By Jill Pedigo Hall

Consider these frequently occurring conversations:

• Kathy returns from FMLA leave and is overheard by supervisors talking in a loud voice with a group of coworkers in the lunch room about her depression that required her leave.
  
• The next day, Kathy is overheard again, this time on the elevator talking with a coworker about the complications that another coworker, Joan, is having as a result of recent surgery. Kathy has learned this as a function of her role as a manager in the office.
  
• Mary needs to be suddenly and unexpectedly absent for some medical testing. She tells her supervisor, Mark, that she will need to be absent that day for medical testing and tells him the reason for the testing. In a team meeting during Mary’s absence, Mark explains that Mary is absent because she is undergoing some tests. When Mary returns, Mark asks Mary to share the reason for the testing with the team to allay their concerns for her health.
  
• Jeff seeks FMLA leave through Human Resources for a highly personal medical condition. He does not tell his supervisor, John, about his medical condition and does not share it with any coworkers. When Jeff returns from leave, Human Resources tells John only that Jeff is limited to working four hours per day for the next six weeks. As a result, other members of Jeff’s team are required to pick up work Jeff is not doing. John approaches Jeff and tells Jeff it would really help if he would tell him and the coworkers the reason he cannot work the full schedule because John is in a difficult spot with coworkers who are resentful about having to do the extra work.

In each of these common situations, the boundaries around protecting the privacy of employee medical information have been crossed. These and similar scenarios raise basic questions. When an employee goes out on medical leave or returns with reduced or restricted duty, what can the employer say? More particularly, do boundaries shift when an employee volunteers medical information in the workplace? If an employee openly shares private medical information, does an employer still need to treat it as private? Is there a way for an employer to communicate about medical leave in a way that balances preserving medical privacy but at the same time alleviates team member concerns or frustrations?

Answers to these and related questions can be found in federal and state laws governing employee medical privacy. The primary, pertinent federal laws governing this are the Americans with Disabilities Act (“ADA”) and the federal Family and Medical Leave Act (“FMLA”). These laws and their state statutory counterparts define how, when, and the extent to which an employer may disclose medical information of current employees, and these laws are highly restrictive. The laws require that any information obtained by an employer regarding the medical condition or history of an applicant or employee be collected and maintained on separate forms, kept in separate files, and treated in a confidential manner. Employers may only disclose such information to (1) supervisors and managers who need to be informed regarding necessary work restrictions and necessary accommodations; (2) first-aid and safety personnel who need to be informed about emergency treatment; and (3) government officials who are investigating compliance-related issues. Information may also be released for purposes mandated by local, state, or federal law. Notably, the ADA protects all employees, not just persons with disabilities, against the inappropriate gathering and disclosure of confidential medical information.

The FMLA also protects against disclosure of an employee’s medical information by limiting an employer’s right to request or question such information. Private medical information may be protected from disclosure on a more limited basis under the Genetic Information Nondiscrimination Act of 2008 (“GINA”), a federal law protecting individuals from genetic discrimination in health insurance and employment, and under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which relates only to health care providers and health plans. It is a common misconception that HIPAA directly regulates employers or covers medical or disability information obtained by employers for employment purposes, such as leave programs.

The extremely limited nature of approved disclosure of employee medical information informs us that even if an employee has openly discussed or shared some aspect of private medical information, an employer cannot declare “open season” on that employee’s medical information to use or disclose it, even if that disclosure is done with the best of intentions. The laws do not contemplate any waiver of that privacy unless the employee places their medical condition at issue in litigation. This means that, notwithstanding the common sense courtesy that dictates one does not discuss a coworker’s personal medical situation, when an employee shares private medical information with a supervisor or administrator, privacy laws prohibit any further disclosure of the information. Thus, Kathy’s elevator discussion and John’s team meeting disclosure could be considered ADA violations. Moreover, an employee’s clear right to maintain privacy should not be challenged even by well-meaning superiors who are trying to address management problems.

Practical Steps for Preserving Medical Privacy

More clear and direct communication to employee and management about the rules around employee medical privacy can be the most effective way to prevent not only illegal disclosure but also eliminate any misunderstandings in the workplace. Practical steps an employer can take to ensure medical privacy rights are protected include the following:

• Review your internal practices regarding the communication, processing, and protection of employee medical information.
  
• Implement a medical privacy policy that clearly defines employee medical privacy rights and train employees regarding it.
  
• Ensure that employee medical information is maintained in separate, locked files. Identify those within the workplace with a need to know such information, and ensure that only they have access to such files.
  
• Provide regular training to all employees on medical privacy and appropriate communication, including refraining from discussing or disclosing information that could impact or violate employees’ medical privacy.
  
• Train supervisors and management on how to preserve employee medical privacy while addressing team member concerns. (For example, rather than simply stopping any conversation with a response such as, “I am not at liberty to tell you why Jeff can’t work a full shift,” John could reinforce a medical privacy culture and re-focus the conversation on the other employees by saying, “Just as I would not share your private medical information, I cannot share Jeff’s. However, let’s look at what we can do to reduce the amount of work you are doing right now.”

In particular, ensure that policies and practices demonstrate a workplace culture where it is understood and accepted that medical privacy is protected.