Employee medical records represent some of the most sensitive and legally protected documents that any organization maintains. For HR departments and employers across New York City, properly handling these records—from creation through final destruction—is a multi-law compliance obligation. The Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), and HIPAA each impose specific requirements on how employers must store, protect, and ultimately dispose of employee health-related information. Employee medical record shredding under ADA and FMLA requirements is not just a matter of good HR practice—it is a federally mandated obligation with significant enforcement consequences for non-compliant organizations.
Understanding the interplay between these three federal frameworks—and how New York State’s additional employment laws layer on top—is essential for any NYC employer with more than a handful of employees. Whether you manage HR for a 20-person financial services firm in Midtown or a 300-person healthcare organization in Queens, your obligations regarding employee medical records are clear, specific, and non-negotiable. This guide provides practical guidance on what the law requires and how to build a compliant employee medical record disposal program.

ADA Requirements: Confidentiality and Disposal of Employee Medical Information
The Americans with Disabilities Act imposes strict confidentiality requirements on medical information collected from employees or job applicants. Under the ADA, any medical information obtained during the employment process—through medical examinations, voluntary disclosures, or accommodation request processes—must be kept in separate, confidential files, apart from general personnel records. This physical separation requirement extends through the entire life of the record, including at the point of disposal.
The ADA’s confidentiality provisions apply to a broad range of employment-related medical information:
- Results of post-offer, pre-employment medical examinations
- Documentation supporting requests for reasonable accommodations
- Medical certifications related to leave requests or restrictions
- Workers’ compensation claims and related medical documentation
- Information about an employee’s medical condition shared voluntarily or in response to employer inquiry

When these records are no longer needed—after the retention period has expired—they must be disposed of in a manner that protects their confidentiality. Simply placing ADA-related medical files in a recycling bin violates the law’s confidentiality mandate. Certified shredding is the appropriate disposal method. For more on ADA-compliant record management, visit our compliance resources.

FMLA Documentation: What HR Must Keep, and How Long
The Family and Medical Leave Act creates its own set of record-keeping and confidentiality obligations for covered employers. Employers with 50 or more employees must retain FMLA-related records for at least three years. However, because FMLA leave often involves medical certifications that contain protected health information, these records must be maintained separately from general personnel files—in the same confidential files as ADA medical records.
FMLA records that require secure retention and eventual certified disposal include:
- Employee leave request forms and approvals
- Medical certifications from healthcare providers
- Recertification requests and responses
- Notices of designation and employee notification letters
- Records of leave taken, including dates and hours if intermittent leave was used

After the three-year retention period expires—or longer if litigation hold obligations exist—these documents must be destroyed through certified shredding. An HR department that simply throws FMLA medical certifications in the trash is creating significant legal exposure for the organization. Our scheduled shredding service provides a simple, reliable way to handle routine disposal of expired FMLA and ADA records on a predictable schedule.

HIPAA and Employee Health Records: When the Privacy Rule Applies to Employers
The relationship between HIPAA and employer-maintained employee health records is frequently misunderstood. HIPAA’s Privacy Rule primarily governs covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. Most employers are not HIPAA-covered entities simply by virtue of employing people. However, employers that self-fund their health plans, or that operate an employee health clinic, may be acting as a covered entity for HIPAA purposes with respect to those specific functions.
Even when an employer is not technically a HIPAA-covered entity, ADA and FMLA confidentiality requirements effectively impose similar standards for employee medical records. And for NYC employers in the healthcare industry, the overlap between employer-as-entity and covered entity functions requires particular care. Key HIPAA disposal requirements for applicable employers include:
- Protected health information must be rendered effectively unreadable, indecipherable, and otherwise incapable of being reconstructed
- Paper PHI must be shredded or burned—basic recycling is not sufficient
- Business Associate Agreements must be in place with any shredding vendor handling PHI
- Certificates of Destruction must be retained as proof of compliant disposal

How Long Must Employers Retain Employee Medical Records?
Before any document can be destroyed, it must have reached the end of its required retention period. For employee medical records, retention requirements vary by law and by the type of record involved. NYC employers must navigate multiple, overlapping retention schedules to ensure they neither destroy records prematurely nor retain them longer than required, since over-retention creates unnecessary liability exposure.
- ADA Medical Records: The EEOC recommends retaining any records relating to an ADA accommodation request or medical examination for the duration of employment plus one year. If the employee files a charge, the records must be retained until final disposition of the charge or lawsuit.
- FMLA Records: Federal regulations require a minimum three-year retention period for FMLA documentation.
- OSHA Medical Records: If medical records are required under OSHA standards (e.g., exposure records), they must be retained for 30 years after termination of employment.
- New York State Workers’ Compensation Records: Employers must retain workers’ compensation records for 18 years from the date of injury.
- General Employee Health Records: New York State Department of Labor recommends retaining personnel records (which may include health-related information) for at least six years.

Building an Employee Medical Record Disposal Program for NYC Businesses
Given the complexity of retention and disposal obligations for employee medical records, NYC employers benefit from a systematic, documented program rather than ad hoc decisions about when and how to destroy individual files. A strong employee medical record disposal program includes clear policies, staff training, secure interim storage, and a certified shredding partner. Contact New York Shredding to discuss how we can help you design a program that meets all applicable requirements.
Key elements of an effective program include:
- A written retention schedule that specifies holding periods for each category of employee health record
- Separate, locked storage for employee medical records, physically separated from general HR files
- Annual or semi-annual review of records eligible for disposal based on the retention schedule
- Locked shredding consoles in HR areas for routine secure disposal of minor health-related documents
- Scheduled or purge shredding services for bulk disposal of eligible records
- Certificate of Destruction retained as proof of compliance for each shredding event

Why New York Businesses Choose New York Shredding
For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.
Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.
Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.

