EEOC Office of Legal Counsel staff members wrote the following informal discussion letter in response to an inquiry from a member of the public. This letter is intended to provide an informal discussion of the noted issue and does not constitute an official opinion of the Commission.
ADA: Confidentiality of Medical Information
February 18, 2010
This is in response to your December 28, 2009, letter to the Equal Employment Opportunity Commission (EEOC or Commission) asking about the confidentiality of employee medical information under the Rehabilitation Act. You state that Medical Records Custodians (MRCs) -- federal employees and contractors whose official duties require access to employee medical information - work in open cubicles surrounded by co-workers whose duties do not require access to such information. You also state that restricted medical information (i.e., diagnoses, treatment plans, prognoses, recommendations for work restrictions) intended for a MRC is transmitted to a fax machine shared by employees who are not MRCs. You ask whether disclosure of employee medical information to someone other than an MRC violates the Rehabilitation Act. Finally, you ask about the possible consequences for unauthorized disclosure of medical information and what steps your agency should take to protect this information.
The Rehabilitation Act strictly limits when a federal agency may obtain medical information, how the information can be used, and who can have access to such information. Specifically, the Act provides that information obtained regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a "confidential medical record." 29 C.F.R. §1630.14(b)(1). Only authorized employees should have access to such information on a need-to-know basis.
In limited circumstances, agencies may share medical information with: supervisors and managers, who need to know about an employee's work restrictions and necessary accommodations; first aid and safety personnel if an employee's disability might require emergency treatment or special procedures; and government officials investigating compliance with the Rehabilitation Act. 29 C.F.R. §1630.14(b)(1). The Commission also has interpreted the Rehabilitation Act to allow agencies to disclose information to state workers' compensation offices and "second injury" funds in accordance with state workers' compensation laws and for insurance purposes. 29 C.F.R. Pt. 1630, App. §1630.14(b), §1630.14(f).
You state that employees who are not authorized to have access to employee medical information often overhear conversations MRCs have by telephone and in person discussing employees' medical conditions and also pick up and read medical documents from a shared fax machine. It also appears that although MRCs are required to have access to medical information, they may have access to all employee medical information rather than just to the relevant information they need to carry out their duties with respect to particular employees. Because these circumstances allow for unlawful disclosure, for which the agency could be liable for damages if an affected employee filed a complaint, your agency should take steps to guarantee the security of each employee's medical information.
First, you should remind all employees that medical information is confidential and that only MRCs are authorized to have access to such information on a need-to-know basis. For example, you might issue a memorandum informing all employees that anyone who discusses another employee's medical information with unauthorized persons or reads medical documents not intended for him or her will be disciplined. Further, to ensure that other employees, including other MRCs, cannot overhear conversations about an employee's confidential medical information, you could provide an office with a door that an MRC can use when he or she needs to discuss an employee's medical condition or history by telephone or in person. A fax machine that is shared only by other MRCs also could be installed in this office with the door kept locked except when in use by an MRC. Further, you should remind MRCs to keep any employee medical information in a locked file cabinet in their cubicles or in a file cabinet in the shared office to which only other MRCs have access. Finally, you should periodically audit your policies and procedures to make sure that you are doing everything possible to guarantee the confidentiality of employee medical information and protect against unauthorized disclosures.
I hope this information is helpful. Please note that this is an informal discussion of the issues you raised and does not constitute an official opinion of the EEOC.
Senior Attorney Advisor
This page was last modified on March 29, 2010.
Return to Home Page