
In the classic Quentin Tarantino film PULP FICTION (A Band Apart/Jersey Films 1994), one of the primary plot points revolves around main characters Jules and Vincent safeguarding a briefcase with mysterious contents.1 They go to great lengths to ensure the briefcase does not leave their possession. Just as Jules and Vincent take all necessary steps to protect the briefcase, so too must employers ensure the protection of employees’ health records. We often receive calls from employees and employers regarding protecting medical records obtained as part of an individual’s employment, and this post will provide an overview of that topic.

As an initial matter, many individuals associate medical records with the Health Insurance Portability and Accountability Act (“HIPAA”). Although it is true that HIPAA was designed to protect “sensitive patient health information from being disclosed without the patient’s consent or knowledge,” the well-known “Privacy Rule,” which addresses the use and disclosure of protected health information, applies only to “Covered Entities.” See “Health Insurance Portability and Accountability Act of 1996 (HIPAA),” Centers for Disease Control and Prevention, (last visited Nov. 17, 2021). “Covered Entities” include healthcare providers, health plans, and healthcare clearinghouses. Id.

Although an employer may also sponsor a health plan, the Privacy Rule “does not protect your employment records, even if the information in those records is health-related.” “Employers and Health Information in the Workplace,” U.S. Dep’t of Health & Human Services, (last visited Nov. 17, 2021). Generally, the “Privacy Rule” does not apply to the actions of an employer. Id. If an employer also acts as a Covered Entity, it must consider the capacity in which it obtained the health information (for example, an individual may be employed by a healthcare provider and also be a patient of that provider). Employers are permitted to ask employees for a note from a physician or other health information if necessary for an employment-related purpose (e.g., sick leave, workers’ compensation, wellness programs); however, if employers seek information directly from a Covered Entity, the employee’s authorization will be required. Id. As the Department of Health and Human Services notes, “[g]enerally, the Privacy Rule applies to the disclosures made by your health care provider, not the questions your employer may ask.” Id. Although HIPAA generally does not apply in the employment context, that does not mean employers can freely share an employee’s health information.

Under the Americans with Disabilities Act (“ADA”), if an employer obtains medical records regarding an employee as part of the interactive process, the employer must keep the medical records separate from the personnel file and label them as “confidential medical records.” Employers may share the information with supervisors and managers who need to know the necessary accommodations and potential restrictions on the employee’s duties; first aid and safety personnel who may need to treat the employee if an emergency arises; and government officials who need the information to investigate compliance with the ADA. Similarly, records obtained by employers for purposes of the Family and Medical Leave Act (“FMLA”) must be kept separate from the employee’s personnel file and labelled as “confidential medical records.”

Like Jules and Vincent, we are here to ensure that you know the ins and outs of keeping someone’s “briefcase” secure (or know your rights if there is a concern about someone losing your “briefcase”). If you have any questions or concerns regarding this topic, or any topic related to labor and employment law, please contact us.

1 As an interesting trivia fact, that briefcase serves as a MacGuffin, “an object, event, or character in a film or story that serves to set and keep the plot in motion despite usually lacking intrinsic importance.” In Retrieved November 5, 2021, from
