Special Privacy Concern: Employer-Held Medical Records

By: Melanie M. Dunajeski, Drewry Simmons Vornehm, LLP

The employment relationship frequently places the employer as the recipient of sensitive employee personal and medical information. A variety of laws, including the Americans with Disabilities Act (ADA), the Genetic Information Non-Discrimination Act (GINA), and the Family and Medical Leave Act (FMLA), among others, place responsibility on an employer to treat employee medical records as confidential files. Medical records may not be maintained as part of an employee’s main personnel file. Medical records must be maintained separately, securely, and with access strictly limited to specific enumerated persons and situations. An employer may face federal or state agency sanction for failure to maintain such separate and secure records, and an employee may also pursue various claims against an employer for violation of privacy.

The EEOC recently gave some insight into how it will treat an employer who fails to properly segregate and secure such records—even where no breach of the employee’s privacy actually arises. The case, Celine D. v. Brenner, Postmaster General, involved a federal employee’s Rehabilitation Act claim that her general personnel file included copies of some of her medical records, and that such file was widely accessible within the agency, even though there was no evidence that anyone had ever accessed her records. In essence, it was a claim for improper storage of her medical records. In the agency appeal, the EEOC found that the employer’s act of improper storage of Celine D.’s medical records, even without any evidence that the records had been accessed or that the employee’s privacy had been compromised, was a violation of the Rehabilitation Act.

The EEOC’s position is significant because, although the Rehabilitation Act does not apply to private employers, the identical medical record privacy provisions occur in the Americans with Disabilities Act (ADA), which does apply to private employers. There is no reason to believe that the EEOC will interpret this issue differently for claims against private employers. Employers should act promptly to ensure that medical records are separately and securely maintained, and that access to these records complies with current state and federal law.