Employer Obligations for Employee Health Records (US & UK)

TL;DR

  • Separate the file — Keep medical and health information in a confidential file apart from the personnel file (ADA, US; security principle under UK GDPR, UK).
  • Collect only what you need — Limit collection to information that is job-related and necessary; the UK adds a special-category processing condition on top.
  • Restrict access tightly — Managers receive adjustments and restrictions, not diagnoses; access stays strictly need-to-know.
  • Retain to the longest applicable rule — Up to duration of employment plus 30 years (OSHA, US) and 40 years (COSHH, UK) for exposure and surveillance records.
  • Report breaches fast — 72 hours to the ICO for qualifying breaches (UK); HIPAA notification timelines where it applies (US).

Employers must keep employee health records confidential and separate from personnel files, collect only what is necessary, restrict access to those with a genuine need, and retain records for legally required periods — up to 30 years under OSHA in the US and 40 years under COSHH for UK health-surveillance records. Health data is treated as especially sensitive in both regimes.

Not legal advice. This article reflects general HSE professional understanding of US and UK requirements as of 2026. Specific compliance questions, enforcement situations, or prosecution risk should go to qualified legal counsel in the applicable jurisdiction.

Not medical advice. Content touching health surveillance, exposure, or fitness-for-work is for HSE practitioner reference. Occupational-health clinical judgment rests with a qualified OH professional or occupational physician — not the employer.

A persistent myth in employer circles is that workplace health information is “covered by HIPAA” and, beyond that, can be filed like any other HR paperwork. Both halves are wrong: the US Department of Health and Human Services is explicit that HIPAA generally does not reach the health records an employer holds in its capacity as an employer, and the rules that do apply carry duties most personnel filing systems never account for.

That gap matters because health data sits at the sharp end of both data-protection law and discrimination law, where the penalties are real and the reputational damage worse. This guide sets out the employer obligations for employee health records across the full lifecycle — what you may collect, how to store and restrict it, how long to keep it, when you may share it, what employees can demand back, and what to do when something leaks — with US and UK requirements running side by side.

[Figure: Employee Health-Record Obligation Cycle, six steps around a central security shield: collecting, storing, accessing, retaining, sharing and releasing employee health information.]

What Counts as an “Employee Health Record” — and Why the Definition Decides Everything

A “health record” is not one artifact, and the confidentiality rule attaches differently depending on which type you hold. The most consequential distinction — one most law-firm explainers skip — is between a health record that carries no clinical detail and a confidential clinical record that does.

In UK occupational-health practice, the health record can sit alongside personnel files because it records only that surveillance happened and the fitness conclusion; the clinical record, holding diagnosis and medical detail, stays with the OH professional. That split is not bureaucratic neatness. It reflects the ILO Occupational Health Services Convention, 1985 (No. 161), Article 15 (International), under which personal health data is confidential and the conclusions passed to an employer must omit clinical detail.

The most common failure I see in the published guidance and audit patterns is treating an OH referral report as a single document to drop whole into the HR file. The OH professional should release only the fitness-for-work and adjustments conclusion — the underlying diagnosis was never the employer’s to hold.

The categories an employer typically encounters, and where each belongs:

Record type | What it contains | Who should hold it
Absence / sickness record | Dates absent; ideally bare absence, not diagnosis | HR, separated from clinical detail
Injury / incident record | Workplace injury facts | HR / safety, confidential file
OH referral report | Fitness and adjustments conclusion only | HR (conclusion); clinician keeps detail
Health-surveillance result | Fitness outcome of statutory surveillance | Health record with HR; clinical record with OH
Fitness-for-work assessment | Capability conclusion | HR, restricted access
Vaccination / immunisation status | Special-category health data | Confidential file, strict access

The ICO’s practical steer is worth internalising: prefer bare absence records over detailed sickness records wherever you can, and keep any sickness or injury detail separate from the rest. As an aside on weight, the international frame is ethically strong but legally uneven — only 35 member states had ratified ILO Convention No. 161 as of June 2023 (Health and Care Workers Policy Lab citing ILO NORMLEX, 2023).

[Figure: Health record (fitness conclusion, stored with personnel files) compared with clinical record (full medical detail, held by the OH professional).]

What Health Information Can an Employer Lawfully Collect?

The obligation starts at the front door, not the filing cabinet: you may only collect health information that is necessary and proportionate to a stated purpose. Both regimes restrict collection before any storage question arises.

The requirement under the ADA (42 U.S.C. §12112(d), US) is that medical inquiries and examinations of employees be job-related and consistent with business necessity — a threshold that rules out fishing expeditions and “nice to know” curiosity. The UK frames the same instinct differently and more heavily.

United Kingdom

  • Two layers of lawful basis — Health data needs an Article 6 lawful basis plus an Article 9 special-category condition (commonly “employment, social security and social protection law”), with a matching Schedule 1 DPA 2018 condition and an Appropriate Policy Document.
  • Recruitment limits — The Equality Act 2010, s.60, restricts health and disability questions before a job offer, narrowing what you may even ask at the hiring stage.
  • A live moving target — The Data (Use and Access) Act 2025 came into force on 19 June 2025, placing the ICO’s workers’ health information guidance under review; treat that guidance as current but expect refinement.

United States

  • Job-relatedness test — The ADA confines employee medical inquiries to those genuinely tied to the role or to business necessity.
  • Genetic information off-limits — GINA bars acquisition of genetic information, including family medical history, outside narrow exceptions.

Both jurisdictions — Apply data minimisation: take the minimum needed for the purpose, and no more.

In practice, the trap is rarely the formal collection — it is the informal one. The moment a manager records a health detail in an email thread, a notebook, or a meeting minute, that becomes processing of special-category data with no lawful basis behind it, and it inherits every obligation the formal record carries.

[Figure: Four collection guidelines: collect only job-related and necessary information; identify a lawful basis first; limit pre-offer health questions; gather only the minimum required data.]

How Must Employee Health Records Be Stored and Kept Confidential?

The core storage obligation is the same on both sides of the Atlantic, expressed two ways: medical information must be singled out for stronger protection than ordinary HR data and held apart from it. This is where storing employee medical information becomes a concrete duty rather than a principle.

In the US, the ADA requires medical information to sit on separate forms in a confidential file, separate from the personnel file — and FMLA (29 CFR 825.500(g)) and GINA reinforce that separation. The field reading of these clauses is blunt: a co-mingled file, where a manager flipping through performance paperwork also sees a diagnosis, is a compliance failure waiting to be cited.

The UK reaches the same place through the security principle. Because health data is special category data, the ICO expects a higher level of security than ordinary HR records attract — stronger access controls, encryption, and logging applied specifically to it.

Who Is Allowed to See an Employee’s Health Information?

The default answer is narrower than most managers assume: access is need-to-know, and a line manager’s “need” almost never includes the diagnosis. What a manager should receive is the output — the restrictions and adjustments required to keep the person safe and productive — not the clinical reason behind them.

  • Line managers — Told the adjustments and restrictions needed, not the underlying condition, unless disclosure is genuinely required for safety.
  • First-aid, safety, and emergency personnel — May be informed where necessary for treatment or emergency response.
  • Third parties (insurers, regulators, other staff) — Only with consent or a clear, specific legal basis.

A minimum security baseline that satisfies both regimes:

  • Physical and logical separation — Health data held apart from personnel files, locked or access-walled.
  • Role-based access — Permissions mapped to genuine business need, reviewed when roles change.
  • Encryption — At rest and in transit for any electronic health record.
  • Audit logging — A record of who opened what, and when.

The recurring breach pattern here is the authorised-but-curious viewer: a staff member who can technically open a record doing so without a business reason. Regulators increasingly treat that internal snooping as a reportable breach, not a minor housekeeping slip — which is precisely why audit logging earns its place on the list above.
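As an added example that is not part of the article, the following Python sketch turns the baseline above into code: field-level role-based access that gives a line manager the adjustments but never the diagnosis, an audit log of every attempt, and a review flag for the authorised-but-curious pattern. The role names, field names, the use of a case reference as the recorded business reason, and the sample records are all assumptions.

```python
"""Role-based, field-level access to a split health record, with audit logging.

Added example, not code from the article. The role names, field names, the
case-reference check and the sample records are all assumptions chosen to
illustrate the baseline: managers get adjustments, never the diagnosis; every
read is logged; granted reads with no business reason are flagged for review.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields each role may read. Clinical detail stays with the OH clinician.
ROLE_FIELDS = {
    "oh_clinician": {"fitness_conclusion", "adjustments", "diagnosis"},
    "hr_confidential": {"fitness_conclusion", "adjustments"},
    "line_manager": {"adjustments"},
}

# Constructed sample records; the diagnosis value is a placeholder.
RECORDS = {
    "emp-001": {"fitness_conclusion": "fit with adjustments",
                "adjustments": "no manual lifting for 6 weeks",
                "diagnosis": "<clinical detail, OH only>"},
    "emp-002": {"fitness_conclusion": "fit",
                "adjustments": "none",
                "diagnosis": "<clinical detail, OH only>"},
}


@dataclass(frozen=True)
class Viewer:
    user: str
    role: str
    reports: frozenset = frozenset()  # direct reports, for line managers only


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, viewer, subject, fld, granted, case_ref):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": viewer.user, "role": viewer.role, "subject": subject,
            "field": fld, "granted": granted, "case_ref": case_ref,
        })


def read_field(viewer, subject, fld, log, case_ref=None, records=RECORDS):
    """Return the field if role and relationship permit it; log the attempt either way."""
    granted = fld in ROLE_FIELDS.get(viewer.role, set())
    # A manager's need-to-know stops at their own team.
    if viewer.role == "line_manager" and subject not in viewer.reports:
        granted = False
    log.record(viewer, subject, fld, granted, case_ref)
    return records[subject][fld] if granted else None


def flag_for_review(log):
    """Entries a records owner should review: every denied attempt, and every
    granted read with no case reference (the authorised-but-curious pattern)."""
    return [e for e in log.entries if not e["granted"] or not e["case_ref"]]


if __name__ == "__main__":
    log = AuditLog()
    mgr = Viewer("m.khan", "line_manager", frozenset({"emp-001"}))
    print(read_field(mgr, "emp-001", "adjustments", log, case_ref="RTW-014"))
    print(read_field(mgr, "emp-001", "diagnosis", log, case_ref="RTW-014"))  # None
    for e in flag_for_review(log):
        print("review:", e["user"], e["subject"], e["field"], e["granted"])
```

In a real system the log entries would go to an append-only store the viewers cannot edit, and the review list would be worked regularly rather than only after a complaint.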

[Figure: Minimum health-record security baseline: separate records from personnel files; role-based access controls; encryption at rest and in transit; logging of every record access.]

How Long Must Employers Keep Medical Records?

Thirty years and forty years — those two numbers are where employee medical record retention quietly catches organisations out. Retention periods diverge sharply by record type and jurisdiction, and the safe rule is to default to the longest statutory period that could apply.

Compare the headline obligations: OSHA’s access to employee medical records standard (29 CFR 1910.1020, US) requires medical records kept for the duration of employment plus 30 years and exposure records for 30 years, while the UK’s COSHH Regulations 2002 require a health-surveillance record kept for at least 40 years from the date of last entry. Where periods conflict, the longer governs.

Record type | Jurisdiction | Retention period | Governing rule
Employee medical record | US | Employment + 30 years | OSHA 29 CFR 1910.1020
Exposure record | US | 30 years | OSHA 29 CFR 1910.1020
Health-surveillance record | UK | 40 years from last entry | COSHH Reg 11
General OH / clinical record | UK | Shorter periods, but surveillance duty overrides | OH professional standards + COSHH

The “set-and-forget” failure is the one I flag most often when reviewing retention practice. An organisation runs a generic HR destruction schedule — say, six years post-employment — and quietly shreds exposure or surveillance records decades before a 30- or 40-year obligation expires, often without anyone realising a statutory duty was breached until a former worker’s late-onset claim surfaces.

The judgment call for any employer subject to both regimes, or unsure which applies, is straightforward once stated: treat the COSHH 40-year figure as the conservative default for surveillance records and the OSHA 30-year-plus rule for US exposure and medical records. Never apply a short generic HR schedule to either.

[Figure: Minimum retention periods: US medical records, employment plus 30 years; US exposure records, 30 years; UK surveillance records, 40 years from last entry; when uncertain, keep for the longest.]

When Can an Employer Share Employee Health Information?

Disclosure is where most enforcement risk lives, and the default is restrictive: beyond fitness-for-work conclusions and legally required information, sharing needs the employee’s specific, informed consent. The lawful exceptions are narrow and should be treated as exceptions, not routes around consent.

The permitted-disclosure scenarios, in practical order:

  1. Occupational-health referral — Passing relevant information to an OH provider engaged to assess fitness or adjustments.
  2. Legal claims and statutory obligations — Where a court, tribunal, or statute compels disclosure.
  3. Vital interests / emergency — Sharing what a first responder or clinician needs to treat the person in a genuine emergency.
  4. Specific informed consent — Anything outside the above, including disclosure to insurers, requires the employee’s clear agreement.

Two jurisdiction-specific points sharpen this. When an employer wants a report from the worker’s own clinician, the UK Access to Medical Reports Act 1988 governs the process — consent is required, and the worker has the right to see and correct the report before it is released.

On the US side, the persistent confusion is HIPAA. The Privacy Rule constrains how a health plan or provider shares data with an employer; it generally does not cover the employment records the employer holds in its employer capacity — a distinction the HHS workplace guidance sets out plainly. A newer wrinkle: the revised 42 CFR Part 2 rules for substance-use-disorder records took effect on 16 February 2026 (US), tightening confidentiality for a category of data employers may encounter through EAPs or accommodation requests.

The benign-intentions trap is over-sharing. Circulating an OH report or a medical detail to colleagues who have no role in the decision breaches data minimisation even when no one meant harm — the breach is the unnecessary exposure, not the motive.

[Figure: Permitted sharing scenarios: occupational-health referral; legal or statutory obligation; emergency or vital interests; specific informed consent. Default: no sharing.]

Employee Rights to Access Their Own Health Records

Obligations run both directions: employees can demand to see the health records you hold about them, and you must respond within a defined window. This is a right, not a courtesy, and missing the deadline is itself a breach.

The clearest timeline is statutory in the US. Under OSHA 29 CFR 1910.1020(e) (US), an employer must provide access to medical and exposure records within 15 working days of a request, and a designated representative needs written authorisation before release.

  • United States — Access within 15 working days under OSHA; representatives require written authorisation.
  • United Kingdom — Subject access rights under UK GDPR let workers request their personal data; where a doctor’s report is involved, the Access to Medical Reports Act 1988 adds rights to see and correct it.
  • Both — Verify identity before release, and confirm a representative’s authorisation in writing.

The applied point worth holding onto: identity and authorisation checks are not friction to be minimised. Releasing a health record to the wrong person — an impersonator, or a representative without proper authority — converts a routine access request into the very confidentiality breach the whole framework exists to prevent.

What Happens If an Employer Breaches Health-Record Confidentiality?

Consequences are what make these obligations bite, and they split into two streams: a duty to report the breach, and exposure to liability for it. Health-data breaches draw heightened regulatory scrutiny precisely because the data is special category.

Notification duties

  • United Kingdom — A personal-data breach likely to risk individuals’ rights must be reported to the ICO within 72 hours; special-category breaches attract heightened scrutiny.
  • United States — Where HIPAA applies, affected individuals are notified within 60 days, and breaches affecting 500 or more trigger simultaneous notification to the Office for Civil Rights.

Liability exposure

  • Discrimination claims — Mishandled health data can feed ADA claims (US) or Equality Act 2010 claims (UK).
  • Breach-of-confidence and contract — Civil exposure independent of data-protection law.
  • Regulatory penalties — Fines and enforcement action from the supervisory authority.

The pattern regulators have hardened on is internal: unauthorised viewing of medical records by staff is now routinely treated as a notifiable breach, not just external hacking. The wider risk climate supports the vigilance — UK health-sector cyber breaches affecting 1,000 or more individuals rose from 25 in 2023 to 56 in 2024 (Surfshark analysis of UK Information Commissioner’s Office data, 2025), a sector-wide trend rather than an employer-records-specific figure, but a clear signal of where the threat curve is heading.

[Figure: UK health-sector breaches rose from 25 in 2023 to 56 in 2024; ICO reporting within 72 hours; HIPAA notification within 60 days; internal snooping classed as a breach.]

Frequently Asked Questions

Do employee medical records have to be kept separate from personnel files?

Yes. In the US the ADA — reinforced by FMLA and GINA — requires medical information in a confidential file separate from the personnel file. The UK reaches the same result through the UK GDPR security principle, which expects special-category health data to be singled out for stronger protection. The reasons are different retention rules and stricter confidentiality, so separation is both law and sound practice.

Can my employer obtain a medical report from my own doctor?

Only with your specific, informed consent. In the UK, the Access to Medical Reports Act 1988 gives you the right to see the report your own doctor prepares before it reaches your employer, and to ask for corrections. Your employer cannot bypass that process or treat refusal as automatic grounds for action, though it may affect what adjustments can be assessed.

Does HIPAA protect the health records my employer holds about me?

Usually not, and this is the most common misconception. HIPAA’s Privacy Rule constrains how a health plan or provider discloses data; it generally does not cover the employment records an employer holds in its employer capacity. The HHS workplace guidance confirms this. Those records are instead governed by laws like the ADA in the US and UK GDPR in the United Kingdom.

Can my line manager see my diagnosis?

No — not as a default. A manager should receive the recommended adjustments and restrictions, not the underlying condition, unless disclosure is genuinely necessary for safety. This reflects the ILO Convention No. 161 principle that conclusions to employers omit clinical detail. If a manager is reading your diagnosis to manage your work, something in the disclosure chain has gone wrong.

How long must employers keep employee medical records?

Longer than most HR schedules assume. OSHA 29 CFR 1910.1020 requires US exposure records kept for 30 years and medical records for employment plus 30 years. UK COSHH requires health-surveillance records kept for at least 40 years from the last entry. Never apply a generic short retention schedule to either — destroying these early is itself a breach.

Do these obligations apply to small employers?

Largely yes. UK GDPR has no small-business exemption for special-category data, so health-data duties apply regardless of headcount. In the US, some thresholds vary — the ADA generally applies to employers with 15 or more employees — but OSHA record obligations and basic confidentiality expectations reach far more broadly. Size rarely removes the core duty.

Conclusion

Strip the two regimes back to decisions and the employer obligations for employee health records reduce to a handful of choices you make repeatedly. Separate the confidential file from the personnel file; collect only what the role genuinely needs; give managers the adjustments, never the diagnosis; and let the longest statutory retention period — 30 years under OSHA, 40 under COSHH — govern when a short HR schedule and a long surveillance duty collide.

Two of those decisions carry the most enforcement weight, so treat them as non-negotiable. Restrict access to a real business need and log it, because regulators now count a curious internal viewer as a reportable breach. And when something does leak, move on the clock — 72 hours to the ICO in the UK, HIPAA timelines in the US — rather than waiting to see whether anyone noticed.

The single change that pays off most is auditing what you already hold against these rules, not drafting a new policy. With the Data (Use and Access) Act 2025 reshaping UK guidance and the revised 42 CFR Part 2 rules live as of February 2026, the regulatory floor is moving — and a co-mingled file or a forgotten retention schedule is a far more likely cause of your next breach than any outside attacker.