If you are like the vast majority of employed people, you have learned something at work about a co-worker’s illness or medical condition. It can be as specific as someone telling you about their medical issues, or as vague as someone commenting in hushed tones that they heard a fellow employee has a serious or terminal illness.
Some privacy rights follow employees into the workplace, and other rights are conveyed by specific laws and regulations. Employers are challenged in understanding the obligations and restrictions placed on the exchange of information about employees and their personal medical status.
First, the basics: There is a law covering almost all employers that says any information about medical conditions and treatments is Protected Health Information (PHI), and that employers must take great care in how they communicate that information with benefit plan providers and within the organization. That law is the Health Insurance Portability and Accountability Act (HIPAA).
Another law, the Americans with Disabilities Act (ADA), requires employers with 15 or more employees to reasonably accommodate employees with disabilities.
A “disability” is defined as:
- a physical or mental impairment that substantially limits one or more major life activities;
- a person with a record of such an impairment; or
- a person regarded as having such an impairment.
Examples of major life activities include walking, sitting, standing, seeing, hearing, breathing, working, and caring for oneself. The law also requires that the organization not disclose the medical condition requiring accommodation to others, including, in most cases, the supervisor and co-workers.
These privacy requirements necessitate a delicate balance between the employee’s right to personal privacy on the job and the employer’s need to maintain a safe, efficient and productive workplace. The simple act of sharing a medical diagnosis with the employee’s supervisor without the employee’s express (written) permission, even when the employee is the one who told you about their condition, can result in a violation of the employee’s right to privacy.
So is there a way through this maze? The answer is a qualified “yes.” Here is what employers need to do.
- Be aware of the privacy requirements contained in the various laws that pertain to the organization.
- Assure employees that the organization takes its responsibility to maintain appropriate employee privacy seriously.
- Encourage employees to share critical information with key parties on their own, or authorize in writing the sharing of that data. Any such authorization should include what information is to be shared and with whom.
- Have a written policy about the confidentiality of employee information, including any medical information that the employer becomes aware of.
- Train supervisors and managers about the privacy requirements and strongly advise that no inappropriate disclosure of information is to occur.
- Have a process by which employees can bring to management’s attention any concerns they have about the inappropriate disclosure of personal information.
This last step is critical because it gives an organization an opportunity to try to resolve any issues or correct problems before an employee takes their concern to an outside attorney specializing in privacy lawsuits.
In this day when the fears about “big brother” are too often being realized, we all want our personal information to stay private at work. By taking this concern seriously and working to have appropriate protections in place, employers can create greater trust with employees and meet compliance requirements at the same time.
— Judy Clark, SPHR
CEO, HR Answers
EPIC is a public interest research center in Washington, D.C., created to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. Go to www.epic.org.
The Office for Civil Rights–HIPAA addresses such issues as medical privacy and the National Standards to Protect the Privacy of Personal Health Information. Go to www.hhs.gov/ocr/hipaa.
The Center for Democracy and Technology is a nonprofit public policy organization “dedicated to promoting the democratic potential of the Internet.” Check out its medical information section at www.cdt.org/privacy/medical.
The Health Privacy Project’s Fact Sheet 8 explains how private your medical records really are. Go to www.privacyrights.org/fs/fs8-med.htm.