California Medical Privacy Fact Sheet C5:

Employment and Your Medical Privacy

Copyright © 2012-2016
Privacy Rights Clearinghouse
Posted July 2012
Revised July 2012
  1. Introduction
  2. Employment and medical information in general
  3. Employment-related drug tests
  4. Can an employer or prospective employer access workers' compensation records?
  5. What protections exist for medical records of disabled job applicants and employees?
  6. If your employer sponsors your health plan, does it have access to your medical information?
  7. Are there other ways an employer can acquire employee medical information?
  8. May employers obtain, use, or disclose your medical records without your consent?
  9. Can you refuse to give an employer access to your medical information?
  10. Does an employer have any right to see your genetic information?
  11. What are employee wellness and harm risk reduction programs, and can an employer access medical information through them?
  12. Tips for protecting your medical records
  13. Resources

1.  Introduction

Have you ever wondered what kind of medical information your employer might have about you, and what rules, if any, they are required to follow?  What about any personal health or medical information that a potential employer may get or ask for in the hiring process?

California offers some privacy protections for medical information as it relates to employment or applying for a job. California's Confidentiality of Medical Information Act (CMIA) requires employers to protect the privacy and security of any medical information they receive. (Cal. Civ. Code §§ 56.20–56.245) This is significant, because the federal regulations governing medical privacy—the Health Insurance Portability and Accountability Act (HIPAA)—cover neither employers nor employment records, even if those records contain health-related information. (45 CFR §§ 160.103, 164.512(b)(1)(v))

HIPAA, unlike California law, treats a great deal of medical information as simply part of an employment record.  This includes information pertaining to drug screening or testing; Family and Medical Leave Act (FMLA); Americans with Disabilities Act (ADA) and/or Occupational Safety and Health Administration (OSHA) records; workers' compensation records; sick leave/return to work documents; and records relating to an alcohol and/or drug-free workplace.

For more information on HIPAA as it relates to medical information in the workplace, see the U.S. Department of Health and Human Services publication titled “Employers and Health Information in the Workplace.”

Although HIPAA does not cover employers or employment records, it does apply to employee health plans. If your employer contracts with an outside insurer to provide employees with group health care coverage, the employer may access only summary information necessary to negotiate premiums. If your employer self-insures its employees, as many large companies do, it must establish a separate office to process medical claims.  This type of health plan is known as a “hybrid entity” under the HIPAA Privacy and Security regulations. “Hybrid entities” must keep medical records completely separate from other employment records, such as payroll and personnel, and maintain HIPAA confidentiality and security standards.

When you apply for a job and are asked to submit to a background check, both California law and the federal Fair Credit Reporting Act (FCRA) prohibit consumer reporting agencies (CRAs) from including medical information in an employment background check without your authorization. For example, a CRA may not include medical bills that have gone to collection in a background check without your authorization. (Cal. Civ. Code § 1786.12(f); Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, 117 Stat. 1952)

If you are disabled, California’s disability discrimination laws (Cal. Gov’t Code § 12940) and the Americans with Disabilities Act (ADA) (42 U.S.C. § 12101) limit the circumstances under which employers or prospective employers may inquire about your medical condition or mental or physical disabilities.

2.  Employment and medical information in general

a. May a potential employer require access to your medical information?

California’s Fair Employment and Housing Act (FEHA) prohibits employers from requiring job applicants to take a medical or psychological examination before a job offer is made. (Cal. Gov’t Code §§ 12900–12996) The FEHA also prohibits employers from inquiring about any mental or physical disability or medical condition. However, an employer may ask about an applicant’s ability to perform job-related functions. Also, if an applicant requests a reasonable accommodation, the employer may respond by asking why it is necessary. For example, an applicant with a disability that prevents using a computer keyboard may ask for voice-recognition software.

After extending an offer, the employer may ask the applicant to have a pre-employment medical exam or laboratory test, as long as it relates specifically to the requirements of the job. (Cal. Gov’t Code § 12940(e)–(f)) If the offer of employment is withdrawn as a result of the medical exam or lab test, or for some other reason, you should ask for a copy of the report. While California law requires employers to keep employee medical records confidential (Cal. Civ. Code § 56.20), it is not clear whether they have the same responsibility concerning job applicants’ medical records.

See the Department of Fair Employment and Housing Fact Sheet titled “Employment Inquiries” for more information about what employers can ask job applicants and employees.

b. Finding out what is in your own medical records

Just as a practical matter, you may want to know what is in your own medical records. California’s Patient Access to Health Records Act (PAHRA) gives you the right to see and copy your medical records (with some exceptions) that are maintained by healthcare providers. (Cal. Health & Safety Code §§ 123100–123149.1) To do this you will need to make a written request to the provider and pay the copying costs.

