Safeguarding Employee Medical Information in the Workplace

May 2, 2025

Understand how to handle employee medical information through four federal laws that protect their privacy and ensure compliance.

Confidentiality is a critical responsibility for employers, especially when it involves sensitive employee matters. Among the most vulnerable discussions between HR staff and employees are those concerning medical information. With various federal and state laws designed to protect both employees and employers, adhering to best practices is key to ensuring compliance and maintaining trust.

Employers may access employee medical information for several purposes, including to verify requests for reasonable accommodation, certify leave, or confirm eligibility for disability benefits.

Several laws mandate that such information is kept confidential. These laws include:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Americans with Disabilities Act (ADA)
  • The Family and Medical Leave Act (FMLA)
  • The Genetic Information Nondiscrimination Act of 2008 (GINA)

Employers should always keep their employees’ medical information confidential, regardless of how it is obtained or why it was disclosed.

To comply with the many laws and regulations that require confidentiality, employers should adopt the following best practices:

  • Create clear policies for collecting, storing, accessing, and using employees’ medical information.
  • Store medical records separately from other employment records.
  • Utilize locked cabinets for physical files and secure storage for digital information.
  • Limit access to only authorized personnel, such as HR staff.
  • Train employees handling medical information on confidentiality rules, including when disclosure is allowed.
  • Promptly respond to any suspected breaches of confidentiality.

Staying up to date on federal regulations regarding medical information is essential to ensure compliance and protect employee confidentiality. With laws and guidelines frequently evolving, organizations must regularly review their policies and practices to align with current standards. Proactively adapting to these changes demonstrates a commitment to maintaining a secure and compliant workplace.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law protecting the privacy and security of Personal Health Information (PHI).

  • The Privacy Rule sets national standards for how PHI can be used or shared and gives individuals rights over their PHI.
  • The Security Rule establishes standards to protect electronic PHI.

These rules apply to covered entities, including most health care providers, health insurers, self-insured health plans, and business associates handling PHI for those that are covered.

Employers with self-insured health plans may have access to PHI from third-party administrators for tasks like claims review. In such instances, they are required to comply with specific HIPAA regulations. This includes implementing robust safeguards to protect PHI and training employees on privacy and security protocols. Additionally, PHI must not be used for employment decisions or in relation to other benefit plans.

Employers that offer a fully insured health plan are considered covered entities only if they actually receive PHI. This includes cases where an employer receives employee health information in connection with a group health plan, but not where the employer handles employment-related tasks such as managing leave or providing accommodations for a disability. HIPAA also does not apply to employment records held by employers, even if those records include medical details, nor to health information disclosed to the employer directly by an employee or job applicant. Such records may still be considered confidential information and therefore still need to be protected under the ADA, FMLA, or GINA, and potentially other laws.

The Americans with Disabilities Act (ADA) prohibits employers with 15 or more employees from discriminating against individuals with disabilities in recruitment, hiring, compensation, firing, training, leave, and benefits.

Medical information obtained by employers as allowed by the ADA must be treated as confidential, even if it does not contain a medical diagnosis, treatment plan, or input from a health professional. Health information from voluntary wellness programs should also remain confidential. Additionally, employees cannot be required to agree to the disclosure of their health information to join a wellness program or receive incentives.  

If a situation arises where employers need to share confidential medical information, they can only do so in limited circumstances:

  • To supervisors and managers when they need medical information to offer a reasonable accommodation or meet work restrictions;
  • To first aid and safety personnel if an employee needs emergency treatment or assistance due to a medical condition;
  • To individuals investigating compliance with the ADA and similar state and local laws; and
  • As required by workers’ compensation laws or for insurance purposes (e.g., to a state workers’ compensation office to evaluate a claim).

The Family and Medical Leave Act (FMLA) provides eligible employees of covered employers with unpaid, job-protected leave for specific family and medical reasons.

When employees take leave for their own or a family member’s serious health condition, the employer may request a certification from a health care provider. Employers can also require a fitness-for-duty certification before employees return to work.

Regarding confidentiality under the FMLA, all records related to medical certifications, recertifications, or medical histories must be kept confidential. Employers can meet this obligation by following the confidentiality rules of the ADA and GINA, where applicable. However, supervisors, first aid and safety personnel, and government officials can be given relevant information upon request.

The Genetic Information Nondiscrimination Act (GINA) applies to companies with 15 or more employees and prohibits employers from using genetic information in employment decisions. It also restricts employers from requesting, requiring, or purchasing such information and enforces strict confidentiality provisions.

Genetic information encompasses details about an individual’s genetic tests as well as the tests of their family members. It can also include information regarding the presence of diseases or disorders in a family, often referred to as family medical history.

There are six circumstances under which an employer may request, require, or purchase genetic information:

  1. When information is acquired unintentionally, such as when a manager overhears someone discussing a family member’s illness;
  2. As part of a voluntary health or genetic service, such as a wellness program provided by the employer;
  3. As family medical history to meet FMLA, state or local leave laws, or employer leave policy requirements;
  4. From commercially and publicly available sources, including newspapers, books, magazines, and electronic sources such as public websites;
  5. As part of genetic monitoring required by law or offered voluntarily; and
  6. By employers conducting DNA testing for law enforcement or human remains identification.

With limited exceptions, employers are required to keep genetic information confidential, store it separately from other personnel information, and handle it in compliance with the ADA. Additionally, employers who request health information for ADA accommodations or FMLA leave should inform employees in advance not to include genetic information in their responses.

Protecting employee medical information is not only a legal requirement but also an essential component of building trust and safeguarding privacy in the workplace. As laws and guidelines continue to evolve, organizations must routinely review and update their policies to meet current standards under both federal and state laws. For guidance on best practices, reach out to a trusted advisor.

This content is not intended to serve as legal advice for individual fact-specific legal cases or as a legal basis for your employment practices.

About The Author

Erin Tucker

As President of Employee Benefits, Erin has more than eight years of experience in employee benefits. Erin aids and supports account executives and producers in client retention, growth and relationship development. She maintains relationships with carrier and vendor partners while developing internal processes within the service team. Erin promotes growth to our internal team through facilitating educational opportunities and creating strong communication between the service team and sales team.
