Two Incidents You Should Know About
A worker applied for FMLA leave through their employer's third-party administrator, Matrix Absence Management. Without the worker's knowledge, Matrix contacted their healthcare provider directly and requested the full medical file, not just the FMLA certification form. The worker found out only when their provider mentioned it at a follow-up appointment.
In a separate case, MetLife closed a worker's FMLA leave, stating the reason for leave was "no longer covered under the leave program." The closure letter gave no clinical explanation, just a directive that absences after the effective date would not be job-protected. The worker had been on approved leave for just over five weeks.
These are not isolated stories. They reflect standard practices at many third-party administrators. The companies named in this guide (Matrix, MetLife, Sedgwick, Lincoln Financial, The Hartford, and Unum) are among the largest in the industry. Together, they process millions of FMLA and disability claims every year.
If you are a survivor of childhood trauma, what follows is a practical guide to understanding the danger, knowing your rights, and protecting your records step by step.
The Core Danger
When you request FMLA leave or disability benefits, your employer (or their third-party administrator) is legally allowed to request a medical certification. That part is normal and expected. The problem is the gap between what the law requires and what these companies actually request.
What the law requires
The FMLA certification form (WH-380-E for the employee's own condition, WH-380-F for family member care) asks for a limited set of information:
- The condition being treated
- Whether it requires inpatient care or continuing treatment
- The probable duration
- Whether intermittent leave is needed
That is it. Two pages. A checkbox form with a provider signature.
What the law does NOT require
- Your full medical history
- Your therapy notes
- Your psychiatric intake assessment
- Your childhood trauma history
- Records from other providers
Why this matters more for survivors
For survivors of childhood abuse, the stakes are higher than they are for most people. A full psychiatric record may contain:
- Abuse disclosures and details of traumatic events
- Family history, including perpetrator information
- Substance use history
- Hospitalization records
- Suicidal ideation documentation
- Diagnoses related to the abuse (C-PTSD, dissociative disorders, personality disorders)
None of this is relevant to whether you qualify for FMLA leave. But once it is in the hands of a third-party administrator, it can be shared with your employer, used to deny claims, or stored in files that dozens of claims processors can access.
What the FMLA Certification Actually Requires
The WH-380-E form is the standard Department of Labor form for certifying an employee's own serious health condition. Here is what each section asks for:
- Section 1: The employee's name, the condition being treated, and approximate date the condition began
- Section 2: Whether inpatient care (overnight hospital stay) was required, and the dates
- Section 3: The nature of the "serious health condition." This is the section most relevant to privacy. It asks whether the condition involves continuing treatment, chronic conditions, or permanent/long-term incapacity. It does NOT ask for a full history of the condition
- Section 4: Whether intermittent leave is needed, estimated frequency and duration of episodes
- Section 5: Provider signature, contact information, and practice type
The form can be completed without disclosing your specific diagnosis if the provider describes the condition in general terms. For example, "serious health condition requiring ongoing treatment" is a valid description. "PTSD secondary to childhood sexual abuse" is far more than the form requires.
Your employer does have the right to ask your healthcare provider to clarify or authenticate the certification (29 CFR § 825.307). But there is a restriction: the person who contacts your provider cannot be your direct supervisor. It must be an HR professional, a leave administrator, or a healthcare provider working for the employer.
Your HIPAA Rights
HIPAA (the Health Insurance Portability and Accountability Act) restricts who can access your protected health information (PHI). The core rule is simple: your healthcare provider cannot release records to your employer or a third-party administrator without your signed authorization.
But here is where it gets tricky. Many third-party administrators send authorization forms alongside the FMLA certification paperwork. These authorizations are often written very broadly, allowing the administrator to request ANY records from ANY provider for ANY time period. They look official. They come in the same envelope. Most people sign them without reading them.
Some administrators go further. They bundle HIPAA authorization language into the online portal sign-up process itself. When you create an account on the TPA's website to file your claim, the terms you agree to during registration may include a broad medical records release buried in the fine print. Sometimes the authorization is presented as a required step. Sometimes it is simply hidden in a block of terms and conditions that most people scroll past. Either way, agreeing to it is not required to file your FMLA claim. Read every screen carefully during portal registration. If you spot authorization language that goes beyond the FMLA certification, decline it, uncheck it, or submit your WH-380-E certification by mail, fax, or email instead.
You are NOT required to sign these broad authorizations to get FMLA leave. The law only requires the WH-380 certification. The authorization form is separate, whether it comes in an envelope or is embedded in a portal sign-up flow. It is voluntary. And if you sign it, you may be giving a for-profit company access to decades of private health records. For a detailed breakdown of the legal mechanics, see our guide: Don't Sign That HIPAA Form: Protecting Your Medical Privacy During FMLA.
