• Public Affairs

    landing-header-public-affairs_37748_17213
  • Confidentiality of Medical Information in the Workplace

    ACOEM Committee on Ethical Practice in Occupational and Environmental Medicine

    As do all physicians, occupational and environmental medicine (OEM) practitioners rely on the patient to completely and truthfully disclose private information before rendering a professional opinion. In order to facilitate the disclosure of private personal information, employees must feel that their private disclosures will be treated in a dignified and confidential manner. Because a physician must first of all do no harm, information received in confidence should be disclosed only when it is in the best interests of the patient or society, or required by applicable law or valid governmental rule or regulation.

    When considering requests for job accommodation, addressing threats to health or safety, or reviewing claims for workers’ compensation benefits, employers may require access to personal information. Additionally, employers shoulder an increasing responsibility for providing other types of benefits such as health and disability insurance, family medical leave, and employee assistance programs. As a result, the employer becomes inextricably and unavoidably involved in employees’ personal and medical affairs. Thus, competing interests between the employee’s right to privacy and the employer’s legitimate interest in the health of the employee creates sensitive ethical and legal dilemmas for physicians who practice occupational medicine. Other parties, such as insurers, state and federal agencies, and accrediting organizations may also have a right to patient records, and this right must be considered and managed carefully.

    The laws governing the confidentiality of employee medical information are complex and vary depending on the relationship between parties and by jurisdiction.1 Difficult ethical problems arise when the physician must attempt to balance the importance of the employee’s need and legal right to keep information confidential versus the employer’s need and legal right to know or the interests of other parties.

    ACOEM Position
    The American College of Occupational and Environmental Medicine (ACOEM) acknowledged the importance of medical confidentiality with publication of its first Code of Ethical Conduct in 1976. This Code was later revised in 1993 to reflect changes in the character of the modern workplace,2 and subsequently updated in 2010.3 The 2010 Code of Ethics states that physicians should:

    “5. Protect Patient Confidentiality. Keep confidential all individual medical, health promotion, and health screening information, only releasing such information with proper authorization. Recognize that employers may be entitled to counsel about an individual’s medical work fitness.”3  

    Additional Guidance on Medical Confidentiality in the Workplace
    While the ACOEM Code of Ethics provides direction, the ACOEM Committee on Ethical Practice in Occupational and Environmental Medicine believes that additional guidance on the issue of confidentiality is necessary. Therefore, in addition to Point 5 of the ACOEM Code of Ethics, the College is providing the following guidance regarding medical record confidentiality:

