You work in accounting for a government agency. You’ve been there five years. After trying to get pregnant for more than a year, you are thrilled to find out you’re carrying a baby. Although you want to share the news with an assistant accountant who is also a close friend, you wait until you start to show to do so. You are less thrilled about telling your boss, Nancy, who is a vice president. Nancy is universally disliked. She has been known to yell and throw things when she gets upset. Childless and single, she lives for her job and seems not to understand that not everyone chooses to live like that. Your relationship with her is poor, though you have tried everything and gone out of your way to get along with her. Fed up after her most recent outburst, you called your agency’s EEO office to report that this vice president was creating a hostile work environment.
Six months into the pregnancy, tragedy strikes. While at home one day, you start to bleed profusely. Your husband rushes home to take you to the hospital. You have a big agency report due tomorrow. Despite being in a panic about the bleeding, you tell him to make sure to call Kathy, your friend and coworker, so that she will know why you are not at work.
When you arrive at the hospital, the doctor gives you some horrible news. The baby is in cardiac arrest. You are rushed into the OR. Though distraught, your husband remembersto call Kathy. He knows her because she has been to your house for dinner with her husband. Through tears, he tells her that you are in the hospital “losing the baby.”
This hits Kathy like a punch in the gut. Looking at the photos of her fiveyearold daughter sitting on her desk, she starts to sob. She quickly gets up to leave. As fate would have it, she runs into Nancy at the elevator bank. Noticing how distraught Kathy is, Nancy asks, “What’s wrong?” Kathy replies that it’s personal. Nancy presses on, saying, “Listen, I’m sorry for whatever is going on, but we have this report to get out tomorrow. Do you know where Mary is? I just can’t have her out today.” Kathy blurts out, “For the love of God, Nancy, Mary is at the hospital right now losing her baby. Is that a good enough reason for you?” Nancy pauses briefly and says, “Does anyone else know about this?” As the elevator door closes, Kathy says, “I don’t know. I haven’t told anyone.”
In less than a minute, Nancy sends out an email to the entire staff asking them to meet in the conference room. At the meeting, Nancy tells everyone about your miscarriage. She expresses sympathy and says she “understands that everyone is upset about this tragic news.” She goes on to say, “We will be sending her flowers as an office today. But you all know that we have a big report to get out today. I know that she would want us to get that done, because she’s put a lot of hard work into it.”
1 This hypothetical is based on a modification of the facts in the case Walker v. Gambrell, 647 F. Supp. 2d 529 (D. Md. 2009).
For some reason, Nancy then goes rogue. She drafts a letter to you, expressing “deep sympathy for your situation,” then noting “I assume you will need time off to deal with this difficult situation. Just for our HR purposes here to arrange FMLA leave, can you let me know if you have any history of depression, including in your immediate family? Again, this isn’t to pry. I’m just trying to help out.”
Is what Nancy did legal?
The answer is complicated and likely depends on your jurisdiction and court. There are two potential violations: Nancy’s disclosure of your private medical information and Nancy’s inquiry about your medical history.
Some courts, including district courts in the Fourth Circuit, have ruled that an employer is not required to keep confidential any medical information that it discovers through any means outside of an employer initiated exam or inquiry. Therefore, because your coworker voluntarily blurted out the information about the miscarriage to Nancy, you likely do not have a claim.
However, Nancy has no reason to ask you about your history of depression, which is completely unrelated to your miscarriage; moreover, you have not yet asked for FMLA leave due to your medical condition. In addition, under the ADA, employers can only ask disability related questions that are job related and consistent with business necessity. Here, the question about your family history of mental illness has no bearing on any job related decision. Therefore, it is unlawful.
Read on to learn about several laws that can protect your confidential medical information. At the end of this chapter, I’ll share some strategies to protect you in the event that you face a scenario like the one above.