If you already signed a broad authorization, you can revoke it in writing at any time. The revocation applies going forward (records already obtained cannot be retrieved), but it stops the bleeding.
Your specific rights under HIPAA
Under 45 CFR § 164.508, you have the right to:
- Refuse to sign any authorization for the release of medical records
- Limit the scope of any authorization (specific records, specific date ranges, specific providers only)
- Revoke any authorization in writing at any time
- Request an accounting of disclosures from your providers (a list of who has received your records in the past six years)
- Require your provider to comply with your restrictions and document them
What Third-Party Administrators Actually Do
The companies that process most FMLA and disability claims in the United States include Matrix Absence Management, Sedgwick, MetLife, Lincoln Financial, The Hartford, and Unum. Your employer pays them to manage leave and disability claims. They are not neutral parties. They are paid to process claims efficiently, and denials are efficient.
Common practices that exceed legal requirements
- Bundling broad authorization forms with FMLA paperwork. The forms look like they are part of the same packet. They are not. The FMLA certification is required. The authorization is not. Some TPAs embed this authorization language in their online portal registration, either presenting it as a required step or hiding it in the terms and conditions. Read every screen during sign-up.
- Requesting records from ALL treating providers. The certification only needs to come from one provider. Some administrators request records from every doctor, therapist, and specialist you have seen.
- Requesting years of records. Some forms request records "since the onset of the condition." For someone with depression related to childhood trauma, that could mean your entire life history.
- Contacting providers directly without telling you. This is what happened in the Matrix example above. The administrator went straight to the provider and requested the full file.
- Requesting therapy and session notes. Psychotherapy notes receive extra protection under HIPAA (45 CFR § 164.508(a)(2)). They require a separate, specific authorization. Many employees do not know this.
- Sharing information with the employer beyond what is needed. The administrator is supposed to share only the leave determination (approved or denied) and the dates. In practice, some share diagnosis information, treatment details, or flags about "concerning" findings.
- Using independent medical examinations (IMEs). The administrator can require you to see a doctor of their choosing for a second opinion. These doctors are selected and paid by the administrator. The results frequently contradict the employee's own provider.
Why they do this
These companies profit by managing claims volume at the lowest possible cost. More information gives them more reasons to deny, delay, or limit a claim. A childhood trauma history can be used to argue "pre-existing condition," to question the severity of a current diagnosis, or to suggest that the condition is "longstanding" and therefore not work-related.
Some of these practices may violate HIPAA, state privacy laws, or FMLA regulations. The problem is that most employees do not know their rights and comply with everything requested. The administrator counts on that.
How to Protect Yourself
- Talk to your healthcare provider BEFORE filing for leave.
Before you submit any FMLA paperwork, have a direct conversation with your provider. Explain that you plan to request FMLA leave and that you want to control what information is shared. Ask them to:
- Complete only the WH-380-E form (nothing more)
- Not release additional records to anyone without speaking to you first
- Flag your chart so that any outside records request triggers a call to you before anything is sent
Most providers will cooperate. They have HIPAA obligations too, and a patient who explicitly sets boundaries makes their compliance easier, not harder.
- Complete the WH-380-E form carefully.
Work with your provider to fill out the form in a way that is truthful but does not over-disclose. The form asks for a description of the condition, not a full history.
"Major depressive disorder requiring ongoing treatment" is sufficient. "Major depressive disorder secondary to childhood physical and sexual abuse with comorbid PTSD and alcohol use disorder" is far more than the form requires. Both are truthful. Only one protects your privacy.
Your provider may need to be reminded that the form asks for the minimum information needed to establish a serious health condition. Over-documentation is a habit in clinical settings. For this form, less is better.
- Do NOT sign broad records authorization forms.
If the third-party administrator sends an authorization form requesting your full medical records, do not sign it. You have several options:
- Return only the completed WH-380-E form and nothing else
- Write on the authorization form that you are limiting the scope to the WH-380-E certification only
- Send a separate letter stating that you do not authorize the release of any records beyond the certification form
- If the administrator says they cannot process your claim without the authorization, respond in writing. Ask them to identify the specific legal authority that requires records beyond the WH-380-E certification.
An important nuance: Under 29 CFR § 825.307(a), if the employer finds your certification incomplete or insufficient, they can contact your provider for clarification. If your provider requires a signed authorization before speaking with the administrator, and you refuse to provide one, the employer could use that refusal to delay or deny leave. The safest path is: (1) ask your provider to cure any deficiency directly, so the administrator never needs to contact them, or (2) sign a strictly narrowed authorization that limits disclosure to the specific condition on the WH-380-E, a single named provider, and a short time window (e.g., 90 days). Cross out any broad language and initial each change.