The provider may charge no more than 25 cents per page, or 50 cents for copies made from microfilm. If the records are electronic, the charge can be no more than the reasonable cost of accessing the records and transferring them as a digital file. If you believe your record is incorrect or incomplete, you may give your provider a written attachment (limited to 250 words) and indicate that you want it included in the record. (Cal. Health & Safety Code § 123111)

For more information on requesting your medical records, see Question 2 of “Medical Records Access and Privacy in California,” from the Health Consumer Alliance.

c. Can employee background checks include medical information?

Employee background checks have become a routine part of the hiring process. There are two types of background checks: (1) those prepared commercially by consumer reporting agencies, and (2) those compiled by employers themselves (or by someone acting at their behest). The federal Fair Credit Reporting Act (FCRA) applies to “consumer reports,” which include any report used for credit, insurance, rental, or employment purposes. It also applies to “investigative consumer reports (ICRs),” which contain information obtained by any means, concerning your character, general reputation, or personal characteristics, and which are compiled by a CRA.

California law identifies two types of consumer reports. One type, “consumer credit reports,” includes only credit-related information (such as your credit cards and balances or outstanding debts) and is provided by a consumer reporting agency (CRA). (Cal. Civ. Code § 1785.1 et seq.) California restricts an employer’s access to your credit report to certain types of jobs, such as law enforcement and those that involve handling confidential or proprietary information or large amounts of money. See PRC Fact Sheet 16a: Employment Background Checks in California: New Focus on Accuracy.

The other type, “investigative consumer reports,” is the same as the reports about your character defined by the FCRA. However, under California law it may be provided either by a CRA or by any person who collects the information without using the services of a CRA. (Cal. Civ. Code § 1786 et seq.) For simplicity’s sake, we will call this non-CRA background check an “in-house report.” An “in-house report” is not covered by the federal FCRA, but it is to some extent covered by California law.

The FCRA is clear that a CRA cannot include medical information in an employee background check unless you consent and the information is relevant to the job you are seeking. (FCRA § 604(g)) California law is also clear that an Investigative Consumer Reporting Agency (ICRA) cannot furnish a report containing medical information to an employer without your consent. (Cal. Civ. Code § 1786.12(f))

An “in-house,” non-ICRA employee background check that is based on public record information does not require your consent, and nothing in the statute prohibits it from containing medical information culled from public records (such as court proceedings that contain medical testimony or evidence). Other protections may, however, apply in this situation:

  • California’s FEHA prevents medical information from being used to discriminate against you in employment. (Cal. Gov’t Code §§ 12900 – 12996)
  • The California Public Records Act (CPRA) considers public disclosure of medical records held by a government agency to be an unwarranted invasion of personal privacy. (Cal. Gov’t Code § 6254(c)) See the Attorney General’s “Summary of the Public Records Act” for more information. Courts are not bound by the CPRA, however. Redaction of medical information from remotely accessible electronic court records is discretionary.

To learn more about what must be redacted in federal court case files see the U.S. Courts website.  For information on sealing a record in California, see the California Rules of Court.

In California, the law entitles you to receive a copy of an ICRA employee background check report. (Cal. Civ. Code § 1786.16) Under federal law, you are entitled to a copy only when the employer intends to take adverse action, such as denying employment, based on the report; the employer must give you the copy before it acts. (FCRA § 604(b)(3))

For general information on employee background checks, see PRC's Fact Sheet 16: Employment Background Checks: A Jobseeker's Guide, and Fact Sheet 16a: Employment Background Checks in California: A Focus on Accuracy. Both offer helpful and detailed information about this complex subject.  PRC's Fact Sheets contain information about the contents of background checks (what they may and may not contain), how they are assembled, California and federal laws regulating their use, and your own rights. For information on how you can try to get a copy of your employee background check, see Fact Sheet 6b: "Other" Consumer Reports: What You Should Know about "Specialty" Reports, Sec. 8, Employment Background Screening Reports.

d. Can medical information that is not protected find its way into an employer-initiated background check?

Unfortunately, the answer is “yes.” For example, medical information has no legal protection from employers or potential employers if it has been reported in the media. This may be due to an accident you were involved in, a disease or treatment study you’ve participated in, a lawsuit you filed against a doctor or pharmaceutical company, or for some other reason.

There is also no protection for information you publicly put online about yourself. Data miners may collect this information and sell it. In addition, more and more frequently, employers are checking social media sites for publicly posted profiles, photographs, and other information. In any case, before you post something, consider what you are revealing about yourself and who other than your friends might see it.  Learn about any available privacy settings the social media service you use offers. Test the settings by looking yourself up when you are not logged in or, if the website offers it, using a feature on the site that allows you to preview what others see.

e. Can employers use health information they gain through social media?

