MANAGING EMPLOYEE MEDICAL DATA

ACC Docket 69, April 2011

by Lee Braem

LEE BRAEM is senior corporate counsel and chief compliance officer for Evonik Degussa Corporation. With a background in advising on environmental health and safety law, he gained experience with HIPAA working for Quest Diagnostics and continues advising on HIPAA for pro bono clients. His current compliance role has added responsibilities for privacy, FMLA and ADA, and other employment related matters. Braem may be contacted at [email protected].

Privacy permeates the list of concerns for corporations. Breaches of security for social security numbers, credit card data and consumer data can pose serious legal consequences. This outward focus is valid and undoubtedly overdue; however, companies should not lose sight of the requirements for privacy of data related to one of their most valuable resources: protecting the privacy of their employees, and specifically, the medical data generated or maintained on employees.

If you mention privacy of employee health data to counsel, most will think that the federal Health Insurance Portability and Accountability Act (HIPAA) sets the applicable standards for employers to follow. That is an incorrect assumption and a trap that in-house counsel should not fall into. HIPAA may not apply to employment records held by a human resources or safety department, and there are more important laws that must be followed when managing employee medical records. Counsel should be familiar with these laws and how they apply.

To describe these laws and how they influence the management of employee medical data, this article will use the concept of data buckets. The framework for discussion in this article will be to review what goes into a bucket — and what does not — and what are the rules for transferring data into or out of each bucket. The compliance goal is to stop or prevent data “leaks” from these buckets.

The bucket list

HIPAA – the bucket for healthcare

Let’s first address the 800-pound gorilla in the room — HIPAA. HIPAA privacy (and security) applies to patient data generated within our healthcare system, and where electronic transactions are standard methods to bill and pay for services. HIPAA is industry-specific: It only applies to healthcare “covered entities,” which for our purposes are the healthcare organizations and providers that diagnose and treat individuals such as hospitals, clinics, physicians, etc. HIPAA does not apply to employers per se.

HIPAA also does not apply to employment records (job applications, pre-employment physicals, fitness-for-duty examinations, drug tests under corporate drug-free policies, etc.), nor does it apply to the following types of employment-related insurance/benefit programs that may contain medical information: workers’ compensation, disability income insurance and short-term disability. Basically, HIPAA applies to patient health records and not to employee medical records.

For an employer, the only way a HIPAA obligation is created is if it is a covered entity, e.g., a hospital, or if it offers an employer-sponsored group health plan to its employees. In any event, HIPAA would only apply to the covered entity or health plan functions performed by the employer.1 In the case of a group health plan, HIPAA treats the employer as plan sponsor and the plan as separate legal entities. HIPAA’s covered entity obligations only apply to the plan functions and not to human resources or benefits as a whole. Note, HIPAA places restrictions on what the plan may disclose to the sponsor and prohibits the employer from using any plan data acquired in its role as sponsor for employment decisions. In addition, some employers operate on-site clinics or employ healthcare professionals to provide medical services to employees. Unless these clinics bill external payers for their services electronically, they are not covered entities.

Thus, for most employers who are outside of the healthcare industry, the HIPAA bucket will be empty or small. HIPAA will likely apply, however, to transfers of medical data to an employer from either an employee’s private physician or from an occupational clinic where an employer arranged service.

Private physicians are almost always HIPAA-covered because they electronically bill third-party payers for their services. Occupational health physicians may not be covered, depending on how they bill for services. If the employer requests employee medical data, the physician, who has the HIPAA compliance obligation, must review the reason for the disclosure and decide whether they will first require a signed HIPAA authorization. An authorization is not required when disclosure is done for purposes of treatment, occupational treatment and care required under OSHA, workers’ compensation, Department of Transportation drug testing purposes, or when there is some other disclosure required by law or judicial process.2 However, these authorization exceptions are often strictly construed by covered entities, and disclosures are “permissive” rather than mandatory. Therefore, even when disclosure is permitted without an authorization, a covered entity may still insist on having a signed authorization from an employee before disclosing that employee’s medical data to the employer.

The following situations are those during which an employer could most likely expect the need for a signed authorization before it receives employee medical data from an external physician. First, an authorization should be used when an employer wants data from an employee’s private physician for purposes of its short-term disability or leave program. Beware of confusion that may be created if the employer’s request for data is made by the employer’s medical personnel. The external provider may believe that the disclosure is done for purposes of treatment (a proper exception). While an employer, who is not a covered entity, would not violate HIPAA by failing to clarify the purpose of the request, it would seem an ethical duty of any medical professional requesting the information to inform the external provider of the reason for the request. Second, an authorization should be expected when an employer requests data about a workers’ compensation case that is not required to be provided to the employer by state law.

