Note, this article is part of our continuing series of articles titled “Dealing With….”. This special series is designed to provide simple practical advice of immediate usefulness to federal employees (and even local and state employees to a certain degree) dealing with certain situations specifically indicated in the article.
The safeguarding and regulatory compliant handling of Protected Health Information (PHI), also referred to simply as medical information, in our opinion, presents one of the most significant risks for federal agencies and managers (particularly with an aging workforce and increased frequency of FMLA, Reasonable Accommodation, and sick leave use). Violations in the handling of this information is almost routine in our opinion and we are constantly correcting managers in the handling, use, and management of this information, whether leaving PHI on a desk in plain view or openly discussing medical diagnosis with staff who have absolutely no need to know. Nothing surprises us anymore whether the information is submitted in connection with a Reasonable Accommodation request or a request for leave under the Family Medical Leave Act.
There are a myriad of laws and regulations, not to mention provisions of collective bargaining agreements (potentially), that apply to the handling of employee medical information in connection with employment. The Americans with Disabilities Act (ADA), 42 USC 12112 (d)(3)(B) and 12112(d)(4)(c), requires employers to maintain information regarding medical condition and history of employees with disabilities in separate medical files and to treat such information as confidential. See also 29 CFR 1630.14 (b)(1), (c)(1), and (d)(1). Whereas, the Privacy Act prohibits agencies from disclosing records contained in a system of records to any person, or to another agency, except pursuant to a written request by the individual to whom the record pertains. See, 5 USC Section 552a(b). Vast provisions of the Rehabilitation Act also apply, requiring (and reiterating) the requirement to maintain separate files, apart from other records such as disciplinary files, when they contain medical records. See, Complainant v. Department of Justice, Federal Bureau of Prisons, 0520130125, 114 FEOR 252 (EEOC 2014).
What You Should Expect
As noted in Grey v. U.S. Postal Service, EEOC No. 0120121846 (EEOC OFO 2012), confidentiality requirements apply to any medical information from any applicant or employee, not only individuals with disabilities. Federal agencies possess the authority to request and handle employee medical information in connection with employment matters. This authority extends to applicants but is not limited in that regard. For example, an agency may ask for information possibly connected to a disability provided it is job-related and consistent with business necessity. See, Slavin v. U.S. Postal Service, EEOC No. 0120061503 (EEOC OFO 2007). Requests of this nature also extend to situations in which an employee may exhibit “unusual behavior” or the agency otherwise establishes a reasonable belief a worker poses a direct threat due to a medical condition or that he is unable to perform the essential functions of his position due to a medical condition. See, Watson v. U.S. Postal Service, EEOC No. 0120121195 (EEOC OFO 2013) and Norton v. Department of Veterans Affairs, EEOC No. 01A51018 (EEOC OFO 2006).
When a federal employee submits medical information in connection with employment, for any reason, whether voluntarily or requested/ordered by the agency, they have a right to expect that this information will be protected in accordance with law, and frankly, common sense. This applies to medical information submitted in connection with FMLA, sick leave, a fitness for duty examination, Reasonable Accommodation requests, job applications, a return to duty, or for any other reason. Failure by the agency to properly safeguard an employee’s health information is typically actionable under EEOC guidelines and possibly a civil action. Awarded damages can range from minimal to significant.
SIDEBAR: Whether voluntarily submitted or otherwise ordered and received by an agency, all employee medical information must be protected.
Any violation of confidentiality concerning Protected Health Information (PHI) is actionable and should not be taken lightly, especially by managers. The violation does not have to be discriminatory in nature; it stands alone, typically under the Rehabilitation Act, and otherwise referred to as a per se violation. See, Fisher v. DOD, Department of the Army, (EEOC OFO 09/04). In other words, even if the rest of a complainant’s EEO claims fail at hearing, the mishandling of medical information remains a violation of the Rehabilitation Act.
Some examples of a violation concerning Protected Health Information could include:
- Disclosure to unauthorized persons (no need to know)
- Leaving the information unattended on an office desk
- Sending the information to the wrong person
- Disclosing the information off duty to non-agency employees
- Losing the information
- Not maintaining the information in a separate folder, apart from other employment records
- Placing the information in a “six-part folder”
- Giving the information to a gaining supervisor
However, each case is fact dependent and professional consultation should be obtained to assess the individual circumstances of each case.