That depends. Material gleaned from social media can provide employers with a wealth of information never found on a resume. Some employment screening companies now specialize in scouring social media websites for information on both applicants and employees. Such third-party screening companies are subject to the FCRA and California’s Investigative Consumer Reporting Agencies Act, and you have the same rights as you do with any other background check. (Cal. Civ. Code §§ 1786–1786.60)

The FCRA gives you no rights when an employer views your online posts itself rather than through a screening company. Keep in mind that employers are always looking for ways to cut health care costs, and public postings that suggest unhealthy habits, even if meant as a joke, can signal a risk to an employer and may cost you a job. Since most employment is “at will,” no justification for firing you would be required. If you hold a job from which you can be fired only for cause, the employer would probably have to divulge the reason and justify it as related to job performance.

Privacy settings on social media websites will limit access by others, including a potential employer.  This is no guarantee, however, that the information will remain private. Applicants increasingly report being asked during job interviews to either log on to social networks or provide access to hiring officials, prompting threatened actions from lawmakers throughout the country. Facebook and Twitter both advise against giving an employer access to your account or your password information.  In fact, it is against Facebook's "Statement of Rights and Responsibilities" to share your password.

f. Do some jobs require post-offer, pre-employment medical examinations and drug or alcohol tests?

Some types of employment are subject to health and safety regulations that require medical examinations and/or drug and alcohol tests after a job has been offered but prior to employment, and at regular intervals after you are employed. These include airline pilots, applicants for merchant marine licenses, as well as commercial truck drivers and interstate bus drivers (both medical certificate and drug test required). Federal and state agencies regulate licenses or certifications for such jobs where public safety is at issue.

3.  Employment-related drug tests

a. Can your employer require you to take a drug test?

California has no statutory law covering employee drug testing. Instead, court decisions have created the law in this area. In general, courts have required an employer to have a “particular suspicion” that an employee’s ability to perform his job is impaired by drugs before requiring a drug test. If you decline to take a test and your refusal leads to litigation, remember that both the interpretation of “particular suspicion” and “impairment” will be questions of fact for a jury to decide.

Random (suspicionless) drug testing of employees whose jobs are safety sensitive is allowed. (Smith v. Fresno Irrigation District, 72 Cal. App. 4th 147 (1999)) Examples of safety-sensitive jobs include police officers and firefighters, public transit workers involved in driving or maintenance, and nurses. But random drug testing violates the privacy of an employee whose work raises no safety issue that would justify it. (Luck v. Southern Pacific Transportation Co., 218 Cal.App.3d 1 (1990)) At least two cities, San Francisco and Berkeley, have ordinances that prohibit on-the-job drug testing except for safety-sensitive jobs.

Job applicants who have been offered a job have a lower expectation of privacy than current employees when it comes to drug tests, because they are asking a prospective employer to accept their suitability for a particular job. A prospective employer may therefore make a post-offer drug test a condition of employment for all applicants. (Loder v. City of Glendale, 14 Cal. 4th 846 (1997); Pilkington Barnes Hind v. Superior Court, 66 Cal. App. 4th 28 (1998))

b. Do employee drug test results have any privacy protections?

California employers must protect the confidentiality of any medical information they receive. (CMIA, Cal. Civ. Code §§ 56.20-56.245) This contrasts with the federal HIPAA regulations. HIPAA considers protected health information (PHI) used for employment purposes as part of an employment record rather than a medical record and therefore not entitled to privacy protection. (45 CFR § 160.103; 45 CFR § 164.512(b)(1)(v))  “PHI” is the equivalent of “medical information” in California law.

As with pre-employment medical exams, it is unclear whether this protection extends to a job applicant's drug tests. If a prospective employer requests a drug test after making an offer and withdraws the offer as a result of the test, you should ask to have the documentation of the test results returned to you.

c. Are employment-related drug tests really necessary, or is a safe and productive workplace possible without intruding on employees’ privacy rights?

Employers are legally responsible for maintaining a healthy and safe workplace, but many organizations oppose workplace drug testing as a means of doing that. The ACLU and the National Workrights Institute, for example, point out that in addition to raising constitutional privacy issues, drug tests are unreliable and prone to errors. They suggest that there are less privacy-invasive ways to test an employee’s ability to perform a job.

For example, computer-assisted tests that measure hand-eye coordination and reaction time can demonstrate the ability to perform—or not—without identifying the cause of any impairment and labeling someone as a drug user. Poor performance could be caused by fatigue, illness, or stress, not just by drugs. For more on this subject, see the National Workrights Institute report titled “Drug Testing: A Bad Investment.”

