right, you build trust with your workforce.
What to do next
You now have a solid framework for navigating these rules. Remember the core principles: focus on functional capabilities rather than diagnoses, establish clear protocols for handling medical information, and train your team consistently. Compliance isn’t just a legal checkbox; it’s about building trust with the people who work for you. When you balance legal requirements with genuine support, you create a workplace culture where privacy is protected and everyone’s needs are met effectively.
If you’re not sure whether your current practices measure up, now’s the time to take a hard look. Review how you’re handling medical information right now: where it is stored, who can open it, whether access is logged, and how long it is kept. Identify gaps in your protocols. Create customized procedures that align with HIPAA (where it applies to you), workers’ compensation rules, and ADA requirements. Don’t wait for a violation to discover where your policies fall short; be proactive about building a compliance framework that protects both your business and your employees.
Need help getting your policies in order? Kona HR specializes in helping employers develop compliant, practical approaches to employee medical information. Contact their team to review your current practices and create protocols that work for your specific organization.