By Judith Langevin – October 23, 2015
There are several reasons an employer might have employee health information, ranging from the results of a pre-employment physical to the contents of a request for FMLA leave to what’s written in a health provider’s note about the need to be absent from work. Employers may also have records related to health insurance or wellness programs. It’s important to remember that any health or disability-related information obtained from or about employees should be treated with special care.
The Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA) and comparable state laws restrict the circumstances in which an employer can obtain health or disability-related information from applicants or employees. Perhaps less well known is the fact that federal law and the laws of some states (such as Minnesota, California, and Virginia) also dictate how health information should be maintained and secured. Although the ADA only applies to employers with 15 or more employees, state laws may apply to employers with a single employee. Be sure to learn the requirements of your state law, as well as the requirements of the ADA.
Even if an employer is not required by state or federal law to maintain employee health information in a particular fashion, careless handling could lead to claims of invasion of privacy, negligence, or intentional infliction of emotional distress. If health information is kept in electronic form, it is subject to data breaches, just like other forms of personally identifiable information, and may become the subject of data breach notification requirements as well as individual or class claims.
Here are some best practices for the handling of employee health and disability-related information:
- Ask only for what you really need and can lawfully obtain.
- Secure the information as carefully as you secure Social Security numbers. Keep it under lock and key if you use paper, and if it is stored electronically, limit access to those with a current, legitimate need to know.
- Keep health-related information separate from other personnel records. Don’t put it in employees’ regular personnel files or make it available to personnel decision-makers unless it is clearly relevant and a legitimate consideration.
- Remember that health information is broadly defined. If it refers or relates to an employee’s illness, disability, general health condition, health-related absence, or efforts to improve health, it should be handled with care.
- Don’t keep health information that you no longer need. Consistent with your overall record retention policy, retain employee health and disability-related information only as long as legally required.
- Require any vendors or third parties who may have access to your employees’ health information to secure it and follow best practices in handling it.