    1. Legislation and local practice may treat medical records created in the context of occupational health, independent medical evaluations, and workers’ compensation cases differently from medical records created by personal health care providers. However, the physician practicing occupational medicine is advised not to make such distinctions in practice without clear legal guidance or permission from the proper parties. Confidential medical information should be treated the same as in situations where there is a clear physician-patient relationship unless there is a valid legal reason or consent to do otherwise, a health and safety risk to the client or others, or evidence of a criminal act.4
    2. Physicians should make all reasonable efforts to obtain the patient’s consent before disclosing all or any portion of his or her medical record. If disclosure is legally required or consent is not legally required, the patient should be notified of the impending disclosure unless such notification is impossible or there are overriding patient or public health concerns.
    3. Physicians should recognize a patient’s consent-for-disclosure only if said consent is both informed and voluntary. The consent should specify the nature of the information to be released, the purposes for its release, the person or persons to whom it may be released, the time period for which the consent remains in effect, and acknowledgement statement that the patient may rescind consent at anytime. The consent must be signed by the employee or his or her legal guardian, or if the employee is deceased, by his or her personal representative.
    4. Whenever physicians are aware that the results of an examination or records of a visit may be shared with a third party (e.g., in the case of an independent medical examination the information will be shared with an insurer and/or attorneys representing the insurer and the claimant), it is incumbent upon the physician to properly notify the examinee prior to gathering historical or clinical data as to the nature of the evaluation, what information will be collected, and to whom it will be transmitted. The physician should not state or imply that any records will be kept confidential if this cannot be assured. The physician performing independent medical examinations should be knowledgeable of statutes and/or regulations controlling the distribution of their reports. It is appropriate that the insurer and physician share with the claimant the nature of information to be included and the distribution of the report. Sensitive confidential medical information that is not relevant to the claim should not be included in the report.
    5. Although all personal health information should be presumed to be confidential, physicians should recognize that certain types of health information are particularly sensitive such as sexual orientation, HIV/AIDS status,5 drug and alcohol treatment, past history of physical or sexual abuse, treatment for sexually transmitted diseases, and genetic information.6 Physicians should be aware that a general consent for disclosure of medical records cannot be presumed to be sufficient in these situations and that specific written consent for release of such information must be obtained. This information should only be disclosed in compliance with U.S. federal and state law and similar laws of other countries where occupational physicians work. Because it is often possible to infer sensitive information from other parts of the medical record, such as the medication history, the physician should treat such information in the same manner as explicitly sensitive information.
    6. Physicians should release only the portion of a record covered by a release and not disclose the entire medical record unless indicated and permitted by the patient. Forwarding records that have been obtained from other medical providers is appropriate when that information is relevant to the specific problem in question and permitted.
    7. Physicians should develop a written policy for the treatment of medical records in their offices, clinics, or workplaces. The policy should address such issues as where, and for how long the records are stored; the security of medical records including computer databases; what happens in the event of employee resignation, layoff, termination, job transfer, or closure and/or merger of employer; and the mechanisms of employee access and consent for disclosure.7
    8. Physicians should make reasonable efforts to ensure that those under their supervision act with due care regarding the confidentiality of medical records, and act to educate fellow health care providers and office support staff regarding the confidentiality of medical information. Physicians should encourage the confidential treatment of medical information by their clients and in their organization by colleagues in other departments such as human resources or benefits who may have access to such data.
    9. Physicians should disclose their professional opinion to both the employer and the employee when the employee has undergone a medical assessment for fitness to perform a specific job. However, the physician should not provide the employer with specific medical details or diagnoses unless the employee has given his or her permission. Additionally, physicians should not disclose without permission any “non-medical” information gained in the context of a physician/patient relationship that could adversely affect the employee. Exceptions include health and safety concerns or knowledge of unlawful activity.
    10. Physicians should notify employees of their right to obtain access to their medical records and to request correction of any inaccuracies therein.8
    11. Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and recommended accommodations. First aid and safety personnel may be informed, when appropriate, if a condition might require emergency treatment, in which case the employee should be informed.
    12. Physicians should be a source of professional, unbiased, and expert opinion in the workers’ compensation or court systems and should only disclose medical information that is relevant and necessary to the claim or suit. When release of medical information is authorized or required by specific regulation, only the necessary and relevant information should be released.
    13. Physicians should exercise caution whenever presented with a request or subpoena for medical records that does not include a written authorization for release by the employee, or when the records requested contain information about HIV status, drug and alcohol treatment, or genetic information. It may be appropriate to seek legal advice in these situations.
    14. Physicians should withdraw or decline services when faced with an irresolvable ethical conflict or an unethical request by a client or employer. In many instances, the medical record will be the property of an employer. This ownership does not abrogate any of these principles. Each employer that owns medical records should designate a custodian of the records. Access by employer officials (e.g., employee relations, legal counsel) should proceed via the same process as requests by those outside the employer through the custodian. Physicians should consider inquiring about the employer’s practices regarding medical records prior to employment or contractual services.

    Because OEM physicians work in a wide variety of practice situations and must respect the laws and customs of many countries, physicians have an ethical duty to become familiar with laws and regulation applicable to their practice. The College believes that all employee health and medical records should be treated as confidential by the employer and provider; however, occupational medicine physicians are in a unique position and must carefully balance the interests of all parties and society as a whole. These recommendations are intended to serve as guidance for OEM physicians in their relationships with their patients and the other individuals that they serve including employers.

    References
    1. Rischitelli DG. The confidentiality of medical information in the workplace. J Occup Environ Med. 1995;37(5):583-93.
    2. Teichman R, Wester MS. Code of ethical conduct. J Occup Med. 1994;29(1):27-30.
    3. ACOEM Code of Ethics. 2010. Available at www.acoem.org/codeofconduct.aspx.
    4. American Medical Association Council on Ethical and Judicial Affairs. Code of Medical Ethics. Current Opinions with Annotations. Chicago, Ill: AMA, 2006.
    5. Americans with Disabilities Act, 42 USC §12112(D)(3)(B) (1990).
    6. ACOEM Task Force on Genetic Screening in the Workplace. Position statement. Genetic screening in the workplace. J Occup Environ Med. 2010;52(7):763. Available at www.acoem/org/GeneticScreening.aspx.
    7. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Federal Register. 65 FR 82462. December 28, 2000. Available at www.hhs.gov/ocr/hipaa/finalreg.html.
    8. OSHA. Access to Employee Exposure and Medical Records Standard. 19 CFR § 1910.20.

    This statement was reviewed and revised by the ACOEM Committee on Ethical Practice in Occupational and Environmental Medicine. Committee members are Drs. David Lukcso, chair, Paul Brandt-Rauf, and William W. Greaves. This statement was peer-reviewed by Dr. Robert Orford, and approved by the ACOEM Board of Directors on July 28, 2012. This statement updates ACOEM’s 2008 statement.

    Return to Previous Page