Private matters – employees’ private medical records – includes related information on employer precautions – Cover Story

Dan Wise

It’s getting harder to safeguard workers’ confidential medical files, and riskier not to. Here’s what employers need to know.

With a slip of the tongue, Motorola Corp. became the target of an invasion-of-privacy lawsuit. Joy Miller, an assembly-line worker for the electronics company in Schaumburg, Ill., was approached by another employee shortly after she’d returned to work from a medical leave several years ago. “How did you cope with your mastectomy?” the coworker asked, according to court filings. Miller had wanted her experience to be entirely private.

According to her attorney, Stanley Jakala of Berwyn, Ill., Miller had consulted a company nurse about medical leave for the surgery. Somehow, details of Miller’s condition got out to her coworkers, despite promises by the nurse that the information would be kept confidential.

Miller’s lawsuit, filed in Cook County Circuit Court in 1989, was initially dismissed. On appeal, the First District Appellate Court of Illinois overruled the lower-court judge, contending the incident involved a “public disclosure of a private fact,” based on the plaintiff’s “special relationship” with her coworkers. Before the scheduled trial, Motorola and Miller reached an undisclosed settlement.

Safeguarding confidential medical information is getting tougher, benefits managers say. To rein in health costs, employers must use a variety of tactics, including health-promotion efforts, detailed health screenings, wellness incentives, employee assistance programs, onsite primary-care clinics, and case management. Making these efforts pay off often requires the collection of sensitive, personal medical information.

While employers depend on outside vendors–such as third-party administrators, EAP companies, and other health-management consultants–to insulate them from receiving identifiable data, the potential exists for abuse or human error. And benefits offices can’t avoid handling some personal information. For example, when an employee is denied coverage or prompt payment of a claim, he or she will typically ask the benefits office to intervene.

Benefits managers and employment managers recommend that employers implement tight security and internal systems to control access to personal information, promote clear articulation of policies, and institute strict discipline for breaches of security. (See “Keeping Secrets Safe: Precautions for Employers,” below.) However, they acknowledge that a vast uncharted legal territory exists where employers’ other responsibilities clash with an employee’s need for privacy. These clashes occur primarily in the areas of hiring, wellness incentives, and employee assistance programs.


The Americans with Disabilities Act (ADA), enacted in 1990, imposes strict penalties for actual or perceived discrimination in hiring or promotion practices involving disabled individuals. Under the ADA, pre-employment medical exams are limited to probing an applicant’s ability to perform the job in question. Benefits experts warn, however, that physicians conducting pre-employment exams may be unaware of the complexities of the ADA and could put employers in jeopardy by furnishing them with too much information.

“An employer has a duty under the ADA to determine if an employee is capable of doing the job with or without reasonable accommodation,” says Mark Mallery, a partner in the New Orleans law firm of McCalla, Thompson, Pyburn, Hymowitz & Shapiro. “But his duty is limited to that.”

Mallery, who co-chairs an American Bar Association subcommittee on workplace privacy, says employers who decline to hire an applicant on legitimate grounds could be open to a discrimination charge if their files contain information about the applicant’s medical condition or handicap that does not fit the ADA’s narrow limits for the pre-employment exam.

For example, a doctor’s report to the employer might say the applicant has a chronic back condition that might limit his ability to perform the job in the future. Such a report, according to Mallery, would not be grounds for refusing to hire the applicant if the back condition did not currently hinder his ability to do the job.

The Equal Employment Opportunity Commission (EEOC), which administers the ADA, says the law bars employers from withdrawing a job offer unless the reasons are job-related or unless they believe placing the individual in the job would directly threaten his or her health or safety–and no options for reasonable accommodation exist.

Although the ADA does permit broader inquiries about previous ailments, injuries, and workers’ compensation claims before the hiring process is completed, there are three stipulations:

1. The medical exam or a health questionnaire must come after the applicant has been offered a job (a stage referred to as “post-offer”).

2. The inquiry must be required of all employees entering that job category.

3. Any medical information collected must be segregated from other personnel files.

The post-offer medical exam enables employers to obtain base-line information that could be used later to determine whether an on-the-job injury was an aggravation of an existing condition or a previous injury. Such information could lessen the employer’s liability for workers’ comp benefits.

Libby Sartain, employee benefits director for Southwest Airlines in Dallas, says her company concluded that the exam wasn’t worthwhile because the burden of proof for excluding someone on medical grounds was so great. Worse, she adds, if the employee is found incapable of doing the job, the accumulation of information from the post-offer exam might provide the employee with ammunition to claim the employer discriminated against him.

