
What are the confidentiality rules for employee medical information?

The primary federal employment laws regarding confidentiality of medical information are the Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act (HIPAA). Which law applies will depend on the source of the medical information.

Even when not specifically protected by law, it is a recommended practice to keep all employee medical information confidential.

The ADA requires employers to maintain the confidentiality of employee medical information obtained from a medical inquiry or examination, including medical information from voluntary health or wellness programs. The Equal Employment Opportunity Commission (EEOC) provides the following examples of when medical information may be shared:

  • To supervisors and managers when they need medical information in order to provide a reasonable accommodation or to meet an employee's work restrictions.
  • To first aid and safety personnel if an employee needs emergency treatment or would require some other assistance (such as help during an emergency evacuation) because of a medical condition.
  • To individuals investigating compliance with the ADA and with similar state and local laws.
  • To a state workers' compensation office in order to evaluate a claim or for insurance purposes.

Employers must also maintain an employee's medical records separately from the employee's general personnel file, with access to such files restricted to designated officials.


The HIPAA privacy rule requires employers to maintain the confidentiality of employee medical information that was derived directly from the group health plan. This information is commonly obtained through summary claims reports from the insurance carrier or plan administrator. Health care providers and health care clearinghouses have additional requirements for patient records.

Therefore, for most employers, the group health plan will be the covered entity under HIPAA, and as the plan sponsor, the employer must ensure legal compliance. Other medical records an employer may obtain through its role as an employer, such as sick leave notes or workers' compensation records provided directly by employees or physicians, are not covered under HIPAA, but would be covered under the ADA.

For example, if the company human resources director reads in the health benefits plan quarterly report that an employee has pancreatitis, this information is protected under the HIPAA privacy rule and should not be shared with others without the employee's permission. On the other hand, information about an employee who complains of migraines to her supervisor and requests time off from work is not a HIPAA privacy rule matter, but it would be covered by the ADA confidentiality rules.

State Laws

Many states have their own confidentiality rules for employee medical information that may be more restrictive than federal laws. Employers should be familiar with these rules in the states where employees are working. See SHRM's Multistate Law Comparison Tool.