Medical Privacy Laws
Medical privacy in the workplace is protected by four federal laws:
1. The Health Insurance Portability and Accountability Act (HIPAA)
2. The Genetic Information Nondiscrimination Act (GINA) 3. The Americans with Disabilities Act (ADA)
4. The Family and Medical Leave Act (FMLA)
Depending on what state you live in, you may also be protected by state laws.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA primarily applies to healthcare providers and, in limited circumstances, to employers. The HIPAA privacy rule protects personal health information from unauthorized disclosure. Health information is considered personally identifiable if it relates to a specifically identifiable individual. Under 45 C.F.R. § 160.103, it generally includes the following information, whether in electronic, paper, or oral format:
1. Healthcare claims or healthcare encounter information, such as documentation of visits to the doctor and notes made by physicians and other provider staff;
2. Healthcare payment and remittance advice;
3. Coordination of healthcare benefits;
4. Healthcare claim status;
5. Enrollment and disenrollment in a health plan;
6. Eligibility for a health plan;
7. Health plan premium payments;
8. Referral certifications and authorization;
9. First report of injury;
10. Health claims attachments;
11. Healthcare electronic funds transfers (EFT) and remittance advice; and
12. Other transactions that the US Department of Health and Human Services (HHS) may prescribe in future regulations.
Normally, an employer will only deal with covered entities and not actually be one. However, if an employer has any kind of health clinic operations available to employees, provides selfinsured health plan for employees, or acts as the intermediary between its employees and healthcare providers, it will find itself handling personal health information that is protected by the HIPAA privacy rule. So, if your employer is not a healthcare provider, generally HIPAA will not apply to disclosures of your personal health information by your employer. However, as mentioned above, if your employer needs information from your doctor to verify a claim under the ADA, FMLA, or Rehabilitation Act, you will probably need to provide your doctor with a HIPAA form authorizing a release of medical information.
HIPAA is enforced by the HHS; this is the only agency that will accept your report of a HIPAA violation.
Genetic Information Nondiscrimination Act (GINA)
GINA protects against the use of genetic information in health insurance and employment determinations. GINA’s confidentiality regulations are contained in 29 C.F.R. § 1635.9. The regulations define “genetic information” as including information about genetic tests of an individual and her family members, her family’s medical history, the request for or receipt of genetic services, or participation in related clinical research. It excludes information about sex, age, and race or ethnicity that is “not derived from a genetic test.”
If an employee asks for medical leave to care for herself or for a family member with a serious health condition, an employer may receive this information as part of the certification provisions of federal, state, or local laws that require employees to provide information about a family member’s illness to support the need for leave. An employer cannot use this information to make hiring, firing, job placement, or promotion decisions, or to make any change in the terms or conditions of employment.
Note that GINA applies only to employers with fifteen or more employees.
The ADA requires your employer to keep confidential any medical information you share during the hiring process, the results of a workrelated medical exam, information about a disability that you share to get an accommodation, information shared as part of an employer’s wellness program, and the results of drug tests. Note that the ADA does not protect information relating to your use of illegal drugs.
The FMLA allows employers to obtain medical records from your healthcare provider to verify your claims. For example, if you are taking leave under the FMLA to care for a sick loved one, your employer can ask for medical verification that you or your family member has a serious health condition. The Department of Labor’s website has a verification form that you may use to provide this information to your employer, but it is not required. Your doctor may require a HIPAA form to provide information to your employer.
Laws That Apply to Federal Employees
The records of those who work in the federal government may be protected by the Privacy Act of 1974. You can find the statute at 5 U.S.C. § 552a. The Rehabilitation Act of 1973 prohibits discrimination by federal employers and contractors as well as in programs administered by federal agencies and programs that receive federal financial assistance. This law is interpreted according to the standards applicable to ADA claims.
So, you are making a request under the ADA or FMLA, but you’re worried about the claim being in your employment file for all to see, right? Well, don’t fear. The results of medical exams and any medical records obtained must be kept confidential and kept in a separate medical file apart from your employment personnel file.
Your employer is not bound by the regulations under HIPAA, because it is not a healthcare provider. It must keep your medical file confidential, but under the ADA, it can release the information to your supervisor or managers who need to know about your restrictions or accommodations. It may also share this information with first aid or safety personnel, if your disability requires treatment in the event of an emergency. Additionally, your employer may share the information with government officials investigating compliance with these acts. Finally, your personal health information may be disclosed for worker’s compensation and insurance purposes.
If you are applying for a job, the employer cannot ask whether you are disabled or whether you are associated with (meaning that you take care of) anyone who is disabled. Nor can it ask about the nature or severity of a disability. However, it can ask whether and how you can perform the job with or without a reasonable accommodation.