Privacy & Information Security Law Blog

As reported in the Hunton Employment & Labor Perspectives Blog:

The EEOC recently released an informal discussion letter suggesting that employers may be obligated to do more than just maintain a separate file for employee medical records, especially when those records are in an electronic format. Both the Americans with Disabilities Act of 1990 (“ADA”), as amended, and the Genetic Information Non-Discrimination Act of 2008 (“GINA”) require employers to maintain a confidential medical record, which is separate from the employee’s other personnel file(s), for information about the employee’s medical conditions, medical history or “genetic information.” The statutes do not, however, specify how such records are to be maintained or what level of security must be in place to protect the confidentiality of medical or genetic information.

In its letter, the EEOC makes a distinction between “personal” and “occupational” health information. According to the EEOC, personal health information is “information obtained in the course of diagnosis or treatment,” while occupational health information “concern[s] an employee’s ability to work.” While both the ADA and GINA sharply limit employers’ right to access personal health information, employers who lawfully utilize post-offer questionnaires or medical examinations will likely obtain personal health information in the normal course of business.  Similarly, health care facilities or other employers who provide on-site medical services might have access to both personal and occupational health information.

As the EEOC points out, the ADA and GINA authorize employers to use or disclose an employee’s confidential medical or genetic information only in limited circumstances. Those limited exceptions do not include the provision of occupational health information to healthcare workers providing non-job related medical services. Similarly, while supervisors and managers are permitted to access information regarding an employee’s work restrictions or necessary accommodations, they do not have the right to access other medical information.

Given the dichotomy between personal and occupational health information and the attendant restrictions on who can access what information, the EEOC suggests that maintaining both types of information in a single medical record “presents a real possibility” that employers are violating the ADA or GINA. According to the EEOC, employers who maintain medical records in an electronic format that allows individuals with access to the records to view all the information contained in the record are even more likely to be in violation of the ADA, GINA, or both.

The EEOC’s letter raises two issues for employers in possession of both occupational and personal health information. First, the EEOC’s letter suggests that employers need to distinguish between occupational or personal health information. Making this distinction is not always easy.  Second, once the employer determines what information is occupational and what information is personal, the employer has to determine whether it has appropriate safeguards in place to prevent unauthorized access to or disclosure of either category of information. For paper files, this might mean maintaining separate folders in separate locations. For electronic medical records, an employer may need to erect an electronic “wall” so that the users of the system only have access to the relevant and appropriate information.

The EEOC’s letter increases the costs and complexity of maintaining confidential employee medical records. Instead of a simple partition between medical and non-medical records, employers may now have to consider establishing additional privacy protections for different types of medical information.