Keep copies of everything. Send correspondence by certified mail or email with delivery confirmation.
- If you already signed a broad authorization, revoke it.
Write a letter to every provider you authorized records from. State that you are revoking authorization for the release of records to the administrator, effective immediately. Include:
- Your name, date of birth, and patient ID if you have it
- The name of the third-party administrator you are revoking authorization for
- A clear statement: "I revoke all prior authorizations for the release of my medical records to [company name], effective immediately"
- Your signature and the date
Send it certified mail. Keep copies. The revocation cannot undo records already sent, but it prevents further disclosure.
- Request an accounting of disclosures from your providers.
Under HIPAA, you can ask each healthcare provider to tell you who has received your records in the past six years. This is called an "accounting of disclosures." The provider must respond within 60 days.
This tells you whether the administrator has already obtained records you did not want shared. If they did, you now have documentation of what was disclosed and to whom.
- Document everything.
Keep copies of every form, letter, and communication related to your leave request. Write down dates and times of phone calls, the name of the person you spoke with, and what was said. Save emails. Screenshot online portals.
If the administrator contacts your provider without your knowledge or authorization, that is potentially a HIPAA violation. Document it thoroughly. You may need this evidence later.
- File complaints if your rights are violated.
If an administrator or employer crosses the line, you have multiple complaint options:
- HIPAA violations: File with the HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint
- FMLA violations: File with the DOL Wage and Hour Division at webapps.dol.gov/contactwhd
- State privacy violations: Check your state's attorney general website for health privacy complaint procedures. Many states have privacy laws that are stronger than HIPAA.
You do not need an attorney to file any of these complaints. The federal complaint forms are free and can be submitted online.
The Law on Your Side
Multiple federal laws restrict what your employer and their administrators can request, access, and do with your medical information. Here is a summary of each.
FMLA Regulations
29 CFR § 825.306 and 29 CFR § 825.307 limit what employers can require for medical certification. The regulation states that an employer may request a medical certification from a healthcare provider. It does not authorize the employer to demand the underlying medical records, treatment notes, or full patient file. The certification form itself is the required documentation.
If the employer has reason to doubt the certification, it may request a second opinion from a provider of its choosing (29 CFR § 825.307(b)). If the first and second opinions conflict, the employer may request a third opinion from a provider agreed upon by both parties. But even in this process, the employer is seeking a medical opinion, not unrestricted access to your records.
HIPAA
45 CFR § 164.508 requires specific, informed authorization for any release of protected health information. An authorization must describe the information to be disclosed, identify who will receive it, state the purpose, include an expiration date, and inform the individual of their right to revoke. Authorizations must be voluntary. Authorization cannot be made a condition of employment, treatment, or eligibility for benefits (with narrow exceptions for research and underwriting).
Psychotherapy notes receive extra protection. A general medical records authorization does not cover psychotherapy notes. A separate, specific authorization is required for their release (45 CFR § 164.508(a)(2)).
ADA
The Americans with Disabilities Act limits medical inquiries by employers. An employer may require medical documentation to support a reasonable accommodation request, but the inquiry must be job-related and consistent with business necessity (42 U.S.C. § 12112(d)). Blanket requests for full medical histories are difficult to justify under this standard.
The ADA also requires employers to keep medical information in separate, confidential files, apart from regular personnel records. Supervisors may be told only what they need to know about work restrictions or accommodations, not the underlying diagnosis.
GINA (Genetic Information Nondiscrimination Act)
GINA prohibits employers from requesting, requiring, or purchasing genetic information about employees or their family members. Genetic information includes family medical history. If your childhood trauma records contain information about a parent's psychiatric conditions, substance use disorders, or other family health history, GINA provides an additional layer of protection against employers accessing that information.
State Laws
Many states have health privacy protections that go beyond HIPAA. California's Confidentiality of Medical Information Act (CMIA) provides a private right of action for unauthorized disclosures. New York has specific protections for mental health records. Illinois BIPA protects biometric data. Several other states have enacted their own health data privacy statutes in recent years.
If you believe your records were shared without proper authorization, check your state's specific laws in addition to filing a federal HIPAA complaint. State laws sometimes provide stronger remedies, including the ability to sue for damages.
The Bottom Line
You have the right to keep your private history private. The FMLA certification process requires a two-page form, not your life story. If a third-party administrator asks for more, you can say no.
Talk to your provider before filing. Fill out the WH-380 carefully. Do not sign broad authorizations. If you already did, revoke them. Document everything. And if your rights are violated, file a complaint.
You survived something that should never have happened. You should not have to hand the details of that experience to a claims processor at a company you have never heard of, just to take medical leave from work.
