
Your Rights Medical Privacy

Clark Law Group

This page provides answers to the following questions:

1. What types of medical information might be part of my employer's records about me?

2. Do I have a right to have my medical information kept private in the workplace?

3. Can an employer require me to take medical tests in order to be hired?

4. Can my employer require me to take medical tests in order to keep my job?

5. I've heard about a law, HIPAA, which protects the privacy of my medical records. Does this law protect me at work?

6. I am part of a group health plan at work. How does HIPAA protect my health information?

7. My employer is self-insured. How does HIPAA protect my health information?

8. When I was injured at work, I was required to go to the company's health clinic. Will the information I gave the doctor be disclosed to my employer?

9. My company has an employee assistance program (EAP) which I have used to receive mental health counseling. Will any information I reveal to my counselor be kept confidential from my employer?

10. Who can my employer disclose my health information to?

11. I recently learned I am HIV-positive. Do I need to disclose this information to my employer?

12. Do I need to disclose my HIV status or medical condition in order to receive a reasonable accommodation of my disability?

13. Do I need to disclose my HIV status in order to receive family/medical leave?

14. I recently disclosed my HIV status to my supervisor to explain why I needed medical leave for doctor's appointments. Is the person I told legally required to keep this information confidential?

15. Can an employer refuse to hire me on the basis of genetic testing that revealed I am at higher risk to develop a rare disease?

16. My employer has started a "wellness program" and is giving incentives, such as bonuses and extra vacation days, to employees who exercise and lose weight. Is it legal for them to do this?

17. What can I do if my privacy rights have been violated by my employer?

1. What types of medical information might be part of my employer's records about me?

Medical records are created when you receive treatment from a health professional such as a physician, nurse, dentist, chiropractor, or psychiatrist. Records may include your medical history, details about your lifestyle (such as smoking or involvement in high-risk sports), and family medical history.

In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects.

Information you provide on applications for disability, life, or accidental insurance with private insurers or government programs can also become part of your medical file.

All of these types of medical records present privacy implications for you as an employee, if there is a possibility of your employer accessing this information.

2. Do I have a right to have my medical information kept private in the workplace?

Your employer has a number of ways to obtain medical information about you, whether it's because you volunteer it when you call in sick or tell co-workers, or because you provide requested information on health insurance application or workers compensation claim forms. However, just because your employer has the information does not mean that it should be shared with everyone in the workplace, especially when you have not chosen to do so.

The basic legal principle that employers should follow is not to reveal medical information about you unless there is a legitimate business reason to do so. But because that standard is fairly vague, there are laws which more specifically protect the privacy of your medical records, such as the Americans with Disabilities Act, the law which makes it illegal to discriminate on the basis of an employee's disability. State laws may also provide additional protection.

3. Can an employer require me to take medical tests in order to be hired?

Under the Americans with Disabilities Act, you cannot be required by an employer to take a medical examination before you are offered a job. Following a job offer, however, an employer can condition the job offer on your passing a required medical examination, but only if all entering employees for that job category have to take the exam and the exam is job-related and consistent with the employer's business needs. (You cannot be singled out for an exam merely because you have, or your employer believes you have, a disability.)

However, an employer cannot reject you because of information about your disability revealed by the medical examination, unless the reasons for rejection are job-related and necessary for the conduct of the employer's business. The employer cannot refuse to hire you because of your disability if you can perform the essential functions of the job with an accommodation.

The results of all medical examinations must be kept confidential and maintained in separate medical files apart from your regular personnel files.

For more information, see our website's page on disability discrimination.

4. Can my employer require me to take medical tests in order to keep my job?

Under the Americans with Disabilities Act, once you have been hired and started work, your employer cannot require that you take a medical examination or ask questions about your disability unless they are related to your job and necessary for the conduct of your employer's business. For example, if you appeared to be homicidal or suicidal, your employer might have a duty to require a psychological exam and/or inform your coworkers, to keep the workplace safe.

However, your employer may conduct voluntary medical examinations that are part of an employee health program and may provide medical information required by State workers' compensation laws to the agencies that administer such laws.

The results of all medical examinations must be kept confidential and maintained in separate medical files apart from your regular personnel files.

For more information, see our website's page on disability discrimination.

