September 10, 2021

Best Practices: Safeguarding Employee Medical Information

COVID-19 and its Delta variant continue to wreak havoc in the workplace. A continually changing landscape of guidelines, mandates, and federal emergency temporary standards (ETS) makes it increasingly difficult to stay abreast of the private employer’s growing responsibilities. With more and more private employers implementing, or considering implementing, vaccination mandates, it is important to remember the employer’s duty to safeguard the employee medical information those mandates generate.

Advances in technology have created new concerns for workplace privacy. Automated systems, email and instant messaging have helped employers reduce operating costs, comply with COVID-19 reporting requirements, and increase efficiency, but they also create new places where employee medical information is stored and transmitted. Below is a brief discussion of privacy issues in the workplace, how employers can lessen the risk that comes with using these technologies to maintain employee medical records, and how to set appropriate employee expectations of privacy in workplace systems.

The Americans with Disabilities Act (ADA) and similar state statutes restrict the questions an employer may ask about a physical or mental disability and limit the timing and type of medical exams that may be required for employment, including COVID-19 testing. Beyond those restrictions, privacy law also limits an employer’s right to learn an employee’s medical status and history. Employers have specific duties to maintain the confidentiality of medical-related information they receive in connection with workplace testing protocols (e.g., drug testing, pre-employment exams, COVID-19 vaccination and testing records, fitness for duty exams).

In addition to the requirement to keep medical records confidential, under the ADA an employer may disclose medical information about an employee only in limited circumstances: to supervisors and managers who need to know about work restrictions and possible reasonable accommodations; to first aid and safety personnel when emergency treatment may be needed; and to government officials investigating compliance. Medical information should be kept in a separate, restricted file rather than in the general personnel file. The Family and Medical Leave Act also requires that medical records be kept confidential.

In California, medical records may be disclosed for specific purposes (e.g., compliance with a subpoena, administration of benefit plans, and in connection with a workers’ compensation claim). However, other disclosures can only be made with the written authorization of the employee.

These restrictions on the use of medical records are in addition to the confidentiality requirements found in the federal Health Insurance Portability and Accountability Act (HIPAA). Note that HIPAA’s privacy rules apply to covered entities such as employer-sponsored group health plans rather than to an employer acting in its capacity as employer, so an employer should not assume that HIPAA is the only, or even the primary, source of its confidentiality obligations.

Employers should make every effort to minimize use and disclosure of an employee’s private information (e.g., social security numbers and medical records). Procedures should be put into place to prevent unauthorized disclosures.

In California, statutory provisions require businesses, including employers, that hold personal information to take reasonable security measures to prevent its unauthorized access or disclosure; to destroy such records, when they are no longer to be retained, by a means that renders them unreadable or undecipherable (e.g., shredding paper records and securely erasing electronic ones); and to notify affected individuals of any breach of the business’s computerized data that could result in unauthorized access to that information. Personal information for these purposes includes an individual’s name combined with a social security number, driver’s license number, certain financial account information, or medical information, as well as a user name or email address combined with a password or security question and answer.

Arizona has similar legislation requiring notification when the security of a computer system containing personal information is breached.

Members with questions about best practices in protecting employee medical information should contact Western Growers.