Medical Information Privacy in the Workplace

By: Katlyn M. Davidson, Esq. 

Whether and to what extent insurers and employers can share medical information regarding an employee’s workers’ compensation claim is a question which the Maine Workers’ Compensation Act provides little guidance. Sharing such medical information can be important both for insurers to keep their insureds informed of the status of a claim and for employers to be aware of an employee’s restrictions to help facilitate a successful return to work. However, there are other employment related laws that prohibit or significantly restrict the sharing of medical information in the workplace that insurers and employers should keep in mind when it comes to managing workers’ compensation claims. 

 The starting place for any discussion regarding medical information privacy is the Health Insurance Portability and Accountability Act of 1996, commonly referred to as “HIPAA.” Enacted in 1996, the primary purpose of HIPAA is to protect the privacy and security of individuals’ protected health information by imposing various restrictions on when and how such health information can be disclosed. Protected health information is generally information in any format (oral, written, or electronic) that relates to a medical condition, treatment or payment for health care. HIPAA applies to covered entities, which are generally identified as health care providers, health plans and healthcare clearing houses. HIPAA also applies to business associates of a covered entity. An entity is considered a business associate if a covered entity discloses protected health information to that entity so that the entity can perform or assist in certain services on behalf of the covered entity. Examples of such services include but are not limited to, claims processing and administration, billing or benefit management, data analysis, data storage, etc. 

Generally HIPAA does not apply to an employer unless the employer is considered to be a covered entity or a business associate. Employers, however, are still likely impacted by the requirements of HIPAA in so far as they need to obtain necessary medical information about an employee from a covered entity. 

With respect to workers’ compensation, HIPAA specifically excludes workers’ compensation from the usual requirements of HIPAA. The corresponding federal regulations provide that covered entities may use or disclose protected health information in cases where the law requires such disclosures and the use or disclosure complies with and is limited to the relevant requirements of such law. 45 C.F.R. § 164.512(a)(1).  The federal regulation goes on to specifically identify workers’ compensation matters as an exclusion from HIPAA. Subsection 164.512(l) provides: “A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.” 

The Maine Workers’ Compensation Act also provides that an authorization from an employee is not required for an employer to obtain medical information from health care providers “if the information pertains to treatment of an injury or disease that is claimed to be compensable under this Act.” 39-A M.R.S.A. § 208(1). The Act also creates an affirmative obligation on health care providers to produce medical information on certain prescribed Board forms to an employer. For example, section 208(2)(A) provides that, for lost time claims, a healthcare provider must forward to the employer, within 5 business days of treatment, a diagnostic medical report that includes information about an employee’s work capacity, likely duration of incapacity, return to work suitability and treatment required. Section 208(2)(B) further provides that a health care provider shall forward every 30 days a diagnostic medical report if ongoing treatment is provided. An employer also “may request, at any time, medical information concerning the condition of the employee for which compensation is sought. The health care provider shall respond within 10 business days from receipt of the request.” 

It would seem, therefore, that between the HIPAA exclusion for workers’ compensation matters and the relevant provisions in the Maine Workers’ Compensation Act an employer and insurer need not worry about any duties or obligations with respect to the medical information that is obtained through a workers’ compensation claim. However, there are other significant employment laws to be aware of which restrict what an employer can do with this medical information.  

The Americans with Disabilities Act (“ADA”), which generally prohibits discrimination against a qualified individual with a disability because of the disability and also creates a duty for employers to provide reasonable accommodations, limits when an employer can inquire about a disability and who can be aware of medical information obtained from any such inquiry. With respect to its employees, the ADA provides that an employer may make disability related inquiries or request a medical exam only if the inquiry or request for a medical exam is “job-related and consistent with business necessity.” 42 U.S.C. § 12112(d)(4)A). This requirement is considered by the EEOC to apply to all employees and not just employees with disabilities. An inquiry or exam is considered to be job related and consistent with business necessary when an employer has a reasonable belief, based on objective evidence, that: (1) an employee’s ability to perform essential job functions will be impaired by a medical condition;  or, (2) an employee will pose a direct threat due to a medical condition. A direct threat is defined as a “significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.” 29 C.F.R. § 1630.2(r). 

When an employer has acquired medical information through a permitted disability related inquiry or medical exam, the ADA also imposes limits on an employer’s ability to share such medical information. The employer must be sure to keep such information confidential on separate forms and in a separate file from an employee’s general personnel file. 29 C.F.R. § 1630.14(c).  Further, an employer is restricted as to who can be aware of such medical information. Supervisors and managers can know about an employee’s necessary restrictions and necessary accommodations only. First aid and safety personnel may be informed when appropriate about a disability if the disability might require emergency treatment. See 42 U.S.C. §§ 12112(d)(3)(B)(i)  and (ii). 

