Can My Employer Disclose My Medical Information To Other Employees?


There are a number of federal laws that protect against the disclosure of employee medical information in the workplace. While the language of each law is slightly different, the consensus is universal—employers are held to strict confidentiality rules when it comes to acquiring and disclosing an employee’s medical information.

Unless a manager, supervisor, or human resources employee has a legitimate need to know, it’s safe to say that an employer that discloses private medical information to other employees is breaking the law. Depending on the situation, the employee in question could file a federal complaint and seek compensation for damages through a civil lawsuit.

Federal Laws Regarding the Privacy of Medical Information

The following federal laws have provisions that apply to the confidentiality and disclosure of an employee’s private medical information:

Family & Medical Leave Act (FMLA)

The FMLA is intended to help employees balance their work and family obligations by providing up to 12 weeks of unpaid, job-protected leave each year for qualified personal and family medical purposes. The law applies to private companies with 50 or more employees, all public agencies (federal, state, and local government), and all public and private elementary and secondary schools.

If you submit private medical information to your employer in the process of applying for or using FMLA leave (usually in the form of a doctor’s certificate), and your employer unlawfully discloses your private information, that’s a violation of the FMLA.

The Americans with Disabilities Act (ADA)

When an employer obtains private medical information from a disability-related inquiry, medical examination, or voluntary disclosure from the employee, the employer is required to treat that information as a confidential medical record. Failure to maintain confidentiality of disability-related medical records is a violation of the ADA.

The Genetic Information Nondiscrimination Act (GINA)

This is a relatively new law that prohibits employers from discriminating against employees based on genetic information. The law defines genetic information as any information about an individual’s genetic tests, genetic tests of the individual’s family members, or information about any condition, disorder, or disease that the individual or the individual’s family may have.

Under GINA, it’s unlawful for an employer to disclose genetic information about employees and their families, and the employer is required to maintain a separate confidential medical file to protect the employee’s privacy.

The Pregnancy Discrimination Act (PDA)

This is actually an amendment to Title VII of the Civil Rights Act (Title VII). The amendment makes it illegal for an employer to discriminate against a woman on the basis of pregnancy, childbirth, or any medical condition related to pregnancy and/or childbirth.

If an employer discloses an employee’s medical information that’s protected under the PDA and the disclosure leads to discrimination, harassment, and/or retaliation, that’s a violation of Title VII.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA provides data privacy and security provisions that are intended to safeguard your private medical information. The law’s Privacy Rule controls how your health plan or healthcare provider shares your protected medical information with your employer, but it doesn’t protect your employment records (even if your employment records contain medical information).

It would only be a violation of HIPAA if your employer requested and received medical information from your health plan or healthcare provider without your explicit authorization.

Legitimate Need-to-Know Circumstances

Generally speaking, there are four circumstances where it may be permissible for an employer to share your private medical information. Note, however, that these are exceptions to the rule, not rules in and of themselves. The exceptions are:

  • Disclosure to managers and supervisors when the medical information is necessary to provide reasonable accommodations for the employee (mostly applies to the ADA)
  • Disclosure to safety personnel and first aid providers if the employee would need emergency medical treatment
  • Disclosure to authorized personnel in the course of a federal or state workplace investigation
  • Disclosure to authorized personnel in the course of an insurance or workers' compensation claim

Filing a Federal Complaint

An experienced employment law attorney should be able to help you determine which laws were specifically broken by your employer’s unlawful disclosure of your private information.

Based on that determination, your attorney may advise you on which federal regulatory agency to file a complaint with. The following federal agencies have regulatory control over the previously discussed laws:

US Equal Employment Opportunity Commission (EEOC)

The EEOC is responsible for enforcing federal workplace discrimination laws, and generally has jurisdiction over employers that have at least 15 employees. The EEOC administers and enforces the ADA, GINA, Title VII, and the PDA.

You can file a formal complaint with the EEOC online within 180 days of your employer’s unlawful medical information disclosure. If you have a valid case, the agency will launch an investigation, and has the authority to seek remediation and penalties from the employer on your behalf.

Wage and Hour Division of the US Department of Labor (WHD)

The WHD is responsible for enforcing the FMLA (in addition to a number of other federal laws that relate to compensation and benefits, such as the Fair Labor Standards Act).

You can file a formal complaint with the WHD online. If your employer willfully violated the FMLA, you have up to three years to file the complaint and collect damages. If the employer unknowingly violated the FMLA, the statute of limitations is two years.

Office for Civil Rights of the US Department of Health and Human Services (OCR)

You can file a complaint with the OCR if you believe that a HIPAA-covered entity or business associate has violated your health information privacy rights, or has committed another violation of the Privacy, Security, or Breach Notification Rules.

Filing a civil lawsuit

The laws are clear about what constitutes a violation of your right to privacy, but the guidelines for resolving a medical information confidentiality/disclosure violation aren’t so black and white. Depending on the situation, you may be entitled to remediation in the form of back pay, front pay, and liquidated damages.

If you have incurred a personal injury (physical, mental, or emotional) as a result of the medical information disclosure, the court may impose punitive damages, too.

Need Help With An Employment Law Issue?

Whether you are an employee or an employer, you may need help with an employment law issue, such as a breach of medical confidentiality in the workplace. If you work in the state of Arizona, the expert attorneys at JacksonWhite are here to help.

Call our Employment Law team at (480) 464-1111 to discuss your case today.
