
SHHHH! It’s a Secret.

March 5, 2015 (updated April 8, 2019) | Human Resources

by Renee Mielnicki, Esq.
Lately, I have engaged in several discussions with clients concerning an employer’s obligation to maintain confidentiality with regard to medical information and records. Employers may house many different types of medical records, including those related to pre-employment medical exams, post-employment medical exams, drug tests, workers’ compensation claims, leaves of absence under the Family and Medical Leave Act, or health care claims under a self-funded health plan the employer provides. One or more laws will impose upon employers a duty to store these types of medical records securely and to maintain their confidentiality by restricting access to only certain individuals.

The Americans with Disabilities Act (“ADA”) is a federal law that applies to any employer with 15 or more employees. This law imposes a duty of confidentiality upon every covered employer that receives medical information pertaining to applicants and employees: the employer must not only store that information securely in a location separate from all other personnel information, but must also maintain confidentiality by limiting its disclosure to those individuals who actually have a legitimate business need to see it. For all practical purposes, those who “need to know” about medical information will almost always be only those directly involved in a decision related to the medical record and/or the employee(s) responsible for storing the information, such as a Human Resources professional. There are, however, a few limited exceptions under which medical information can be shared under the ADA:

1. Supervisors and managers may be told about necessary restrictions on the work or duties of the employee and about necessary accommodations (however, disclosure should be limited to the actual restriction or accommodation and not include any diagnoses or treatment details);

2. First aid and safety personnel may be told, when appropriate, if the disability might require emergency treatment;

3. Government officials investigating compliance with the ADA must be given relevant information on request;

4. Employers may give information to state workers’ compensation offices, state second injury funds, and workers’ compensation insurance carriers in accordance with state workers’ compensation laws; and

5. Employers may use the information for insurance purposes (such as processing a claim).

As you may know, the ADA generally applies to applicants and employees who are defined as disabled under this law. However, most courts, as well as the EEOC, have held that the ADA’s confidentiality provisions pertaining to medical records apply to those who are disabled and to those who are not. This view therefore obligates employers to maintain medical records pertaining to all employees, whether disabled or not, according to the provisions of the Act. In practice, medical records pertaining to pre-hire and post-hire medical exams, including drug tests, should only be shared with those directly involved in making hiring decisions, reasonable accommodation decisions, return-to-work decisions, or any other decision directly related to the reason the medical information was obtained. Please note, however, that in most states drug test results are not considered confidential in unemployment compensation claim proceedings if the employee was terminated for violating the employer’s drug and alcohol policy.

The Family and Medical Leave Act (“FMLA”), a federal law that applies to employers with 50 or more employees, has its own confidentiality provisions separate and apart from the ADA. The FMLA grants eligible employees an unpaid leave of absence of up to 12 weeks (or, in certain circumstances, 26 weeks) in a 12-month period for certain qualifying events. In order to process a request for leave under the FMLA, employers usually must request and obtain medical information. The FMLA obligates the employer to store this information separate and apart from all other personnel information and to maintain its confidentiality. The FMLA does allow medical information obtained under it to be stored together with the other medical information protected by the ADA. In addition to the ADA, medical information obtained pursuant to the FMLA may also be restricted by the Genetic Information Nondiscrimination Act (“GINA”) if it contains family medical history or genetic information. In practice, FMLA medical information should only be shared with those involved in deciding whether an FMLA request will be approved and in any related decision, such as whether a recertification from a health care provider is needed or how the return-to-work process is handled.

The Health Insurance Portability and Accountability Act (“HIPAA”) applies to health plans, health care providers, and health care clearinghouses. An employer that provides a self-funded health plan is, as the plan sponsor, subject to HIPAA and must comply with all of its provisions with respect to the plan’s health information. Employers with self-funded health plans may have, or have access to, a wider and more detailed array of medical information than employers without a self-funded health plan. All covered employers must ensure strict compliance with HIPAA rules, including confidentiality, or they may face penalties ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year.

As for workers’ compensation records, HIPAA’s Privacy Rule does not apply unless the employer is a covered entity (i.e., has a self-funded health plan). However, the Equal Employment Opportunity Commission (“EEOC”) has issued guidance stating that the ADA’s confidentiality provisions do apply to workers’ compensation records. Therefore, employers with 15 or more employees are still obligated by law to store these records separate from other personnel records and to restrict access to those who have a need to know the information. The two exceptions that may apply are: (1) giving information to state workers’ compensation offices, state second injury funds, and workers’ compensation insurance carriers in accordance with state workers’ compensation laws; or (2) using the information to process a claim.

I have had a few employers ask me, “What happens if I breach these confidentiality rules pertaining to my employees’ medical records?” That’s a fair question. For any record covered by the ADA, which will be almost all medical records where the employer has 15 or more employees, the employee can bring a lawsuit against the employer, but will generally succeed only if he or she can show that some injury in fact occurred as a result of the breach of confidentiality. One example might be where a former employee (and yes, the duty of confidentiality under the ADA still applies post-employment) applies for a new job and a supervisor tells the prospective employer about the former employee’s medical condition. If that results in the former employee not getting the job, he or she may succeed. Another example might be where the employee is discriminated or retaliated against based upon medical information received by someone who had no need to know it. If the employee can show that the employer somehow harmed him or her as a result of the breach, the employee may succeed in a lawsuit against the employer.

While the absence of an injury in fact may be a defense to a breach of confidentiality lawsuit, I still recommend that employers always maintain confidentiality according to the law so that they never have to defend such a lawsuit in the first place. Defending a lawsuit can be very expensive. Winning the case would be nice if you are sued, but in my opinion the cost of getting there would far outweigh the joy of the win. Therefore, it is always best to ensure compliance on an ongoing basis.

As for HIPAA, as stated above, that statute provides for penalties over and above anything that could be awarded under the ADA if an employee were successful.

If you have any questions about confidentiality issues, please send an email to so we can help!

Disclaimer: The information provided on this web site is for informational purposes only and not for the purpose of providing legal advice. Use of and access to this web site does not create an attorney-client relationship between East Coast Risk Management or our employment attorney and the user or browser.