5. I've heard about a law, HIPAA, which protects the privacy of my medical records. Does this law protect me at work?

The federal Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for privacy of health information, which applies to how medical records are used and disclosed. Entities covered by HIPAA must:

Give notice of written privacy procedures;

Place restrictions on the use of health information; and,

Appoint a privacy officer and train staff.

But the law only applies to medical records maintained by health care providers, health plans, and health clearinghouses--and only if the facility maintains and transmits records in electronic form. Any health-related information which exists outside of health care facilities and the files of health plans is not covered by HIPAA, which means that workplace health records that relate to other employee benefits such as life insurance, disability, workers compensation, or long-term care insurance are not covered. Nor are records that relate to your employer's compliance with laws that govern safety and health risks in the workplace.

How you're protected by HIPAA in the workplace in conjunction with employer-provided health insurance depends on whether your employer has you enrolled in a group health plan, or whether your employer is self-insured.

6. I am part of a group health plan at work. How does HIPAA protect my health information?

If you are a member of a group health plan, your employer pays a premium to the health plan which covers your health care costs. In return for the premium paid, the health care plan assumes the risk of paying for your health care expenses covered by the plan.

Group health plans are covered by the HIPAA Privacy Rule as long as the plan has 50 or more participants. The HIPAA Privacy Rule applies to the plan itself, not to your employer, but it still attempts to limit the use of medical information for employment purposes.

Under HIPAA, the group health plan can tell your employer whether you are enrolled in the plan or not, and can provide the employer with "summary information" that it can use to evaluate and compare premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures to keep the information private, much as an entity covered by HIPAA would.

7. My employer is self-insured. How does HIPAA protect my health information?

Self-insured plans are health plans often offered by large employers as an employee benefit, in which the employer itself assumes the risk of health care costs and pays health care claims out of the company's operating funds. Some companies process their own claims internally, using company personnel, while other companies contract out the work of processing and maintaining the records to another company.

It can be scary to have such a close relationship between your boss and the person who processes your health claims: you may not really want Jane in the HR department knowing that you're seeing a psychiatrist, that your husband just had a vasectomy, or that you've been diagnosed with cancer, when she's the person you go to when you're having problems with your supervisor.

Under HIPAA, if your employer is also the insurer of your health benefits, it is in a category called a "hybrid" entity, which means that the portion of the company's operations that deal with processing health claims is covered by HIPAA. Although HIPAA requires that hybrid entities erect "firewalls" between the parts of the company handling health claims and the parts that do not, it is not yet clear whether this procedure is enough to be effective against the disclosure of private medical information. If you work for a company that is self-insured, and you believe there has been unauthorized disclosure of your medical records within your company, you may want to consult with a local attorney to determine whether the policy appears to violate any laws.

8. When I was injured at work, I was required to go to the company's health clinic. Will the information I gave the doctor be disclosed to my employer?

An on-site health clinic at your place of employment may be another example of what the HIPAA Privacy Rule calls a "hybrid" entity. This depends on whether the health clinic transmits information electronically and engages in standard transactions under HIPAA's electronic data interchange rule (for example, if the clinic bills an employee's health plan). If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. However, if the clinic does not transmit information electronically or bill your employer, it would be specifically excluded from HIPAA's protections.

Before you disclose any information to the company's health clinic that you would not want your employer to know, you should ask whether the clinic is subject to HIPAA or has a privacy policy that governs how your medical information is used.

9. My company has an employee assistance program (EAP) which I have used to receive mental health counseling. Will any information I reveal to my counselor be kept confidential from my employer?

An employee assistance program may be another type of "hybrid" entity, depending on how its information is transmitted and transactions are conducted. If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. "Referral only" EAPs, which provide only referrals to mental health counselors, are not subject to HIPAA, nor are EAPs provided through a disability income insurance policy.

Before you disclose any information to a counselor through the EAP program that you would not want your employer to know, you should ask whether the program is subject to HIPAA or has a privacy policy that governs how your medical information is used.

10. Who can my employer disclose my health information to?

The Americans with Disabilities Act recognizes that employers may sometimes have to disclose medical information about applicants or employees. Therefore, the law contains certain exceptions to the general rule requiring confidentiality. Information that is otherwise confidential under the ADA may be disclosed:

To supervisors and managers where they need medical information in order to provide a reasonable accommodation or to meet an employee's work restrictions;

To first aid and safety personnel if an employee would need emergency treatment or require some other assistance (such as help during an emergency evacuation) because of a medical condition;

To individuals investigating compliance with the ADA and with similar state and local laws; and,

As required for workers' compensation claims (for example, to a state workers' compensation office in order to evaluate a claim) or for insurance purposes.