4.  Can an employer or prospective employer access workers' compensation records?

Initial workers' compensation claims are not public records, but when a claim is appealed to the Workers’ Compensation Appeals Board (WCAB), it becomes a public record. Employers may access WCAB records only if a work-related injury might interfere with your ability to perform a certain job.

Under the California Labor Code workers’ compensation claims records may not contain individually identifiable information—which would include any medical information that is identifiably linked to you—when accessed by someone who is not a party to the claim. (Cal. Labor Code § 138.7(a)) An exception to the law allows someone who is not party to a claim, but who identifies himself and the reason for the request, to access an identifiable record.

In California, employers can access these records only after a job offer has been made. They cannot rescind the offer based on information in the record. (Cal. Labor Code § 132a) However, if a workers’ compensation record includes prior claims that you failed to disclose during the job application process, that can be grounds for denying employment or for termination if you have already been hired.

To access workers’ compensation records, an employer submits a “Request for Public Records” to the California Workers’ Compensation Appeals Board, stating a legitimate reason for the request. If the purpose of the request is screening after an offer of employment has been extended, the Administrative Director of the Division of Workers’ Compensation must give you this notice, in 12-point type: “IT MAY BE A VIOLATION OF FEDERAL AND STATE LAW TO DISCRIMINATE AGAINST A JOB APPLICANT BECAUSE THE APPLICANT HAS FILED A CLAIM FOR WORKERS' COMPENSATION BENEFITS.” (Cal. Labor Code § 138.7(b)(5)) As a job applicant you would get this notice, but if you are not hired, it would be up to you to prove that the reason was your previous workers’ compensation claim.

5.  What protections exist for medical records of disabled job applicants and employees?

A federal law, the Americans with Disabilities Act (ADA), applies to workplaces with 15 or more employees. It prohibits employers from discriminating in hiring based on disability (42 U.S.C. § 12101 et seq.). The ADA requires the following:

  • Employers may not ask job applicants for medical information or require a physical examination before offering employment. Under the ADA, a disability is generally a physical or mental impairment that substantially limits a “major life activity.” (42 U.S.C. § 12102) An important difference under California law is that the limitation need not be substantial for the protection to apply. (Cal. Gov’t Code §§ 12926, 12926.1; California’s Disabled Persons Act is at Cal. Civ. Code §§ 54–55.3)
  • After extending a job offer, an employer can ask you to have a medical examination only if it is required of all employees who hold similar jobs.
  • If you are turned down for work based on the results of a medical examination, the employer must show that the reason is job-related and consistent with business necessity, for example that you cannot perform the essential functions of the job even with a reasonable accommodation.

The ADA also prevents employers from using the existence of a workers' compensation claim to discriminate against disabled applicants. (42 U.S.C. §12101)

You can report ADA violations to the U.S. Equal Employment Opportunity Commission (EEOC). Phone: (800) 669-4000.

The California Attorney General offers a helpful pamphlet titled “Legal Rights of Persons with Disabilities.” 

6.  If your employer sponsors your health plan, does it have access to your medical information?

The two most common types of employment-based health plans are fully insured group plans and self-funded (self-insured) plans, which this fact sheet also calls employer-sponsored plans.

The traditional group health insurance plan offered by most employers is a “fully insured plan.” The employer pays a monthly premium to an insurer or health maintenance organization (HMO)—like Kaiser, Blue Shield, or UnitedHealth—based on the number of employees, and the HMO or insurer pays the claims.

The benefits depend on the contract between the employer and HMO or insurer, and the plan may include deductibles or co-payments for the employee. With group health insurance plans, an employer sees only claims data and summary health information. In other words, the employer sees information that summarizes claims history, but which has been de-identified according to HIPAA standards.

With employer-sponsored plans, the employer pays administrative costs and individual claims. These plans are an odd hybrid. Employer-sponsored plans are also called “self-funded” or “self-insured” plans. They are “covered entities” under the HIPAA Privacy Rule, which treats the health plan as a separate entity from the sponsoring employer. (45 CFR Parts 160 and 164)  In other words, the employer-sponsor is not a covered entity, but the health plan itself is.

The result is that the employer is responsible for complying with CMIA and HIPAA regulations concerning the privacy of medical information. If the employer-sponsor has access to its employees’ protected health information, it must ensure that the information is used only for administrative functions, such as paying benefits.  The employer must build a firewall between its CMIA/HIPAA-covered functions and its non-covered functions in order to keep employee health claims data separate from other employee data.  Examples of non-covered functions are maintaining payroll records and human resources files.

