Many entities understand the Americans with Disabilities Act or ADA prohibits discrimination against individuals on the basis of disability in regards to employment compensation and other terms, conditions, and privileges of employment. This is found under title I of the ADA and includes ‘‘fringe benefits available by virtue of employment, whether or not administered by the covered entity.’’ The ADA Title I also restricts the medical information employers may obtain from employees by generally prohibiting disability-related inquiries or requiring medical examinations. 42 U.S.C. 12112(d)(4)(A). The statute further provides an exception to the prohibition of disability related inquiry or medical exams for voluntary employee health programs, which includes many workplace wellness programs.
A wellness program that is an employee health program may be part of a group health plan or may be offered outside of a group health plan or group health insurance coverage. Common examples include: a health risk assessment (HRA) or medical questionnaire; medical examinations; screening for high blood pressure, cholesterol, or glucose; classes to help employees stop smoking or lose weight; physical activities in which employees can engage (such as walking or exercising daily); coaching to help employees meet health goals; and/or the administration of flu shots.
Section 102 of the ADA provides that any information relating to a medical condition of an employee obtained by an employer during “voluntary medical examinations, including voluntary work histories, which are part of an employee health program available to employees at that work site,” must be “collected and maintained on separate forms and in separate medical files and [be] treated as a confidential medical record.”
To state a viable claim under the ADA’s confidentiality provisions, a plaintiff has to allege (1) the employer obtained the medical information through employment-related medical examinations and inquiries; (2) the information was disclosed by the employer and not treated confidentially; and (3) the employee suffered a tangible injury as a result of the disclosure. Please note, caselaw has held emotional injury as a recognizable injury.
Employers and wellness program providers must take steps to protect the confidentiality of employee medical information provided as part of any employee health program or for other employment areas (like FMLA, medical leave, and workers compensation). Based on recent comments from the EEOC, here are some things to remember for ADA confidentiality:
It is critical to properly train all individuals who handle medical information about the requirements of the ADA and, as applicable, HIPAA’s privacy, security, and breach requirements and any other privacy laws.
Employers and program providers should have clear privacy policies and procedures related to the collection, storage, and disclosure of medical information.
On-line systems and other technology should guard against unauthorized access, such as through use of encryption for medical information stored electronically. The protections also apply whether the employee is at work or ranting on social media after hours.
Breach Investigation and Reporting.
Breaches of confidentiality should be reported to affected employees and should be investigated. Recent guidance from the EEOC says reporting should be "immediate" and investigations should be "thoroughly" performed.
Employers should make clear that individuals responsible for disclosures of confidential medical information will be disciplined and should consider discontinuing relationships with vendors responsible for breaches of confidentiality. Such discipline should include the potential dismissal for those that disclosed information improperly.
Job Responsibilities, Vendors and Firewalls.
Individuals who handle medical information that is part of an employee health program should not be responsible for making decisions related to employment, such as hiring, termination, or discipline.
Use of a third-party vendor that maintains strict confidentiality and data security procedures may reduce the risk that medical information will be disclosed to individuals who make employment decisions, particularly for employers whose organizational structure makes it difficult to provide adequate safeguards. If an employer uses a third-party vendor, it should be familiar with the vendor’s privacy policies for ensuring the confidentiality of medical information.
Employers that administer their own wellness programs need adequate firewalls in place to prevent unintended disclosure. If individuals who handle medical information obtained through a wellness program do act as decision-makers (which may be the case for a small employer that administers its own wellness program), they may not use the information to discriminate on the basis of disability in violation of the ADA.
Starting in 2017, in order to meet the "voluntary" requirement for a wellness program that includes a disability related inquiry or medical examination, a new ADA notice must be included explaining many of these points above. This notice is required with or without an incentive to participate in the wellness program. A sample notice is available from the EEOC, but we recommend some reasonable edits before using this sample.
If you need help understanding these rules, please contact Kinney & Larson LLP.