Don't Sign That HIPAA Form: Protecting Your Medical Privacy During FMLA

By LeaveRights Staff

Your employer - or more likely, a third-party leave administrator like Sedgwick, MetLife, The Hartford, Lincoln Financial, or Unum - just sent you a stack of FMLA paperwork. There is the designation notice. There is the WH-380 medical certification form for your doctor to fill out. And then, tucked in with the rest of the packet, there is something else: a HIPAA authorization form asking you to sign over access to your medical records.

It looks official. It is printed on company letterhead, or on the third-party administrator's branded forms, which look even more legitimate because they come from an insurance or benefits company. It might say "required" somewhere on the page. The claims representative might tell you that everything in the packet needs to be completed before your leave can be processed.

Here is what they are not telling you: that HIPAA authorization is not required for FMLA. Federal law does not require it. The Department of Labor does not require it. Your doctor does not need it to fill out the certification form. And signing it can give your employer access to far more medical information than they are legally entitled to see.

The key rule: FMLA certification does not require a HIPAA authorization. Your doctor fills out the WH-380 form and gives it to you, the patient. You then provide it to your employer. Because you are the one handing it over, no HIPAA authorization is needed for the initial certification process.

What FMLA Actually Requires from Your Doctor

The FMLA certification process is intentionally narrow. The Department of Labor designed the WH-380 forms (WH-380-E for the employee's own condition, WH-380-F for family member care) to collect only what the employer needs to determine whether the leave qualifies. Under 29 CFR § 825.306, the certification must include:

What the WH-380 Form Actually Asks

  • Healthcare provider information: Name, specialty, contact information
  • When the condition began: The approximate date of onset or commencement of treatment
  • Probable duration: How long the condition is expected to last
  • Appropriate medical facts: The form says these "may include symptoms, diagnosis, hospitalization, doctor visits, whether medication has been prescribed, referrals for evaluation or treatment, or any other regimen of continuing treatment." The word "may" is key. A diagnosis is one possible way to support the certification, but it is not required. Your provider can describe symptoms, treatment, and functional limitations without ever naming the condition.
  • Statement of inability to work: Whether you are unable to perform your job functions

That is it. The form does not ask for your full medical history. It does not ask for records from other providers. It does not ask about unrelated conditions. And critically, 29 CFR § 825.306(b) explicitly prohibits employers from requiring information beyond what the certification form asks for.

Your employer cannot demand a specific diagnosis. The WH-380 form lists diagnosis as one possible type of "appropriate medical fact," but it is not a required field. Your healthcare provider can satisfy the certification by describing symptoms, treatment, and your inability to perform job functions without ever naming the condition. This matters for people with mental health conditions, addiction, or other sensitive diagnoses who do not want that label in their employer's files. If an employer insists on a diagnosis, they are asking for more than the law allows (29 CFR § 825.306(b)).

The ADA provides a separate layer of protection here. Under 42 U.S.C. § 12112(d)(4), employers cannot make medical inquiries of employees unless they are "job-related and consistent with business necessity." When your FMLA leave involves a condition that also qualifies as a disability under the ADA, the employer must comply with both laws. Where the ADA is more restrictive (and it generally is regarding the scope of medical inquiry), the ADA restriction controls. Medical information your employer does receive must be kept in a separate confidential file, not in your personnel file (29 CFR § 1630.14(c)(1)).

What the HIPAA Authorization Really Does

To understand why signing the HIPAA authorization is dangerous, you need to understand what it actually is. A HIPAA authorization under 45 CFR § 164.508 is a legal document that gives a named party - in this case, your employer - permission to obtain your protected health information (PHI) from your healthcare providers.

The scope of the authorization depends entirely on what language is written into it. A properly drafted, narrow authorization might limit access to a specific provider, a specific condition, and a specific time period. But many employer-provided HIPAA authorizations are not narrow. They are written as broadly as possible.

The difference between the WH-380 certification and a HIPAA authorization is the difference between your doctor answering a specific question and handing over your entire medical file.

WH-380 Certification

Your doctor answers specific, limited questions about one condition

  • Limited to the condition causing leave
  • Does not require access to medical records
  • Employer sees only the completed form
  • Required by law - no additional authorization needed

HIPAA Authorization

You sign over permission for your employer to access your health records directly

  • Can cover all conditions, all providers
  • Gives employer direct access to medical records
  • Employer can see diagnoses, prescriptions, visit notes
  • NOT required for FMLA - entirely optional

The "All-Inclusive" HIPAA Trap

Many employers bundle an overbroad HIPAA authorization form right into the FMLA packet, making it look like just another required document. Some go further and print it on the same pages as the legitimate forms. The implicit message is clear: sign everything or your leave will not be processed.