Employers with this type of plan must tell employees which personnel in the company are inside the firewall and have access to employee medical records. They must also train those outside the firewall to refer health plan questions to those inside it. In addition, employers must comply with other HIPAA requirements. These include appointing a privacy officer; establishing policies and procedures for HIPAA compliance; training employees and sanctioning them for failure to follow procedures; and entering into business associate agreements with any third parties involved in handling employee medical records.

If your health insurance is through an employer-sponsored plan, you should find out if the employer is meeting its requirements. A good place to start would be identifying the company’s privacy officer. If there is one, you can direct your questions there.  If the company does not have a privacy officer, you may have discovered a problem your employer needs to address.

a. Disclosure of pre-existing conditions

The Affordable Care Act (ACA) eliminates pre-existing conditions as a qualifying factor for obtaining health insurance. The information that follows will remain in effect only until 2014, when states begin to operate the health insurance exchanges that the ACA’s individual mandate requires. At that time, since you cannot be denied health insurance based on your medical history, you should not have to authorize disclosure of your medical records when you apply. Keep in mind, though, that the ACA’s pre-existing condition provision applies only to health insurance. Individual applicants for life, disability, and long-term care insurance will still need to disclose their medical records.

The effect of pre-existing medical conditions on insurability is a complex subject, perhaps because the industry is so highly regulated. If you work at a small business (2–50 employees) that offers a group health plan, you can be denied coverage for treatment of pre-existing conditions for a total of six months following the effective date of coverage under the plan. (Cal. Health and Safety Code §§ 1357.06 and 1357.51(a))

Large employer group health plans (for more than 50 employees) and association group health insurance, like individual health insurance, are subject to medical underwriting. This means that your employer can ask you to provide medical information that can be used to evaluate your insurability.

Another thing to know about large employer group plans is that, in contrast to small group plans, they are not required to be offered on a guaranteed-issue basis. This means a health insurer could reject an entire large employer group for a policy based on its claims history. But if an insurer does issue a policy to a large employer, no individual employee who is eligible for benefits can be denied coverage based on a pre-existing condition.

In order to find out if you have a pre-existing condition for which there may be an exclusionary period or coverage can be denied, an employer may ask you to fill out a health questionnaire. Therefore, the employer can obtain health information it couldn’t otherwise get, although the CMIA imposes privacy and confidentiality requirements on the employer regarding that information. (Cal. Civ. Code §§ 56.20–56.245)

Instead of a group health plan, your employer may offer a self-insured plan, under which the employer administers the plan and pays the benefits. Some, but not all, self-insured health plans are regulated by ERISA (Employee Retirement Income Security Act of 1974), a federal law that is enforced by the U.S. Department of Labor Employee Benefits Security Administration (DOL-EBSA). Self-insured plans that are sponsored by an employer or a union fall under ERISA; those sponsored through school districts, other municipal agencies, and churches do not, and would thus be regulated by the state.

Self-insured, ERISA-regulated plans may exclude coverage of pre-existing conditions for up to 12 months. Again, the employer needs to ask whether you have any pre-existing conditions, and may request your medical information by means of a questionnaire.

It may not be obvious whether the health coverage your employer offers is a group plan or a self-insured plan. In the event that the way the plan is administered affects you, you should ask.

As noted above, the Affordable Care Act of 2010 eliminates pre-existing conditions as a disqualification for health insurance.  The state insurance exchanges set up to meet the ACA’s individual mandate begin operations in 2014.

For more information about health insurance plans generally, including how to make inquiries and complaints, see the California Department of Insurance “Consumer Guide to Health Insurance.” For further details about large and small group insurance from an industry perspective, see the National Association of Health Underwriters (NAHU) “Consumer Guide to Group Health Insurance.”

7.  Are there other ways an employer can acquire employee medical information?

Employers may have greater access to your medical records once you become an employee than they do when you are a job applicant. An employer is not a covered entity for purposes of medical privacy under the HIPAA regulations. California law, however, obligates an employer who receives medical information “to ensure the confidentiality and protection from unauthorized use and disclosure of that information.” (CMIA, Cal. Civ. Code § 56.20) An employee who experiences economic loss or personal injury because an employer fails to maintain the confidentiality of her medical information may sue for damages and legal costs.

Also, there are several kinds of medical information an employer may receive that are not considered protected health information (PHI). Examples include medical information an employer keeps to meet its obligations under the Family and Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and the Occupational Safety and Health Act (enforced by OSHA). These types of non-covered information could include records of occupational injuries, disability insurance eligibility, and job-fitness medical examinations.

a. The Family and Medical Leave Act

The Family and Medical Leave Act (FMLA) gives eligible workers the right to up to 12 weeks of unpaid, job-protected leave in a 12-month period for their own serious health condition or to care for a family member. If the reason for an FMLA request is a serious health condition, your employer may require a medical certification from a health care provider, but cannot require you to hand over your actual medical records. The U.S. Department of Labor offers complete information on the operation of the FMLA, for both employees and employers.

b. The Americans with Disabilities Act

The Americans with Disabilities Act (ADA) prohibits discrimination against people with disabilities in the workplace. It sets out strict rules for covered employers, which include private employers, state and local governments, employment agencies, and labor organizations. Prior to employment, the ADA prohibits employers from asking whether a potential employee has a disability or has any past or present medical conditions.

