In the course of conducting business, employers may become privy to employee health information. There are also times when it may be appropriate for an employer to engage with employees in conversations, albeit in a limited capacity, about their health and medical information.

In these situations, preventing violations of medical privacy in the workplace is an important responsibility - both to maintain employees' trust and your company's reputation and to help your business minimize the risk of severe fines and penalties handed down by government agencies for noncompliance.

The following federal laws set minimum standards across all 50 states. Additional requirements may apply at the state or local level in the specific locations where your company operates.

Within your organization, knowledge of any employee's current disability or medical condition as well as any susceptibility or genetic predisposition toward any medical condition should be limited to:

  • Direct managers who need to know about these issues to accommodate needs, reassign workloads or otherwise make plans around an employee's extended absence
  • HR specialists or management personnel who may facilitate leaves
  • Any personnel responsible for ensuring organizational compliance with relevant laws

Remember: Any medical information in an employee's personnel file should be kept confidential, and steps should be taken to secure this information. Employers should create a separate file for employee medical information that includes but is not limited to:

  • Records related to medical leave
  • Reasonable accommodations
  • Workers' compensation claims

Americans with Disabilities Act (ADA)

Administered by the Equal Employment Opportunity Commission (EEOC), the ADA prohibits discrimination in the workplace against individuals with a qualifying medical condition or disability.

If an employee discloses to you that they have a certain condition or disability and expresses a need for a change or adjustment to their work, you're required to engage the employee in the ADA interactive process to identify a reasonable accommodation so that the employee can still perform the essential functions of their job - unless it creates an undue hardship or significant expense for the business. (The EEOC doesn't clearly define undue hardship or significant expense.)

Employers should periodically check in with employees to ensure that accommodations are still relevant and effective. The interactive process continues for as long as modifications are needed.

Genetic Information and Nondiscrimination Act (GINA)

Also administered by the EEOC, Title II of GINA protects employees who may have a family history of, or genetic predisposition for, certain medical conditions from discrimination in the workplace. If employers or supervisors somehow become aware that an employee could be more susceptible to a certain medical condition, they cannot base employment decisions (e.g., terminating an employee or denying them promotions) on this information.

Family Medical Leave Act (FMLA)

Administered by the U.S. Department of Labor, the FMLA mandates that covered employers offer employees up to 12 weeks of job-protected leave in certain situations, including:

  • The birth of a child
  • A health condition that prevents them from performing the essential functions of their job (e.g., undergoing major surgery or cancer treatment)

The leave can be taken continuously - all at once - or intermittently.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects the privacy of patients' medical information. According to this law, health care providers, medical facilities and other covered entities cannot share patients' medical information or records with third parties - including their employers - without patient consent. They must also meet national standards to prevent accidental disclosure of this information.

However, that's where HIPAA's relevance to the average, nonmedical workplace ends. HIPAA is targeted toward the medical industry, so employment records aren't covered by the law. HIPAA doesn't apply to information collected or used for administrative purposes in the workplace, such as a physician's note for sick leave or workers' compensation claims. However, some states do have laws requiring employers to take specific measures to protect and maintain the confidentiality of any health information they receive about employees.

Employers can ask employees for a doctor's note or other health information if they need the information for sick leave, workers' compensation or voluntary wellness programs. However, employers cannot ask health care providers directly for information about employees; the providers cannot give the information without the employee's authorization, unless other laws require them to do so.

Group health plans are covered by HIPAA, so if you offer your employees a group health plan you will need to evaluate whether HIPAA's protections extend to the data you use in administering your plan. For example, enrollment information will generally not be protected by HIPAA, but information you receive from a carrier (or directly from an employee) in connection with plan administration may be subject to HIPAA's protections. In addition, your plan will need to have a set of HIPAA policies and procedures, and employees will need to be provided with a notice explaining their rights under HIPAA.

