The COVID-19 pandemic brought mandatory vaccinations and medical screenings to many companies, which has caused some controversy regarding the confidentiality of employee medical information. In particular, many want to know who should and who should not have access to their employee medical records.
A few federal laws pertain to employee medical records, as does OSHA’s Access to Employee Exposure and Medical Records (Standard 1910.1020). Furthermore, state laws also play a role, as specific states have differing laws regarding access to employee medical information.
That means there’s quite a bit to know about the confidentiality of employee medical records for managers and HR departments, regardless of industry.
If you perform employee background checks, require mandatory vaccinations, or request doctor’s notes for sick days, you must know the laws and regulations surrounding employee health information. Otherwise, you may wind up violating your employees’ privacy without even realizing it.
Additionally, you need to ensure all your sensitive employee files are kept under lock and key to prevent data breaches. Approximately 95% of the US population has had their private medical information disclosed between 2009 and 2021 – so cybersecurity is a real concern.
Stay tuned to learn everything you need to know about the laws, standards, and best practices surrounding employee medical record confidentiality.
Federal laws and standards regarding employee medical records
There are two federal employment laws that cover employee medical record confidentiality in the United States. They are the Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act (HIPAA).
Then there are the standards put in place by the Occupational Safety and Health Administration (OSHA Standard 1910.1020).
Lastly, there are specific state laws that apply to the confidentiality of employee medical records, such as the Texas Medical Privacy Act, which provides more protection for employee privacy than HIPAA.
Here’s a look at all the laws that cover who should not have access to employee medical records.
Americans with Disabilities Act (ADA)
Under the ADA, employers must maintain confidentiality for all medical records obtained from medical examinations or inquiries — including any medical information from voluntary health & wellness programs. However, if the medical records in question WERE NOT obtained through a medical examination or inquiry, the ADA does not require employers to keep such records confidential.
In addition, the ADA states that you must keep all employee medical records separate from general personnel files, with access allowed only to designated representatives.
The Equal Employment Opportunity Commission (EEOC) provides guidelines for when employers can share medical information & medical histories:
If an employer needs to provide reasonable accommodation to an employee due to a medical issue or injury, managers and supervisors are allowed access to that employee’s medical records.
Should an employee need emergency treatment due to a medical condition, first-aid workers and safety personnel are allowed access to the employee’s medical information & first-aid records.
Individuals that are performing compliance audits for ADA and similar laws are allowed access to employee medical records.
Employers can share employee medical records with a state workers’ compensation office to evaluate claims for insurance purposes.
Besides these exceptions, there are no other reasons why you should share your employees’ medical records with anyone. That also means that, as an employer, you will not be able to request an employee’s complete medical record, as it may contain information that could be used for discriminatory purposes.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s privacy rule requires employers to keep confidential all employee medical records derived from the group health plan. Most of the time, this refers to medical records obtained from summary claims reports from the company’s insurance provider.
Healthcare providers and clearinghouses will have additional regulations for patient records, but they’re separate from HIPAA.
That means for most organizations, your group health plan is what’s covered by HIPAA, with the rest of your medical records falling under ADA’s jurisdiction. Accordingly, you’ll need to maintain strict confidentiality for all employee medical records obtained through your group health plan (medical exams, laboratory tests, medical treatment records, etc.) to stay in compliance with HIPAA.
Sick leave notes and workers’ compensation records are two examples of medical documents NOT covered by HIPAA (they fall outside the company health plan) but covered by the ADA. Any records covered by HIPAA are not to be shared with anyone unless you have the employee’s permission. For instance, if you uncover that an employee has sleep apnea by reading the quarterly report from your company’s medical program, that information must remain confidential under HIPAA.
OSHA Standard 1910.1020
Should an employee get exposed to harmful physical agents or toxic substances, they fall under OSHA’s Standard 1910.1020 for access to employee exposure and medical records. That’s because the OSHA Standard is all about detecting, preventing, and treating occupational diseases.
If an employee has heightened exposure levels to harmful agents like lead, bacteria, or silica — designated employee representatives are granted full access to their medical records under the OSHA Standard.
What qualifies as a designated employee representative?
A designated representative is any individual or organization to whom the employee has given written consent to access their records.
The toxic and harmful agents covered by the standard include the following:
Metals and dust like silica, lead, and cadmium.
Biological agents like bacteria, viruses, and fungi.
Physical stressors like heat, cold, noise, repetitive motion, vibrations, and ionizing & non-ionizing radiation.
Should an employee experience exposure to any of these agents, their employers MUST provide access to their relevant medical and exposure records, including access to their designated representatives (physicians and other health professionals), free of charge and in a reasonable timeframe.
Here are the different ways an employer can present an employee/designated representative with their medical and exposure records:
Provide a copy of the records to the employee on-site.
Provide facilities for the employee to copy the records for later use.
Let the employee borrow the records to copy them off-site.
It’s the employee’s right to have access to any medical document that measures their exposure to a harmful agent or toxic substance. If the employer does not have any medical documents measuring their exposure, the employee has the right to access the records of other employees who have received similar exposure in the same line of work.
