Several federal laws protect the privacy rights of employees concerning the disclosure of their medical information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes minimum federal standards for privacy concerning medical records. Every state has the power to provide more privacy protection, but not less. This means that rights vary from state to state. The Health Privacy Project of Georgetown University makes state information available to the public. Other relevant legislation includes the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).
HIPAA, and the subsequent HIPAA Privacy Rule issued by the United States Department of Health and Human Services, restrict the information that can be shared between health care providers, health care insurance companies (including employer-paid group plans) and health care clearinghouses (companies that act as go-betweens for health care providers and health care insurance plans). These three types of entities are generally prohibited from disclosing an employee’s medical information to her employer without her written authorization. However, an employer may be entitled to limited medical information if it relates to the performance of the employee’s duties, such as making accommodations for a disability.
The ADA prohibits an employer from asking whether a potential employee has a disability or has any past or present medical conditions. The employer is also not permitted to ask the potential employee to disclose his workers’ compensation history. Pre-employment medical examinations are also prohibited under the ADA; however, after the employee has been offered employment, and prior to the employee’s start date, the employer may require the employee to undergo a medical examination, but only if the policy extends to all new employees holding similar jobs.
Access to Medical Records
A group health care provider can tell an employer whether an employee is enrolled in the health care plan and give the employer a “summary” of information for the purpose of getting premium bids or changing coverage. Some large companies are self-insured, meaning the employer assumes the responsibility for health care costs directly, paying for claims out of the company’s operating funds, which means that the employer would necessarily have all claim information. HIPAA requires that medical files be kept separate from personnel files and that “reasonable efforts” be made to prohibit uses and disclosures of private protected health information between the department that handles the employees’ medical claims and other departments.
An employer may ask for a doctor’s note for the purpose of administering sick leave, workers’ compensation insurance and other health plans, but he cannot approach the health care provider directly without the employee’s authorization. The request for information is required to be reasonably related to the reason for the request, meaning the employer’s request cannot be based on subjective factors and must be limited in scope.
Family Medical History
GINA prohibits employers, and group health insurers, from requesting, requiring or purchasing genetic information on employees. Additionally, an employee’s premiums cannot be adjusted based on genetic information.