• Press Releases
• Policies and Position Statements
• Guidance Statements
• Public Comments
• Reference Material
• Press Room
• Advocacy
  • Federal Relations
  • State Relations
  • Action Center
  • News
  • Key Contacts
  • Policies & Position Statements
• Healthy Workforce Now

Confidentiality of Medical Information in the Workplace

As do all physicians, occupational and environmental medicine (OEM) practitioners rely on the patient to completely and truthfully disclose private information before rendering a professional opinion. In order for this disclosure of intimate information to occur, workers must feel that their private disclosures will be treated in a dignified and confidential manner. Because a physician must first of all do no harm, information received in confidence should be disclosed only when it is in the best interests of the patient or society, or required by applicable law or valid governmental rule or regulation.

When considering requests for job accommodation, addressing threats to health or safety, or reviewing claims for workers’ compensation benefits employers may require access to personal information. Additionally, employers shoulder an increasing responsibility for providing other types of benefits such as health and disability insurance, family medical leave, and employee assistance programs. As a result, the employer becomes inextricably and unavoidably involved in employees’ personal and medical affairs. Thus, competing interests between the worker’s desire for privacy and the employer’s legitimate interest in the health of the worker creates sensitive ethical and legal dilemmas for physicians who practice occupational medicine. Other parties, such as insurers, state and federal agencies, and accrediting organizations may also have a right to patient records, and this right must be considered and managed carefully.

The laws governing the confidentiality of employee medical information are complex and vary depending on the relationship between parties and by jurisdiction.¹ Difficult ethical problems arise when the physician must attempt to balance the importance of the worker’s need and right to keep information confidential versus the employer’s need and legal right to know or the interests of other parties.

ACOEM Position
The American College of Occupational and Environmental Medicine (ACOEM) acknowledged the importance of medical confidentiality with publication of its first Code of Ethical Conduct in 1976. This Code was later revised in 1993 to reflect changes in the character of the modern workplace.² The revised Code states that physicians should:

“5. keep confidential all individual medical information, releasing such information only when required by law or overriding public health considerations, or to other physicians according to accepted medical practice, or to others at the request of the individual”; and

“6. recognize that employers may be entitled to counsel about an individual's medical work fitness, but not to diagnoses or specific details, except in compliance with laws and regulations.”

Additional Guidance on Medical Confidentiality in the Workplace
While the ACOEM Code of Ethical Conduct provides direction, the ACOEM Committee on Ethical Practice in Occupational and Environmental Medicine believes that additional guidance on the issue of confidentiality is necessary. Therefore, in addition to Points 5 and 6 of the ACOEM Code of Ethical Conduct, the College is providing the following guidance regarding medical record confidentiality: 

