EEOC Issues Guidance on Medical Privacy


The Equal Employment Opportunity Commission (EEOC) has released an informal discussion letter suggesting that employers may be obligated to do more than just maintain a separate file for employee medical records, especially when those records are in an electronic format. Both the Americans with Disabilities Act of 1990 (ADA), as amended, and the Genetic Information Non-Discrimination Act of 2008 (GINA) require employers to maintain a confidential medical record, which is separate from the employee’s other personnel file(s), for information about the employee’s medical conditions, medical history or “genetic information.” The statutes do not, however, specify how such records are to be maintained or what level of security must be in place to protect the confidentiality of medical or genetic information.

In its letter, the EEOC makes a distinction between “personal” and “occupational” health information. According to the EEOC, personal health information is “information obtained in the course of diagnosis or treatment,” while occupational health information “concern[s] an employee’s ability to work.”

The EEOC’s letter raises two issues for employers in possession of both occupational and personal health information. First, the EEOC’s letter suggests that employers need to distinguish between occupational and personal health information. Second, once the employer determines what information is occupational and what information is personal, the employer has to determine whether it has appropriate safeguards in place to prevent unauthorized access to or disclosure of either category of information. For paper files, this might mean maintaining separate folders in separate locations. For electronic medical records, an employer may need to erect an electronic “wall” so that the users of the system have access only to the relevant and appropriate information.

For a copy of the EEOC letter, click here.