Here is what an overbroad HIPAA authorization typically looks like. If you see language similar to this in your FMLA packet, treat it as a red flag:

Red Flag: Overbroad HIPAA Authorization

AUTHORIZATION FOR RELEASE OF HEALTH INFORMATION

I, __________________, hereby authorize any and all healthcare providers, hospitals, clinics, pharmacies, laboratories, and other medical facilities that have provided me with treatment or services to release my complete medical records, including but not limited to:

  • All diagnoses, treatment plans, and medical histories
  • Mental health and psychiatric records
  • Substance abuse treatment records
  • HIV/AIDS testing and status
  • Prescription and medication histories
  • Genetic testing results

This authorization shall remain in effect for the duration of employment or until revoked in writing.

Signature: __________________   Date: __________

You do NOT have to sign this. This form is not required by FMLA, and signing it gives your employer access to your entire medical history - including conditions completely unrelated to your leave.

Look at what that form does. It covers all providers, not just the doctor treating your leave condition. It asks for all diagnoses and medical histories, not just the one relevant to your FMLA request. It includes mental health records, substance abuse treatment, HIV status, and genetic testing - categories that receive extra federal and state protections precisely because they are so sensitive. And it lasts for the duration of your employment, which means the employer can use it to pull your records long after this particular leave is over.

This is not the kind of information FMLA entitles your employer to see. The regulations at 29 CFR § 825.306(b) are clear: the employer cannot require information beyond what the certification asks for.

The Third-Party Administrator Problem

Here is what makes this worse: many employees never deal with their employer's HR department directly for FMLA at all. Large employers outsource leave administration to third-party companies - Sedgwick, MetLife, The Hartford, Lincoln Financial, Unum, and others. These companies manage your FMLA claim from intake to return-to-work, and they send you the paperwork.

When a HIPAA authorization comes from one of these companies, it feels even more official. It arrives on the letterhead of an insurance or benefits company. It is presented as part of a structured claims process. The representative on the phone sounds professional and matter-of-fact: "We just need you to sign the authorization so we can process your claim." It does not feel like your employer fishing for information. It feels like a routine administrative step.

But the legal analysis is exactly the same. A third-party administrator acting on behalf of your employer is still bound by the same FMLA regulations. They cannot require information beyond what 29 CFR § 825.306 permits. They cannot condition your leave on signing a HIPAA authorization that the law does not require. The fact that Sedgwick or MetLife is asking instead of your HR manager does not change your rights.

Third-party leave administrators like Sedgwick, MetLife, The Hartford, Lincoln Financial, and Unum act on behalf of your employer. They are bound by the same FMLA rules. If they send you a HIPAA authorization form, you have the same right to refuse or narrow it as you would with any form from your employer's HR department.

The Online Portal Trap

Some third-party leave administrators take this a step further. When your employer directs you to file your FMLA claim through an online portal, the HIPAA authorization is often built right into the account registration or intake process. You click through a series of screens, agree to terms, and somewhere in that flow there is a HIPAA authorization checkbox or electronic signature field. It is designed to look like a required step. The portal may not let you proceed without completing it.

Do not sign a HIPAA authorization electronically as part of a portal sign-up process. The fact that a website makes something look mandatory does not mean it is legally required. Portal design choices are made by the third-party administrator, not by federal regulators. The FMLA regulations have not changed just because the paperwork moved online.

If the portal will not let you submit your FMLA claim without signing the HIPAA authorization, you have options. Contact the third-party administrator in writing (email is best, so you have a record) and explain that you are requesting FMLA leave and want to complete the intake process without signing the HIPAA authorization. State that you will provide the completed WH-380 medical certification as required by 29 CFR § 825.306, and that a HIPAA authorization is not a legal prerequisite for FMLA leave.

You can also notify your employer's HR department directly. Let them know that the third-party portal is blocking your FMLA submission behind a HIPAA authorization that federal law does not require. Put it in writing. This creates a record that you attempted to file your claim in good faith, and that any delay was caused by the administrator's portal design, not by your failure to cooperate.

If a third-party portal requires you to sign a HIPAA authorization before you can submit your FMLA claim, do not sign it. Contact the administrator and your HR department in writing to request access without the authorization. Document everything. A portal's design choices do not override your rights under federal law.