The employer also may not ask a potential employee to disclose his or her workers’ compensation history. Pre-offer medical examinations are prohibited by the ADA. However, after someone has been offered employment and before the start date, an employer may require a medical examination if the requirement applies to all new employees in similar jobs.

The ADA requires that disabled employees’ medical records be kept confidential and separate from other employment records. They may be disclosed to a supervisor making a “reasonable accommodation” for a disabled worker; to safety and first aid workers, in the event that a disabled employee needs to be treated or evacuated; to insurance companies that require a medical exam; and otherwise as required by law. For more information on the ADA, including an 800 number to call if you have questions, see the Equal Employment Opportunity Commission’s ADA website. The Council for Disability Rights also has an FAQ written expressly for non-lawyers.

c. Occupational Safety and Health Act

The federal Occupational Safety and Health Act, enforced by the Occupational Safety and Health Administration (OSHA), covers all private-sector employers with one or more workers in all states and U.S. territories. Federal OSHA regulations do not cover public-sector employers (municipal, county, state, or federal government agencies); self-employed individuals; family members operating a farm; or domestic household workers.

Sample OSHA issues include such things as ergonomics, hazardous materials in the workplace, indoor air quality, emergency preparedness, and record-keeping. The Department of Labor’s OSHA website offers information about workers’ rights, as well as an FAQ section about specific problems the law covers and compliance requirements for employers.

Cal OSHA complements the federal regulations and limits the use and disclosure of all personally identifiable information by state agencies. Data—including medical information—can be used only for the purposes for which it was collected, and you must be told what those purposes are. Disclosure for any other purpose requires your consent. (Cal. Gov’t Code § 11019.9) For information on filing an OSHA complaint in California, in English and Spanish, see the Department of Industrial Relations website.

OSHA regulations require employers to retain general medical records for the duration of employment plus 30 years—quite a long time. A medical record is “…a record concerning the health status of an employee which is made or maintained by a physician, nurse, or other health care personnel or technician.” (See OSHA Definitions, 29 C.F.R. § 1910.1020(c)(6))

This broad definition encompasses just about every record that could arise at the intersection of personal medical information and workplace health and safety. It includes:

  • medical examination results (both prior to employment and while employed);
  • laboratory, diagnostic, and biological monitoring;
  • doctors’ opinions, diagnoses, progress notes, and recommendations;
  • first-aid records;
  • descriptions of treatments and prescriptions, and employee medical complaints; and
  • medical and employment questionnaires and histories, including job description and occupational exposures.

There are a few exceptions to this massive mandatory record-keeping requirement:

  • first-aid records for one-time treatment;
  • medical records of individuals employed for less than one year, if offered to the employee upon termination; and
  • health insurance claims from a fully funded employee health plan.

As an employee you have the right to request your OSHA records. See OSHA’s publication, “Access to Medical and Exposure Records.”

8.  May employers obtain, use, or disclose your medical records without your consent?

There are a number of exceptions to the CMIA’s requirement that employers protect the privacy and security of any employee medical information they receive. (Cal. Civ. Code §§ 56.20-56.245) These circumstances include:

  • judicial or administrative process that compels disclosure (for example, a court subpoena);
  • when medical information is relevant to a lawsuit, arbitration, or other claim, and you (the employee) have raised the issue in the case;
  • administering employee benefit plans, such as disability and workers' compensation, and determining eligibility for paid or unpaid medical leave from work;
  • in an emergency situation when you or a designee is unable to authorize disclosure.

9.  Can you refuse to give an employer access to your medical information?

You can refuse to let an employer see your medical records, but there may be consequences. Although the employer cannot discriminate against you in the terms or conditions of employment for refusing to authorize access to your medical records, he may take whatever action is necessary in the absence of medical information due to your refusal. For example, if all employees in a certain job category are required to have a medical examination to determine their fitness to perform that job and you either refuse to have the examination or to give your employer access to the results, you can be denied the job. (CMIA, Cal. Civ. Code § 56.20(b))

10.  Does an employer have any right to see your genetic information?

California law prohibits employers from requiring employees or job applicants to submit to genetic testing unless the request is based on a bona fide occupational qualification. (Cal. Gov’t Code § 12940) An example of an occupational qualification would be employment in a workplace where exposure to toxic substances or radiation is monitored.