11. I recently learned I am HIV-positive. Do I need to disclose this information to my employer?

Most job applicants or employees who live with HIV do not have to disclose their HIV status to their employers. The only exception would be if you work at a job where HIV infection poses a direct threat to the health of others, such as if you work as a surgeon or other health care worker performing invasive procedures. (That is not every health care worker who has public contact, by the way: HIV-positive chiropractors, manicurists, food handlers, chefs, bank tellers, veterinarians, hairdressers, and barbers do not pose direct threats.)

Otherwise, it is your choice whether or not to disclose your HIV status to your employer. You may choose whether or not to disclose this information, for example, if you need an accommodation of your disability, or wish to take leave covered by the Family & Medical Leave Act.

12. Do I need to disclose my HIV status or medical condition in order to receive a reasonable accommodation of my disability?

It is not legally required or otherwise necessary to disclose your HIV status (or any medical condition) to your employer in order to receive a reasonable accommodation of your disability.

To receive accommodation of your disability, you have to identify yourself to the employer as a person living with a disability, but you do not have to identify the specific disability or diagnosis. To request accommodation, you must tell your employer what your functional limitations are.

For example: You do not have to request reasonable accommodation for your HIV-related diarrhea. Instead, you request reasonable accommodation because your disability limits your ability to stay at your workstation without more frequent bathroom breaks.

13. Do I need to disclose my HIV status in order to receive family/medical leave?

It is not legally required or otherwise necessary to disclose your HIV status (or any medical condition) to your employer in order to receive family and medical leave.

To receive family and medical leave, all you have to communicate is information sufficient for the employer to understand that you need leave for FMLA-qualifying reasons. In other words, you do not need to mention FMLA or your diagnosis when requesting leave, but must only explain why the leave is needed. While your employer can request medical certification from your health care provider of your need for leave, all your health care provider must communicate is a description of the serious health condition, the date that the condition began or treatment became necessary, and the expected duration of the condition or treatment.

14. I recently disclosed my HIV status to my supervisor to explain why I needed medical leave for doctor's appointments. Is the person I told legally required to keep this information confidential?

As discussed in the previous two questions, it is not legally required or otherwise necessary to disclose your HIV status to your employer in order to receive either family and medical leave or a reasonable accommodation of your disability.

However, if you have already disclosed your HIV status to your employer, you may be protected by state laws regarding the confidentiality of medical information and/or an HIV/AIDS diagnosis. Some state laws apply only to health care providers, and not employers. If you have concerns about what your employer is required to keep confidential, you may want to consult with a local attorney or legal services agency which provides services to persons living with HIV to determine whether a disclosure of your HIV status would violate any laws.

15. Can an employer refuse to hire me on the basis of genetic testing that revealed I am at higher risk to develop a rare disease?

No. Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) is a federal law which prohibits genetic information discrimination in employment (http://www.eeoc.gov/laws/types/genetic.cfm).

If your employer requires genetic testing, or appears to be discriminating against you on the basis of a genetic test, you may want to consult with a local attorney.

16. My employer has started a "wellness program" and is giving incentives, such as bonuses and extra vacation days, to employees who exercise and lose weight. Is it legal for them to do this?

Most of us would like to be healthier and eat better. Some companies, concerned about rising health care costs and employee productivity, have decided to help the process along by instituting wellness programs that encourage employees to become healthier by encouraging weight loss and exercise.

No one faults the good intentions behind the policies, but some are concerned about how such programs may intrude on an employee's private life and health status. The legal territory at this point is mostly uncharted, but any program which is not purely voluntary runs certain risks, which may include discriminating against disabled employees and/or illegally disclosing medical information. If you are subject to a mandatory wellness policy, you may want to consult with a local attorney to determine whether the policy appears to violate any laws.

17. What can I do if my privacy rights have been violated by my employer?

How you can respond to an unauthorized disclosure of your medical information depends on what law or laws were violated by the disclosure: the ADA, HIPAA, or state protections. Some laws allow what is called a "private right of action," which means that you can sue in court, while others require that you file with an administrative agency. If you believe your privacy rights have been violated, you may want to consult with a local attorney to determine whether your employer has violated any laws, and if so, how you should proceed.

This page was updated on January 9, 2013
