Access to employees’ sensitive personal medical information is a reality for employers covered by the Family and Medical Leave Act (FMLA). This is because it's a best practice for leave administrators to request medical certification in order to process a leave case.
Of course, this information is sensitive, and it’s crucial to be compliant with various security regulations at both the federal and state levels. To ensure your organization’s compliance, the collection and storage of this information must be done with care. Fortunately, following best practices will allow you to gather the necessary information to manage leave while protecting employees' FMLA confidentiality!
Your Obligations As An Employer
If an employee needs FMLA leave for their own serious health condition, you may choose to request certification of the condition in order to approve their case. A medical certification will include details pertaining to the employee’s condition. Take care to avoid requesting more information than required to process the leave, and consider any privacy legislation which impacts the information employers can request in support of a medical leave. Also, be aware that you generally may request recertification no more than once every 30 days, and only in connection with an absence.
You can mitigate the chance of missteps during the FMLA certification process by utilizing the right forms. Generally, we recommend using the forms provided by the Department of Labor (DOL) or modelling your own forms on them. Still not sure which form to use or worried about staying up to date on them? You might also consider utilizing a leave management app which automatically produces the correct forms for each type of leave.
A good rule of thumb is that any solicitation of medical information must stick explicitly to the medical facts: medical impact on essential functions, onset, likely duration, medical necessity for intermittent leave, etc.
Additionally, be aware of the Genetic Information Nondiscrimination Act (GINA). This act prohibits employers from requesting any genetic information, such as genetic predisposition and family history.
Once you’ve collected the required information, it’s time to ensure the data is stored appropriately. Medical information disclosed for the purposes of certifying FMLA leave is to be kept confidential! These records must be stored separately from an employee’s other personnel files. Only those who administer leave should have access to the information in these medical records, save for these instances outlined in the FMLA recordkeeping requirements (§825.500):
- Managers or supervisors who must be informed of work restrictions
- First-aid and safety personnel providing emergency treatment
- Government officials performing audits
Remember, it’s advised that you do not disclose the medical reason for an employee’s leave to their supervisor. Generally, explaining the length of their absence will suffice.
What Happens If You Fail To Comply?
Failure to ensure the security of employee medical information may lead to serious consequences… including a trip to court! The FMLA provides employees with the right to the confidentiality of their medical information. Employees who find their rights infringed upon may choose to, and have the right to, pursue the matter in court.
Consider Holtrey v. Collier County Bd. of Commissioners. Holtrey’s genito-urinary disorder was disclosed by a manager to eight of his fellow employees during a meeting he was absent from. Following this meeting, Holtrey’s coworkers joked and made rude gestures regarding his condition. In response to the violation of his right to confidentiality under the FMLA, Holtrey asserted claims of interference and retaliation. His employer’s motion to dismiss the case was denied.
Another similar case is Doe v. United States Postal Service. Doe disclosed his HIV status to support his need for FMLA leave. His supervisor shared this information with Doe’s colleagues, prompting him to take legal action. Though initially the district court sided with the employer, the D.C. Circuit reversed the decision in Doe’s favor. This decision falls in line with the confidentiality provisions outlined in the ADA.
Not only are these types of acts insensitive, they also violate your employees’ rights to privacy. These cases, and many others, may have been easily avoided if the employers had taken the necessary steps to protect confidential employee medical information.
How To Ensure The Security Of Confidential Medical Information
To minimize the risk of confidential employee information falling into the wrong hands, it’s imperative to provide thorough training. Ensure that all leave administrators are aware of how the information is to be stored, and who it can be disclosed to. Management and supervisors who are made aware of confidential medical information must be trained on their obligation to keep it private. Consider providing this training during onboarding, and then annually, to keep everyone up to date! At the end of the day, proper compliance with privacy and security regulations will reduce your organization’s liability, and will demonstrate your dedication to protecting your employees’ rights.