Once HIPAA-covered data is disclosed to the employer, a non-covered entity, whether through an authorization or an exception, the data is no longer subject to HIPAA.3 Thus, the employer receiving such data is under no obligation to maintain it in accordance with HIPAA. As discussed below, however, other privacy requirements for employee data may apply. Therefore, it is always a good practice to maintain the “medical record” nature of such data received from external providers.

There is one other healthcare industry-specific obligation that applies outside of HIPAA. Under state law, healthcare facilities and/or professionals are generally under obligations of medical privacy, and the usual method for them to disclose medical data is to have the employee sign a “common law” consent form. Employers usually include this consent form in an employment offer package, drug testing forms or other employment forms.

As discussed above, on-site medical clinics are likely not covered entities. If they are requested to provide employee medical data to, for example, human resources or safety, there is not any requirement for a signed HIPAA authorization. However, if the data was generated as a result of an employee voluntarily seeking treatment for non-occupational reasons at the clinic, state medical privacy laws attaching to the clinic’s licensed staff may require an employee’s signed consent before the transfer is made to non-medical employer personnel.

OSHA – the occupational health bucket

The Occupational Safety and Health Act (OSHA) created three types of data buckets where medical privacy rules may apply. But for purposes of a privacy analysis, one must first understand that OSHA rules are designed to encourage the access to and communication of workplace injuries, illnesses and accident investigations. Through such openness of records, the theory goes, the workplace becomes safer. Therefore, the presumption under OSHA is for mandatory accessibility. There is no general right of privacy within the OSHA rules; only those privacy provisions that restrict the rights of access.

The first bucket, the “Part 1904” recordkeeping rules, requires employers to record workplace or work-related injuries or illnesses, and to annually publish summaries on standardized forms (300, 300A and 301).4 In general, this data and any data used to complete the forms are available for unrestricted access because they lack detailed and private employee information. This includes daily reports of new injury or illness cases, first-aid records, company accident or incident reports, workers’ compensation first report of injury or insurer’s accident reports, nurse/physician onsite clinic logs, and sanitized medical and exposure records (or compilations/summaries).

Within the Part 1904 rules, there is restricted access for the “privacy concern cases.”5 Privacy cases refer to any illness or injury to an intimate body part or to the reproductive system, to sexual assault cases, sharps injuries, HIV infections and other sensitive cases. For these cases, the employer must limit the personally identifiable information that is placed in the accessible records, especially the illness and injury forms.

The second bucket, the “records access rule,” applies to exposure records and medical records, or to any analysis thereof, pertaining to employee exposure to toxic substances or harmful physical agents.6 Unlike records that must be created under the Part 1904 rule, employers are not required to create medical or exposure records; however, once these records are voluntarily created, they are subject to mandatory retention and access.

The third bucket is created under OSHA’s specific standards for exposures to toxic and hazardous materials. For example, the general industry standard for asbestos requires medical screening and surveillance.7 This standard requires physician evaluation of exposed employees and places limits on what can be disclosed to the employer after employee evaluation. Recordkeeping must conform to the records access rule.

Therefore, if an employer is intent on managing medical records carefully and not allowing data to inadvertently fall into or out of a bucket, it is important for employers to properly classify data as a medical record or exposure record — or not. For example, the records access rule does not apply to exposures to safety hazards (trips, falls or cuts), nor does it apply to non-occupational evaluations and tests. The records access rule specifically provides that exposure records do not include test results for an employee’s use of alcohol or drugs, and that medical records do not include the following records (as long as they are maintained separate from medical records, or are not part of a medical program to assess exposures to hazardous substances8): health insurance claims — including workers’ compensation — and voluntary employee assistance program records — including alcohol and drug use test results. Attorney work product is also not subject to the records access rule.9

The following is a summary of the qualified access rights given to OSHA inspectors, employees, and employee representatives under either Part 1904 or the records access rules:

1. An OSHA representative has a right of access to the confidential list of employee information, the supporting documentation — kept off the Forms 300 and 301 for privacy cases — and to employee medical and exposure records (and to any analysis thereof), provided, however, that OSHA will need to observe its rules for access to medical records, including obtaining a medical records access order.10

2. Current or former employees have a right of access to Forms 300 and 300A (except for the list of privacy concern cases), to their own medical records, to their own exposure records (if an employee does not have one, he has a right to any sanitized exposure records of other employees in similar work conditions), and to sanitized analyses or compilations of employees’ exposure or medical records that concern their workplace.

