The Americans with Disabilities Act (ADA) prohibits employers from accessing employees’ medical records without permission, as stated in Section 12112 of the statute. This law affects all employers with 15 or more employees.
This provision took effect on January 26, 1992, and carries a $100,000 penalty for noncompliance.
Medical Record Confidentiality Standard
The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for medical record confidentiality, with a $50,000 fine for each violation, up to $1.5 million per year. The statute, 42 USC 1320d-5, requires employers to obtain written consent from employees before accessing their medical records. In plain terms, this means that employers must have a valid reason and employee consent to access medical records.
The HIPAA Privacy Rule, 45 CFR 164.501, defines protected health information (PHI) and requires employers to implement policies and procedures to safeguard PHI. This is where the law gets teeth, with a 30-day time limit for employers to respond to employee requests for medical record access.
In practice, this means that employers must have a designated privacy official and provide training to employees on HIPAA compliance, with a $10,000 penalty for noncompliance, as stated in 42 USC 1320d-5(b)(1).
When the Answer is Yes
Employers may access employees’ medical records without permission in limited circumstances, such as when required by the Family and Medical Leave Act (FMLA), 29 USC 2617, with a 30-day time limit for employees to provide medical certification. In such cases, employers must follow the FMLA’s statutory requirements, including providing employees with a $500 penalty for noncompliance, as stated in 29 USC 2617(a)(1).
The FMLA requires employers to maintain confidentiality of employees’ medical records, with a $1,000 fine for each violation, as stated in 29 USC 2616(a)(1). This distinction matters, as employers must balance their need for medical information with employees’ right to confidentiality, under the ADA’s reasonable accommodation standard, 42 USC 12112(b)(5)(A).
When the Answer is No
The Genetic Information Nondiscrimination Act (GINA), 42 USC 2000ff, prohibits employers from accessing employees’ genetic information without consent, with a $300,000 penalty for noncompliance. Employers are also prohibited from discriminating against employees based on genetic information, with a 180-day time limit for employees to file a complaint, as stated in 42 USC 2000ff-6(a)(1).
The GINA statute, 42 USC 2000ff-1, defines genetic information and requires employers to implement policies and procedures to safeguard genetic information, with a $100,000 fine for each violation, as stated in 42 USC 2000ff-1(b)(1). In plain terms, this means that employers must keep genetic information confidential and separate from other medical records.
The Process
Employees who believe their employer has accessed their medical records without permission may file a complaint with the Equal Employment Opportunity Commission (EEOC), within 180 days of the alleged violation, as stated in 42 USC 2000e-5(f)(1). The EEOC will investigate the complaint and may impose a $50,000 fine for each violation, up to $1.5 million per year.
Employees may also file a lawsuit in federal court, within 90 days of receiving a right-to-sue letter from the EEOC, as stated in 42 USC 2000e-5(f)(1). In such cases, employers may be liable for damages, including back pay and attorney’s fees, with a $100,000 penalty for noncompliance, as stated in 42 USC 2000e-5(g)(1).
In practice, this means that employees should keep detailed records of any alleged violations, including dates, times, and witnesses. Employers have a 30-day time limit to respond to employee requests for medical record access, as stated in 45 CFR 164.501.
State-by-State Variation
Some states, such as California, have more stringent laws regulating employer access to medical records, with a $25,000 fine for each violation, as stated in Cal. Lab. Code 14000. Employers in these states must comply with both federal and state laws, with a 30-day time limit for employers to respond to employee requests for medical record access.
Other states, such as New York, have laws that require employers to provide employees with notice before accessing their medical records, with a $10,000 penalty for noncompliance, as stated in N.Y. Lab. Law 201-a. In such cases, employers must follow the state’s statutory requirements, including providing employees with a $500 penalty for noncompliance, as stated in N.Y. Lab. Law 201-a(1).
Special Situations or Exceptions
Workers’ Compensation
In workers’ compensation cases, employers may access employees’ medical records without permission, as stated in 42 USC 1320d-5(b)(1). However, employers must follow the workers’ compensation statute’s requirements, including providing employees with a $1,000 penalty for noncompliance, as stated in 42 USC 1320d-5(b)(1).
The workers’ compensation statute, 42 USC 1320d-5, defines the circumstances under which employers may access medical records, with a 30-day time limit for employers to respond to employee requests for medical record access, as stated in 45 CFR 164.501.
Disability Accommodations
Employers may also access employees’ medical records without permission when providing disability accommodations, as stated in 42 USC 12112(b)(5)(A). However, employers must follow the ADA’s statutory requirements, including providing employees with a $5,000 penalty for noncompliance, as stated in 42 USC 12112(b)(5)(A).
The ADA statute, 42 USC 12112, defines the circumstances under which employers may access medical records, with a 30-day time limit for employers to respond to employee requests for medical record access, as stated in 45 CFR 164.501.
Enforcement and Consequences
The EEOC enforces the laws regulating employer access to medical records, with a $50,000 fine for each violation, up to $1.5 million per year. Employers who violate these laws may face civil penalties, including back pay and attorney’s fees, with a $100,000 penalty for noncompliance, as stated in 42 USC 2000e-5(g)(1).
In recent years, the EEOC has increased its enforcement efforts, with a 25% increase in lawsuits filed in 2020, as stated in the EEOC’s 2020 annual report. This trend is expected to continue. Employers have a 30-day time limit to respond to employee requests for medical record access, as stated in 45 CFR 164.501.
