
3 FMLA Confidentiality Rules That Employers Need to Know

Employees can request a leave of absence for a wide range of reasons: to welcome a new child into the family, to care for an ill or injured family member, or to obtain medical treatment. An employee going on parental leave may have already told everyone in the office about it. But an employee taking medical leave under the Family and Medical Leave Act (FMLA) may want to keep the details of their condition to themselves.

As an employer, it's your responsibility to follow FMLA confidentiality requirements and only share information on a need-to-know basis. Here’s what you need to know about FMLA confidentiality rules and how you can protect employees’ right to privacy.

What Is FMLA?

The Family and Medical Leave Act (FMLA) entitles eligible employees to up to 12 weeks of unpaid, job-protected leave in any 12-month period for certain qualifying reasons. According to the U.S. Department of Labor (DOL), these include:

  • The birth, adoption, or fostering of a child
  • Caring for a spouse, child, or parent with a serious health condition
  • Treatment for, or recovery from, the employee’s own serious health condition
  • A qualifying exigency related to military service

To be eligible, an employee must meet three criteria:

  • Work for a covered employer (a public agency, a public or private elementary or secondary school, or a private-sector employer with at least 50 employees) at a worksite where the employer has at least 50 employees within 75 miles
  • Have worked for that employer for at least 12 months, which need not be consecutive
  • Have worked at least 1,250 hours in the 12 months immediately before the leave begins

FMLA regulations allow employers to request a medical certification to confirm that the employee’s (or family member’s) condition qualifies for FMLA leave. Both the request itself and what the employer does with the information it receives are governed by FMLA confidentiality rules and, where the employer requires a fitness-for-duty certification, by its return-to-work rules.

Who Can Access Employee Medical Records?

There’s nothing stopping an employee from discussing their condition with co-workers, but that doesn’t mean you can disclose this information to anyone who asks. Outside of your HR department, there are only three groups of people who should have access to the information in an employee’s medical file. These are:

  • The employee’s supervisor or manager can have access to limited information about the employee’s medical condition and work restrictions.
  • Government officials can access FMLA records in order to perform an audit and ensure conformance with federal and state laws.
  • Safety personnel may need to be informed about the employee’s underlying condition in order to provide first aid or emergency treatment.

Mishandling confidential information under FMLA can have serious repercussions. The employee may experience abuse or harassment about their medical condition, and the employer may face legal action for violating their obligations under FMLA. Employers who inadvertently reveal confidential medical records should seek legal advice.

What Are the FMLA Confidentiality Rules for Employers?


When an employee requests a leave of absence for medical reasons, it’s important for your human resources team to follow the right procedures to protect the employee’s FMLA rights. Although precisely who can access the employee’s medical information will vary on a case-by-case basis, there are three key guidelines to keep in mind:

Only Collect Necessary Information

The Family and Medical Leave Act entitles employers to request a certification of the employee’s health condition from their health care provider. They can also request a recertification for an ongoing condition, but generally no more often than every 30 days and only in connection with an absence, unless the employee’s circumstances change significantly or the employer receives information that casts doubt on the original certification.

However, FMLA doesn’t give employers the right to request an employee’s complete medical history or details of their medical treatment. The request should only cover what's necessary to verify the condition and protect against FMLA abuse.

For example, if an employee requires time off for surgery, the employer can inquire about the expected recovery period, but not about prior surgeries they’ve had.

Store Data Separately and Securely

After receiving an employee’s medical certification, it’s important to store it securely and keep it separate from other documents. FMLA regulations require medical records to be kept as confidential medical records in files separate from the employee’s general personnel file, with access limited to the people who administer the leave. Filing them in the personnel file is a violation of the FMLA and can result in legal repercussions.

In addition to FMLA confidentiality rules, the underlying information may be protected under the Health Insurance Portability and Accountability Act (HIPAA), which dictates how health care providers and health plans may release a patient’s protected health information (PHI). In practice, HIPAA mostly governs what the provider may tell you and when it needs the employee’s authorization to do so; the FMLA’s own confidentiality rules still apply to the copy you hold.

Always use the DOL’s official FMLA forms to ensure that your requests for information comply with FMLA confidentiality rules.

Share Data on a Need-to-Know Basis

Information about the employee’s condition should only be shared on a need-to-know basis. This means that their private medical information shouldn’t be passed along to their supervisor or other team members without a legitimate reason for it.

If an employee is on an extended leave of absence, then their supervisor should be kept in the loop about their expected return date. If an employee is on intermittent leave, then their supervisor might need to know how often the employee needs to leave work early to attend a medical appointment — but not what the appointment is for.

When the employee begins the return to work process, the supervisor can be told about any necessary restrictions or reasonable accommodations they’ll need to perform the essential functions of their job. Still, this should be limited to the relevant information and shouldn’t go into detail about their medical condition. 

FMLA Confidentiality Rules in Practice

FMLA confidentiality rules don’t exist in isolation, and need to be considered alongside other employment laws, such as the Americans with Disabilities Act (ADA). There may be additional considerations around what information can be collected and shared if your employee’s FMLA leave request overlaps with any of these federal laws.

The Americans with Disabilities Act (ADA)

FMLA provides employees with short-term leave related to a medical condition, while the ADA covers reasonable accommodations due to an ongoing disability. Both laws have very similar confidentiality requirements, and stipulate that confidential health information be disclosed only on a limited, as-needed basis.

Let’s say that an employee requests medical leave under FMLA, and qualifies for an accommodation when they return under the ADA. In both cases, their supervisor only needs to be informed about the details of their accommodation or work restriction — such as no heavy lifting — and not the underlying medical condition.

Health Insurance Portability and Accountability Act (HIPAA)

Employers should be familiar with HIPAA regulations when requesting personal medical information. As the National Law Review notes, a health care provider may release information about the employee only with the employee’s written authorization, and under the FMLA regulations an employer may contact the provider only to authenticate a certification or clarify what it says. If the employee declines to authorize that contact and does not otherwise cure a deficient certification within the seven calendar days the employer must allow, the employer may deny the leave.

Any communication with a medical professional should go through the HR team or a leave administrator, not the employee’s supervisor.

Genetic Information Nondiscrimination Act (GINA)

The Genetic Information Nondiscrimination Act (GINA) is a federal law that restricts the ways in which employers can request genetic information from an employee or inquire about their family medical history.

To comply with GINA, employers should include a notice in every request for medical information telling the provider not to supply genetic information, including family medical history. This is GINA’s safe-harbor provision: if the provider sends genetic information anyway, the disclosure is treated as inadvertent and the employer is not penalized for receiving it.

GINA also makes an exception for leave taken to care for a family member: because certifying that family member’s serious health condition necessarily involves the employee’s family medical history, an employer may request it in order to comply with the FMLA’s certification requirements.

Ensure FMLA Confidentiality With Pulpstream


The Family and Medical Leave Act provides up to 12 weeks of job-protected leave for eligible employees who need to take time off for medical treatment or another qualifying situation. Employers can verify the need for leave by requesting a medical certification, but must collect only what is necessary, store it securely, and share it only on a need-to-know basis in accordance with FMLA confidentiality rules.

Pulpstream helps employers comply with FMLA requirements with our no-code leave management system. Store documents securely in the cloud, and allow employees to upload their own medical certifications from a convenient self-service portal.

You can even create a rule engine to automatically assess FMLA leave requests, all without having to learn how to code. Request a demo today to see it in action!