3. Employee representatives have access rights that depend on the type of representation. A personal representative is anyone, such as a friend or relative, with written consent from an employee (or can include a court appointee). A labor representative is an agent from the collective bargaining unit at that work location (there is no written consent from the employee necessary). Both types of representatives may see the Forms 300 and 300A (except for privacy concern cases), and the sanitized analysis, or compilations of exposure or medical records. Both types may have access to an employee medical record consistent with the terms of an employee’s signed authorization letter.11 A personal representative may see all other OSHA records that the employee who provided the written consent has a right to see. A labor representative may also see the right-hand portion of Form 301 (that contains no personal information) and exposure records (and analyses using such exposure records), as long as he submits a written request justifying the occupational health need for access.

4. If an employer chooses to provide Forms 300 and 301 to persons other than those listed above, the employer must first remove personal employee identifiers. However, for voluntary disclosures of the following types, the employer may bypass the sanitizing step:
• to the employer’s health and safety auditor or consultant;
• to the extent necessary to process workers’ compensation or other insurance benefits; or
• to public health or law enforcement authorities as required by law.

The protected class buckets

The Americans with Disabilities Act (ADA)12 restricts an employer’s collection and maintenance of employee or job applicant medical information to ensure the employer does not use such data for unlawful discrimination. The employer’s collection of medical data, e.g., through a post-employment offer physical exam or asking for history of workers’ compensation claims, must relate to determining the individual’s ability to perform job-related functions. Under the ADA, medical information should be used to determine how to accommodate an individual’s disability or to determine whether an individual can perform a job function. On return to work, the ADA permits employers to require appropriate fitness-for-duty exams as long as they are job-related and consistent with business necessity.13

Any employee disability information must be kept as a confidential medical record in a file separate from other personnel records, and not used for any purposes inconsistent with the ADA. The ADA does allow disclosures of employee health information to specific individuals for limited purposes on a need-to-know basis. Information may be revealed to supervisors and managers about the necessity and effectiveness of work restrictions or accommodations; to safety and first aid workers, if necessary, to treat the employee or provide for evacuation procedures; to government officials as required by law; as required by workers’ compensation laws; and for insurance-related purposes.14


The Family and Medical Leave Act (FMLA)15 provides unpaid leave to eligible employees for, among other conditions, a serious health condition (of their own or of a family member). Employers are permitted to request an employee to provide “sufficient” medical certification (typically from a physician) to establish FMLA eligibility for leave.16 On return to work, employers may require fitness-for-duty certifications regarding the health condition that caused the need for the leave, as long as the process is uniformly applied to all similarly situated employees. If an employer doubts or has questions about the medical certification for an employee, FMLA places restrictions on who and what type of questions may be asked of the certifying physician.17

Similar to the ADA, employers are required to keep FMLA-related medical information confidential and separate from personnel files. While payroll, benefit or health insurance records associated with an FMLA-covered leave may be kept in personnel files, the reason for the leave (along with any medical substantiation) must be kept in a separate confidential file.

Title II of the Genetic Information Non-Discrimination Act (GINA) prohibits the use of genetic information in making employment decisions, and restricts employers from requesting or requiring genetic information about an employee and his family.18 Under the GINA regulations, employers will need to warn employees’ healthcare providers not to provide “genetic health information” and review, among other things, whether any genetic information is already contained in personnel files, and if so, whether it may be lawfully retained.

Other non-discrimination regulations of the Equal Employment Opportunity Commission (EEOC) may implicate how employers use employee medical data if the use can be tied to discrimination on the basis of race, sex, religion, national origin or other protected characteristics.

In sum, as many federal and state laws make it unlawful for employers to make personnel decisions on “protected” categories — this list keeps growing — it is incumbent on employers to manage personnel records according to some rules of functional necessity.

Other federal privacy buckets

Information on employees participating in any alcohol or drug abuse program receiving federal funds or assistance may be subject to privacy rules, even after disclosed to the employer by the program. The 42 CFR Part 2 privacy regulations supersede both HIPAA and more permissive state laws, requiring that most all disclosures of information related to substance abuse treatment be accompanied by the individual’s signed consent. Unlike HIPAA, if an employer receives employee information subject to Part 2, it cannot be re-disclosed — there must be a written statement on the information to that effect.

