It is confidential, and disclosure by the employer may violate state laws, but the HIPAA privacy rule does
not apply to an employer, even for records related to an FMLA claim. The HIPAA privacy rule applies to the health care provider and the group health plan administrator (the insurance company) as covered entities, but not to the employer.
The information is confidential and it should nevertheless be stored separately in a confidential file for the employee.
It should be physically secured and not scanned into a digital representation.
Just because the employer is not covered by HIPAA does not mean there is no liability, or that the employee won't sue them over damages resulting from negligent treatment of confidential records.
That is not entirely correct. Technically, as a "business associate" of the health plan (assuming that the health plan is through the employer), they have the same obligations as the health plan administrator itself when obtaining information for an FMLA claim, and the information must be obtained through a health care provider acting on behalf of the employer. This is a reason why many large employers (like the one I worked for) have occupational nurses on staff to act in this capacity.