Red Flags to Watch For

  • "Any and all providers" - A legitimate request would be limited to the specific provider treating your leave condition.
  • "Complete medical records" - FMLA only requires the answers on the WH-380 form. Your full records are never required.
  • No expiration date or "duration of employment" - Authorizations should be limited to a specific, reasonable time period.
  • Bundled with required FMLA forms - Making it look like a mandatory part of the packet when it is entirely separate and voluntary.
  • Includes mental health, substance abuse, or HIV records - These categories have additional federal protections (42 CFR Part 2 for substance abuse; many states protect HIV status).
  • Sent by a third-party administrator (Sedgwick, MetLife, etc.) - These forms look more official because they come from insurance companies, but the same FMLA limits apply. A third-party administrator cannot require more than your employer could.
  • Built into an online portal sign-up - Some third-party administrators embed the HIPAA authorization into their website registration flow, making it appear mandatory. A portal's design does not change what federal law requires. Do not e-sign it.

Your Right to Refuse or Narrow the Authorization

Federal regulations protect you in two important ways here. First, 45 CFR § 164.508(b)(4) - the HIPAA compound authorization rule - prohibits healthcare providers and health plans from conditioning treatment or benefits on signing an authorization. While employers are not directly covered by this provision (HIPAA regulates healthcare entities, not employers), the principle matters: a HIPAA authorization is always voluntary. Your employer cannot make it a condition of FMLA leave because FMLA does not require one.

Second, 29 CFR § 825.306(b) prohibits employers from requiring medical information beyond what the certification form asks for. This is a hard limit. If your employer says they need a HIPAA authorization to "complete the FMLA process," that statement is not supported by the regulations.

You have several options:

Option 1: Simply Don't Sign It

Return the completed WH-380 certification and the other required FMLA forms. Do not return the HIPAA authorization. If asked, explain in writing that FMLA does not require a HIPAA authorization and that the certification provides all the medical information the law requires. This is the cleanest approach.

Option 2: Narrow It

If you feel pressured to sign something, you can cross out the overbroad language and limit the authorization. Restrict it to one named provider, one specific condition, and a short time window (e.g., 90 days). Cross out categories like mental health records, substance abuse, and HIV/genetic testing if they are not relevant. Initial each change. This gives the employer something on paper while protecting you from a fishing expedition.

Option 3: Revoke a Previously Signed Authorization

If you already signed an overbroad authorization, you can revoke it. Under 45 CFR § 164.508(b)(5), you have the right to revoke any HIPAA authorization in writing at any time. The revocation applies to future disclosures - it cannot undo information already released, but it stops the flow going forward. Send the revocation to both your employer and the healthcare provider(s) named on the form.

Can Your Employer Contact Your Doctor?

Employers sometimes use the HIPAA authorization as a workaround: if you sign it, they can go directly to your doctor and request whatever they want. But even without the authorization, there are rules about when and how your employer can contact your healthcare provider during the FMLA process.

Under 29 CFR § 825.307(a), employer contact with your doctor is strictly limited:

Rules for Employer Contact with Your Doctor

  • Purpose is limited: Contact is permitted only for "authentication or clarification" of the medical certification - not to request additional information, not to get your full records, not to ask about other conditions.
  • Your direct supervisor cannot make the call: Contact must be made by an HR professional, a leave administrator, a management official, or a healthcare provider representing the employer. Your direct supervisor is explicitly prohibited from contacting your doctor.
  • You get a chance to fix it first: Before the employer contacts your healthcare provider, they must give you an opportunity to cure any deficiency in the certification. They cannot skip straight to calling your doctor.
  • Authentication means verification only: The employer can verify that the form was actually completed by your healthcare provider and that the information on it is genuine. That is all "authentication" means.
  • Clarification is not a backdoor: Clarification means the employer can ask the healthcare provider to explain information already on the certification. It does not mean they can ask for new information beyond the scope of the form.

If your manager or direct supervisor calls your doctor about your FMLA leave, that is a violation of 29 CFR § 825.307(a). Document it immediately - the date, what was discussed, and who made the call. This kind of violation can support claims of FMLA interference.

What to Do If Your Employer (or Their Leave Administrator) Pushes Back

Some employers - or their third-party leave administrators - will not take your refusal quietly. HR might tell you that the HIPAA authorization is "company policy." A Sedgwick or MetLife claims representative might say your leave "cannot be processed" without it. Here is how to handle the pushback, step by step.

Document every interaction. Every conversation about the HIPAA form should be in writing, or followed up with a confirmation email. "Per our conversation today, I am confirming that you stated my FMLA leave cannot be processed without the HIPAA authorization form. I respectfully disagree and am providing the completed WH-380 certification as required by federal law."

Request the specific legal basis. Ask HR to identify the specific federal regulation that requires a HIPAA authorization for FMLA. They will not be able to, because it does not exist. Putting this request in writing forces them to either back down or make a claim they cannot support.

Submit the WH-380 and nothing else. Make it clear in writing that you are providing the medical certification required by 29 CFR § 825.306 and that you consider this to be full compliance with the FMLA certification requirements.

