There is understandable confusion among employers about the various laws affecting workplace confidentiality. This article will attempt to clarify the obligations of employers when dealing with employee medical information. In addition, a helpful reference chart comparing the confidentiality requirements of the various federal laws can be accessed by clicking here.


Although the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, Title II, which contains the Privacy Rule, did not take effect until April 14, 2003. The Privacy Rule establishes regulations for the use and disclosure of Protected Health Information (PHI), which generally includes any part of a patient’s medical record. However, the HIPAA Privacy Rule applies only to “covered entities,” defined as a health plan, a health care clearinghouse, or a health care provider. Importantly, the definition of “covered entities” does not include employers unless the employer is the administrator of a group health plan.

Confusion often arises with “hybrid” employers – where an employer also acts as a covered entity. For example, what duty does a health care provider-employer have to protect the private health information of its employees? The short answer is: Employment records are excluded as PHI and not protected by HIPAA when maintained by a covered entity in its capacity as an employer. The entity must ask itself what position it played when obtaining the employee’s health information: Was it acting as a health care provider or an employer?

If the covered entity was acting as a health care provider, the medical record is PHI and is covered by HIPAA, as would be the medical information of any other patient. In this situation, the covered entity may use the information only as permitted by the Privacy Rule and will likely need the employee’s authorization to use the information for employment purposes. On the other hand, if the entity is making hiring, firing, promotion, or payment decisions when it receives the employee’s health information, then the entity is acting as an employer and the information is not protected by HIPAA. The medical information becomes part of the employment record and is excluded as

For example, drug screening test results are PHI when the entity administers the test to the employee (i.e., the employer-hospital’s lab runs the drug test on the specimen). However, the results are not PHI when, pursuant to the employee’s authorization, the test results are provided to the entity acting as employer and placed into the employee’s employment record.


The Americans with Disabilities Act (ADA) imposes a series of restrictions on an employer’s use of medical examinations and inquiries in three situations: (1) at the application stage; (2) after individuals have been offered a job; and (3) for existing employees.

During the “pre-offer stage,” an employer may not perform a medical examination or inquire of a job applicant as to whether he or she has a disability (or the nature and severity of such). Screening of employees must generally be based on non-medical factors, although the ADA permits employers to discuss medical issues with job applicants in three situations.

First, the employer may conduct pre-employment inquiries into an applicant’s ability to perform job-related functions, as long as the inquiry is made of all applicants for the particular job. Next, an employer may request that an applicant demonstrate how he or she would perform the essential functions of the job for which he or she is applying. Third, an employer may inquire of an applicant with an obvious or known disability what accommodation is required.

After a job offer has been made but before an employee begins work, the ADA permits an employer to require a medical examination and to condition the offer of employment on the results of such examination, provided that: (1) all entering employees are subject to the same medical examination without regard to whether they have a disability; (2) the employer keeps the medical information on separate forms, in separate medical files, and treats it as a “confidential medical record;” and (3) the employer uses the results of the examination only to comply with the ADA.

As to the confidentiality provision, the ADA allows the employer to disclose medical information to: (1) supervisors and managers who need to know the necessary restrictions on the employee’s duties and necessary accommodations; (2) first aid and safety personnel who need to be informed should emergency treatment of the employee become necessary; and (3) government officials who need the information to investigate compliance with the ADA.

An employer may not withdraw an employment offer based on the information obtained in a medical examination unless it is job-related or necessary for the conduct of the employer’s business. The job offer may also be withdrawn if the employee’s disability would constitute a “direct threat” to the health and safety of the employee and others and no reasonable accommodation is available.

The ADA prohibits an employer from requiring “existing employees” to submit to a medical examination or asking an employee whether he or she has a disability (or the nature or severity of the disability), unless such examination or inquiry is related to the functions of the employee’s job and consistent with business necessity. Again, all of the medical history information obtained from existing employees should be maintained in a separate medical file, but it may be shared with supervisors and managers, first aid and safety personnel, and government officials as discussed above.


The Family and Medical Leave Act (FMLA) provides that an employee is eligible for FMLA leave because of “a serious health condition that makes the employee unable to perform the functions of the position.” The FMLA requires the employee to provide a copy of certification of the medical condition issued by a health care provider. The medical certification must state: (1) the date on which the serious health condition began; (2) the probable duration of the condition; and (3) the appropriate medical facts within the knowledge of the health care provider regarding the condition.

Because the employer is permitted to inquire about the “serious health condition” of an employee pursuant to that employee’s request for FMLA leave, there is obvious tension between the FMLA and the restrictions on medical inquiries under the ADA for “existing employees.” For example, suppose an employee’s “serious health condition” is also considered a “disability” under the ADA. What happens if the employer’s request for a medical certification under the FMLA requires more information than the employer could lawfully obtain under the ADA?

The U.S. Department of Labor has created Form WH-380 to assist employees in obtaining medical certification. If the FMLA inquiry relates to the information on Form WH-380, an employer is permitted to ask why an employee is requesting time off. As long as the request for information concerns job-related issues, then such questions regarding medical certification are consistent with the “business necessity” exception under the ADA.

Following FMLA leave, the employer may seek “fitness-for-duty certification only with regard to the particular health condition that caused the employee’s need for FMLA leave.” The policy must, however, be applied uniformly to all “similarly-situated employees (i.e., same occupation, same serious health condition) who take leave for such conditions to obtain and present certification from the employee’s health care provider that the employee is able to resume work.”

The ADA requires that any return-to-work physical be “job-related” and “consistent with business necessity.” For example, “an employer may require a warehouse laborer, whose back impairment affects his ability to lift, to be examined by an orthopedist, but may not require the employee to submit to an HIV test where the test is not related to either the essential functions of his/her job or to his/her impairment.”

The certification only needs to be a simple statement of the employee’s ability to return to work. For purposes of clarification of the employee’s fitness to return to work, a health care provider employed by the employer may contact the employee’s health care provider with the employee’s permission. However, “no additional information may be acquired, and clarification may be requested only for the serious health condition for which FMLA leave was taken.” Further, “the employer may not delay the employee’s return to work while contact with the health care provider is being made.”

