A critical aspect of the development and operation of an occupational medicine program is the confidentiality of medical information. The unauthorized release of personal details which may be recorded as part of a medical evaluation could cause legal and personal problems, either for the employee or for the employer and/or employer’s physician.
Examples of such important information are sexual practices, sexually transmitted diseases, a history of other contagious diseases such as tuberculosis, and personal habits.
Release of information such as HIV positivity can result in the loss of insurance benefits or employment for the employee. Such an event may in turn be grounds for a lawsuit against the employer and the employer’s physician. The Occupational Safety and Health Act (OSH Act), the Americans with Disabilities Act (ADA) and NFPA 1582 all address medical confidentiality and give guidance to employers and employees.
OSHA guidance is contained in 29 CFR 1910.20. The intent of this document is centered more on ensuring employee access to their own medical and exposure records, protecting the employer from release of confidential product information, and specifying how OSHA may gain access to medical records than on protecting the employee from unauthorized access by the employer. The main section relevant to a discussion of medical confidentiality is 1910.20 (e)(1)(i)and (ii): (i) Whenever an employee or designated representative requests access to a record, the employer shall assure that access is provided in a reasonable time (either apprise the employee of the record status or provide a record within 15 working days of the request), place, and manner... (ii) The employer may require of the requester only such information as should be readily known to the requester and which may be necessary to locate or identify the records being requested (e.g. dates and locations where the employee worked during the time period in question.)
The ADA addresses the issue of confidentiality more directly. It states that all information obtained as a result of medical evaluations be considered confidential and that employers may have access only to information regarding fitness for duty, necessary work restrictions, and appropriate accommodations. The only listed exceptions to this policy are that first aid and safety personnel should be informed of any conditions that may require emergency treatment, and that government officials investigating a complaint about medical examinations may have access to records. The ADA further states that all medical information must be maintained in separate files from other personnel information.
NFPA 1582, while not a federal law with penalty provisions, does provide guidance to fire fighters’ physicians on confidentiality in section 2-6. Based in part on the provisions of the ADA, the section states that all information gathered as part of a medical evaluation is considered confidential, and that its release requires written consent from the employee. In addition, section 2-6.3 states: The fire department physician shall inform the fire department only as to whether or not the candidate or current fire fighter is medically certified to perform as a fire fighter. The specific written consent of the candidate or current fire fighter shall be required to release confidential medical information to the fire department.
Confidentiality and Data Storage
Ensuring medical confidentiality often requires more than just a mention of it in a written program; it requires careful, up-front planning of how data will be stored. Medical files are often stored at the physician’s office or in a department’s health and safety office. Physicians are required by their ethical codes to restrict access to all medical records. If the records location is physically separate from the fire department, a statement in the contractual arrangement stating that only employees or their authorized representatives may have access to records should be sufficient. When medical records are stored within a fire department, as in a health and safety office, care must be taken that all medical records are separated from any other personnel files and kept in a separate, locked cabinet. Only medical personnel (physicians, physician’s assistants or nurses) should have access to the cabinet. Care must be taken that only statements of ability to perform job duties are entered into personnel files. The use of computers to record and analyze health databases introduces additional opportunities for breaches of confidentiality. Care must be taken to remove personal identifiers such as name, ID numbers, birth dates, height and weights, or identifying marks or characteristics from such databases. Access to the database can also be limited by the use of passwords or locked computer disks. In cases where the computer is used for both individual and group records, care must be taken to prevent the linkage of the two databases.
Disclosure of HIV status and treatment for drug dependency in a federally sponsored program can only be released with special written consent. A written consent is usually required each time the information is disclosed and is limited to the party named on the disclosure. Likewise, the general waiver provided by worker’s compensation statutes may not apply to a patient’s HIV status. Physicians may be required to provide special written consent from a patient to release this information. Physicians should be aware of the specific legal stipulations regarding disclosure of HIV status and involvement in drug treatment.