As a general rule, an employer may not disclose or share your medical records or medical information. When an employer obtains medical information from applicants and employees, the employer must store the information on separate forms and in separate files and treat it as “confidential” information.
Under limited circumstances, however, the employer may share an employee’s or applicant’s medical information, such as with managers and supervisors who need to know about work restrictions and reasonable accommodations. Employers may also share medical information with first aid and safety personnel if an employee needs emergency treatment or assistance. Further, employers may disclose medical information to government officials investigating the employer’s compliance with the law, and when needed to support an employee’s claim for workers’ compensation or insurance.
These protections for employees’ medical information derive from the Americans with Disabilities Act and the Rehabilitation Act of 1973 (which applies to the federal government and government contractors). Additional protections are found in the Privacy Act, which restricts the federal government’s sharing of personal information, including health information.
Medical providers are also limited in what medical information they can disclose. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects the privacy of all individually identifiable health information held or transmitted by a covered entity or its business associate.
Individually identifiable health information, also referred to as “protected health information”, is what it sounds like: health information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Health information is any information relating to:
- the individual’s past, present, or future physical or mental health or condition;
- the provision of health care to the individual; or
- the past, present, or future payment for the provision of health care to the individual.
Health information in these three categories is protected under HIPAA only if an individual can be identified from it. If the information has been de-identified by removing all personal identifiers (names, addresses, Social Security numbers, identifying photographs, and the like), it ceases to be protected under HIPAA.
Covered entities subject to HIPAA include:
- Health plans
- Health care clearinghouses
- Health care providers who transmit health information in electronic form
HIPAA generally prohibits a covered entity from disclosing an individual’s protected health information to others without the individual’s consent or authorization. The circumstances in which a covered entity is permitted to disclose protected health information without authorization are tightly regulated and include activities such as exchanges of protected health information between covered entities for the purpose of treating the patient in question.
In the context of your employment, your health providers generally cannot give your employer your protected health information without your consent or authorization. Your employer may ask you for medical information, such as a doctor’s note, in connection with sick leave, health insurance, wellness programs, or other matters that require you to disclose health information. If your employer instead asks your health provider directly for your protected health information, the provider generally may not disclose it without your consent or authorization. Note that HIPAA governs covered entities and their business associates, not employers as such: once your employer has your medical information, its handling of that information is governed by the ADA and Rehabilitation Act confidentiality rules described above rather than by HIPAA.