EEOC Loss on ADA Confidentiality Provides Useful Win for Employers

Posted on November 26, 2012 by Privacy and Data Protection Practice Group

By Philip Gordon

In the decade since the HIPAA Privacy Rule went into effect, human resources professionals and employment counsel have increasingly grappled with medical confidentiality issues. While HIPAA certainly has heightened awareness of the need to handle employees’ health information with care, HIPAA (perhaps ironically) protects only a very narrow subset of such information, i.e., individually identifiable health information created or received by, or on behalf of, a HIPAA-covered health plan. By contrast, the EEOC has taken the position for years that the Americans with Disabilities Act’s (“ADA”) medical confidentiality provision protects all employee health information received by an employer other than the narrow subset of health benefits information subject to HIPAA. In a ruling handed down just two days before Thanksgiving, the Seventh Circuit rejected the EEOC’s interpretation of the ADA as overbroad, giving employers something to be thankful for.

The Seventh Circuit’s decision addressed the question whether Thrivent Financial for Lutherans (Thrivent) violated the ADA’s confidentiality provision by allegedly disclosing medical information about a former employee, Garry Messier, to Messier’s prospective employers. The case had its genesis on November 1, 2006, when Messier failed to report to work. Thrivent’s agent sent an e-mail to Messier asking him to “give John [his supervisor at Thrivent] a call” because John “need[ed] to know what [was] going on.” Rather than calling John, Messier sent him a lengthy e-mail which revealed that Messier had a “severe migraine,” had taken “Innitrex” to ameliorate the symptoms, is “bedridden” when he suffers migraines of this severity, and that the “migraines are an end result of the head trauma” suffered in a “major car accident in 1984.” Apparently recognizing that he might have crossed the line into TMI (“too much information”), Messier concluded, “Probably a lot more than either of you wanted to know, but I want to be totally honest with both of you.”

Approximately one month after sending this e-mail, Messier quit his position with Thrivent, apparently not on good terms, and he began looking for another job. When three consecutive prospective employers rejected Messier after contacting Thrivent for a reference check, Messier hired a reference checking company to call Thrivent, posing as a prospective employer, and inquire about Messier. In response to this inquiry, Messier’s former supervisor at Thrivent stated that Messier “has medical conditions where he gets migraines. I had no issue with that. But he would not call us. It was the letting us know.” Representing Messier, the EEOC took the position that Thrivent’s response violated the ADA’s confidentiality requirement because the ADA protects medical information learned by an employer through any job-related inquiry.

The Seventh Circuit rejected the EEOC’s position based on the ADA’s plain language. More specifically, the ADA’s confidentiality provision, by its plain terms, applies only to medical inquiries. By contrast, when Messier wrote the November 1, 2006 e-mail to his supervisor at Thrivent, Messier was responding to a generalized inquiry about “what was going on,” not to a medical inquiry. Consequently, Messier voluntarily disclosed that he had suffered a severe migraine, and the ADA did not prohibit Thrivent from re-disclosing that information.

The Seventh Circuit’s ruling is significant because employers can receive information about the medical condition of employees from a variety of sources, particularly with the explosion of self-disclosure in social media. By contrast, the ADA permits employers to make medical inquiries of current employees, or to require employees to undergo a medical examination, only: (a) when an employer has objective evidence to question whether an employee can perform essential job functions; (b) when necessary to evaluate an employee’s request for an accommodation; or (c) when necessary to determine whether an employee poses a direct threat of harm to himself or others.

In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. As to this subset, the ADA’s confidentiality provision imposes on the employer a legal obligation to keep the information confidential, maintain it separately from the general personnel file, and limit access to those with a need to know. The Seventh Circuit’s ruling makes it easier for employers to establish policies and procedures to satisfy these legal compliance obligations because the decision narrows and specifically identifies the scope of employee health information that is subject to the ADA’s confidentiality requirement.

The Seventh Circuit’s rejection of the EEOC’s broad reading of ADA confidentiality, of course, does not mean that an employer should be careless with employees’ health information not protected by the ADA or HIPAA. State law, such as California’s Confidentiality of Medical Information Act, may still apply. But even when state law provides no protection, disclosing employees’ health information to those without a need to know exposes the employer to the risk that the information will be used improperly and has the potential to create tension and undercut employee morale. To reduce these risks, employers should remind managers who may receive voluntary disclosures of employee health information to limit their disclosure of that information to those with a need to know.

Photo credit: hoch2wo photo & design
Tags: , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy

Posted on July 22, 2011 by Privacy and Data Protection Practice Group

By Philip Gordon

Ever since the HIPAA Privacy Rule first went into effect for larger health plans in April 2003, HR professionals and in-house employment counsel often warn of the proverbial “HIPAA violation” when discussing employee medical information. However, one recent federal decision demonstrates that the greater risk for many employers is a violation of the ADA’s confidentiality requirement, that can protect even false information disclosed by an employee to an in-house physician. The second recent decision highlights a critical limitation on the ADA’s broad confidentiality requirement.

The first case arose out of General Dynamics’ decision to terminate the employment of Guillermo Blanco (Blanco) for failing to disclose his Attention Deficit Hyperactivity Disorder (ADHD) when he responded to the company’s post-offer, pre-hire Medical Surveillance History Questionnaire. According to Blanco’s complaint, the in-house physician with whom Blanco discussed his post-employment request for a reasonable accommodation accused Blanco of failing to disclose his ADHD on the medical questionnaire. Blanco further alleged that the in-house physician discussed Blanco’s allegedly false responses to the questionnaire with management in General Dynamics’ Labor Relations Department. Blanco claimed that General Dynamics terminated his employment as a result of the disclosure. 

Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.

The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.

The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.

The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
 

The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.

The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.

The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.

The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:

[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.

Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.

HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.

This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.

Photo credit: hoch2wo photo & design
Tags: , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

Potential Trap for Unsuspecting Employers in the Proposed Genetic Anti-Discrimination Law

Posted on May 2, 2008 by Philip Gordon

On April 25, 2008, the House passed H.R. 493, The Genetic Information Nondiscrimination Act of 2008 (GINA), a bill that President Bush is expected to sign barring private employers from engaging in genetic discrimination. On first read, I have spotted at least one potential trap for unsuspecting employers if the bill is enacted as drafted.

Section 206(b) of the Act permits disclosure of "genetic information" in only very limited circumstances, which do not include responding to a subpoena or a civil discovery request. Employment litigators, particularly on the defense side, commonly subpoena personnel files, including all medical information from a plaintiff's former employers -- for example, to test a plaintiff's allegation that the defendant/current employer's alleged actions caused emotional distress. Under the bill, as written, an employer who inadvertently produces "genetic information" in response to such a subpoena would violate the Act because the statute does not require a knowing disclosure to support a claim.

The possibility of an inadvertent disclosure of "genetic information" is not hypothetical. As defined in the House bill, that term encompasses "the manifestation of a disease or disorder in family members" of an employee, which could include, for example, an FMLA certification stating that an employee needs FMLA leave because a spouse or child has sickle-cell anemia or Tay-Sachs disease.

If the bill is enacted as written, employers should strongly consider screening all medical information upon receipt to determine whether that information might fall within the broad definition of "genetic information." If so, the information should be filed separately from all other medical information with a note that the information should not be produced except in response to a court order.
 

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

Tags: , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link