Managing Employee Medical Information: Best Practices Every Business Should Follow
Employers routinely come into contact with employee medical information, whether it’s a doctor’s note for an absence, a request for accommodation, or documentation for medical leave. But handling that information the wrong way can create legal exposure, damage trust, and lead to costly compliance issues.
Navigating the patchwork of laws governing medical data - like the ADA, FMLA, and various state sick leave rules - can be daunting. But with the right practices in place, businesses can protect employee privacy while keeping operations compliant.
Here are key best practices every employer should know:
1. Only Ask When It’s Necessary—and Job-Related
Avoid asking candidates or employees about their medical conditions unless it’s directly relevant to the job and legally allowed. During the hiring process, focus questions on whether the applicant can perform essential job duties, with or without reasonable accommodation. After an offer is made—or during employment—medical information should only be requested when it's consistent with business necessity, such as fitness-for-duty exams or accommodation requests.
2. Use the Right Documentation for Medical Leave
When employees request time off under the Family and Medical Leave Act (FMLA) or state equivalents, employers can require supporting documentation—but only within strict boundaries. Stick to the Department of Labor’s FMLA forms and avoid asking for unnecessary details that could violate privacy protections or trigger retaliation claims. Some state laws also limit the type of documentation you can request for paid sick leave.
3. Keep Medical Records Separate and Secure
Medical information should never be stored in regular personnel files. Instead, maintain a separate, confidential file with limited access: only those who need to know, such as HR or safety personnel, should see it. This separation isn’t just a best practice; it’s a requirement under the ADA and other laws.
4. Know Who Can—and Can’t—Access Medical Info
Don’t share medical details with supervisors or coworkers unless there's a specific, lawful reason to do so, like implementing a necessary accommodation. Disclosures should be limited, and only made to those who truly need the information to do their jobs.
5. Get Familiar with Record Retention Rules
Federal and state laws vary widely in how long you need to keep medical records. For example, workers’ comp laws often require longer retention periods than your standard HR documents. Don’t assume one-size-fits-all timelines: review the laws that apply to your business and update your document retention policies accordingly.
6. Don’t Assume HIPAA Applies
Here’s a common misconception: that HIPAA governs all employee medical information. In most cases, it doesn’t. HIPAA applies to healthcare providers, health plans, and their business associates, not to employers in their role as employers. Instead, laws like the ADA and FMLA are what govern most employment-related health data.
7. Put It in Writing
Have clear written policies for how medical information is collected, stored, used, and shared. Communicate those policies to managers and train them on what to ask, and what to avoid. Written procedures help ensure consistency, reduce risk, and create a strong defense if questions ever arise.
Need help reviewing your current practices or creating better systems? Our HR MRI Assessment® takes a deep dive into all aspects of your HR compliance—including how you manage sensitive employee data. It’s a no-cost, comprehensive review that gives you a clear roadmap for improvement. Reach out today to learn more.