For those transportation sector companies that perform drug/alcohol testing under the US Department of Transportation 49 CFR Part 40 regulations, records relating to such testing “shall be maintained in a secure location with controlled access,” and individual records are to be kept in employee medical files. Except for specified exceptions, disclosure of employee test results can only be done with written consent.

Sections 604 and 605 of the Federal Credit Reporting Act place restrictions on the disclosure of medical information to employers relating to background checks. Any requested medical information must be relevant to the employment, and the employee must have signed a specific written consent.

State and common law buckets

Some states, such as Connecticut, place obligations on employers for managing employees’ personnel and medical records.19 This may require the employees’ written consent before disclosure is made to certain parties, unless some specific exemptions apply, e.g., a third party that maintains or prepares employment records.

Other state laws may provide rights of access to employees for their own personnel files, which may or may not include medical records.20 This right may be limited, however, for certain records based on the privacy concern of third parties, such as those providing reference letters.

State law may also limit:
• what may be asked on employment applications, such as criminal background, credit history, or other medical and mental health information;
• information for an employer’s drug or alcohol testing programs; or
• an employer’s request for or use of genetic information.

An employer’s public disclosure of an employee’s personnel or medical information could also be cause for a claim of common law invasion of privacy.21

TABLE 1: Employee Records Containing Medical Data (record type)

Employment business records
• Pre-employment, post-offer physical*
• Pre-employment or on-the-job drug/alcohol tests (per company drug-free workplace policies)*

Employer sick leave and wellness benefits
• Short-term disability and sick leave benefit claim forms (employee provided or private physician provided records)+
• Other medically-based absence requests+
• Return to work clearance and light duty restrictions (if containing medical information)+
• Applications/questionnaires for healthcare coverage
• First-aid, wellness, flu shot records, etc.
• On-site health clinic records*

OSHA, DOT and other occupational health records
• Accident reports, and incident investigations and evaluations
• Contracted occupational health clinic records*+
• Department of Transportation (or other) drug-testing records*
• Medical monitoring, screenings, and surveillance for exposures to toxic or hazardous substances (occupational) per OSHA+
• Injury and illness records per Part 1904 of OSHA
• Other post-injury or illness exams and treatment (occupational purposes) per OSHA+
• OSHA Forms 300, 300A, and 301
• OSHA bloodborne pathogen (vaccination) records and/or sharps injury log
• Other employee exposure records (OSHA)
• Other employee medical records (OSHA)

Workers’ compensation
• First report of injury and other claims information*
• Claims review documentation*

Employee assistance programs
• Alcohol, substance abuse and other testing results

FMLA and ADA
• Requests for disability and accommodation under the ADA*
• FMLA requests and certifications (for leave)*

Employer-sponsored group health plan
• Health plan enrollment, disenrollment, benefit claims, payment and appeals information

* Performed by outside healthcare provider, usually disclosed to employer with employee’s signed consent.

+ If performed by outside healthcare provider, often an employee’s private physician, provider may require a signed HIPAA authorization before disclosing to employer (despite exceptions for OSHA and workers’ compensation).

Managing employee records

Companies should take a risk-based approach to managing employee medical records. The starting point would be an inventory of the types of employee medical records maintained and the applicable law. If a company already has a records management policy, ensure that the schedule of record types is specific enough to address the records discussed in this article. The record types listed in Table 1 could be helpful. (Find additional resources, including two white papers on employee health records, at www.hipaacow.org.)

Apply a risk-assessment tool to rank the outcome of non-compliance with use and disclosure of any of these records, e.g., high-, medium- and low-risk rankings. For one company, its highest risk may be potential charges of discrimination under the FMLA or ADA. For another company, OSHA recordkeeping compliance may be a higher concern. For another employer with multiple on-site medical clinics, medical license compliance may be their highest risk.

Finally, once the risks are identified and ranked, a company should assess what types of controls are needed. Any such controls should be consistent with the company’s management and organizational structure, and compliance and ethics culture.

The applicable controls may be any combination of policies, procedures, forms, job descriptions, online tools, guidance and training. The following types of control may be considered:

1. Separate personnel files containing medical data, such as OSHA medical or exposure records, or STD, FMLA and ADA records. Establish a procedure to prevent the addition of medical data to a personnel file, redirecting it instead to other records that are designated for medical data.

2. Designate an owner for each of these records and have written rules to help ensure consistency in how the rules are implemented.