Cite the regulations. You do not need to be a lawyer to reference the rules. A simple statement is effective: "Under 29 CFR § 825.306(b), an employer may not require information beyond the medical certification. The WH-380 form is completed by my healthcare provider and provided to me as the patient, so no HIPAA authorization is required for this process."

Escalate if necessary. If HR continues to insist, or if your leave is denied or delayed because you refused to sign, you can file a complaint with the Department of Labor's Wage and Hour Division. FMLA interference - including conditioning leave on signing unnecessary documents - is a violation of 29 U.S.C. § 2615.

Sample Language You Can Use

Below are specific phrases you can use in emails or write directly on the HIPAA authorization form. Adapt them to your situation.

When Declining to Sign

"I am providing the completed WH-380 medical certification as required by 29 CFR § 825.306. Federal FMLA regulations do not require a HIPAA authorization for the certification process, and 45 CFR § 164.512(a) permits my healthcare provider to disclose the certification information without one. I am therefore declining to sign the HIPAA authorization form included in the leave packet. Please process my FMLA leave request based on the enclosed certification."

When Narrowing the Authorization

"I am limiting this authorization to records from [Dr. Name] at [Practice Name] related solely to [specific condition], for the time period of [start date] through [end date]. All other provisions, including references to 'any and all providers' and categories of records not related to the stated condition, are hereby crossed out and excluded. This authorization expires on [date, no more than 90 days]."

When Revoking a Previously Signed Authorization

"Pursuant to 45 CFR § 164.508(b)(5), I am revoking the HIPAA authorization I signed on [date]. This revocation is effective immediately for any future disclosures. Please confirm receipt of this revocation in writing."

Frequently Asked Questions

Does FMLA require me to sign a HIPAA authorization?

No. The FMLA certification process uses the WH-380 form, which your healthcare provider can complete without a HIPAA authorization. Under 45 CFR § 164.512(a), the limited medical information on the certification form is a disclosure "required by law," which means your doctor is already permitted to provide it. A separate authorization is not necessary and not required by any FMLA regulation.

Can my employer deny FMLA leave if I refuse to sign a HIPAA authorization?

Generally, no. Your employer can require you to provide a completed medical certification (WH-380), and they can deny leave if you fail to provide that. But refusing to sign a blanket HIPAA authorization is not a basis for denial. The one exception: if your certification is incomplete and your doctor requires a specific, limited authorization before speaking with the employer for clarification, you should provide that narrow authorization to avoid jeopardizing your leave. If your employer denies leave solely because you refused an overbroad HIPAA form, that may constitute FMLA interference.

Can my employer call my doctor directly about my FMLA leave?

Only in very limited circumstances. Under 29 CFR § 825.307(a), the employer can contact your doctor for authentication (verifying the form is genuine) or clarification (explaining information already on the form). The contact must be made by HR, a leave administrator, or the employer's healthcare provider - never your direct supervisor. And the employer must first give you a chance to cure any deficiency in the certification before contacting your provider.

What is the difference between the WH-380 certification and a HIPAA authorization?

The WH-380 is a DOL form that collects limited, targeted information: condition onset, duration, appropriate medical facts (which may include symptoms, diagnosis, or treatment details, but a specific diagnosis is not required), and a statement about your inability to work. A HIPAA authorization is a legal document that gives someone permission to access your protected health information. An overbroad HIPAA authorization can give your employer access to your entire medical history from every provider - diagnoses, prescriptions, mental health records, and more. The WH-380 is required by law. The HIPAA authorization is not.

What if my doctor requires a HIPAA authorization before talking to my employer?

This can happen. Under 29 CFR § 825.307(a), your employer can contact your doctor for authentication or clarification of the certification, but your doctor may independently decide they want a HIPAA authorization before responding. This is the doctor's own policy, not an FMLA requirement. If it comes to this, provide a limited authorization covering only the specific condition, the specific provider, and a short time window. This is very different from signing the blanket authorization in the FMLA packet. And remember: the employer must first give you a chance to fix any deficiency in the certification yourself before contacting your doctor at all.

What should I do if my employer insists I sign a HIPAA authorization for FMLA?

Submit the completed WH-380 certification and decline the HIPAA form in writing. Cite 29 CFR § 825.306(b) (employers cannot require info beyond the certification) and 45 CFR § 164.512(a) (no authorization needed for required-by-law disclosures). If the employer retaliates or refuses to process your leave, file a complaint with the DOL Wage and Hour Division. If you previously signed an overbroad authorization, you can revoke it under 45 CFR § 164.508(b)(5).

For survivors of childhood trauma: If your psychiatric records contain abuse disclosures, childhood history, or other sensitive information, the risks described in this guide are even higher. Our Protecting Sensitive Medical and Therapy Information guide covers the specific dangers for survivors and includes a step-by-step protection plan.