Nevertheless, Sartain, whose company employs 1,600 people, worries that the airline’s policy of not conducting post-offer medical exams may saddle it with unnecessary workers’ compensation costs. “We’re concerned that we could be hiring people with bad backs, and could end up with workers’ comp injuries that are actually aggravations of previous injuries,” she says. “Without the exam, we won’t know that.”


Employers who provide their work force with wellness programs and incentives for healthy behavior also risk legal peril.

The Coors Brewing Co. in Golden, Colo., is one of many that ask all new hires to complete a health-risk appraisal (HRA) questionnaire as part of a wellness-incentive program. Employees who complete the voluntary survey can have their health-care benefit reimbursement levels raised from 85 percent to 90 percent. Those with high risk factors get the boost only if they agree to participate in risk-reduction programs, many of which are administered at Coors’ own wellness center.

Wellness-center counselors advise the employee on how to improve his or her health. According to P.J. Brosmith, Coors’ quality-improvement administrator for employee benefits, the only information garnered from the survey that is relayed to the Coors employee-benefits office is whether the employee took the HRA, whether recommendations were made, and whether the employee chose to accept them. The benefits office then determines the employee’s eligibility for the higher benefits. Employees are asked to sign a release form for any transfers of information among the medical department, the wellness center, and the in-house EAP program, Brosmith adds.

The barrier between these groups and the legal department may not be so high, however. Last May 18, an article in The Wall Street Journal found a dark side to this company-orchestrated concern about health. It noted that one of Coors’ subsidiaries, Coors Ceramics, which also uses the wellness center, had persuaded an administrative law judge to deny a widow’s claim for survivors’ benefits, using information from Coors’ wellness center.

The woman’s husband, Richard Truman Fletcher, had died of a heart attack, which she claimed was job-related. It occurred two weeks after he’d received a job demotion. Many states allow survivors’ benefits if a worker’s death is job-related. Coors argued that Fletcher’s death was due to his smoking, and data from the wellness center showed that Fletcher had admitted to smoking 1 1/2 packs of cigarettes a day since he was 14. The judge deemed this fact sufficient evidence to deny the widow’s claim to survivors’ benefits. Coors officials declined to discuss the case.

Benefits managers at Coors and other companies say they have a legal right to obtain medical information to defend themselves against lawsuits, and that plaintiffs give up their confidentiality rights when they initiate legal action.

However, some wellness incentive programs inherently raise invasion-of-privacy issues, says Bob Eicher, a benefits consultant with A. Foster Higgins & Co. in New York. He cites the example of an employer who uses supervisors to help implement its wellness bonus program. Based on questionnaires covering both the employee and the spouse, a list of employees entitled to the wellness discount is prepared and distributed to supervisors. The supervisors must verify if the information on items such as smoking and maintaining weight proportional to height is correct for both the employee and spouse. “The company’s view is that it’s giving employees a break, and the questionnaire is its only way of checking,” Eicher says.

While laws such as the ADA expressly permit voluntary health inquiries for wellness programs, some of the law’s interpreters are examining the role of incentives in wellness programs. Naomi Levin, a senior attorney for the ADA policy division of the EEOC, asks whether a wellness survey can truly be considered voluntary if employers provide a substantial financial reward for employees who complete it. “‘Voluntary’ hasn’t been defined by the EEOC’s rule-makers,” Levin says, “but we’re sure not every wellness program that calls itself voluntary is voluntary.”

But questionnaires don’t have to be voluntary. It may be permissible for employers to require employees to complete one, as long as the questions are job-related, are a business necessity, or are related to insurance activities. Levin says that means the questions must pertain to the setting of benefit levels and may not be a “subterfuge to discriminate on the basis of a disability.”


Employee assistance programs present another potential minefield of legal claims for employers. EAPs are promoted as an area in which confidential help with personal problems is promised to employees. But EAPs also serve the employer, who wants to ensure a safe workplace and identify unproductive workers.

The use of outside vendors can safeguard a company from claims that it has access to private information from the EAP, but only if the company’s contract with the vendor is explicit about what information can be shared, says Craig Piso, of Greenspring Health Services Inc., a behavioral health services program in Parsippany, N.J. Companies with internally operated EAPs, however, argue that they follow the same professional codes of confidentiality that govern independent vendors.

The issue of EAPs gets stickiest when a supervisor orders a poorly performing employee to consult with the program’s counselors. For example, a supervisor may suspect habitual drinking is contributing to an employee’s absenteeism and poor job performance. In lieu of immediate discipline or firing, the supervisor may order the employee to consult with EAP counselors for a formal referral. After the consultation, EAP professionals say, the employee’s supervisor is entitled to some information about the session, although not to specific details about the employee’s problems or the counselor’s diagnosis.

