In response to a letter asking for guidance on whether maintaining an employee’s personal health information and occupational health information in a single Electronic Medical Record (EMR) violates the privacy requirements of the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), the EEOC noted that neither the ADA nor GINA specifically addresses the need for encryption, password authorization, and other security safeguards for electronic records maintained by employers. However, the agency does not interpret either statute’s confidentiality provisions as applying only to paper records. Therefore, if an employer maintains medical information and genetic information electronically, it must ensure that it is kept confidential, and disclosed only to the extent permitted by the ADA and GINA.
The letter pointed out that Title I of the ADA provides that information obtained by an employer regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a “confidential medical record.” Similarly, if an employer has genetic information obtained under one of GINA’s limited exceptions, it must also keep this information separate from personnel files and treat it as a confidential medical record.
The EEOC said that although both the ADA’s and GINA’s confidentiality provisions provide limited exceptions under which information may be disclosed, none of these exceptions specifically authorize an employer to allow access to medical information related to employment by individuals providing health services unrelated to employment. For example, the ADA and GINA would not permit a health professional treating an employee at the hospital where she works to view medical information provided in support of a request for reasonable accommodation.
The agency concluded that an employer’s right to access personal health information about applicants and employees and to allow access to occupational health information by individuals providing health services unrelated to employment is strictly limited under both the ADA and GINA. Therefore, maintaining personal health information and occupational health information in a single EMR, particularly one that allows someone with access to the EMR to view any information contained therein, presents a real possibility that the ADA, GINA, or both will be violated.