Privacy of Medical Information: Employer and Employee Rights and Obligations

This article appeared in the January/February 2002 issue of The Maryland Bar Journal.

Employers regularly obtain medical information concerning applicants and employees through a variety of sources, including health insurance forms, workers' compensation reports, leave requests, doctors' notes regarding absences, and general conversation and interaction with applicants and employees. Although most employers understand that such information should be treated with care, many employers fail to realize that employee and applicant medical information may be subject to specific protection under federal and state law. On the federal side, the Americans with Disabilities Act, the Family and Medical Leave Act, the Fair Credit and Reporting Act, and regulations issued under the Health Insurance Portability and Accountability Act all relate, directly or indirectly, to medical information in an employer's possession. Maryland statutes and common law also impose obligations and limits on employers.


The Americans with Disabilities Act (ADA), which is applicable to employers of at least 15 employees, prohibits discrimination "against a qualified individual with a disability because of the disability" in regard to any aspect of the individual's application or employment. 42 USC §12112(a). Subsection (d) provides that "the prohibition against discrimination as referred to in subsection (a) shall include medical examinations and inquiries." Subsection (d) limits the medical inquiries which employers may make of applicants and employees, obligates employers to use separate forms to collect any information regarding the medical condition or history of applicants and employees, and requires employers to keep any such information separate from other personnel files. Furthermore, the ADA requires employers to keep such information confidential, subject to certain narrow exceptions.
Under the statute, an employer may disclose such information only to: (i) supervisors and managers if it relates to "necessary restrictions on the work or duties of the employee and necessary accommodations"; (ii) first aid and safety personnel "when appropriate, if the disability might require emergency treatment"; and (iii) government officials investigating compliance with the ADA, upon request. The Equal Employment Opportunity Commission (EEOC), which enforces the ADA, has interpreted these provisions in its ADA Technical Assistance Manual and in Guidances.

The EEOC's Guidance on Pre-Employment Disability-Related Inquiries and Medical Examinations Under the ADA (issued on October 10, 1995) provides that employers may also disclose medical information to workers' compensation insurance carriers and state workers' compensation offices in accordance with workers' compensation laws, and "may use medical information for insurance purposes", for example by submitting to the employer's insurer information necessary to administer a health insurance plan. The Guidance also notes that medical information can be shared with employer representatives involved in the hiring process or implementing an affirmative action program, to the extent such representatives "need to know the information."

The same EEOC Guidance provides that the employer's confidentiality obligations under the ADA apply to medical information which an applicant or employee has voluntarily disclosed to the employer, in addition to information which an individual provided in response to medical inquiries or a medical examination. The Guidance states that employees' general personnel files should not contain "any medical-related material." In this regard, the Guidance differentiates between a mere notice that an employee has taken sick leave or had a doctor's appointment, which is not considered to be covered medical information, and documentation which contains information regarding the employee's diagnosis or symptoms, which is considered covered medical information. According to the Guidance, the confidentiality obligations do not end when an individual is no longer an applicant or employee.

Section 6.5 of the EEOC's Technical Assistance Manual on the Employment Provisions of the ADA (issued in January, 1992) provides that an employer "should take steps to guarantee the security of the medical information", including keeping the information "in a medical file in a separate, locked cabinet, apart from the location of personnel files" and restricting access to such files to a specific person or persons. The Manual also permits disclosures to government officials investigating compliance with other federal and state laws which prohibit discrimination on the basis of disability, and disclosures pursuant to "other Federal laws and regulations [which] also may require disclosure of relevant medical information."

The EEOC's Enforcement Guidance on Disability-Related Inquiries and Medical Examinations Under the ADA (issued on July 26, 2000) provides that an employer should treat an employee who applies for another position within the organization as an applicant. Accordingly, the EEOC states that a current supervisor who knows of medical information regarding such employee may not disclose such information to a person interviewing the employee for the new job or to a supervisor of that new job.

In this Guidance, the EEOC takes the position that the restrictions on medical inquiries and the confidentiality obligations apply to "all employees, not just those with disabilities". This position is supported by the Eighth, Ninth, and Tenth Circuits, but is contrary to the position of the Fifth Circuit. Compare Griffin v. Steeltek, 160 F.3d 591 (10th Cir. 1998); Fredenburg v. County of Contra Costa, 172 F.3d 1176 (9th Cir. 1999); and Cossette v. Minnesota Power and Light, 188 F.3d 964 (8th Cir. 1999) with Armstrong v. Turner Industries, Inc., 141 F.3d 554 (5th Cir. 1998). The Third Circuit recently declined to rule on the issue. Tice v. Centre Area Transportation Authority, 245 F.3d 506 (3d Cir. April 23, 2001).

In addition to litigation over whether a non-disabled individual can bring a claim under §12112(d), the courts have addressed the extent of injury required to support a claim under that provision. Recent appellate court decisions have required a plaintiff to prove that the violation of §12112(d) caused injury to the plaintiff.

In Tice, the Third Circuit affirmed the grant of summary judgment against an employee, and held that a plaintiff does not have a cause of action for violation of §12112(d) without demonstrating the existence of an injury in fact, "either through actual damage (emotional, pecuniary, or otherwise), or through the presence of a continuing illegal practice to which plaintiff is likely to be subject absent court intervention". The court found that the plaintiff's "bare allegations of mental/emotional distress, mental anguish, stress and inconvenience" were not sufficient. The court concluded by citing the Fifth Circuit's decision in Armstrong and stated that "there is no indication in either the text of the ADA or its history that a technical violation of §12112(d) was intended to give rise to damages".

In Cossette, the Eighth Circuit held that a plaintiff "must establish a tangible injury caused by the alleged illegal disclosure" as a prerequisite to maintaining suit. Ms. Cossette claimed that her employer wrongfully disclosed confidential medical information both within the company and to an unrelated entity to which she was applying for a job. The court stated that if the wrongful disclosure to the prospective employer led to her being denied a higher paying job, she would have a viable ADA claim. The court then found that the internal disclosure was "more problematic". The court noted that being treated in a condescending and patronizing manner by co-workers because of the disclosure of the confidential medical information "falls short of an adverse employment action that would be required to establish a prima facie case of disability discrimination under §12112(a)". However, it remanded the case to allow the district court to determine whether such treatment was a sufficient basis for a claim of illegal disclosure of medical information under §12112(d).

In Griffin v. Steeltek, the plaintiff prevailed in his first visit to the Tenth Circuit, which ruled that he did not need to be disabled in order to bring suit under §12112(d). Back in the district court, Mr. Griffin lost on the merits. In dismissing his second appeal, the Tenth Circuit held, in Griffin v. Steeltek, 2001 U.S. App. LEXIS 18917 (August 22, 2001), that "merely being asked the impermissible question is not sufficient, by itself, to inflict a cognizable injury" and that compensatory damages (including even nominal damages) are available only if the plaintiff establishes that by asking a prohibited question, the employer "actually engaged in unlawful intentional discrimination". The court then affirmed the denial of attorney's fees to the plaintiff, citing the recent Supreme Court decision in Buckhannon Bd. & Care Home, Inc. v. West Va. Dept. of Health & Human Resources, 121 S. Ct. 1835 (2001). The Tenth Circuit rejected the "catalyst for change" theory and held that a plaintiff who does not prevail on the merits in an ADA case via a judgment or consent decree is not entitled to attorney's fees "even if the pursuit of litigation has caused a desired and voluntary change in the defendant's conduct", such as the discontinuance of impermissible inquiries.

The EEOC has filed numerous lawsuits asserting ADA claims against employers under §12112(d) based on impermissible inquiries, the commingling of medical information in personnel files, or breaches of confidentiality. However, in all of these cases, the EEOC also alleged other violations of the ADA or other civil rights statutes. Of the 27 cases on the active litigation docket of the EEOC's Baltimore District Office in September, 2001, one includes an allegation that the employer failed to keep medical information in a separate file and another includes a claim of wrongful disclosure of confidential medical information.

There are no decisions of the Fourth Circuit or the federal district court for the District of Maryland which address the liability of an employer for violation of the ADA provisions requiring that medical information be kept confidential. The EEOC is continuing to seek to enforce these provisions. In addition, individuals have a private right of action under the ADA. The extent of employers' exposure for violation of the confidentiality provisions of the ADA has yet to be determined.


Other federal statutes also protect medical information in the employment context. The Family and Medical Leave Act (FMLA), 29 U.S.C. §§ 2601 et seq., indirectly affords employee medical information protection by limiting an employer's right to request or question such information. Employers can require employees taking FMLA leave because of their own serious health condition or the serious health condition of a covered relative to provide medical certification from the health care provider. Under regulations issued by the Department of Labor, however, an employer cannot require the diagnosis of the employee or covered relative. 29 CFR § 825.306. Furthermore, once medical certification is provided, the employer may not request additional information from the health care provider. While an employer may contact the employee's health care provider for purposes of clarifying or authenticating the medical certification, the contact must be made by a health care provider representing the employer, and only with the employee's permission. 29 CFR § 825.307. On the other hand, if the employee is on a workers' compensation absence running concurrently with FMLA leave and the provisions of the workers' compensation statute permit the employer to have direct contact with the employee's workers' compensation physician, then the employer may continue to have such contact. 29 CFR § 825.307 (a)(1).


The federal Fair Credit and Reporting Act (FCRA), 15 U.S.C. §§ 1681-1681u, also affords protection to employee medical information. The FCRA regulates an employer's access to "consumer reports" from a "consumer reporting agency." 15 U.S.C. § 1681. The Act requires an employer to disclose to an applicant or employee that it is going to procure information from a reporting agency for use in considering the individual's employment. 15 U.S.C. § 1681d. Section 604(g) of the FCRA prohibits consumer reporting agencies from providing reports that contain medical information for employment purposes, or in connection with credit or insurance transactions, without the specific prior consent of the consumer who is the subject of the report. In the case of medical information being sought for employment purposes, the consumer must explicitly consent to the release of the medical information in addition to authorizing the employer to obtain a consumer report generally. Section 603(i) defines "medical information" to mean "information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics, or other medical or medically related facilities." Information from non-medical sources, such as employers, is not "medical information."


When Congress passed the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d, et seq. ("HIPAA"), it included provisions on "administrative simplification" that were aimed at improving the "efficiency and effectiveness of the health care system . . . through the establishment of standards and requirements for the electronic transmission of certain health information." P.L. 104-191 § 261. The emphasis on electronic transmission of health information gave rise to concerns about privacy, and the statute required the Secretary of Health and Human Services ("HHS") to make recommendations to Congress on the privacy of health information, and provided that if Congress did not pass legislation within three years, the Secretary was required to issue regulations to protect the privacy of health information. P.L. 104-191 § 264. Congress did not pass legislation, and HHS issued the final HIPAA privacy regulations in December, 2000. 65 Fed. Reg. 82526 (12/28/00). Compliance is required by April 14, 2003, although small health plans (defined as those with $5 million or less in annual receipts, 45 C.F.R. § 160.103) have an additional year.

The HIPAA privacy regulations apply directly to "covered entities": health plans, health care clearinghouses, and health care providers that choose to conduct certain transactions electronically. 45 C.F.R. § 160.103. The only health plans that are not covered are those that have fewer than 50 participants and are administered by the plan sponsor. Id. Although the regulations do not apply directly to employers, most employers that offer health benefits will be affected through the provisions that apply to health plans and those that apply to "business associates."

The regulations require covered entities to obtain agreements from their "business associates" to abide by the same privacy protection obligations that apply to the covered entities. 45 C.F.R. § 164.502(e). A business associate is any entity to which a covered entity discloses protected health information, if that entity performs or assists in the performance of functions such as claims processing, billing, or benefit management, or provides legal, actuarial, accounting, consulting, administrative, or financial services. 45 C.F.R. § 160.103. If an employer performs functions or provides services that make it a business associate of a health plan it sponsors, the employer will be required to sign a business associate agreement and will be required to comply with all the same HIPAA privacy requirements as the health plan. For example, many employers provide administrative services to their health plans by handling enrollment and premium payment functions.

The inclusion of providers of legal services within the definition of "business associates" means that attorneys who represent covered entities, or the business associates of covered entities (such as employers that sponsor health plans) should determine whether they receive protected health information from their clients and whether they will be required to sign business associate agreements.

The HIPAA privacy regulations cover "protected health information" ("PHI") that is held by covered entities. PHI is information that is individually-identifiable and relates to a medical condition, treatment, or payment for health care. 45 C.F.R. § 164.501. All PHI is covered, regardless of whether it is oral, on paper, or in electronic form, 45 C.F.R. § 160.103, and PHI may be used or disclosed only as authorized by the participant or as permitted by the regulations. The inclusion of restrictions on the use of PHI means that the regulations apply to the internal use of the information, not just disclosure of the information to outsiders.