Genetic information includes:

  • your genetic test results, and also those of family members;
  • your family medical history, which is often used to assess your future risk of getting a certain disease;
  • your or a family member’s request for, or receipt of, genetic services, or participation in clinical research that includes genetic services;
  • the genetic information of a fetus carried by you or a family member; and
  • the genetic information of any embryo legally held by you or a family member for assisted reproductive technology.

Information about your own or your family’s medical history that you voluntarily give up on medical, genealogy, or social networking websites is not protected by any laws that regulate the use or privacy of genetic information.

There are some legal protections against the acquisition and use of genetic information. The 2008 federal Genetic Information Nondiscrimination Act (GINA) prohibits employers and most health insurers from requesting or requiring employees to provide genetic information. GINA also prohibits discrimination—for instance, denying employment or health benefits—based on genetic information. (Pub. Law 110–233) The Equal Employment Opportunity Commission (EEOC), which enforces GINA, has information for consumers about the Act and its application. Another good source, particularly from a privacy perspective, is the Council for Responsible Genetics.

Recent amendments to the California Fair Employment and Housing Act (FEHA) and the Unruh Civil Rights Act further reinforce GINA’s prohibition against discrimination based on genetic information. Changes to the FEHA affect not only employment but also housing, business services, emergency medical services, licensing qualifications, life insurance coverage, mortgage lending, and participation in state-funded or state-administered programs. The Unruh Civil Rights Act changes affect access to accommodations, advantages, facilities, privileges, or services provided by business establishments. (Cal. Gov’t Code §§ 12921, 12940(a), (b), and (c); Cal. Civ. Code § 51)

Employers may not discriminate based on genetic information, and they are obligated to protect such information and not use it in any legally prohibited way. However, there are circumstances under which an employer might obtain such information. These circumstances may include:

  • information acquired inadvertently, such as by a supervisor who overhears your conversation about your or a family member’s genetically based illness;
  • information (such as family medical history) you voluntarily give up as part of a health, genetic services, or wellness program offered by your employer;
  • information about family medical history that’s included in the certification process for Family and Medical Leave Act (FMLA) leave;
  • information acquired from commercial or publicly available sources, like newspapers or websites, as long as the employer is not searching those sources for the purpose of finding genetic information about you;
  • information collected through a genetic monitoring program of the biological effects of toxic substances in the workplace where the monitoring is required by law or, under some circumstances, voluntary;
  • employee genetic information collected by employers who do DNA tests for law enforcement purposes or to identify human remains, but only to analyze DNA markers for quality control to detect sample contamination.

11.  What are employee wellness and harm risk reduction programs, and can an employer access medical information through them?

Employee wellness and harm (or sometimes health) risk reduction programs (HRRPs) have become increasingly popular because employers and insurers, along with most of society, have a strong interest in reducing healthcare costs. Improving employee health through various types of employer-sponsored health monitoring and behavior modification is seen as a way to create savings on medication and treatment. Such programs may be beneficial, but they also raise concerns, not least of all for the privacy of the medical and behavioral data they accumulate.

Wellness in the employment context can cover everything from dealing with violence and bullying in the workplace to specific health-related programs that would be collecting and maintaining personal health information about you. Programs might involve on-site exercise rooms and healthy food choices in the cafeteria, immunizations paid for by an employer, health fairs and health education, smoking cessation and weight-loss programs, health risk assessments, and on-site “health coaches.”

Before enrolling in a work-related wellness program, ask these important questions:

  • What information will be collected about you and by whom?
  • Who has access to it, and for what purposes?
  • What privacy protections do (or don’t) apply?
  • Do you have any control over the use and dissemination of the information that is collected?

There are dozens of companies that market wellness and harm risk reduction programs to employers. How the program is offered affects the privacy of the information it collects and any control you have over it. If the program is a benefit of an employer-sponsored health plan (that is, the plan pays for it), the vendor must have a business associate agreement with the employer-sponsor, which obligates it to comply with HIPAA and California’s Confidentiality of Medical Information Act. If the vendor’s agreement with the employer does not involve an employer-sponsored health plan, but is instead an agreement to provide a service, probably the only privacy protections that apply are those in the vendor’s privacy policy, assuming it has one.

Regardless of the employer’s relationship to the vendor, if an employer receives any medical information about you that is collected because you participate in an employee wellness or harm risk reduction program, California law requires the employer to protect the privacy and confidentiality of that information. (Cal. Civ. Code §§ 56.20-56.245) Wellness or HRRP information might also be protected if the records maintained by program vendors were considered personal health records (PHRs), in which case HIPAA would apply. However, this seems unlikely since one feature of a PHR is that the person it belongs to controls access to it.

