In our last blog, we talked about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that gives you rights over your health information. With a few exceptions, you have the right to inspect, review and get a copy of your medical records and billing records. Of course, you have the right to look at your own medical information. Yet, who else is allowed to look at your medical history? Generally, no one is allowed to look at your health information without your permission. However, there are some exceptions where, by law, your medical information may be used and shared for specific reasons. For example, your health information may be used for reporting as required by state or federal law. There are federal and state laws that require reporting when the flu is in your area for instance. In many cases, you may be entitled to know who has looked at your health information. Fortunately, these exceptions are limited. Generally, your health information cannot be seen or used without your permission. Your doctor may not give your health information to marketing and advertising agencies without your prior written permission for example. In addition, family members cannot obtain information about their relative without the patient’s consent. Similarly, under the New York State Mental Hygiene Law, a patient’s consent is generally needed before disclosures to family members can be made. However, it should be noted that HIPPA does not prevent your employer from requesting information about your health if your employer needs the information to administer workers’ compensation, health insurance or sick leave. Nonetheless, your health provider may not give your employer your health information directly without your permission. If you believe your HIPPA rights are being violated, you should contact an attorney to protect your rights. It’s essential to have a medical report for an employee if you’re considering dismissing for capability reasons or looking at whether an employee has a disability and therefore requires reasonable adjustments at work. Medical reports can be obtained from a doctor, or from Occupational Health, but it’s sensitive information and GDPR provides extra protections for sensitive data. Obtaining a report amounts to processing personal data under the GDPR, and according to the regulations there must be lawful grounds for processing the information. What constitutes lawful grounds?Article 6(1) identifies six lawful grounds for processing personal data:
Consent may be the lawful ground to depend on when asking an employee to allow access to a medical report. Consent requires a positive opt-in, which means the employee cannot be sent a pre-ticked form presuming consent. You can’t force an employee to see a doctor, so regardless of the GDPR, obtaining consent is key. Generally, a doctor would provide a report to the patient and this is only released to an employer with explicit consent. Patients are in control of any information released to an employer, and they have the right to review and ask for changes before it is submitted to an employer. It then gets more complicated for ‘special categories’, as employers need a valid reason for processing the data, and have to satisfy an additional condition under Article 9. What is Article 9?GDPR gives extra protection to ‘special categories’ which are generally those which could be used to discriminate unlawfully against an employee. The employer needs to give a specific reason for processing the data. In GDPR terms, one given reason may be that “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”. This means it can be justified by stating that it meets the employer's legal obligations not to unfairly dismiss, not to discriminate against a disabled employee, to identify reasonable adjustments where applicable and to ensure they are fit to return to work. Using a pre-employment questionnaire to determine whether or not to employ someone would contravene the Equality Act 2010 as well as GDPR, as it is discriminatory – and there is, therefore, no valid reason to process the data. The pre-employment questionnaire can be used to identify any potential issues, and allow the doctor to suggest reasonable adjustments, and this is a valid reason for processing the data under GDPR. To simplify the issue: you need to identify the reason for processing the data (ie consent to acquire a medical report), and be able to demonstrate that there is a requirement to process the data (ie use the data in the medical report to ensure that you are not discriminating against a disabled employee). What information can be requested?The GDPR holds various principles which the medical report needs to align to, including data minimisation. This means that the information is:
A medical report should contain only the information required for the employer to fulfil their legal responsibilities. If the employee has any health condition, the employer may only need to know:
For example, details of a chest infection at the time of assessment would be irrelevant to undertaking an office-based role. However, it would be reasonable to disclose information about chronic back pain, so an adequate chair and desk assessment can be made before commencing the role. However, not all this information would necessarily be provided to the employer if it was not relevant. HR is responsible for ensuring that the medical report is necessary, that the questions asked (and answered) in the medical report are relevant, and for being aware that the employee needs to give consent to the medical report. HR also needs to track and monitor the justification for the processing the data. Vicki Field is HR director and Daniel Fenton is clinical director at London Doctors Clinic |
Can my employer access my medical records without my consent
Related Posts
Copyright © 2024 paraquee Inc.
