[BreachExchange] Do your employee medical files meet ADA privacy requirements?
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Dec 8 16:10:03 EST 2017
https://www.bizjournals.com/bizjournals/how-to/human-resources/2017/12/do-your-employee-medical-files-meet-ada-privacy.html
Contrary to popular belief, the most significant law for employers with
regard to medical privacy is the Americans with Disabilities Act, not the
Health Insurance Portability and Accountability Act.
Employers, in their activities as employers (as opposed to health plan
sponsors), are not included under the HIPAA provisions. In their activities as
plan sponsors, however, HIPAA privacy rules require that protected health
information be kept private and secure.
Under the ADA, any employment-related documentation containing medical
information must be maintained in confidential files completely separate
from the general personnel file. That way, medical information won’t be
inadvertently shared with individuals who don’t have a legitimate business
need to see it.
What constitutes medical information?
Medical information can be anything related to an employee’s medical
condition. It might be the results from pre-employment physical exams,
information the employee provides about medications or medical history, and
even information obtained through a wellness program.
The ADA’s recordkeeping requirements also cross over with other laws. For
instance, records such as medical certifications, recertifications, or
medical histories under the Family and Medical Leave Act qualify as medical
information under the ADA. Occupational exposure records under the
Occupational Safety and Health Act also qualify as medical information
under the ADA.
How many separate files?
While medical information under the ADA needs to be kept separate from
general personnel files, employers are allowed to combine all medical
information in a single medical file for each employee. For example, it is
not necessary to have separate medical files for ADA, OSHA and FMLA
information.
Paper or electronic?
When medical files are stored in file cabinets, the cabinets must be locked
or kept in a locked room. Individuals with access to these files should be
limited to those with a distinct business need.
An employer also has the option to maintain employee medical information
electronically. Even though the ADA does not specifically address
electronic security, the Equal Employment Opportunity Commission (which
enforces the ADA) also expects confidentiality for electronic medical files.