Managing Confidential or Sensitive Records
This guidance is intended to provide advice on managing records which contain information that requires safeguarding or additional controls pursuant to and consistent with applicable law, regulations, or government-wide policies. Public officials should be familiar with the various laws, regulations and policies that require special protections for certain records, particularly state laws including the Personal Privacy Protection Law, the Public Health Law and the Mental Hygiene Law and applicable Federal statutes or regulations.
- Identify and label confidential files
- Store confidential information in a secure environment
- Securely and completely destroy unnecessary confidential information
- Develop and distribute policy and procedures for dealing with confidential information
Employee Medical Records
- Records retention requirements differ for employee medical records and personnel records, and filing the two types of records separately facilitates disposition of the records. For example, the General Retention and Disposition Schedule for New York State Government Records authorizes destruction of employee personnel records 6 years after the employee separates from the agency, whereas employee hazardous substance exposure records, which usually contain medical information, must be retained for 30 years after exposure under federal Occupational Safety and Health Administration (OSHA) regulations. Local government retention items make a similar distinction between the retention periods for personnel records and employee medical records.
- It is important to limit access to employee medical records to a small number of human resources staff, and physical separation of medical and personnel records allows you to do this. Although most staff in an HR department have access to personnel files, only one HR staffer should have access to employee medical information. Limiting access to employees' medical records helps ensure privacy and assures that personal medical information won't get into the hands of staff who don't have a need to know.
- There are federal laws that require that employee medical records be filed separately. Here is a listing of those laws:
The Americans With Disabilities Act (ADA) imposes very strict rules for handling information obtained through post-offer medical examinations and inquiries. Employers who are covered by the ADA must keep these medical records confidential and separate from other personnel records. This information may be revealed only to safety and first aid workers, if necessary, to treat the employee or provide for evacuation procedures; to the employee's supervisor, if the employee's disability requires restricted duties or a reasonable accommodation; to government officials as required by law; and to insurance companies that require a medical exam [see ADA Sect. 12112 (d)(3)].
The Health Insurance Portability and Accountability Act (HIPAA) also imposes privacy obligations on many employers who provide group health plans. Under HIPAA, employers are required to protect the privacy of employees' personal health-related information by designating an in-house privacy official, adopting policies and procedures to keep this information private, and notifying employees of their privacy rights, among other things.
The Genetic Information Nondiscrimination Act (GINA) also requires employers to keep employee medical records confidential. GINA prohibits employers from requesting or requiring that employees provide genetic information. If, however, the employer receives such information inadvertently or pursuant to one of the strict exceptions to the law, the employer must keep it in separate, confidential files [see GINA Sect. 206].
The Family and Medical Leave Act (FMLA) also stipulates that covered employers must maintain “records and documents relating to certifications, re-certifications or medical histories of employees or employees' family members, created for purposes of FMLA, …as confidential medical records in separate files/records from the usual personnel files” [see FMLA Sect. 825.500(g)].