The confidentiality of medical records requirement under the Americans with Disabilities Act (ADA) is violated when an employer discloses a current or former employee’s medical records in response to a state court subpoena absent the employee’s release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney’s demand letter or a subpoena and apply to the individual’s medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as: 

  • what kind of information is contained within the files being requested;
  • what specific statutory or regulatory protections apply for some or all of the information being requested (see below);
  • is a response appropriate without an authorization of the individual or giving an individual an opportunity to object;
  • is a court order needed for some or all of the information being requested; and
  • what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

  • supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
  • first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; 
  • government officials investigating compliance with this part shall be provided relevant information on request;
  • employers may disclose medical information to state workers’ compensation offices, state second injury funds, workers’ compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
  • employers may use medical information for insurance purposes.

The EEOC found that the Postal Service’s disclosure of Mr. Bennett’s medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, "it is not a valid defense to argue that the [Postal Service’s] actions were required by state law," (emphasis added) unless one of the ADA exceptions applied.  The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett,  (ii) to conduct training concerning the ADA’s confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett’s attorneys’ fees, among other things.

Is the ADA the only concern?

In short, no, the ADA is only one protection for medical and other personal information that could trigger exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

  • GINA: Regulations issued under Title II (GINA’s employment provisions) provide that  employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception "does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA." Additionally, the individual whose genetic information is disclosed may need to be notified. 
  • HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA. 
  • 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities. 
  • State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records. 

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests.