2 minute read
Employers collect employees' medical information for various reasons, such as verifying accommodation requests or certifying leave. Federal laws like the Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Health Insurance Portability and Accountability Act (HIPAA) restrict when this information can be requested and require it to be kept confidential.
The ADA is the key federal law safeguarding employees' medical information at work. It restricts when employers can request this information and mandates confidentiality, ensuring it's kept separate from personnel files and accessed only by authorized individuals. Employers must also comply with state and local laws, which may have stricter confidentiality rules.
| Law | Covered Employees | Restrictions on Obtaining Medical Information | Confidentiality |
| ADA | Employers with 15 or more employees | Before a job offer, medical exams and disability inquiries are not allowed. Applicants can be asked about essential job functions. A job offer can depend on a medical exam if it's required for all similar roles. Once employed, exams and inquiries must be job-related and necessary for business. |
Employers must keep medical records confidential and separate.
|
| FMLA | Private-sector employers with 50 or more employees and governmental employers of any size | Employers may ask for a health care provider’s certification for leave due to serious health conditions or injuries. A fitness-for-duty certification might also be needed for returning to work. | Employers must keep medical records confidential and stored separately, with few exceptions. |
| GINA | Employers with 15 or more employees | Employers are generally prohibited from obtaining genetic information about applicants or employees, including family medical history, except in limited cases. | Employers must keep genetic information confidential and stored separately, with few exceptions. |
|
HIPAA *Does not apply to employment records |
Employers that receive protected health information (PHI) to administer their health plans | Employers can access PHI from their health plan for administrative purposes, provided they meet privacy and security standards. | Protect PHI privacy and security; it must not be used in employment decisions or other benefit plans. |
Compliance Tips
To maintain confidentiality, employers should:
- Use secure storage that is separate from personnel files;
- Limit access to authorized individuals;
- Train employees on confidentially practices;
- Ensure electronic systems are secure; and
- Promptly address any suspected breaches of confidentiality
Download the bulletin for more details.
Additional Resources
Understanding the ADA: Core Concepts