In 2011, the U.S. District Court of Maine took on the issue of an alleged violation of medical privacy under the ADA. In Blanco v. Bath Iron Works, 802 F. Supp. 2d 214 (D. Me., 2011), the employee had failed to disclose a medical condition (ADHD) on his pre-employment medical questionnaire when he became employed. This did not come to light until later on after the employee had been working for the employer and had a job transfer. In the new position, the employee felt that the job aggravated his ADHD and he was struggling with job performance. The employee requested an accommodation and was sent to meet with the employer’s in-house doctor. During this meeting, the doctor reviewed the employee’s pre-employment medical questionnaire and discovered that the employee had not disclosed his ADHD condition at that time. The doctor disclosed this omission to the employer’s Labor Relations Department and the employee was subsequently terminated. The employee challenged this disclosure, arguing that it violated the confidentiality provisions of the ADA. The presiding judge agreed, determining that the exceptions for sharing confidential medical information did not apply to this situation. Instead, the judge found that the purpose of the disclosure was to reveal the alleged lie by the employee and not to advise of necessary restrictions or accommodations.  

Questions have been raised about how the ADA interacts with workers’ compensation laws. The EEOC published enforcement guidance on this issue in 1996. Although this guidance is not considered to be law or binding legal precedent, the EEOC expressed its opinion that the ADA does not prohibit an employer or its agent from asking disability related questions or requesting medical exams. The EEOC provided that any such inquiries or exams must be consistent with state law and limited in scope to the occupational injury. Further, the EEOC cautioned that an employer should avoid excessive or “far-ranging” questions and medical exams. 

The Maine Human Rights Act is another major body of law for insurers and employers to be aware of with regards to obtaining and retaining medical information about employees. The Maine Human Rights Act provides that it is unlawful for an employer, prior to employment, to elicit or attempt to elicit information directly or indirectly pertaining to physical or mental disability (among other protected classes). The Act further provides that it is unlawful discrimination for an employer to make or keep a record of physical or mental disability except when an employer requires a physical or mental exam prior to employment. In that case, a privileged record of the exam is allowed if made and kept in compliance with the Act. See 5 M.R.S.A. §§ 4572(1)(D)(1) and (2). The Maine Human Rights Act also requires employers to keep records regarding physical or mental disability confidential and maintained on separate forms and in separate files. 5 M.R.S.A. § 4573(2). 

Similar to the ADA, the Maine Human Rights Act’s corresponding rules prohibit an employer from requiring a medical exam or from making inquiries about an individual’s physical or mental disability or about the nature or severity of any disability. Chapter three of the Rules do provide some exceptions, however, which permit an employer to request a medical exam or make an inquiry of an employee if it is job-related and consistent with business necessity.  Again, any information obtained from a permissible exam or inquiry must be kept confidential and maintained separately. The Rules also limit who within the employer can receive this medical information. Supervisors and managers may be informed about necessary restrictions on the work or duties of the employee and necessary accommodations. First aid and safety personnel may also be informed if the employee’s disability might require emergency treatment.  

Another major employment law to consider is the Family and Medical Leave Act (“FMLA”), which provides eligible employees with the right to unpaid, protected leave for specified family and medical reasons. When the leave is due to an employee’s own health condition, an employer is quite restricted in the medical information that it can obtain. First, there is no exclusion under HIPAA for medical information obtained through administration of the FMLA. Generally, an employee provides certification of the medical condition on prescribed forms that are quite vague about the nature of the employee’s condition. An employer can only follow up for further information when clarification or authentication of a certification is needed and after an employee has been provided with an opportunity to cure a defect in the certification. Even then, the federal regulations provide that clarification or authentication can only be requested by a healthcare provider, human resources professional, leave administrator or management official. See 29 C.F.R. § 825.307(a). The same regulation provides that “under no circumstances” may a supervisor contact the employee’s healthcare provider.  

The FMLA does, however, contemplate an employee taking leave under the FMLA for a workers’ compensation injury. In that case, the federal regulations provide that if FMLA leave runs concurrent with a workers’ compensation absence and the provisions of the workers’ compensation statute permit an employer to request additional medical information from the employee’s workers’ compensation health provider, then the FMLA does not prevent an employer from following the workers’ compensation provisions. 29 C.F.R. § 825.306(c). Similar to the ADA and the MHRA, the FMLA also imposes confidentiality and recordkeeping requirements for medical information.  

Finally, the Genetic Information and Nondiscrimination Act of 2008, 42 U.S.C. § 2000ff et seq., prohibits employers from using genetic information to make employment decisions. The Act also prohibits employers from intentionally acquiring genetic information and any genetic information that the Employer does possess must be kept confidential. Further, the scope of what is considered to be genetic information is quite broad and includes genetic tests of the individual and family members and family medical history.  

In sum, while both HIPAA and the Maine Workers’ Compensation Act do not really restrict an employer or insurer’s ability to obtain medical information when it relates to a workers’ compensation claim, employers and insurers should still remain cognizant of other area of law that do restrict an employer’s ability to obtain and share medical information. While it is certainly desirable to keep the insured informed of the latest medical information regarding a workers’ compensation claimant, it is important to always consider who is on the receiving end of that email correspondence or who is participating in the conference call or team meeting in order to ensure that confidential medical information is not being shared with those who are restricted from access to such information.