Confidentiality of Medical Records Policy

Purpose

To protect and limit access to employee medical and other sensitive personal information, and to comply with applicable law (including the ADA and workers' compensation law).

A note on HIPAA: the HIPAA Privacy Rule generally does not apply to an employer's own employment records (for example, medical notes, accommodation paperwork, or workers'-compensation-related medical information an employer holds in its capacity as an employer) — those records are not "protected health information" under HIPAA merely because they contain health information. HIPAA instead applies to the Company where it acts as a "covered entity" in its own right — for example, if it sponsors a self-insured group health plan, operates an on-site health clinic that bills electronically, or otherwise conducts HIPAA-covered transactions — and, even then, only to the records generated in that capacity (such as group health plan records), not to the separate employment/personnel-medical-file records this policy addresses. This policy's confidentiality and separate-file rules apply regardless of HIPAA's technical applicability, and are independently required for disability-related and workers'-compensation medical information under the ADA and similar law. Where the Company does sponsor a covered group health plan, consult Legal on the plan's separate HIPAA privacy/security obligations, which are broader than — and administered separately from — this employment-records policy.

Policy

The Company keeps employee medical records confidential and separate from personnel files, and limits their use and disclosure to what is necessary and legally permitted.

Storage

Employee medical records must be kept in a locked file, physically and electronically separate from the general personnel file — ideally maintained by an occupational health/medical function where one exists. Where there is no dedicated medical function at a location, a designated HR representative or manager is responsible for maintaining a separate, locked, confidential medical file.

Confidentiality

  • Medical information not related to an employee's ability to perform the essential functions of their job must remain confidential, even where the employee is being treated or counseled by a Company-affiliated health professional.
  • Medical information that is related to an employee's ability to perform their job may be communicated to the employee's manager, but only by HR or an occupational health professional, and only to the extent necessary — for example, the nature of any work restriction, and the expected duration, without unnecessary diagnostic detail.
  • No medical record information may be disclosed to anyone else unless the employee has released it in writing, or Legal and HR have authorized disclosure under one of the permitted circumstances below.
  • Consult Legal for guidance whenever a disclosure request is not clearly covered by this policy.

Permitted access

Medical information with a work-related component may be shared on a need-to-know basis with:

  • Occupational health/medical personnel
  • HR
  • The employee's manager (limited to job-relevant information, as above)
  • Individuals who need the information to respond to a medical emergency
  • The employee (with written release, where release is otherwise required)

Access should generally be limited to these situations:

  • Situations affecting the safety of others
  • Disability/accommodation case management
  • Workers' compensation administration
  • Regulatory (e.g., OSHA) requests
  • Emergency response
  • Job-accommodation and return-to-work decisions
  • Other legal purposes, with Legal's authorization

Only the medical or sensitive personal information necessary for the specific situation should be shared — not the full record.

Responsibilities

Role: Responsibilities

  • HR leadership: Overall policy implementation.
  • Human Resources: Day-to-day administration of these guidelines.
  • Occupational health / medical function: Maintain and safeguard medical files; provide job-relevant guidance to managers as needed.
  • Legal: Provide guidance on disclosure requests and regulatory compliance.

References

  • Human Resource Records Policy
  • ADA / Reasonable Accommodation policy
  • Workers' Compensation policy
  • OSHA recordkeeping and medical-records-access rules

General information, not legal advice. Treat this as a drafting starting point, not a finished policy — employment law varies by jurisdiction and changes often, so have a licensed attorney tailor it to your situation before you rely on it.
