Under the Americans with Disabilities Act ("ADA"), employee medical information must be kept confidential and stored separately from personnel files. This separate medical file should be kept in a locked cabinet or other secured container and be accessible only to a human resources professional or a municipal manager. Although supervisors may be told medical information about an employee when it relates to the job, to accommodations, or to work restrictions, supervisors should not be given copies of medical records. Records stored electronically, such as .pdf files, are subject to the same rule: they must be accessible only to a human resources professional or municipal manager. Employers can be sued under the ADA for failing to follow these confidentiality rules.
The importance of these rules was recently emphasized by an administrative ruling of the EEOC. In a 2015 decision involving a postal worker, the EEOC held that a supervisor violated the confidentiality rules by maintaining a duplicate, unofficial medical file on an employee. Complainant v. Postmaster General, United States Postal Service, EEOC Appeal No. 0120112516 (April 3, 2015). This is an important reminder that medical information should never be kept in a supervisor’s desk or maintained by a mid-level supervisor. Supervisors are given medical information on a need-to-know basis. They do not need the actual records or documents; they need only an understanding of the medical condition as it relates to the performance of a subordinate’s duties. In this case, the supervisor took a duplicate copy of the employee’s medical records home with him, which could not be justified by any legitimate business concern.
The EEOC also recently issued a proposed rule on employee wellness programs that addresses confidentiality. In April 2015, the EEOC issued a proposed rule generally approving the use of health risk assessments and biometric screening in the workplace, finding them to be "voluntary" if the reward does not exceed thirty percent of the cost of employee-only coverage and certain other requirements are satisfied. In the same proposed rule, the EEOC also set forth best practices for the storage of employee medical information.
Under these best practices, the EEOC advises the following: (1) employers should ensure that employees who handle medical information know their obligations under the law and are informed that any disclosure or dissemination of confidential medical information is prohibited and will result in discipline; (2) employers should adopt privacy policies for the collection and handling of employee medical information, if they have not already done so; (3) if medical information is stored electronically, it should be encrypted, and other security measures such as password protection and firewalls should be implemented; (4) if possible, employees who handle medical information should not be "making decisions related to employment, such as hiring, termination, or discipline," and if that separation is not possible, the employer should ensure that no decision is based on the employee’s disability; and (5) breaches of confidentiality should be promptly and effectively addressed.
These best practices do not represent a change in the law. Rather, they are a statement of best practices for complying with the confidentiality mandates that already apply to medical records. Employers that adopt them reduce their risk of being held financially liable for a confidentiality breach.