3. Identify records that may have dual use (e.g., OSHA and workers’ compensation, STD and FMLA), or employees who have dual roles, and ensure proper controls are in place to ensure the purpose for access matches the employee’s role.

4. If using an external occupational health clinic, have the clinic maintain employee medical records at its location(s) and reflect this in a service contract.22

5. Adopt what may be called the HIPAA model for managing medical data, clearly designating the following: the protected data; the proper use and disclosure of the data; those individuals authorized for such use and disclosure; the application of the “minimum necessary” rule to such use and disclosure; and that all requests for and disclosures of protected data should be confirmed as authorized.

6. To minimize unauthorized uses and disclosures, create a virtual firewall around the authorized employees (or the job function that makes them authorized). For example, if there is a leave administrator within human resources, only that person should be allowed to see FMLA or return-to-work medical certifications. On-site clinical staff may also need some separation from other human resource or safety functions.

7. Establish rules for company personnel interaction with an employee’s healthcare provider to question or verify any leave or disability certifications.

8. Establish rules for dealing with symptomatic employees at work. For example, employers may not require an employee to have a flu test — a medical decision to have a test can only be made by a healthcare provider. Similarly, employers cannot request to be advised of test results directly from the provider. Any return-to-work releases must be uniformly applied to all employees to avoid claims of unlawful discrimination.

9. Train and conduct periodic risk assessments (e.g., to account for new laws) and audits.

10. Retain records in accordance with the legal retention time for that bucket.

Managing medical data is difficult but not impossible

Managing employee medical data is difficult because there is no one law that applies to all data generated, used and maintained by employers. This article has hopefully raised awareness of what laws apply to medical data and key conceptual points for managing such data. For any employee record containing medical data, it is important to look at what bucket it fits into, who is generating and using it, and the purpose for such use. Each part has to be separately analyzed to adequately assess compliance. Given the complexity of these requirements, however, it should be clear that compliance will be a multi-disciplinary approach. Looking for an excuse to talk to the new labor and employment attorney or the new health and safety specialist? Now’s your chance.

NOTES

1 67 Fed. Reg. 53191-53192 (2002).
2 See 45 CFR §164.512 for permitted disclosures when required by law.
3 This warning is a required element of the HIPAA authorization form. 45 CFR §164.508(c)(2)(iii).
4 29 CFR Part 1904. A log of sharps injuries is also mandated under the bloodborne pathogen standard, 29 CFR §1910.1030(h)(5).
5 29 CFR §1904.29(b)(6) - (10). 29 CFR §1910.1030(h)(5)(i) relates to a sharps injury log.
6 29 CFR §1910.1020.
7 29 CFR §1910.1001. See the other medical surveillance requirements under Part 1910 Subpart Z, as well as §1910.1030 for bloodborne pathogens, and §1910.120 for hazardous waste operations and emergency response. Also note comparable construction industry standards.
8 29 CFR §1910.1020(c)(6)(ii).
9 Work product is not considered a medical record pursuant to 29 CFR §1910.1020(c)(6)(ii)(C). Work product is not considered an exposure record pursuant to Martin v. Bally’s Park Place Hotel & Casino, 983 F.2d 1252 (3rd Cir. 1993); see also “Occupational Safety and Health Review Commission Decision” (OSHRC Docket No. 87-1849). If recordkeeping is sloppy and these records are disclosed to non-intended parties, any privilege is waived.
10 29 CFR §1913.10.
11 See 29 CFR §1910.1020 Appendix A (sample authorization letter).
12 29 CFR §1630.14(d) and 1630.16(f).
13 42 USC §12112(d)(4)(A).
14 42 USC §§12101, 12112(d)(3).
15 29 CFR §825.
16 29 USC Section 2613(b).
17 29 CFR §825.307.
18 P.L. 110-233, 122 Stat. 188.
19 Connecticut General Statutes, Section 31-128a et seq.
20 See Wis. Stats. §103.13.
21 See Miller v. Motorola, Inc., 202 Ill. App. 3d 976, 978, 560 N.E.2d 900. See also Jane Doe v. Wyoming Valley Health Care System, Inc., 2009 Pa. Super 250; 987 A.2d 758 (Dec. 18, 2009) (employee sued employer for invasion of privacy for its disclosure of personnel records in an NLRB hearing).
22 OSHA’s records access rule specifically gives employers the option to comply by having a physician or clinic manage medical records on behalf of the employer. §1910.1020(a) and (b)(3).

Have a comment on this article? Visit ACC’s blog at www.inhouseaccess.com/articles/acc-docket.