When you can discuss medical issues with employees or request medical information

1. Coronavirus vaccination status

Whether companies can require employees to get the COVID-19 vaccine is a hot topic. (Spoiler: They can.) To that end, it's lawful and acceptable for you to ask an employee or job candidate at the time of hiring if they're vaccinated as long as you ask all employees or all applicants - and make it a condition for continued employment. This should always be a simple yes or no question. You may also need to make accommodations for employees or applicants with underlying medical conditions that make it unadvisable to get a vaccine or for an employee's sincerely held religious beliefs that prohibit vaccination.

2. ADA interactive process

When an employee approaches you about a medical condition or disability covered under the ADA, it's your legal obligation to discuss with the employee how your company can accommodate them and verify that they can still perform each core job function. But that's where your responsibility ends - you shouldn't ask about the nature of the disability itself.

3. Request for medical or disability leave

If an employee asks for a leave, you need to confirm the type of leave: medical, disability, personal or military. Once you've confirmed this, you can ask for:

  • Beginning date
  • Anticipated time away from the office or expected return date

For medical leaves, leave it to your HR team or leave administration group to contact the employee for details about the reason for the leave and to obtain a physician's note and other supporting documentation. If the employee's leave is related to a disability, leave it to your HR team or claims administrator to collect details and documentation from the employee. This provides some buffer between the manager and employee regarding sensitive health information.

Managers may reach out to the employee on leave at regular intervals to say hello, confirm any changes in status (without soliciting medical details) or ask about modifications to their return date. Once the employee is ready to return to the workplace, managers should have a plan in place to assist with the transition.

4. Extended sick leave

All employees take a day here and there when they're sick. When an employee calls in sick, don't ask why - let the employee share what they're comfortable with, enough to determine the reason for the call-in, and document accordingly.

However, if excessive absenteeism becomes a problem, or you notice patterns when a certain employee takes sick days, then you should ask the employee if everything's fine and whether you can help with an issue. If the employee responds that nothing's wrong and you have no reason to suspect they have a medical condition, then you've fulfilled your company's obligation to engage the employee in the ADA interactive process. And you can proceed with progressive discipline in handling absenteeism and potential abuse of sick time.

It's a best practice to have a sick leave policy that sets ground rules and explains how violations of the policy will be addressed. If the laws of the state where you operate permit, it's common practice to ask for a physician's note when an employee's sick time extends beyond three days. The purpose of a physician's note is not to solicit details of a medical condition or obtain a diagnosis. Instead, what you're looking for is simply a doctor's confirmation that the sick leave was valid and clearance from a medical professional for the employee to return to work.

5. Injuries on the job

If an employee is injured at your workplace, this will kick-start the workers' compensation process. Your responsibility is only to collect basic information - what happened, when, where and which activities preceded the event - for a form that you'll submit to the workers' compensation claims department. This information should be kept confidential and in a separate file.

6. Substance-abuse issues impacting the workplace

Undoubtedly, handling substance abuse in the workplace is a complex HR and legal issue. However, if you suspect that an employee is under the influence of drugs or alcohol at work, you may ask the employee about their behavior and, if necessary, mandate that the employee submit to a drug or alcohol test (if state laws allow it). Of course, these test results should remain confidential and should only be available to direct managers who need to know.

If an employee tests positive for drugs at the office, depending upon state law, employment may be terminated.

Should a current employee announce that they're in treatment for an addiction, the ADA requires you to engage in the interactive process to accommodate the employee during the process. If an employee discloses their treatment and pursues accommodations, focus on the accommodations in the workplace - not the reasons behind the substance abuse or how treatment is going. If the employee needs help or wants to talk to a mental-health professional, refer them to your company's employee assistance program.

It's recommended that you have a substance-abuse policy that aligns with ADA and Occupational Safety and Health Administration (OSHA) regulations, as well as a progressive discipline policy. These policies can help you in the event that the employee's behavior fails to improve.

7. Voluntary workplace health initiatives

Many employers offer wellness programs intended to enhance the health of their workforce, with the noble goals of increasing productivity, reducing absenteeism and lowering health-insurance premiums. With the caveat that employee participation in these programs must be 100% voluntary, employers can ask employees to share some personal metrics, such as blood pressure, body mass index or cholesterol levels.