The definition of PHI is very broad and extends well beyond what the phrase "protected health information" might ordinarily bring to mind. Information on premium payments, claims, preexisting conditions, subrogation, and coordination of benefits may all be PHI. Information need not include identifiers such as name, address, or social security number to be individually-identifiable. For example, a high-dollar claim report that contains only diagnoses or procedures and amounts paid might contain individually-identifiable information, if there is a reasonable basis to believe that the information can be used to identify the persons covered. 45 C.F.R. § 164.501.

Health plans that are covered by the regulations must:

· Adopt and implement written privacy policies and procedures that meet the requirements of the regulations, 45 C.F.R. § 164.530(i);

· Provide a notice of privacy policies and procedures to each participant, 45 C.F.R. § 164.520;

· Train employees in the privacy policies and procedures, 45 C.F.R. § 164.530(b);

· Appoint a privacy officer, 45 C.F.R. § 164.530(a);

· Obtain authorization to use PHI for purposes other than payment and health care operations, 45 C.F.R. § 164.508(a); and

· Disclose only the minimum necessary PHI, 45 C.F.R. § 164.502(b).

In addition, the regulations give plan participants the right to inspect and obtain a copy of their PHI, 45 C.F.R. § 164.524, request amendment of their PHI, 45 C.F.R. § 164.526, receive an accounting of disclosures of PHI, 45 C.F.R. § 164.528, and request that uses and disclosures of PHI be restricted, 45 C.F.R. § 164.522(a).

The HIPAA privacy regulations emphasize the distinction between the employer that sponsors a health plan and the health plan itself, and impose restrictions on what the health plan may disclose to the employer. A health plan may disclose PHI to the employer only if the employer certifies that the plan documents have been amended as required by the HIPAA privacy regulations, 45 C.F.R. § 164.504(f), including provisions:

· Prohibiting the employer from using or disclosing PHI other than as permitted or required by the plan documents or as required by law, 45 C.F.R. § 164.504(f)(2)(ii)(A);

· Prohibiting the use or disclosure of PHI for employment-related action or in connection with any other benefit plan sponsored by the employer, 45 C.F.R. § 164.504(f)(2)(ii)(C);

· Requiring the employer to report to the plan any improper use or disclosure of PHI, 45 C.F.R. § 164.504(f)(2)(ii)(D);

· Requiring the employer to return or destroy PHI after the permitted use is completed, 45 C.F.R. § 164.504(f)(2)(ii)(I); and

· Describing which employees will have access to PHI, 45 C.F.R. § 164.504(f)(2)(iii)(A), and restricting such access to the plan administrative functions that the employer performs, 45 C.F.R. § 164.504(f)(2)(iii)(B).

Employers that sponsor health plans and that have not, in the past, drawn any distinction between information that is the employer's and information that is the plan's will now have to recognize that distinction and limit the use of, and access to, the plan's information.

The HIPAA administrative simplification provisions impose both criminal and civil penalties for noncompliance. For violations that are knowing and intended for commercial advantage or malicious harm, the criminal penalties include fines up to $250,000 and ten years in prison. 42 U.S.C. § 1320d-6. Civil penalties of up to $100 per violation may be imposed, up to a maximum of $25,000 per year for violations of the same requirement or prohibition. 42 U.S.C. § 1320d-5. With over 50 separate requirements and prohibitions in the privacy regulations, civil penalties could top out at over $1.25 million per year.

The regulations do not provide for a private cause of action, but the standards in the regulations may become the yardstick for what is "reasonable care" in handling employee health information, and state courts could use the regulations to gauge whether employers and health plans have acted reasonably in dealing with employee health information. This could open employers to suits under state tort law.

The privacy regulations establish a floor, not a ceiling. If the HIPAA privacy requirements are more stringent than state law, the federal standards apply. On the other hand, if state law gives health plan participants more protection, the state law applies. 45 C.F.R. § 160.203.

In 1990, Maryland enacted the Confidentiality of Medical Records Act, Md. Code Ann., Health-Gen. I, § 4-301, et seq., "to provide for the confidentiality of medical records, and generally to bolster the privacy rights of patients." Warner v. Lerner, 115 Md. App. 428, 693 A.2d 394 (1997). The statute narrowly prescribes the instances when medical personnel can disclose information without the authorization of the person in interest. Id., § 4-305. There is no provision for an unauthorized disclosure to an employer or for employment purposes. Similar statutory restrictions exist with respect to the release of medical information by an insurer or an insurance service organization and condition an employer's access to such information on the insured employee's consent. See Md. Ins. Code Ann., § 4-403; 63 Op. Att'y Gen. 432 (1978).

