Privacy Issues in the Community College Workplace

1. R EQUIREMENTS R EGARDING E MPLOYEE M EDICAL F ILE California law requires an employer, including a public employer, who receives medical information to establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information. 218 This includes any information regarding an individual’s mental condition. 219 The procedures must include, but need not be limited to, instructing employees and agents on properly handling files containing medical information to protect the confidentiality of the information. 220 The Americans with Disabilities Act (ADA), 221 also requires that information obtained regarding the medical condition or history of an employment applicant be kept confidential with few exceptions. The ADA further requires that information from medical examinations or inquiries be placed in a separate file and not placed in an employee’s general personnel file. 222

2. C ONFIDENTIALITY OF M EDICAL I NFORMATION A CT

a. What Is “Medical Information” for Purposes of the CMIA? The CMIA defines medical information as:

“any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” 223 Medical information is “individually identifiable” if it “includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number or social security number, or other information that,

alone or in combination with other publicly available information, reveals the individual's identity.” 224

b. Requirements of Valid Authorization A health care provider cannot release information to an employer (or anyone else for that matter) unless the patient’s written authorization:

 Identifies the person authorized to release the information;

 Identifies the person authorized to receive the information;

 Identifies any limitations on the types of information to be disclosed and the purposes for which the information can be used;  States a specific date after which the health care provider is no longer authorized to disclose the information;

Privacy Issues in the Community College Workplace ©2021 (c) Liebert Cassidy Whitmore 69