It is also possible, but untested, that a wellness or harm risk reduction program vendor could be covered under a California law that considers a health provider to be:

“[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual” (CMIA) (Cal. Civ. Code § 56.06)

Since one purpose of these programs is to make information available to individuals to help them improve their health, the vendors would seem to fit the description of health care providers. The question is whether they are “organized for the purpose of maintaining medical information,” or if maintaining medical information is incidental to their organizational purpose.

The law has not yet been interpreted by the courts. However, a consumer-friendly interpretation would consider vendors to be providers and require them to “maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business,” (Cal. Civ. Code § 56.06) and also subject them to breach notification requirements and penalties.

A consumer-friendly interpretation would also give employees enrolled in the programs the right to access their records. Wellness program vendors are not currently covered by HIPAA regulations, and California law lacks a provision for accounting of disclosures. Therefore, you are not able to find out who has accessed your records, which is something you should want to know.

12. Tips for protecting your medical records

  • Always carefully read forms you are asked to sign to authorize the release of your medical information. It is especially important to determine the purposes for which the information may be released or accessed by others. Do not sign a general release that authorizes your medical records to be released for “all legally valid purposes.” If you have questions or don’t understand the terms of the authorization, ask the employer to explain.
  • Certain medical information is legally considered “sensitive” and requires additional specific written authorization for release. This includes psychotherapy notes, records of substance abuse treatment, and information about HIV status or sexually transmitted diseases. Make it clear on any form you sign that you are not authorizing the release of sensitive medical information.
  • Request copies of your own medical records so you know what is in them before you authorize their release to an employer. PRC has a sample letter for requesting a copy of your medical records from your health care provider.
  • If you want information in your medical records to be kept confidential and not disclosed to an employer, make a written request to that effect to your health care provider. It’s up to the provider to honor your request (or not) if the release of information is for medical treatment, payment of medical bills, or health care operations, but she should honor it if the release is to an employer. Also, providers may not disclose information about health care services you pay for yourself.
  • Be careful about medical information you release into the public domain, which includes web-based health information sites. It is completely unprotected.
  • Use caution in posting personal information on social media websites, particularly information that relates to your health. Always choose privacy settings, but understand this may not guarantee total privacy.

13. Resources

Federal Government Agencies:

U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
website with contact information:

U.S. Department of Labor
200 Constitution Ave., NW
Washington, DC 20210
Toll Free: 1-866-4-USA-DOL (1-866-487-2365), TTY: 1-877-889-5627
Contact information sorted by topic and state is available on the Department of Labor website:

Equal Employment Opportunity Commission
1801 L Street, N.W.
Washington, D.C. 20507
Phone: (202) 663-4900; TTY: (202) 663-4494

Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Toll-free helpline: 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261

California Government Agencies:

California Department of Insurance
Consumer Services Division
300 South Spring Street, South Tower
Los Angeles, CA 90013
(800) 927-HELP (4357) (within California)
(213) 897-8921 (outside California)
(800) 482-4833 (TDD)

California Office of Health Information Integrity
1600 9th Street, Room 460
Sacramento, CA  95814
(916) 651-6907
FAX:  (916) 653-9588

Department of Industrial Relations
Visit the DIR website for contact information regarding specific topics:

Department of Fair Employment and Housing

(800) 884-1684 or Videophone for the DEAF at (916) 226-5285 or TDD (800) 700-2320.

California Law:

The State of California's Laws and Regulations are available at:


The National Workrights Institute advocates for workplace justice and the enforcement of human rights in the workplace.

The Health Consumer Alliance has a good FAQ on California laws pertaining to medical records privacy and access.

The California Department of Fair Employment and Housing's (DFEH) publication titled “Employment Inquiries” describes what an employer can and cannot ask of a job applicant, an applicant who has been offered a job, or a current employee. An employer, for example, cannot ask an applicant who has not been offered a job to take a psychological or medical examination.

For more on health information in the workplace, see the California Department of Health and Human Services webpage on Employers and Health Information in the Workplace.

The Council for Disability Rights has the most comprehensive and readable information on disability and employment in “Employment Rights Under the Americans with Disabilities Act (and other related laws),” Fourth Edition, April 2010, Publication #5068.01.

To learn about employers’ responsibilities regarding employee background checks, see the Federal Trade Commission’s “Using Consumer Reports: What Employers Need to Know.”

Privacy Rights Clearinghouse Publications:

Fact Sheet 6b: "Other" Consumer Reports: What You Should Know About "Specialty" Reports 

Fact Sheet 16: Employment Background Checks: A Jobseeker's Guide

Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.