An employer’s right to access personal health information about applicants and employees and to allow access to occupational health information by individuals providing health services unrelated to employment is strictly limited under both the ADA and GINA. Therefore, maintaining personal health information and occupational health information in a single electronic medical record, particularly one that allows someone with access to the EMR to view any information contained therein, presents a real possibility that the ADA, GINA, or both will be violated.
ADA Americans with Disabilities Act (ADA). An employer’s right to access personal health information is governed by the provisions of the ADA that limit an employer’s right to make disability-related inquiries and conduct medical examinations of applicants and employees. See 42 U.S.C. § 12112(d); 29 C.F.R. §§ 1630.13 and 1630.14. The Commission has not explicitly addressed whether accessing personal health information stored in the same EMR as occupational health information would constitute a disability-related inquiry. However, there seems to be no basis for distinguishing between this situation and others that the Commission clearly has said would be disability-related inquiries, such as where an employer asks an employee or an employee’s doctor to provide documentation about a disability or searches through an employee’s belongings for the purpose of uncovering information about a disability. See Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees Under the Americans with Disabilities Act at Q. 1 & n.20 (July 27, 2000), http://www.eeoc.gov/policy/docs/guidance-inquiries.html.
Title I of the ADA limits when an employer may obtain medical information and how that information can be used at three stages: before extending a job offer, after an offer is made but before an individual starts working, and once a person is on the job. Prior to extending a job offer, an employer generally may not ask any disability-related questions and may not require medical examinations of applicants. See 29 C.F.R. §1630.13(a). After extending an offer of employment but before an individual begins work, an employer may make disability-related inquiries or require medical examinations, regardless of whether they are related to the job, as long as it does so for all entering employees in the same job category. Id. at §1630.14(b). This could include requesting an individual’s consent to access his personal health information. However, because the ADA prohibits an employer from withdrawing a job offer from an individual with a disability or making other discriminatory decisions based on a person’s actual or perceived medical conditions, an employer should be careful not to obtain more information than is necessary to determine whether a person can do a job, even at the post-offer stage.
Once an individual begins working, an employer may only ask disability-related questions or require medical examinations that are job related and consistent with business necessity. 29 C.F.R. at §1630.14(c). Generally, this means that an employer may only obtain medical information where it reasonably believes that an employee will be unable to perform the job or will pose a direct threat due to a medical condition. Medical information also may be obtained to determine whether an employee with a non-obvious disability is entitled to a requested reasonable accommodation or satisfies the criteria for using certain types of leave, such as leave under the Family and Medical Leave Act or under the employer’s own sick leave policy. In all of these instances, however, the information sought must be limited in scope. For example, an employer cannot ask for, or view, an employee’s complete medical record because it is likely to contain information unrelated to the need to make an employment-related decision. Of course, an employer may not obtain medical information about an employee or view an employee’s personal health information unless the employee has executed an appropriate release. See, e.g., Revised Enforcement Guidance on Reasonable Accommodation and Undue Hardship Under the Americans with Disabilities Act (Oct. 17, 2002) at Q. 6 & n.28, http://www.eeoc.gov/policy/docs/accommodation.html.
GINA The Genetic Information NonDiscrimination Act (GINA) places additional constraints on an employer’s ability to obtain personal health information. With limited exceptions, GINA prohibits employers from requesting, requiring, or purchasing genetic information (e.g., information about an individual’s genetic tests, genetic tests of a family member, or family medical history) about job applicants and employees or their family members at any time, including during the post-offer stage of employment. 29 C.F.R. §1635.8(a)-(b). Accessing an individual’s medical records directly is no different from asking an individual for information about current health status, which the Commission considers a request for genetic information where it is likely to result in the acquisition of such information, particularly family medical history. Id. at § 1635.8(a), (b)(1)(i). Employers, therefore, should be careful about asking individuals to sign an authorization for release of their EMRs because it is likely that these records will contain genetic information. We recommend that if an employer lawfully requests access to an applicant’s or employee’s medical records (e.g., at the post-offer stage if all entering employees are asked for access to their medical records or during employment where the request for information is job related and consistent with business necessity), the employer include warning language like that provided for in EEOC’s regulations implementing Title II of GINA on any release to ensure that acquisition of any genetic information in response to the request will be considered inadvertent. Id. at §1635.8(b)(1)(i)(B).
Confidentiality. Neither the ADA nor GINA specifically addresses the need for encryption, password authorization, and other security safeguards for electronic records maintained by employers. However, we do not interpret either statute’s confidentiality provisions as applying only to paper records. Therefore, if an employer maintains medical information and genetic information electronically, it must ensure that it is kept confidential, and disclosed only to the extent permitted by the ADA and GINA.
Title I of the ADA provides that information obtained by an employer regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a “confidential medical record.” 29 C.F.R. §1630.14(b)(1). Similarly, if an employer has genetic information obtained under one of GINA’s limited exceptions, it must also keep this information separate from personnel files and treat it as a confidential medical record. This information may be maintained in the same file as medical information obtained under the ADA. 29 C.F.R. §1635.9. Although both the ADA’s and GINA’s confidentiality provisions provide limited exceptions under which information may be disclosed, none of these exceptions specifically authorize an employer to allow access to medical information related to employment by individuals providing health services unrelated to employment. For example, the ADA and GINA would not permit a health professional treating an employee at the hospital where she works to view medical information provided in support of a request for reasonable accommodation.