1. Legislation and local practice may treat medical records created in the context of occupational health, independent medical evaluations, and workers’ compensation cases differently from medical records created by personal health care providers. However, the physician practicing occupational medicine is advised not to make such distinctions in practice without clear legal requirements or permission from the proper parties. Confidential medical information should be treated the same as in situations where there is a clear physician-patient relationship unless there is a valid legal reason and consent to do otherwise, a health and safety risk to the client or others, or evidence of a criminal act.³ 
2. Physicians should make all reasonable efforts to obtain the patient’s consent before disclosing all or any portion of his or her medical record. If disclosure is legally required or consent is not legally required, the patient should be notified of the impending disclosure unless such notification is impossible or there are overriding patient or public health concerns.
3. Physicians should recognize a patient’s consent-for-disclosure only if said consent is both informed and voluntary. The consent should specify the nature of the information to be released, the purposes for its release, the person to whom it may be released, and the time period for which the consent remains in effect. The consent must be signed by the worker or his or her legal guardian, or if the worker is deceased, by his or her personal representative.
4. Whenever physicians are aware that the results of an examination or records of a visit may be shared with a third party (e.g., in the case of an independent medical examination), it is incumbent upon the physician to properly notify the examinee prior to gathering historical or clinical data as to the nature of the evaluation, what information will be collected, and to whom it will be transmitted. The physician should not state or imply that any records will be kept confidential if this cannot be assured.
5. Although all personal health information should be presumed to be confidential, physicians should recognize that certain types of health information are particularly sensitive such as sexual orientation, HIV/AIDS status,⁴ drug and alcohol treatment, past history of physical or sexual abuse, treatment for sexually transmitted diseases, and genetic information. Physicians should be aware that a general consent for disclosure of medical records cannot be presumed to be sufficient in these situations and that specific written consent for release of such information must be obtained. This information should only be disclosed in compliance with U.S. federal and state law. Because it is often possible to infer sensitive information from other parts of the medical record, such as the medication history, the physician should treat such information in the same manner as explicitly sensitive information.
6. Physicians should release only the portion of a record covered by a release and not disclose the entire medical record unless indicated and permitted by the patient. Forwarding records that have been obtained from other medical providers is appropriate when that information is relevant to the specific problem in question.
7. Physicians should develop a written policy for the treatment of medical records in their offices, clinics, or workplaces. The policy should address such issues as where and how the records are stored; the security of medical records including computer databases; what happens in the event of employee resignation, layoff, termination, job transfer, or plant closure; and the mechanisms of employee access and consent for disclosure.⁵ 
8. Physicians should make reasonable efforts to ensure that those under their supervision act with due care regarding the confidentiality of medical records, and act to educate fellow health care providers regarding the confidentiality of medical information. Physicians should encourage the confidential treatment of medical information by their clients and in their organization by colleagues in other departments such as personnel or benefits who may have access to such data.
9. Physicians should disclose their professional opinion to both the employer and the worker when the worker has undergone a medical assessment for fitness to perform a specific job. However, the physician should not provide the employer with specific medical details or diagnoses unless the worker has given his or her permission. Additionally, physicians should not disclose without permission any “non-medical” information gained in the context of a physician/patient relationship that could adversely affect the employee. Exceptions include health and safety concerns or knowledge of unlawful activity.
10. Physicians should notify workers of their right to obtain access to their medical records and to request correction of any inaccuracies therein.⁶ 
11. Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and recommended accommodations. First aid and safety personnel may be informed, when appropriate, if a condition might require emergency treatment, in which case the employee should be informed.
12. Physicians should be a source of professional, unbiased, and expert opinion in the workers’ compensation or court systems and should only disclose medical information that is relevant and necessary to the claim or suit. When release of medical information is authorized or required by specific regulation, only the necessary and relevant information should be released.
13. Physicians should exercise caution whenever presented with a request or subpoena for medical records that does not include a written authorization for release by the worker, or when the records requested contain information about HIV status, drug and alcohol treatment, or genetic information. It may be appropriate to seek legal advice in these situations.
14. Physicians should withdraw or decline services when faced with an irresolvable ethical conflict or an unethical request by a client or employer. In many instances, the medical record will be the property of an employer. This ownership does not abrogate any of these principles. Each employer that owns medical records should designate a custodian of the records. Access by employer officials (e.g., employee relations, legal counsel) should proceed via the same process as requests by those outside the employer through the custodian.

Because OEM physicians work in a wide variety of practice situations and must respect the laws and customs of many countries, physicians have an ethical duty to become familiar with laws and regulation applicable to their practice. The College believes that all employee health and medical records should be treated as confidential by the employer and provider; however, occupational medicine physicians are in a unique position and must carefully balance the interests of all parties and society as a whole. These recommendations are intended to serve as guidance for OEM physicians in their relationships with their patients and the other individuals that they serve including employers.

References 

1. Rischitelli DG. The confidentiality of medical information in the workplace. J Occup Environ Med. 1995;37(5):583-93.
2. Teichman R, Wester MS. Code of ethical conduct. J Occup Med. 1994;29(1):27-30.
3. American Medical Association Council on Ethical and Judicial Affairs. Code of medical ethics. Current opinions with annotations. Chicago, Ill: AMA, 2006.
4. Americans with Disabilities Act, 42 USC §12112(D)(3)(B) (1990).
5. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Federal Register. 65 FR 82462. December 28, 2000. On line at www.hhs.gov/ocr/hipaa/finalreg.html.
6. OSHA Access to Employee Exposure and Medical Records Standard. 19 CFR § 1910.20. 

Approved by the Board of Directors of the American College of Occupational and Environmental Medicine (ACOEM) on October 24, 1994. Reviewed and revised by the Committee on Ethical Practice in Occupational and Environmental Medicine, and approved by the Board of Directors on January 14, 2008. 

Return to Previous Page