What HR Needs to Know About FMLA Confidentiality Requirements

Emma Milek
December 14, 2022

It’s no surprise that during the FMLA and ADA process, employers may need to gather sensitive medical information from their employees. Sensitive information can range from knowledge of specific illnesses to details about family planning, mental health, medical history, etc.

As an employer, it should be your top priority to keep this information secure and confidential, not only out of respect for your employees but also to remain compliant with HIPAA and other privacy regulations.

By following some simple guidelines, you can strike the perfect balance between protecting your employees’ FMLA confidentiality and gathering the information you need to manage leave!

Collecting Medical Data

If an employee needs to take FMLA leave for a serious health condition, you may choose to request certification of the condition in order to approve their case. A medical certification will include details pertaining to the employee’s condition. The key is to avoid requesting more information than needed to process the leave. For example, if an employee is going on leave for a serious health condition because they broke their leg and need surgery, it may not be necessary to collect their entire medical history up to that point.

The same rules apply for ADA certifications for workplace accommodations. You should only ask for enough information to establish the employee’s disability, current restrictions, and their need for an accommodation.

A good rule of thumb: Any request for medical information must stick explicitly to the medical facts, such as medical impact on essential functions, onset, expected leave duration, or the medical necessity for taking intermittent leave.

Additionally, be aware of the Genetic Information Nondiscrimination Act (GINA). This act prohibits employers from requesting any genetic information, such as genetic predisposition and family history.

Another way you can mitigate the chance of missteps during the FMLA certification process is by using the forms provided by the Department of Labor (DOL), or by modeling your own forms on them.

Implementing a leave management system such as AbsenceSoft ensures that every form is generated quickly and accurately. Within minutes you will have all the communications and documents ready to send to the employee. Every form is kept up to date with DOL standards, so when leave laws change you won’t have to worry about changing documentation. All of this helps to take the burden of compliance off your plate.

Storing Medical Data

Once you’ve collected the required information, it’s time to ensure the data is stored securely.

Any medical information disclosed for the purposes of certifying FMLA leave or providing an accommodation under the ADA should be kept strictly confidential.

Keep in mind that these records must be stored separately from an employee’s other personnel files. You should only allow those who administer leave to have access to the information in these medical records. That being said, the parties listed below may have access to certain information depending upon the situation:

    • Managers or supervisors who must be informed of work restrictions or accommodations
    • First-aid and safety personnel providing emergency treatment
    • Government officials performing audits

Tip: Don’t disclose the medical reason for an employee’s leave or accommodation to their supervisor. Generally, explaining the length of their absence or the type of accommodations they need will suffice.

What Happens If You Fail To Comply

Failure to ensure the security of employee medical information may lead to serious consequences, including a trip to court. The FMLA and ADA provide employees with the right to have their medical information kept confidential. Employees who find their rights infringed upon could choose to pursue the matter in court.

Consider Holtrey v. Collier County Bd. of Commissioners. Holtrey’s genito-urinary disorder was disclosed by a manager to eight of his fellow employees during a meeting he was absent from. Following this meeting, Holtrey’s coworkers joked and made rude gestures regarding his condition. In response to the violation of his right to FMLA privacy, Holtrey asserted claims of interference and retaliation. His employer’s motion to dismiss the case was denied.

Another similar case is Doe v. United States Postal Service. Doe disclosed his HIV status to support his need for FMLA certification. His supervisor shared this information with Doe’s colleagues, prompting him to take legal action. Though the district court had initially sided with the employer, the D.C. Circuit reversed the decision in Doe’s favor. This decision falls in line with the confidentiality provisions outlined in the ADA.

Not only are these types of acts insensitive, but they also violate your employees’ rights to privacy. These cases, and many others like them, could have been easily avoided if the employers had taken the necessary steps to protect confidential employee medical information.

How to Ensure the Security of Confidential Medical Information

To minimize the risk of confidential employee information falling into the wrong hands, providing thorough training is crucial. Ensure that all administrators of leave are aware of how the information is to be stored, and to whom it can be disclosed. Consider providing this training during onboarding, and make sure to keep everyone up to date on an annual basis.

Leave management solutions such as AbsenceSoft ensure that your documentation is fully secure. This includes the ability to restrict access based on user role. For instance, users who are part of the leave team will be granted access to medical certifications, but all other users, like HR team colleagues or managers, will not be able to see medical certifications. In addition, you can rest assured that all records are safe with AbsenceSoft. Our data security team performs ongoing security testing to ensure that AbsenceSoft remains a SOC type 2 controlled environment. This means you can rest easy, knowing your data is safe.

At the end of the day, proper compliance with privacy and security regulations will reduce your organization’s liability. All of this will help demonstrate your dedication to protecting your employees’ rights.

To learn more about FMLA, check out our latest guide, Best Practices for FMLA Management.