Do HIPAA privacy laws protect workers’ health information in the workplace?

The simple answer is no. HIPAA is one of the most misunderstood laws. Everyone is used to signing HIPAA privacy documents at the doctor’s office, and a misunderstanding seems to have developed that ALL health information is protected by HIPAA privacy laws. HIPAA only applies to what are known as “covered entities.” These entities include hospitals, doctors’ offices, and health plans, but HIPAA specifically excludes medical information held by employers in the context of an employment relationship (e.g., doctor’s excuses, FMLA paperwork, or the like). So, if your employee says they will sue you for HIPAA violations, they don’t understand the law.

That does not mean that employers should feel free to handle employee health information carelessly. The Americans with Disabilities Act (ADA) does mandate that employee health information be kept private and confidential. The ADA further establishes that such information should not be kept in the employee’s personnel file. Best practices mandate that all such information be kept under “lock and key” and be available only to those individuals within the employer who have a legitimate need to know. Also, keep in mind that employer health plans are covered by HIPAA, so employers should generally not try to obtain specific employee health information from any such plan.