EEOC Office of Legal Counsel staff members wrote the following informal discussion letter in response to an inquiry from a member of the public. This letter is intended to provide an informal discussion of the noted issue and does not constitute an official opinion of the Commission.
ADA & GINA: CONFIDENTIALITY REQUIREMENTS
May 31, 2011
This is in response to your April 13, 2011, letter to Chair Jacqueline A. Berrien asking for guidance on whether maintaining an employee’s personal health information and occupational health information1 in a single Electronic Medical Record (EMR) violates the requirements of Title I of the Americans with Disabilities Act (ADA) and Title II of the Genetic Information Nondiscrimination Act (GINA). You believe that neither the employer nor the occupational medicine physicians and nurses who diagnose and treat work-related injuries and illnesses should have access to personal health information without the consent of the employee. Although you do not recommend maintaining personal and occupational health information in totally separate systems, you suggest that personal health information protected under the ADA and GINA should be appropriately “walled off” from view in the broader EMR.
Your letter appears to raise two issues: 1) whether an employer or its agent should have access to an employee’s personal health information without the employee’s consent; and 2) the manner in which employers must safeguard employees’ medical information.
Accessing Personal Health Information of Applicants and Employees
Title I of the ADA and Title II of GINA limit employer access to medical information. Regardless of whether an employer or an occupational health provider maintains information in paper or electronic files, it must ensure that personal health information about applicants or employees cannot be accessed, except under the circumstances and to the extent outlined below.
An employer’s right to access personal health information is governed by the provisions of the ADA that limit an employer’s right to make disability-related inquiries and conduct medical examinations of applicants and employees. See 42 U.S.C. § 12112(d); 29 C.F.R. §§ 1630.13 and 1630.14. The Commission has not explicitly addressed whether accessing personal health information stored in the same EMR as occupational health information would constitute a disability-related inquiry. However, there seems to be no basis for distinguishing between this situation and others that the Commission clearly has said would be disability-related inquiries, such as where an employer asks an employee or an employee’s doctor to provide documentation about a disability or searches through an employee’s belongings for the purpose of uncovering information about a disability. See Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees Under the Americans with Disabilities Act at Q. 1 & n.20 (July 27, 2000), http://www.eeoc.gov/policy/docs/guidance-inquiries.html.
Title I of the ADA limits when an employer may obtain medical information and how that information can be used at three stages: before extending a job offer, after an offer is made but before an individual starts working, and once a person is on the job. Prior to extending a job offer, an employer generally may not ask any disability-related questions and may not require medical examinations of applicants. See 29 C.F.R. §1630.13(a). After extending an offer of employment but before an individual begins work, an employer may make disability-related inquiries or require medical examinations, regardless of whether they are related to the job, as long as it does so for all entering employees in the same job category. Id. at §1630.14(b). This could include requesting an individual’s consent to access his personal health information. However, because the ADA prohibits an employer from withdrawing a job offer from an individual with a disability or making other discriminatory decisions based on a person’s actual or perceived medical conditions, an employer should be careful not to obtain more information than is necessary to determine whether a person can do a job, even at the post-offer stage.2
Once an individual begins working, an employer may only ask disability-related questions or require medical examinations that are job related and consistent with business necessity. 29 C.F.R. at §1630.14(c). Generally, this means that an employer may only obtain medical information where it reasonably believes that an employee will be unable to perform the job or will pose a direct threat due to a medical condition. Medical information also may be obtained to determine whether an employee with a non-obvious disability is entitled to a requested reasonable accommodation or satisfies the criteria for using certain types of leave, such as leave under the Family and Medical Leave Act or under the employer’s own sick leave policy. In all of these instances, however, the information sought must be limited in scope. For example, an employer cannot ask for, or view, an employee’s complete medical record because it is likely to contain information unrelated to the need to make an employment-related decision. Of course, an employer may not obtain medical information about an employee or view an employee’s personal health information unless the employee has executed an appropriate release. See, e.g., Revised Enforcement Guidance on Reasonable Accommodation and Undue Hardship Under the Americans with Disabilities Act (Oct. 17, 2002) at Q. 6 & n.28, http://www.eeoc.gov/policy/docs/accommodation.html.
GINA places additional constraints on an employer’s ability to obtain personal health information. With limited exceptions, GINA prohibits employers from requesting, requiring, or purchasing genetic information (e.g., information about an individual’s genetic tests, genetic tests of a family member, or family medical history) about job applicants and employees or their family members at any time, including during the post-offer stage of employment. 29 C.F.R. §1635.8(a)-(b). Accessing an individual’s medical records directly is no different from asking an individual for information about current health status, which the Commission considers a request for genetic information where it is likely to result in the acquisition of such information, particularly family medical history. Id. at § 1635.8(a), (b)(1)(i). Employers, therefore, should be careful about asking individuals to sign an authorization for release of their EMRs because it is likely that these records will contain genetic information. We recommend that if an employer lawfully requests access to an applicant’s or employee’s medical records (e.g., at the post-offer stage if all entering employees are asked for access to their medical records or during employment where the request for information is job related and consistent with business necessity), the employer include warning language like that provided for in EEOC’s regulations implementing Title II of GINA on any release to ensure that acquisition of any genetic information in response to the request will be considered inadvertent. Id. at §1635.8(b)(1)(i)(B).
Neither the ADA nor GINA specifically addresses the need for encryption, password authorization, and other security safeguards for electronic records maintained by employers. However, we do not interpret either statute’s confidentiality provisions as applying only to paper records. Therefore, if an employer maintains medical information and genetic information electronically, it must ensure that it is kept confidential, and disclosed only to the extent permitted by the ADA and GINA.
Title I of the ADA provides that information obtained by an employer regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a “confidential medical record.” 29 C.F.R. §1630.14(b)(1). Similarly, if an employer has genetic information obtained under one of GINA’s limited exceptions, it must also keep this information separate from personnel files and treat it as a confidential medical record. This information may be maintained in the same file as medical information obtained under the ADA. 29 C.F.R. §1635.9. Although both the ADA’s and GINA’s confidentiality provisions provide limited exceptions under which information may be disclosed, none of these exceptions specifically authorize an employer to allow access to medical information related to employment by individuals providing health services unrelated to employment. For example, the ADA and GINA would not permit a health professional treating an employee at the hospital where she works to view medical information provided in support of a request for reasonable accommodation.
An employer’s right to access personal health information about applicants and employees and to allow access to occupational health information by individuals providing health services unrelated to employment is strictly limited under both the ADA and GINA. Therefore, maintaining personal health information and occupational health information in a single EMR, particularly one that allows someone with access to the EMR to view any information contained therein, presents a real possibility that the ADA, GINA, or both will be violated.
We hope this information is helpful. This letter is an informal discussion of the issues you raised and should not be considered an official opinion of the EEOC.
Peggy R. Mastroianni
1 We assume that the term “personal health information,” as used in your letter, refers to information obtained in the course of diagnosis and treatment and that the term “occupational health information” refers to medical information concerning an employee’s ability to work (e.g., medical information gathered after a job offer has been made, or information concerning an injured employee’s ability to return to work).
2 As a result of the ADA Amendments Act, withdrawing a job offer based on an impairment will result in an individual being regarded as having a disability, unless the offer was withdrawn based on an impairment that was both transitory and minor. See 42 U.S.C. § 12102; see also 29 C.F.R. §1630.2(l).
This page was last modified on June 28, 2011.
Return to Home Page