Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Approximately one month after sending this e-mail, Messier quit his position with Thrivent, apparently not on good terms, and he began looking for another job. When three consecutive prospective employers rejected Messier after contacting Thrivent for a reference check, Messier hired a reference checking company to call Thrivent, posing as a prospective employer, and inquire about Messier. In response to this inquiry, Messier’s former supervisor at Thrivent stated that Messier “has medical conditions where he gets migraines. I had no issue with that. But he would not call us. It was the letting us know.” Representing Messier, the EEOC took the position that Thrivent’s response violated the ADA’s confidentiality requirement because the ADA protects medical information learned by an employer through any job-related inquiry.

The Seventh Circuit rejected the EEOC’s position based on the ADA’s plain language. More specifically, the ADA’s confidentiality provision, by its plain terms, applies only to medical inquiries. By contrast, when Messier wrote the November 1, 2006 e-mail to his supervisor at Thrivent, Messier was responding to a generalized inquiry about “what was going on,” not to a medical inquiry. Consequently, Messier voluntarily disclosed that he had suffered a severe migraine, and the ADA did not prohibit Thrivent from re-disclosing that information.

The Seventh Circuit’s ruling is significant because employers can receive information about the medical condition of employees from a variety of sources, particularly with the explosion of self-disclosure in social media. By contrast, the ADA permits employers to make medical inquiries of current employees, or to require employees to undergo a medical examination, only: (a) when an employer has objective evidence to question whether an employee can perform essential job functions; (b) when necessary to evaluate an employee’s request for an accommodation; or (c) when necessary to determine whether an employee poses a direct threat of harm to himself or others.

In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. As to this subset, the ADA’s confidentiality provision imposes on the employer a legal obligation to keep the information confidential, maintain it separately from the general personnel file, and limit access to those with a need to know. The Seventh Circuit’s ruling makes it easier for employers to establish policies and procedures to satisfy these legal compliance obligations because the decision narrows and specifically identifies the scope of employee health information that is subject to the ADA’s confidentiality requirement.

The Seventh Circuit’s rejection of the EEOC’s broad reading of ADA confidentiality, of course, does not mean that an employer should be careless with employees’ health information not protected by the ADA or HIPAA. State law, such as California’s Confidentiality of Medical Information Act, may still apply. But even when state law provides no protection, disclosing employees’ health information to those without a need to know exposes the employer to the risk that the information will be used improperly and has the potential to create tension and undercut employee morale. To reduce these risks, employers should remind managers who may receive voluntary disclosures of employee health information to limit their disclosure of that information to those with a need to know.

Photo credit: hoch2wo photo & design

These guidelines would apply regardless of the type of infection — MRSA, Hepatitis A, TB, HIV, etc.

1.      Investigate:  Learn the facts; do not rely on rumors.

2.      Interview The Possibly Infected  Employee:  If the facts indicate that an employee might be infected with the MRSA Superbug, designate a manager with the appropriate level of responsibility to get more information directly from the employee.

3.      Consult Counsel On How To Handle An Uncooperative Employee: If the employee refuses to disclose information, consult counsel regarding whether the employee can be required to provide health information before taking any adverse action is against the employee.  If the employee already has been sent home, promptly involve counsel to minimize or resolve any possible liability risks.  

4.      Provide Notice Of Disclosure To A Cooperative Employee:  If an employee voluntarily discloses infection with MRSA, explain that (a) the employer may need to disclose limited information about the employee’s health condition to those with a need to know, such as government health officials and health care providers of co-workers to take precautions against the spread of the infection and to facilitate any needed treatment of others, and (b) the employer will limit disclosure to those with a need to know and then will disclose only the minimum information necessary.

5.      Request Consent To Disclose:  Ask the employee for permission to make the limited disclosures described above.  If the employee refuses to consent, tell the employee that the entity may have no choice but to share information about the infection with others but will do so only to the extent permitted or required by law.

6.      Avoid Identifying The Infected Employee:  When disclosing information about the infected employee, avoid identification by name except when necessary to protect the health of co-workers who might have been infected or as required by law.

7.      Instruct Supervisors On Confidentiality And Retaliation Risks:  Instruct supervisors about the need to maintain the confidentiality of employee health information and provide guidance on how to respond to questions from other employees and supervisors so as to avoid undue panic and concern.  Supervisors should be reminded of the need to avoid any claim of retaliation by the possibly infected employee or his/her family members.  Educate supervisors on the spread of MRSA infections, types of treatment, and the Company’s planned preventative steps.

There is no one-size-fits-all solution to the many complicated privacy issues that a Superbug infection in the workplace can raise.  These guidelines, however, provide a starting point for what most likely will be a tense and fast-moving situation that raises a wide range of benefits issues and employment-related liability risks. 

My colleagues in Littler's Workplace Safety Practice Group, Don Benson and Pete Rice, are OSHA experts who will be presenting a webinar on Wednesday, December 12, 2007, on how to reduce the risks of an MRSA outbreak in your workplace and how to respond when one occurs.