An Employer's Legal Compliance Guide to Handling Employee Medical Information


Employers' access to, and retention of, employee medical information can be fraught with legal risk. Even the most seasoned HR professionals have trouble navigating the complex rules and regulations governing employee medical data and records, including restrictions on what medical information may be collected from employees, when it can be collected, and when it can be disclosed. This article highlights some of the key legal issues and best practices for employers developing policies and protocols governing employee medical information and documents.

Legal Requirements under the ADA and Similar Laws

There are myriad federal, state, and local laws that govern what employee medical information may be collected by employers, when an employer can request employee medical information, how such information may be requested, how it must be stored, and how long the records must be retained.

For example, the Americans with Disabilities Act (ADA) imposes restrictions on when and how employers can request and collect medical information, both before and after employment commences. The limits differ based on whether the individual is a job applicant, has received a conditional offer, or has begun their employment. Employers may ask job applicants about their ability to perform specific job functions, but generally should not ask questions about an applicant's medical condition, or the existence, nature, or severity of a disability.

After a conditional offer has been extended, and subject to certain limitations, an employer may require the candidate to undergo an examination to determine fitness for duty, but only if the employer requires such examinations for all candidates applying for the same position or job category. Failure to comply with these rules may expose an employer to potential risk of liability under disability discrimination claims.

Once employment has commenced, an employer can generally make medical inquiries or require examinations only when they are job-related and consistent with business necessity (e.g., before return to work from certain medical leaves). Of course, what is "job-related" and "consistent with business necessity" will largely depend on the circumstances. For instance, an employer may request relevant medical information and supporting documentation as part of the interactive process when presented with an employee's request for a reasonable accommodation to assist the employee in performing their job duties.

Complying with FMLA and Other Medical Leave Laws

Besides the ADA, employers must also comply with various other laws that place additional or different restrictions on employer access to and maintenance of employee medical information. Under the Family and Medical Leave Act (FMLA), employees may request to take leave for their own or a family member's "serious health condition," among other reasons. Employers are permitted to make relevant, job-related inquiries about the "serious health condition" and require the employee to submit a medical certification filled out by a healthcare provider in support of the FMLA leave request. However, employers must be careful not to run afoul of the FMLA's retaliation and anti-interference provisions by requesting more information or documentation than permitted by the FMLA regulations. Fortunately, the Department of Labor has created FMLA-compliant forms to assist employers, employees, and healthcare providers in submitting medical information in support of FMLA leave requests for covered serious health conditions.

Employers must also comply with applicable state and local laws. For example, state and local paid sick leave laws increasingly prohibit or severely restrict employers from requesting documentation substantiating an employee's reason for taking paid sick leave. Some jurisdictions have also enacted their own versions of the FMLA and other medical leave laws.

Medical Recordkeeping and Privacy Obligations

Once medical information is obtained, employers must also be sure to comply with laws governing how such information must be maintained, protected, and retained. Under the ADA, employers are generally prohibited from disclosing an employee's medical information, except to:

  • Supervisors and managers who need to know the necessary restrictions on the employee's duties and the necessary accommodations
  • First aid and safety personnel who need to be informed should emergency treatment of the employee become necessary
  • Government officials who need the information to investigate compliance with applicable obligations, and others as required by law

Employee medical records and information must generally be maintained on forms and in files separate from the applicant's and employee's personnel file, and access to such information should be solely on an as-needed basis. Medical records may also be subject to additional or more onerous federal and state record retention requirements. For example, some state workers' compensation laws require employers to maintain employees' medical information for substantially longer than required by most employers' standard document retention policies.

Does HIPAA Apply to Employers?

On the other hand, there are some requirements that many employers think apply, but often do not. For example, the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) does not apply to employers simply because they have employee medical information.

The rule applies to "covered entities" and "business associates." Covered entities include healthcare providers, health plans (like company health plans), and healthcare clearinghouses (processors of nonstandard health information). Business associates perform functions or activities that involve the use or disclosure of protected health information on behalf of, or in connection with services provided to, a covered entity. Confusion can arise if an employer, in the conduct of its business, fits within the definition of a "covered entity" or "business associate." But the fact that an employer fits within this definition does not mean that it must comply with the HIPAA Privacy Rule with respect to its own employees' information. In most circumstances, if the employer received employee health information by virtue of its role as the employer, HIPAA concerns are not triggered.

Best Practices for Handling Employee Medical Information

Some best practices for handling employee medical information include:

  • Avoid inquiring about a candidate's medical or health information during the job application and interview process. Employers may generally inquire whether an applicant can perform the duties of the job, with or without reasonable accommodation
  • Request and collect employee medical information only when necessary for a legitimate business purpose and when such information is related to the employee's particular job functions
  • Limit requests for supporting documentation for an employee's medical leave or reasonable accommodation to pertinent, job-related information. Use government-issued forms, such as FMLA forms, when possible
  • Be careful to not disclose employee medical information to third parties or other employees, except as permitted by law
  • Maintain employee medical records separate from other personnel files and limit access to persons who have a legitimate business purpose or need
  • Check applicable recordkeeping and reporting laws that may apply to certain employee health information, including state workers' compensation laws and Occupational Safety and Health Administration (OSHA) recordkeeping rules and their state counterparts
  • Implement clear written policies and procedures governing access to, maintenance of, and retention of employee medical records. Review applicable federal, state, and local records privacy and record retention laws to ensure compliance

As is the case in many areas of employment, an ounce of prevention is worth a pound of cure. It is critical that employers understand what requirements apply and develop clear and compliant procedures concerning applicant and employee medical information. Employers who have questions about how to develop or implement such procedures, or about any other issues raised in this article, may contact the authors or any other attorney in Venable's Labor and Employment Group.
