Make sure employee medical files meet privacy requirements
By: Michael Henckel
Publication: Benefits & Compensation Regulatory Alert
Date Posted: 02/27/2018
Contrary to popular belief, the most significant law for employers with regard to medical privacy is the Americans with Disabilities Act (ADA), not the Health Insurance Portability and Accountability Act (HIPAA). Employers, in their activities as employers (as opposed to health plan sponsors), are not covered by the HIPAA provisions. In their activities as plan sponsors, however, the HIPAA privacy rules require that protected health information be kept private and secure.
Under the ADA, any employment-related documentation containing medical information must be maintained in confidential files completely separate from the general personnel file. That way, medical information won’t be inadvertently shared with individuals who don’t have a legitimate business need to see it.
What constitutes medical information?
Medical information can be anything related to an employee’s medical condition. It might be the results from pre-employment physical exams, information the employee provides about medications or medical history, and even information obtained through a wellness program.
The ADA’s recordkeeping requirements also overlap with other laws. For instance, records such as medical certifications, recertifications, or medical histories under the Family and Medical Leave Act (FMLA) qualify as medical information under the ADA. Occupational exposure records under the Occupational Safety and Health Act (OSHA) also qualify as medical information under the ADA.
How many separate files?
While medical information under the ADA needs to be kept separate from general personnel files, employers are allowed to combine all medical information in a single medical file for each employee. For example, it is not necessary to have separate medical files for ADA, OSHA, and FMLA information.
Paper or electronic?
When medical files are stored in file cabinets, the cabinets must be locked, or kept in a locked room. Individuals with access to these files should be limited to those with a distinct business need.
An employer also has the option to maintain employee medical information electronically. Even though the ADA does not specifically address electronic security, the Equal Employment Opportunity Commission (which enforces the ADA) also expects confidentiality for electronic medical files.
There will be times when employers need to share information from employee medical files. Under the ADA, disclosure of employee medical information is limited to the following:
- Supervisors and managers may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations (but they may not need to know the underlying condition that brought about the need for the accommodation).
- First aid and safety personnel may be informed (when appropriate) if an employee’s condition might require emergency treatment.
- Government officials investigating compliance must be provided relevant information upon request.
- Workers’ compensation insurance carriers may receive information in compliance with state workers’ compensation provisions.
Nonsupervisory employees will almost never have a need to be informed of other employees’ medical information.
Employers have an obligation to protect employees’ privacy by ensuring medical files are kept confidential, separate from the general personnel file, and in a secure location.
This article was featured in the Benefits & Compensation Regulatory Alert newsletter.