However, be careful about storing and tracking employees' health information. If they're set up improperly or without the input of an attorney, these initiatives can violate employees' medical privacy in the workplace and risk triggering charges of discrimination.

8. Employer-mandated medical exams

Employers cannot require job candidates to undergo a medical exam before extending a job offer. However, companies can ask employees, once hired, to undergo a medical exam provided that it:

  • Applies to all employees (No one is being singled out on suspicion of having a medical issue or disability.)
  • Is necessary due to the nature of the job
  • Serves a legitimate business purpose

Results of medical exams should be kept confidential. Direct managers only need to know whether an employee met minimum standards - yes or no.

9. General check-ins

If you have good reason to be concerned about an employee's health and welfare in the moment, do what's appropriate to prevent a potential medical emergency. Keep your questions general and let the employee tell you as much information as they want to share. It's not about prying - it's about showing you care.

For example, as you walk around the office doing a daily check-in with employees, perhaps you notice an employee who seems visibly unwell - maybe they clutch at their chest, are hunched over in their seat, have their head down on their desk, cough excessively or exhibit breathing problems, or seem confused. Call that employee into your office for a private conversation, if they're able to move easily. Start with "I noticed X [whichever physical symptoms have drawn your attention]. Are you feeling OK?"

Depending on how the employee responds, ask what you can do to help. It could be as simple as releasing the employee to go home for the day to recover. Obviously, in more serious cases, calling 911 may be necessary.

What you cannot ask employees

  • Why they aren't vaccinated against COVID-19 (or any other vaccine-preventable illness)
  • Which medical conditions they've been diagnosed with
  • If they have a disability
  • Whether they're pregnant or plan to be pregnant
  • Details about physician visits
  • Information about medications the employee is taking
  • The nature of existing or chronic medical conditions, for example:
    • When it started (or how long it's been a concern)
    • Side effects of treatment
    • How long the condition is expected to last
  • Whether the employee has a family history of, or genetic predisposition for, certain medical conditions and related details

The few exceptions to prohibitions against companies asking employees about medical diagnoses or chronic conditions may include some patient-facing health care jobs in which patient safety could be compromised. When in doubt, consult with an attorney who specializes in this area.

5 steps to prevent issues with medical privacy in your workplace

1. Make sure all relevant company policies are updated, including those governing:
  • Anti-discrimination
  • Employee leave
  • Complaint resolution
  • Workplace accidents and injuries
  • Discipline
  • Privacy

These policies are important because they inform employees of their rights and what to expect, and educate managers on what to do in certain scenarios.

2. Solicit the advice of HR and legal professionals on adhering to best practices in maintaining medical information in employees' personnel files.

3. Provide each employee with a written job description that outlines core responsibilities or the essential functions of the job. This is helpful in the event that an employee is diagnosed with a long-term illness or becomes disabled.

  • If an employee has this job description from the outset and in advance of any future medical complications, it's a fair and objective means of determining whether the employee can still do the job and how accommodations can be made.
  • It provides a script for you to rely on during these discussions to avoid any probing questions that could violate medical privacy.

4. Train managers on what to ask - or not ask - in dealing with employees' medical privacy in the workplace, as well as how to maintain confidentiality with sensitive information in general.

5. Formalize an internal complaint process within your company. If employees feel their privacy has been violated, they should discuss issues with their manager or supervisor first, then go to HR. As an alternative, provide contact information for someone else they can reach out to if they are uncomfortable speaking with their direct manager.

Summing it all up

Violating employees' medical privacy in the workplace is a major concern for employers. Become familiar with the many laws at the federal, state and local level that govern this and that could impact your organization. Know the scenarios in which you can discuss medical issues with employees - and the questions and topics you should never ask. Have training, policies and procedures in place to prevent issues with violating medical privacy. When in doubt, consult with HR and legal specialists.





Insperity Inc. published this content on 21 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 21 September 2021 14:41:02 UTC.