Employers covered by the Family and Medical Leave Act (FMLA) undoubtedly have access to their employees’ sensitive medical information. This is because it’s best practice for leave administrators to request medical certifications in order to determine the need for employees’ FMLA leaves. Additionally, medical information is often needed when engaging in the interactive process to determine reasonable accommodations under the Americans with Disabilities Act (ADA).
Understandably, this is sensitive information that you need to take steps to protect in order to remain compliant with various security and privacy regulations at the federal and state levels. Acquiring and storing this information carefully is essential to ensuring your organization is compliant with all regulations. By following some simple guidelines, you can strike the perfect balance of protecting your employees' FMLA confidentiality and gathering the information you need to manage leave!
Your Obligations As An Employer
If an employee needs FMLA leave for their own serious health condition, you may choose to request certification of the condition in order to approve their case. A medical certification will include details pertaining to the employee’s condition. Take care to avoid requesting more information than required to process the leave, and consider any privacy legislation which impacts the information employers can request in support of a medical leave. Also, be aware that you generally may request recertification no more than once every 30 days, in connection with an absence.
You can mitigate the chance of missteps during the FMLA certification process by utilizing the forms provided by the Department of Labor (DOL), or by modelling your own forms on them. You might also consider implementing a leave management solution which automatically produces the correct forms for each case and notifies you when it’s time to recertify.
When it comes to requesting documentation to support an employee’s need for reasonable accommodation under the ADA, bear in mind that you should only require enough information to establish the employee’s disability, current restrictions, and their need for an accommodation.
A good rule of thumb is that any solicitation of medical information must stick explicitly to the medical facts: medical impact on essential functions, onset, likely duration, medical necessity for intermittent leave, etc.
Additionally, be aware of the Genetic Information Nondiscrimination Act (GINA). This act prohibits employers from requesting any genetic information, such as genetic predisposition and family history.
Once you’ve collected the required information, it’s time to ensure the data is stored appropriately. Medical information disclosed for the purposes of certifying FMLA leave or providing reasonable accommodation under the ADA is to be kept confidential! These records must be stored separately from an employee’s other personnel files. Only those who administer leave should have access to the information in these medical records, save for these instances outlined in the FMLA recordkeeping requirements (§825.500):
- Managers or supervisors who must be informed of work restrictions or accommodations
- First-aid and safety personnel providing emergency treatment
- Government officials performing audits
Remember, it’s advised that you do not disclose the medical reason for an employee’s leave or accommodation to their supervisor. Generally, explaining the length of their absence or the type of accommodations they need will suffice.
What Happens If You Fail To Comply?
Failure to ensure the security of employee medical information may lead to serious consequences… including a trip to court! The FMLA and the ADA provide employees with the right to the confidentiality of their medical information. Employees who find their rights infringed upon may choose to, and have the right to, pursue the matter in court.
Consider Holtrey v. Collier County Bd. of Commissioners. Holtrey’s genito-urinary disorder was disclosed by a manager to eight of his fellow employees during a meeting he was absent from. Following this meeting, Holtrey’s coworkers joked and made rude gestures regarding his condition. In response to the violation of his right to confidentiality under the FMLA, Holtrey asserted claims of interference and retaliation. His employer’s motion to dismiss the case was denied.
Another similar case is Doe v. United States Postal Service. Doe disclosed his HIV status to support his need for FMLA leave. His supervisor shared this information with Doe’s colleagues, prompting him to take legal action. Though initially the district court had sided with the employer, the D.C. Circuit reversed the decision in Doe’s favor. This decision falls in line with the confidentiality provisions outlined in the ADA.
Not only are these types of acts insensitive, they also violate your employees’ rights to privacy. These cases, and many others, may have been easily avoided if the employers had taken the necessary steps to protect confidential employee medical information.
How To Ensure The Security Of Confidential Medical Information
To minimize the risk of confidential employee information falling into the wrong hands, it’s imperative to provide thorough training. Ensure that all administrators of leave are aware of how the information is to be stored, and who it can be disclosed to. Management and supervisors who are made aware of confidential medical information must be trained on their obligations to keep it private. Consider providing this training during onboarding, and then annually, to keep everyone up to date!
If your organization utilizes a cloud-based leave management solution, such as Presagia, find out whether it offers secure document storage! This includes the ability to restrict access based on user role. For instance, the leave team users will be granted access to medical certifications, but all other users, like HR or managers, will not be able to see medical certifications. Also, all of your case records may be stored electronically so long as they’re kept for a minimum of three years. At the end of the day, proper compliance with privacy and security regulations will reduce your organization’s liability, and will demonstrate your dedication to protecting your employees’ rights.
Founded in 1987, Presagia has a long history of helping organizations solve complex business problems with easy-to-use solutions. Today, this means providing cloud-based absence management solutions that enable organizations to be more efficient, control lost time and risk, and strengthen compliance with federal, state and municipal leave and accommodation laws.