Your Patient Privacy Rights in Employment
Your personal health information can affect hiring, firing, promotions, and workplace opportunities—so U.S. law limits what employers can ask for, how they can use it, and how it must be handled when they receive it. The rules depend on when the information is requested (before an offer, after an offer, or during employment) and why it's requested (job fitness, leave, accommodations, insurance, or wellness programs).
Your right to limit employer health questions and exams
Before a job offer: The Americans with Disabilities Act offers important protections in the workplace. Employers with 15 or more employees may not ask disability- or health-related questions or require a medical exam before making a job offer—including questions likely to reveal a disability (such as questions about medications, diagnoses, or workers' compensation history). But, before making a job offer, an employer may:
- Ask about your ability to do the job, including whether you can perform the job's essential functions, with or without reasonable accommodation.
- Ask you to describe or demonstrate how you would perform job tasks (especially if it's obvious you may need an accommodation to perform a specific function).
- Use non-medical skills or ability tests, including physical agility or fitness tests that measure performance of tasks (so long as they don't measure physiological responses like blood pressure or heart rate).
- Ask for a limited, safety-related certification for a physical test, e.g., give you a description of a fitness or agility test and ask your doctor to state only whether you can safely perform it.
- Test for current illegal drug use (and ask about current illegal drug use), because illegal-drug tests are not treated as "medical exams" under the Americans with Disabilities Act.
- Invite voluntary self-identification of disability for affirmative action purposes, but only under specific conditions (voluntary, confidential, separate from the application, etc.).
After a conditional job offer: Once an offer has been made, an employer may require a medical exam only if the same exam is required of all entering employees in the same job category.
During employment: Health inquiries or exams are typically permitted only when job-related and consistent with business necessity (for example, a safety-sensitive role or objective evidence that a medical condition may affect job performance).
Confidentiality requirement (when the employer has medical information): When an employer lawfully obtains employee medical information (e.g., through an exam, accommodation process, or leave paperwork), it generally must be treated as confidential, kept in separate medical files, and shared internally only on a need-to-know basis.
What to do:
- You may want to keep health details out of early conversations. Before an offer, consider answering only about your ability to do the job (e.g., "Yes, I can perform the essential functions with/without reasonable accommodation"). Consider not volunteering diagnoses, medications, or workers' compensation history.
- If you need an accommodation, consider sharing the minimum necessary. If you decide to request the accommodation, consider keeping documentation narrowly focused on functional limitations and what you need, not your full medical history.
- For physical or fitness tests, consider asking for a "fit to test" note only. If the employer wants medical clearance, consider asking that your clinician provide only whether you can safely perform the described test—nothing more.
- After a conditional offer, consider confirming consistency. If you're asked to take an exam or answer health questions, consider asking whether every applicant in the same job category must do the same exam.
- During employment, consider asking "What is the job-related reason?" If an employer requests an exam or medical inquiry, consider asking (in writing if possible) what objective, job-related basis and business necessity supports it.
- Protect confidentiality. If you provide any medical information, consider asking your employer's Human Resources to confirm it will be kept in a separate confidential medical file and shared only on a need-to-know basis.
- Document everything. Save emails, forms, and notes of conversations; if something feels improper, consider requesting the question/exam request in writing and keep copies.
Your Right to Control Medical Record Releases to Your Employer
Employers may ask you to sign a written authorization allowing release of medical records—for example, for:
- leave or accommodation documentation
- fitness-for-duty evaluations
- workers' compensation processes
- insurance-related administration
A few practical realities:
- You can often refuse, but refusal may affect the benefit or process you're seeking (depending on the context).
- Employers typically can't obtain records directly from your clinician without your permission unless another legal process applies.
- Your health care provider generally needs a valid authorization (or another legal basis) to release records.
What to do: Review the scope of any authorization you're asked to sign—these forms are sometimes overly broad. Consider requesting that it be limited to specific dates, specific information, and specific recipients. If you have an incident to report, please let us know.
Your right to keep genetic information out of employment decisions
The Genetic Information Nondiscrimination Act prohibits employers from using genetic information in hiring, firing, job assignments, or promotions, and generally bars them from requesting, requiring, or purchasing your genetic information. There are a few narrow exceptions, including:
- Inadvertent acquisition ("oops" exception): The employer obtains genetic information unintentionally—for example, in casual conversation, by overhearing it, through an unsolicited email, or through a lawful medical-document request that included a "do not provide genetic information" warning.
- Family and medical leave documentation: The employer may receive family medical history or genetic information as part of documentation for leave (including leave to care for a family member) under the Family and Medical Leave Act or similar state or local programs.
- Voluntary wellness or genetic services: An employer may offer voluntary wellness or genetic services and collect genetic information only under strict conditions—participation must be voluntary, you must give prior written authorization, decisionmakers cannot receive individual results, and the employer may receive only aggregate or non-identifying information.
- Publicly available information: The employer may acquire genetic information from broadly public sources (such as newspapers, books, or public websites), but not from restricted medical or research databases—and not by searching with the intent to find your specific genetic information.
- Genetic monitoring for workplace toxin exposure: Genetic monitoring may be permitted to assess the effects of toxic substances in the workplace, with required notice, individual results provided to the employee, and (when not required by law) written authorization; any information shared back to the employer must be aggregate or non-identifying.
- Forensic lab quality control or human remains identification: Certain forensic DNA laboratories may conduct limited DNA analysis of employees solely for quality control (e.g., contamination detection) or identification purposes, and must handle the information consistently with those limited uses.
What to do:
- Don't volunteer genetic or family medical history at work unless you consider it necessary.
- If your employer requests medical documentation, consider asking them to include (and follow) a "do not provide genetic information" instruction, and consider providing only the minimum needed for the purpose (leave, accommodation, fitness-for-duty, etc.).
- Treat wellness and genetic programs with extra caution: consider participating only if they're clearly voluntary, you're asked for written authorization, and the employer will receive only aggregate/non-identifying results.
- Keep copies of any forms you sign and any communications where genetic information is requested or disclosed.
- If you believe genetic information was requested improperly or used against you, document what happened and consider filing a charge with the EEOC (and report the incident to us, if you'd like).
Your patient privacy rights in workplace wellness programs
Workplace wellness programs can fall under very different privacy rules depending on how they're set up.
Wellness programs that operate through your employer's group health plan are typically covered by HIPAA (the Health Insurance Portability and Accountability Act). HIPAA sets national standards for how your healthcare providers, health plans, and their business associates can hold and share your personal health information. If a wellness program is provided through your health plan or healthcare provider, then your employer generally should not receive your identifiable health information. However, if the employer is acting as the plan sponsor or administrator and needs limited access to run parts of the plan, HIPAA may permit it—but usually only after plan documents are amended, safeguards (such as separation or "firewalls") restrict who can see the information, and the information is prohibited from being used for employment decisions. Even then, employers more commonly receive summary or aggregate reports rather than individual-level data. These reports can still carry risk: in small groups, or when conditions, diagnoses, or procedures are uncommon, "aggregate" results may effectively identify individuals, and errors or misuse can occur.
If a wellness program is offered directly by the employer or through a consumer app or vendor outside the group health plan, the information is not protected by HIPAA. In that case, whether your data is shared with your employer depends on the vendor's contract and the program's privacy policy and terms of service.
Genetic information has additional protections. Under the Genetic Information Nondiscrimination Act, an employer may collect genetic information through a wellness or genetic service only under strict conditions: participation must be voluntary, you must provide prior written authorization, individual results generally may not go to decisionmakers, and the employer may receive only aggregate or non-identifying information.
What to do: Consider asking the following questions:
- Is the wellness program through your group health plan or run directly by your employer or an outside vendor hired by your employer?
- Will the employer receive individual-level data or only aggregate or summarized data?
- Can you participate without sharing medical details, or use a reasonable alternative?
Your privacy risks from "aggregate" employer health reporting
Because employers typically help fund employee health plans and choose which plans are offered, they commonly receive summary or aggregate reports rather than individual-level, identifiable data. This still carries risk: "aggregate" reports can effectively reveal identities in small groups, especially for rare conditions or for diagnoses and procedures that are unusual among the employer's workforce, and errors or misuse can occur.
What to do:
- Consider asking (in writing, if possible) what reports your employer receives from the health plan or wellness vendor and how small the reporting "groups" can be.
- Consider requesting that reports use minimum group-size thresholds and avoid breakouts by small departments, locations, roles, or rare-condition categories that could make individuals identifiable.
- If you participate in a wellness program, consider asking whether the employer receives only aggregated results, who can access them, and what safeguards prevent re-identification or misuse.
- Keep copies of program notices, authorizations, and any privacy policies or terms you're shown.
- If you believe an "aggregate" report revealed your (or a coworker's) health information, document what happened (emails, screenshots, dates, who saw what) and consider raising the concern with your employer's Human Resources and the vendor, and consider filing a complaint through the appropriate channel (e.g., the plan's privacy office or your state regulator, depending on the source).
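The small-group re-identification risk described above, and the minimum group-size mitigation, worked through in code. This is an added example, not part of the original page: it builds a constructed aggregate report from (department, condition) records and applies a cell-suppression rule; the department names, conditions, and the threshold of 5 are all assumptions, not values from any law or program.

```python
from collections import Counter, defaultdict

MIN_GROUP = 5  # assumed minimum reporting group size (a policy choice, not a legal value)

# Constructed participant records (department, condition). No names are needed to
# show the problem: a count of 1 in a three-person department points at one person.
RECORDS = (
    [("Engineering", "hypertension")] * 3
    + [("Engineering", "diabetes")] * 5
    + [("Engineering", "none")] * 6
    + [("Legal", "none")] * 2
    + [("Legal", "rare_condition")]
)

def aggregate(records):
    """Naive 'aggregate' report: participants per (department, condition) cell."""
    return dict(Counter(records))

def identifying_cells(report, min_group=MIN_GROUP):
    """Cells below the threshold: these are the ones that effectively name people."""
    return {cell: n for cell, n in report.items() if n < min_group}

def suppress(report, min_group=MIN_GROUP):
    """Apply a minimum-group-size rule before a report leaves the plan/vendor.
    1. Suppress any cell with fewer than min_group participants.
    2. Suppress a whole department whose total is below min_group (row totals
       are usually published alongside the cells).
    3. If exactly one cell in a department is hidden, the published total minus
       the visible cells would reveal it, so also hide the smallest visible cell
       (complementary suppression)."""
    totals = defaultdict(int)
    for (dept, _), n in report.items():
        totals[dept] += n
    out = {}
    for (dept, cond), n in report.items():
        hide = n < min_group or totals[dept] < min_group
        out[(dept, cond)] = None if hide else n
    by_dept = defaultdict(list)
    for (dept, cond), n in out.items():
        by_dept[dept].append((cond, n))
    for dept, cells in by_dept.items():
        hidden = [c for c, n in cells if n is None]
        visible = [(n, c) for c, n in cells if n is not None]
        if len(hidden) == 1 and visible:
            _, smallest = min(visible)
            out[(dept, smallest)] = None  # complementary suppression
    return out
```

Running `suppress(aggregate(RECORDS))` hides every Legal cell (only three participants) and, in Engineering, hides both the hypertension count of 3 and the diabetes count of 5 so the published total cannot be used to back out the hidden cell.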
Know Which "Hat" Your Employer Is Wearing
The Health Insurance Portability and Accountability Act (HIPAA) is a key safeguard for your health information when it is held or shared by health care providers, health plans, and their contractors. But HIPAA does not regulate your employer's employment records or what your employer collects and keeps in its role as an employer. (If your employer is also a health provider or runs a health plan, different rules can apply depending on which "hat" they're wearing in a given situation.)
What to do: When health information comes up at work, first ask which "hat" the organization is wearing—your employer, your health plan, or a health care provider—because different rules apply. Consider sharing only what's necessary for the workplace purpose (such as leave or an accommodation), and consider keeping details as high-level as you can. Be cautious about signing medical authorizations: consider avoiding blanket releases when a narrower, time-limited authorization will do and is available. Consider requesting that any medical documentation be kept in a separate, confidential medical file with access limited to need-to-know personnel. If you believe your information was improperly requested, disclosed, or used, document everything (emails, forms, dates, names, and screenshots) and consider reporting it through your employer's Human Resources and, when relevant, to the appropriate enforcement agency (for example, the U.S. Equal Employment Opportunity Commission for disability-related concerns). If you have an incident to report, please let us know.
Taken together, these rules are meant to help you share only what's necessary at work—while reducing the chance that sensitive health or genetic information is used to limit your employment opportunities.
Gaps remain, and vigilance matters: even small disclosures can lead to serious personal consequences. To stay informed as rules and practices evolve and incidents occur, join our mailing list. And if you experience a concerning situation tied to your health information, please report the incident so we can track patterns and strengthen public accountability. Donate, as you are able, to support this work.
Note: The content above is general information for the public and is not legal advice for any specific situation. Rights and processes relevant to a particular situation can vary based on circumstances and additional state or federal laws.
This document was created and is maintained by PPR President Dr. Latanya Sweeney. Please share your feedback and let Dr. Sweeney know about the ways you've used it, and if you have any suggestions.