The OSHA standard applies not only to general industry but also to maritime and construction industries.
Besides the federal laws and standards, some states also have specific laws regarding who should not have access to employee medical records. In fact, some states have laws that are even more stringent than federal laws, so it’s imperative to know how your state treats the confidentiality of employee medical records.
What types of medical records can employers and employees access?
There are two primary types of employee medical records that organizations keep on file that certain entities can share and purchase.
They are individually identifiable records and aggregated medical records.
An individually identifiable record contains an employee’s personal data, such as their phone number, home address, doctors, insurance claims, family members, and more. Whenever you personally request to see your medical record, your individually identifiable record is what you’ll see — this is also known as protected health information (PHI).
Aggregated medical records are databases containing thousands of employee medical files. As such, these medical records aren’t used to identify just one person but hundreds or even thousands at a time. The different data in aggregated medical records are known as attributes, which healthcare professionals use for data mining.
For instance, if a healthcare facility needs to examine everyone that underwent a particular procedure, they could data mine the aggregated records of every patient that received it. Also, aggregated medical records don’t contain identifying factors, so they don’t include things like employee names and contact information.
Who has the right to access employee medical records?
While HIPAA and ADA state that medical records need to be kept confidential, there are exceptions to the rules. For example, doctors and insurance companies qualify as covered entities under HIPAA, meaning that they can access your medical records if they need them.
Here’s a list of all the covered entities under HIPAA:
Physicians and other allied medical professionals.
Healthcare facilities like laboratories, nursing homes, and hospitals.
Health insurance companies.
EHR (electronic health records) technology providers.
While these entities are permitted under HIPAA to access medical records, they still have stringent rules they must follow when doing so. Most importantly, all covered entities will need to get your written authorization to share your medical records with others.
However, they can forgo the need for written authorization IF they’re conducting activities related to medical treatment, healthcare operations, or payment.
Additional entities that can access your medical records
Here are other stipulations laid out by HIPAA:
You always have the legal right to obtain copies of your medical records.
If you grant them permission, a loved one or family member can obtain copies of your medical records for you.
Your healthcare providers have the right to share your medical records with anyone as long as you provide permission. For example, if your primary care physician wants you to see an ENT, they can share your medical records with them if they have your consent.
All your healthcare payers have the right to get copies of and view your medical records under HIPAA. That includes insurance companies, Medicare, Medicaid, workers’ compensation, Social Security, and any other entity that pays a portion of your medical costs.
Federal and state governments both have the right to get copies of and review your medical records. Besides healthcare payers like Medicaid and Social Security, other government entities may access your records — such as law enforcement, if they obtain a subpoena.
The Medical Information Bureau (MIB) is a nonprofit that feeds information to life insurance companies to discover if someone is eligible for coverage or not. The MIB may have medical records for you that aren’t subject to HIPAA laws, which is important to know.
Drug prescription databases likely have data-mined records of all the prescription drugs you’ve bought for quite some time. Yet, it’s crucial to remember that these aggregated records contain no personally identifying information like your name or address. Life insurance and disability insurance companies use this information to determine if employees are eligible for coverage.
Those are all the instances when HIPAA allows certain entities and institutions to view your medical records.
Knowing your employees’ privacy rights for medical records
Now that you know more about the laws, rules, and regulations surrounding employee medical records, it’s time to learn how they apply to the daily operations of your organization. You’ll need to know your employees’ privacy rights when conducting background checks, requiring mandatory vaccinations, and requesting doctor’s notes for sick leave.
Conducting background checks is standard practice for most companies. Still, it’s essential to know that, according to the EEOC, you can’t request medical information from a candidate until you have offered them a job.
Once you do offer a candidate a position, you’ll be able to request copies of their medical records. However, the medical information you request cannot be related to their genetics.
Mandatory COVID-19 vaccinations
Whether or not an employer can require mandatory COVID-19 vaccinations comes down to their state’s laws surrounding the issue. Some states prohibit mandating showing proof of COVID-19 vaccinations, like Arizona. So if your organization operates in that state (or another state that bans vaccine mandates), you won’t be able to require proof of vaccination.
For the states that do allow vaccine mandates, employers are only allowed to request proof of vaccination and no other medical records. That means that while each employee must provide proof of their COVID-19 vaccination, the rest of their medical information will remain confidential.
Requesting doctor’s notes for sick leave
If your organization requires employees to provide doctor’s notes whenever they call in sick, you should know that you can only ask the employee for this information. In other words, it’s illegal to reach out to an employee’s physician to ask for a note.
Under the HIPAA privacy rule, an employer cannot ask an employee’s healthcare provider directly for information about the employee without first obtaining the employee’s written consent.
Wrapping up: Who should not have access to employee medical records
HIPAA and the ADA make it clear that employee medical records must remain confidential at all times, barring special circumstances. As such, you need to keep your employees’ medical records stored separately from your general personnel files to maintain their confidentiality. Also, don’t forget to check your state’s laws regarding the confidentiality of employee medical records to ensure you’re in full compliance.