Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

The confidentiality of medical records requirement under the Americans with Disability Act (ADA) is violated when an employer discloses a current or former employee's medical records in response to a state court subpoena absent the employee's release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney's demand letter or a subpoena and apply to the individual's medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as: 

• what kind of information in contained within the files being requested;
• what specific statutory or regulatory protections apply for some or all of the information being requested (see below);
• is a response appropriate without an authorization of the individual or giving an individual an opportunity to object;
• is a court order needed for some or all of the information being requested; and
• what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an
individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

• supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
• first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; 
• government officials investigating compliance with this part shall be provided relevant information on request;
• employers may disclose medical information to state workers' compensation offices, state second injury funds, workers' compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
• employers may use medical information for insurance purposes.

The EEOC found that the Postal Service's disclosure of Mr. Bennett's medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, "it is not a valid defense to argue that the [Postal Service's] actions were required by state law," (emphasis added) unless one of the ADA exceptions applied.  The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett,  (ii) to conduct training concerning the ADA's confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett's attorneys' fees, among other things.

Is the ADA the only concern?

In short, no, the ADA is only one protection for medical and other personal information that could trigger exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

• GINA: Regulations issued under Title II (GINA's employment provisions) provide that  employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception "does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA." Additionally, the individual whose genetic information is disclosed may need to be notified. 
• HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA. 
• 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities. 
• State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records. 

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 Does your HR staff know the limits on what they could tell prospective employers about former employees?

In this case, the US Equal Employment Opportunity Commission (EEOC) alleged that 7-Eleven of Hawaii failed to keep a former employee’s medical information confidential by disclosing the information to a prospective employer, in violation of the ADA, which caused the prospective employer to rescind a job offer. The EEOC filed suit in federal district court ( EEOC v 7-Eleven of Hawaii, Inc, DHaw, No CV 07-00478-SPK-BMK) and, after the District Court ruled in 7-Eleven’s favor, the EEOC appealed the decision in August 2008 to the US Court of Appeals for the Ninth Circuit.

However, on August 2, the EEOC announced a settlement under which 7-Eleven of Hawaii will:

1. pay $10,000,   
2. provide annual training to its human resources personnel and managers in equal employment opportunity, with an emphasis the ADA requirements concerning confidentiality, and
3. for a period of two years, 7-Eleven will also be required to report annually to the EEOC regarding the company’s policies and proposed training programs with respect to disability discrimination, medical disclosure, non-retaliation, and reasonable accommodation.

In comments about the case, EEOC representatives made clear that the ADA confidentiality requirements apply to applicants, current employees and former employees. Earlier in the year, we wrote about a recent EEOC senior staff attorney's informal letter concerning the duties of federal employees and contractors relating to medical confidentiality. It is unclear whether these actions by the EEOC suggests a greater emphasis on enforcement of medical records confidentiality under the ADA. Regardless, employers should be taking preventive steps to comply with these requirements. Some steps include:

• Creating a culture of confidentiality concerning medical records, whether those records are subject to ADA, HIPAA or some other law.
• Reminding employees that medical information is confidential and access is on a need-to-know basis.
• Reviewing and revising administrative, physical, and technical safeguards as necessary and appropriate to safeguard medical information, such as requiring employees to keep their desks clear of sensitive information and locking doors and file cabinets.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-authors: Frank Alvarez, Michael Soltis, and Joseph Lynett

ABC News has reported that a Fairfield, Connecticut woman, Pamela Fink, yesterday filed claims with the U.S. Equal Employment Opportunity Commission and the Connecticut Commission on Human Rights and Opportunities that her employer violated GINA when it terminated her employment on March 25, 2010. The federal Genetic Information Nondiscrimination Act (GINA) (pdf), which went into effect for employment law purposes on November 21, 2009, prohibits discrimination by employers on the basis of an employee’s “genetic information.” Final EEOC regulations on GINA have not been released.

According to the ABC and other news outlets, after genetic tests and family history indicated Ms. Fink was at risk for breast cancer, she underwent a preemptive double mastectomy. She alleges the termination of her employment, approximately five months after her procedure, was the result of informing her employer of her genetic test results that showed she carried the BRCA2 gene. Under GINA, “genetic information” includes a genetic test (defined in the statute as an “analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes”).

Her complaint is believed to be the first in the country brought under the employment provisions of GINA. It surely will be watched closely as employers begin to understand the scope of protections for employees under this new law. Employers are awaiting final EEOC regulations, which they hope will clarify the requirements under GINA, among them Title II, Section 202 of the statute. That section provides:

(a) DISCRIMINATION BASED ON GENETIC INFORMATION.—It shall be an unlawful employment practice for an employer—

(1) to fail or refuse to hire, or to discharge, any employee, or otherwise to discriminate against any employee with respect to the compensation, terms, conditions, or privileges of employment of the employee, because of genetic information with respect to the employee; or

(2) to limit, segregate, or classify the employees of the employer in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee, because of genetic information with respect to the employee.

The result of Ms. Fink’s case will not be known for some time. Employers, meanwhile, need to think about how this law affects their employment practices, as well as the group health plans (including any wellness programs) they sponsor for employees. (Title I of GINA specifically applies to group health plans.) We have written extensively on this topic here and elsewhere (pdf).

• Email This
• Print
• Comments
• Trackbacks
• Share Link