Maryland has a long-standing statutory prohibition against requiring an applicant for employment to provide information regarding a medical condition, unless the condition has a "direct, material, and timely relationship to the capacity or fitness of the applicant to perform the job properly." Md. Ann. Code, Lab. & Empl., § 3-701. Additionally, Maryland's Occupational Safety and Health Act, Md. Ann. Code, Lab. & Empl., § 5-101 et seq., prohibits an employer from taking an adverse employment action against an employee or applicant based upon information obtained by virtue of the individual's participation in the employer's group medical coverage, absent a comparable showing of relevancy or of a fraudulent misrepresentation by the employee with respect to a medical condition. Id., § 5-604.

Recently-enacted state legislation limits an employer's right to use genetic information in connection with employment decisions. As of October 1, 2001, it is an unlawful employment practice for an employer to fail or refuse to hire, or to discharge an individual, or otherwise to discriminate against an individual because of the individual's genetic information or the individual's refusal to submit to a genetic test or make available the results of a genetic test. For these purposes, "genetic information" means information: (i) about chromosomes, genes, gene products, or inherited characteristics that may derive from an individual or a family member; (ii) obtained for diagnostic or therapeutic purposes; and (iii) obtained at a time when the individual to whom the information relates is asymptomatic for the disease, but does not include (a) routine physical measurements; (b) chemical, blood, and urinalysis that are widely accepted and in use in clinical practices; or (c) tests for use of drugs. A "genetic test" is a laboratory test of human chromosomes, genes, or gene products that is used to identify the presence or absence of inherited or congenital alterations in genetic material that are associated with disease or illness.

Finally, Maryland common law would afford further protection to the extent that an employer's access to an employee's medical information would constitute an "invasion of privacy." Maryland recognizes a cause of action for an "intrusion upon seclusion" and the "publication of private fact." See Allen v. Bethlehem Steel Corp., 76 Md. App. 642, 547 A.2d 1105, cert. denied, 314 Md. 458, 550 A.2d 1168 (1988). The former requires an "intentional intrusion upon the solitude or seclusion of another of his private affairs or concerns that would be highly offensive to a reasonable person." See Furman v. Sheppard, 130 Md. App. 67, 73, 744 A.2d 583 (2000). The latter claim exists when one gives publicity to a matter concerning the private life of another and the matter publicized is of a kind which (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. Id. at 77. The publication element requires dissemination beyond a "small group of persons." Id. at 78.

While there are no reported decisions by the Maryland courts passing upon an invasion of privacy tort claim based upon the acquisition, use or dissemination of medical information, the issue has arisen in other jurisdictions. See, e.g., Knecht v. Vandalia Med. Ctr., Inc., 470 N.E.2d 230 (Ohio Ct. App. 1984) (holding that unauthorized disclosure of medical records may support a claim for invasion of privacy). Such claims do not fare well, however, unless the plaintiff can show that the medical information was obtained without his or her knowledge or authorization or that the information was widely disseminated to individuals with no legitimate interest in the information. The Missouri Court of Appeals in St. Anthony's Med. Ctr. v. HSH, 974 S.W.2d 606 (Mo. Ct. App. 1998), rejected the claim that the hospital's disclosure of records without the plaintiff's consent or knowledge constituted either an unlawful "intrusion upon seclusion" or "publication of private fact" because, respectively, the records were not obtained through deception or other unreasonable methods and the publication was not to "the public in general or to a large number of individuals". See also , 633 N.E.2d 280 (Ind. Ct. App. 1994) (same); Luedtke v. Nabors Alaska Drilling, Inc., 768 P.2d 1123 (Alaska 1989) (holding that the plaintiff's claim for intrusion upon seclusion arising from a urine test required by the employer failed because there was no showing of either "unreasonable manner of intrusion, or intrusion for unwarranted purpose.").

Employers that obtain or hold medical information relating to applicants or employees must be aware of the variety of state and federal protections and limits that apply to that information, and should develop policies and procedures to ensure that such information is obtained, stored, used, and disclosed only in compliance with the law.