Gary Atkins, chief of special services for Value Behavioral Health, an EAP and managed mental-health administrative firm in Washington, says EAPs typically provide the referring supervisor with yes-or-no answers to several specific questions. Brosmith of Coors agrees. EAP counselors in his organization limit the information they will provide in a management referral to the following: Did the employee make the appointment with the EAP? Were recommendations made? Did the employee agree to follow them?

Brosmith and other benefits managers and EAP professionals interviewed for this article were adamant that details of EAP conferences, whether for mandatory or voluntary referrals, are not shared routinely with management. EAP information, however, can be obtained if an employee sues the employer. If, for instance, an employee challenges a denial of workers’ compensation benefits for work-related stress, the employer can subpoena or delve into EAP counseling records to seek evidence of other sources of stress in the employee’s life. Generally, employment-law specialists say, a judge makes a determination as to what information in such records is usable as evidence.

James Connolly, vice president of benefits and compensation for Leslie Fay Cos. Inc., a ladies’ garment manufacturer in New York, says benefits managers don’t want to spread confidential employee information, though they do have to handle a lot of it. “You are involved in an individual’s life; there’s no getting around it,” he adds. Connolly is concerned about the trends leading to the accumulation by employers of greater and greater amounts of personal information about employees. And he isn’t reassured by vendors who claim to “sanitize” much of the employee-specific data before providing it to the employer. “The fact is,” Connolly says, “the information is there. If someone wants it, he can get it. The potential for abuse is there.”

Compounding that problem are laws–such as the ADA and the Family and Medical Leave Act–and certain Occupational Safety and Health Act (OSHA) regulations, which are designed to protect employees. The ADA, for example, is so new and so intrusive that benefits personnel are unsure how to comply with it. Enforcement guidelines and technical assistance are being provided by the EEOC staff, according to attorney Levin, but it will take at least a year before the final regulations are approved.

Employment-law experts say that’s only the beginning. It may be several years before clear trends emerge in interpretations of those regulations in courts and in other regulations. New Orleans attorney Mark Mallery believes confidentiality and privacy issues will continue to multiply. “There are excessive pressures on employers to resolve the social problems of society,” he notes. “They will constantly struggle to stay on top of what they are supposed to do.”

Keeping Secrets Safe: Precautions for Employers

The release of confidential data can harm not only the employee or family member who is the subject of the information, but also the employer responsible for keeping the secret safe. Employers can take the following precautions to keep private information private and protect themselves from legal problems arising from confidentiality breaches.

* Designate a privacy czar in the human resources department. A single individual or group should be charged with maintaining medical files, advises Mark Mallery, an employment law attorney in New Orleans. Make him responsible for keeping them strictly segregated from other personnel files, as well. The privacy czar also should keep up to date on privacy regulations and should serve as the resident expert on the subject.

* Keep nothing in those records that you don’t need. Establish and rigorously police what goes into personnel files. For example, physicians who conduct post-offer, pre-employment physicals (to determine whether an applicant can do the job in question, as well as whether he has a pre-existing condition the employer should know about) may include more information in their report than is legally permissible for supervisors to have. Make sure reports on referrals to EAPs contain only necessary and legally permissible information. For instance, such a report can say that an individual was referred to the EAP, kept the appointment, and agreed to a treatment plan. It should not include a description of the problem, specific diagnosis, or other details.

* Standardize when, where, and how promises of confidentiality are made. Ensure that all units of the company use the same language and forms when communicating with employees on confidentiality. Such a statement on confidentiality should include all exceptions to confidentiality rules, including the possibility that records could be examined in the event an employee becomes a party to litigation against the employer. Also, standardize the timing of these disclaimers. Typically, these are discussed at the first meeting between the employee and a health provider or counselor, rather than being included in an employee benefits manual.

* Confirm that vendors’ confidentiality policies are in harmony with your own. Look closely at their internal policies on handling outside inquiries, how they maintain files, and how they discipline employees who violate those rules. Put your expectations about the protection of employee information into your vendor contracts.

* Coordinate your privacy precautions with those of your vendors. Be sure that the way you handle sensitive information conforms with that of your third-party administrator, insurer, or other vendor. For instance, use a numeric code to refer to a medical condition, instead of naming it in correspondence about a claim.

COPYRIGHT 1995 A Thomson Healthcare Company

COPYRIGHT 2004 Gale Group