About Us  |  About Cheetah®  |  Contact Us

Keeping employees’ personal and occupational health information in one file poses risk of ADA and GINA violations, EEOC letter warns

Maintaining employees’ personal and occupational health information in a single electronic medical record (EMR), particularly one that permits individuals with access to the EMR to view any information in the record, “presents a real possibility” that the ADA or the Genetic Information Nondiscrimination Act (GINA), or both, will be violated, according to an EEOC informal discussion letter released on June 30, 2011.

An agency letter, dated May 31, 2011, and signed by EEOC Legal Counsel Peggy R. Mastroianni, addresses two issues:

  1. whether an employer or its agent should have access to an employee’s personal health information without the employee’s consent; and
  2. the manner in which employers must safeguard employees’ medical information.

Title I of the ADA and Title II of the GINA both limit employer access to medical information. The letter provides a roadmap to when personal health information about applicants or employees may be accessed, regardless of whether an employer or an occupational health provider maintains information in paper or electronic files.

ADA-related constraints. Mastroianni first noted that an employer’s right to access personal health information is governed by provisions in the ADA that limit an employer’s right to make disability-related inquiries and conduct medical examinations of applicants and employees. The EEOC, she said, has not yet explicitly addressed whether accessing personal health information, stored in the same EMR as occupational health information, would be considered a disability-related inquiry. However, she stated, “there seems to be no basis for distinguishing between this situation and others that the Commission clearly has said would be disability-related inquiries, such as where an employer asks an employee, or an employee’s doctor, to provide documentation about a disability, or searches through an employee’s belongings for the purpose of uncovering information about a disability.”

Mastroianni reviewed the application of the ADA to disability-related inquiries, noting that Title I limits when employers may obtain medical information and how that information can be used prior to extending a job offer; after an offer has been made, but before an individual starts working; and once the individual is on the job. Before extending a job offer, employers generally may not ask any disability-related questions or require medical examinations of applicants. After an offer of employment has been extended, but before an individual begins to work, employers may ask disability-related questions or require medical examinations, regardless of whether they are job-related related, so long as the employer does so for all entering employees in the same job category. This may include requesting an individual’s consent to access his personal health information. However, Mastroianni cautioned, “because the ADA prohibits an employer from withdrawing a job offer from an individual with a disability or making other discriminatory decisions based on a person’s actual or perceived medical conditions, an employer should be careful not to obtain more information than is necessary to determine whether a person can do a job, even at the post-offer stage.”

After an individual begins working, employers may only ask disability-related questions or require medical examinations that are job-related and consistent with business necessity, Mastroianni advised. This means that, generally, an employer may only obtain medical information where the employer reasonably believes an employee will be unable to perform the job or will pose a direct threat, due to a medical condition. Medical information also may be obtained to determine if an employee with a disability, that is not obvious, is entitled to a requested reasonable accommodation or satisfies criteria for using certain types of leave, such as leave under the FMLA or the employer’s sick leave policy. In these cases, however, the information sought must be limited in scope. Thus, employers may not ask for, or view, an employee’s entire medical record because it is likely to contain information that is unrelated to the need to make an employment-related decision, Mastroianni wrote. She also noted that employers may not obtain an employee’s medical information or view an employee’s personal health information unless the employee has executed an appropriate release.

GINA-related constraints. The EEOC attorney also outlined the additional constraints that GINA places on employers’ ability to obtain personal health information. “With limited exceptions, GINA prohibits employers from requesting, requiring, or purchasing genetic information (e.g., information about an individual’s genetic tests, genetic tests of a family member, or family medical history) about job applicants and employees or their family members at any time, including during the post-offer stage of employment,” she explained. According to Mastrioanni, an employer’s accessing an individual’s medical records directly would be no different from asking the individual for information about his or her current health status, which the EEOC considers to be “a request for genetic information where it is likely to result in the acquisition of such information, particularly family medical history.”

Employers should therefore “be careful about asking individuals to sign an authorization for release of their EMRs because it is likely that these records will contain genetic information,” Mastroianni warned. “We recommend that if an employer lawfully requests access to an applicant’s or employee’s medical records (e.g., at the post-offer stage if all entering employees are asked for access to their medical records or during employment where the request for information is job related and consistent with business necessity), the employer include warning language like that provided for in EEOC’s regulations implementing Title II of GINA on any release to ensure that acquisition of any genetic information in response to the request will be considered inadvertent,” she wrote. The warning language is found at 29 C.F.R. Sec. 1635.8(b)(1)(i)(B).

Confidentiality requirements. As to issues of confidentiality, Mastroianni observed that neither the ADA nor GINA specifically addresses whether encryption, password authorization, or other security safeguards are necessary for electronic records maintained by employers. However, she advised that the EEOC does not interpret either statute’s confidentiality provisions to apply only to paper records. “Therefore, if an employer maintains medical information and genetic information electronically, it must ensure that it is kept confidential, and disclosed only to the extent permitted by the ADA and GINA,” Mastroianni wrote.

Title I of the ADA requires that information obtained by an employer about the medical condition or history of an applicant or employee “must be collected on separate forms, kept in separate medical files, and be treated as a ‘confidential medical record,’ Mastroianni explained. Likewise, when an employer has genetic information obtained under one of GINA’s limited exceptions, the employer must keep this information separate from personnel files and treat it as a confidential medical record. According to Mastroianni, this information may be maintained in the same file as medical information obtained under the ADA. However, she cautioned that while both the ADA’s and GINA’s confidentiality provisions include limited exceptions under which information may be disclosed, “none of these exceptions specifically authorize an employer to allow access to medical information related to employment by individuals providing health services unrelated to employment.” Thus, for example, under the ADA and GINA, a health professional treating an employee at the hospital where she works is not permitted to view medical information that was provided in support of a request for reasonable accommodation.

Single medical file poses risk of violation. The bottom line is that “an employer’s right to access personal health information about applicants and employees and to allow access to occupational health information by individuals providing health services unrelated to employment is strictly limited under both the ADA and GINA,” as Mastroianni wrote in concluding her discussion. “Therefore, maintaining personal health information and occupational health information in a single EMR, particularly one that allows someone with access to the EMR to view any information contained therein, presents a real possibility that the ADA, GINA, or both will be violated,” she warned.

The EEOC’s letter is not considered an official opinion of the agency; it is merely an informal discussion of the issues presented by a request for public comment.