The federal laws barring discrimination on the basis of disability protect the confidentiality of certain medical information. The information protected by these laws falls within the larger definition of “health information” under this privacy regulation. The two primary disability nondiscrimination laws are the Americans with Disabilities Act (ADA), 42 U.S.C. 12101 et seq., and the Rehabilitation Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws barring discrimination on the basis of disability (such as the nondiscrimination provisions of the Workforce Investment Act of 1988, 29 U.S.C. 2938) may also apply. Federal disability nondiscrimination laws cover two general categories of entities relevant to this discussion: employers and entities that receive federal financial assistance.
Employers are not covered entities under the privacy regulation. Many employers, however, are subject to the federal disability nondiscrimination laws and, therefore, must protect the confidentiality of all medical information concerning their applicants and employees.
The employment provisions of the ADA, 42 U.S.C. 12111 et seq., expressly cover employers of 15 or more employees, employment agencies, labor organizations, and joint labor-management committees. Since 1992, employment discrimination complaints arising under sections 501, 503, and 504 of the Rehabilitation Act also have been subject to the ADA's employment nondiscrimination standards. See “Rehabilitation Act Amendments,” Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to ADA nondiscrimination standards have confidentiality obligations regarding applicant and employee medical information. Employers must treat such medical information, including medical information from voluntary health or wellness programs and any medical information that is voluntarily disclosed as a confidential medical record, subject to limited exceptions.
Transmission of health information by an employer to a covered entity, such as a group health plan, is governed by the ADA confidentiality restrictions. The ADA, however, has been interpreted to permit an employer to use medical information for insurance purposes. See 29 CFR 1630 App. at § 1630.14(b) (describing such use with reference to 29 CFR 1630.16(f), which in turn explains that the ADA regulation “is not intended to disrupt the current regulatory structure for self-insured employers . . . or current industry practices in sales, underwriting, pricing, administrative and other services, claims and similar insurance related activities based on classification of risks as regulated by the states”). See also, “Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees under the Americans with Disabilities Act,” 4, n.10 (July 26, 2000), __ FEP Manual (BNA) __ (“Enforcement Guidance on Employees”). See generally, “ADA Enforcement Guidance on Preemployment Disability-Related Questions and Medical Examinations” (October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available at http://www.eeoc.gov). Thus, use of medical information for insurance purposes may include transmission of health information to a covered entity.
If an employer-sponsored group health plan is closely linked to an employer, the group health plan may be subject to ADA confidentiality restrictions, as well as this privacy regulation. See Carparts Distribution Center, Inc. v. Automotive Wholesaler's Association of New England, Inc., 37 F.3d 12 (1st Cir. 1994)(setting forth three bases for ADA Title I jurisdiction over an employer-provided medical reimbursement plan, in a discrimination challenge to the plan's HIV/AIDS cap). Transmission of applicant or employee health information by the employer's management to the group health plan may be permitted under the ADA standards as the use of medical information for insurance purposes. Similarly, disclosure of such medical information by the group health plan, under the limited circumstances permitted by this privacy regulation, may involve use of the information for insurance purposes as broadly described in the ADA discussion above.
Entities that receive federal financial assistance, which may also be covered entities under the privacy regulation, are subject to section 504 of the Rehabilitation Act (29 U.S.C. 794) and its implementing regulations. Each federal agency has promulgated such regulations that apply to entities that receive financial assistance from that agency (“recipients”). These regulations may limit the disclosure of medical information about persons who apply to or participate in a federal financially assisted program or activity. For example, the Department of Labor's section 504 regulation (found at 29 CFR part 32), consistent with the ADA standards, requires recipients that conduct employment-related programs, including employment training programs, to maintain confidentiality regarding any information about the medical condition or history of applicants to or participants in the program or activity. Such information must be kept separate from other information about the applicant or participant and may be provided to certain specified individuals and entities, but only under certain limited circumstances described in the regulation. See 29 CFR 32.15(d). Apart from those circumstances, the information must be afforded the same confidential treatment as medical records, id. Also, recipients of federal financial assistance from the Department of Health and Human Services, such as hospitals, are subject to the ADA's employment nondiscrimination standards. They must, accordingly, maintain confidentiality regarding the medical condition or history of applicants for employment and employees.
The statutes and implementing regulations under which the federal financial assistance is provided may contain additional provisions regulating collection and disclosure of medical, health, and disability-related information. See, e.g., section 188 of the Workforce Investment Act of 1988 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus, covered entities that are subject to this privacy regulation, may also be subject to the restrictions in these laws as well.
Americans with Disabilities Act
Comment: Several comments discussed the intersection between the
proposed Privacy Rule and the Americans with Disabilities Act ("ADA")
and sections 503 and 504 of the Rehabilitation Act of 1973. One comment
suggested that the final rule explicitly allows disclosures authorized
by the Americans with Disabilities Act without an individual's
authorization, because this law, in the commenter's view, provides more
than adequate protection for the confidentiality of medical records in
the employment context. The comment noted that under these laws
employers may receive information related to fitness for duty, pre-
employment physicals, routine examinations, return to work
examinations, examinations following other types of absences,
examinations triggered by specific events, changes in circumstances, requests for reasonable accommodations, leave requests,
employee wellness programs, and medical monitoring.
Response: We disagree with the comment that the final rule should
allow disclosures of protected health information authorized by the ADA
without the individual's authorization. We learned from the comments
that access to and use of protected health information by employers is
of particular concern to many people. With regard to employers, we do
not have statutory authority to regulate them. Therefore, it is beyond
the scope of this regulation to prohibit employers from requesting or
obtaining protected health information. Covered entities may disclose
protected health information about individuals who are members of an
employer's workforce with an authorization. Nothing in the privacy
regulation prohibits employers from obtaining that authorization as a
condition of employment. We note, however, that employers must comply
with other laws that govern them, such as nondiscrimination laws. For
example, if an employer receives a request for a reasonable
accommodation, the employer may require reasonable documentation about
the employee's disability and the functional limitations that require
the reasonable accommodation, if the disability and the limitations are
not obvious. If the individual provides insufficient documentation and
does not provide the missing information in a timely manner after the
employer's subsequent request, the employer may require the individual
to go to an appropriate health professional of the employer's choice.
In this situation, the employee does not authorize the disclosure of
information to substantiate the disability and the need for reasonable
accommodation, the employer need not provide the accommodation.
We agree that this rule does not permit employers to request or use
protected health information in violation of the ADA or other
antidiscrimination laws.
