Privacy issues have become increasingly controversial with the advent of the information age. Although personal medical information has been treated as confidential since before the time of Hippocrates, powerful techniques to collect, store, and analyze this information have created new ethical and legal dilemmas. Social, legal, and cultural trends have changed the traditional relationship between workers and their employers. Employers’ access to highly personal information has increased while legislatures and courts have simultaneously expanded the privacy rights of individual employees. The result has been an explosive increase in privacy litigation. Privacy has been called the “workplace issue of the nineties.” Occupational physicians, like all physicians, rely on the individual to completely and truthfully disclose private information before rendering a professional opinion. Workers must feel that their private disclosures will be treated in a dignified and confidential manner to foster this disclosure of intimate information. Because a physician must first of all, do no harm, information received in confidence should be disclosed only when it is in the best interests of the individual or society.

Employers may require access to personal information when considering requests for job accommodation, addressing threats to health or safety, or reviewing claims for workers’ compensation benefits. Additionally, employers shoulder an increasing responsibility for providing other types of benefits and obligations such as health and disability insurance, family medical leave, and employee assistance programs. As a result, the employer becomes inextricably and unavoidably involved in employees’ personal and medical affairs. Thus, competing interests between the worker’s desire for privacy and the employer’s legitimate interest in the health of workers create sensitive ethical and legal dilemmas for physicians in occupational medicine. The law governing the confidentiality of employee medical information is complex; it depends on the relationship between the parties and varies by jurisdiction. Difficult ethical problems arise when attempting to balance the importance of the worker’s need to keep information confidential versus the employer’s need to know. Balancing these needs requires that careful consideration be given to issues of paternalism, autonomy, dignity, and consent.

Occupational physicians acknowledged the importance of medical confidentiality with publication of the College’s first code of ethics in 1976. Recently, the Code of Ethical Conduct was revised to reflect changes in the character of the modern workplace. The revised Code states that physicians should:

• Keep confidential all individual medical information, releasing such information only when required by law or overriding public health considerations, or to other physicians according to accepted medical practice, or to others at the request of the individual; and

• Recognize that employers may be entitled to counsel about an individual’s medical work fitness, but not to diagnoses or specific details, except in compliance with laws and regulations.

The American College of Occupational and Environmental Medicine recognizes its Code of Ethical Conduct to be the standard of conduct expected from those providing occupational medical services. The ACOEM Committee on Ethical Practice in Occupational Medicine believes that additional guidance on the issue of confidentiality will be helpful. Because occupational physicians work in a wide variety of practice situations and must respect the laws and customs of many countries, only general guidelines can be offered. Ethical issues should be addressed within the physician’s reason and experience in light of the Code of Ethical Conduct. Since exceptions for disclosure exist in compliance with laws and regulations, physicians have an ethical duty to become familiar with these requirements in their locale.

In addition to the points of the Code of Ethical Conduct, the committee suggests that:

1. Physicians should disclose their professional opinion to both the employer and the worker when the worker has undergone a medical assessment for fitness to perform a specific job; however, they should not give the employer specific details or diagnoses unless the worker has so requested, except as described below.
2. Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and recommended accommodations; first aid and safety personnel may be informed, when appropriate, if a condition might require emergency treatment; government officials investigating compliance with the Americans with Disabilities Act should be provided relevant information on request.
3. Physicians should make all reasonable efforts to obtain consent before any disclosure of an individual’s medical record. If disclosure is legally compelled or consent is not legally required, the individual should be notified of the impending disclosure unless such notification is impossible or there are overriding patient or public health concerns.
4. Physicians should recognize a consent for disclosure only if the consent is informed and has been made without duress. The consent should specify the nature of the information to be released, the purpose for its release, the person to whom it may be release, and the time period for which the consent remains effective. The consent must be signed by the worker, his legal guardian, or his personal representative if the employee is deceased.
5. Physicians should recognize the special confidential status of HIV and drug and alcohol treatment information. They should be aware that a general consent for disclosure of medical records will often be insufficient in these situations and that specific written consent for release of this information must be obtained. This information should only be disclosed in compliance with US federal and state law.
6. Physicians should be a source of professional, unbiased, and expert opinion in the workers’ compensation or court systems, and should only disclose medical information that is relevant and necessary to the claim or suit.
7. Physicians should develop a written policy for the treatment of medical records in their offices, clinics, or workplaces. The policy should address such issues as where and how the records are stored; the security of medical records including computer databases; what happens in the event of employee resignation, layoff, termination, job transfer, or plant closure; and the mechanisms of employee access and consent for disclosure.
8. Physicians should make reasonable efforts to ensure that those under their supervision act with due care regarding the confidentiality of medical records, and act to educate fellow health care providers regarding the confidentiality of medical information. Physicians should encourage the confidential treatment of medical information in their organization by colleagues in other departments such as personnel or benefits who may have access to such data.
9. Physicians should notify workers of their right to obtain access to their medical records and to request correction of any inaccuracies therein.
10. Physicians should exercise caution whenever presented with a request or subpoena for medical records that does not include a written authorization for release by the worker, or when the records requested contain information about HIV status or drug and alcohol treatment. It may be appropriate to seek legal advice in these situations.
11. Physicians should withdraw or decline services when faced with an unresolvable ethical conflict by a client or employer. In many instances, the medical record will be the property of a corporation. This ownership does not abrogate any of these principles. Each corporation which owns medical records should designate a custodian of the records. Access by corporate officials, e.g., employee relations, in-house legal departments, and other functions, should proceed via the same process as requests by those outside the corporation, through the custodian.

ACOEM supports the findings of the National Conference of Commissioners on Uniform State Laws that:

1. Health care information is personal and sensitive information that if improperly used or released may do significant harm to a patient’s interests in privacy, health care, or other interests.
2. Patients need access to their own health care information as a matter of fairness to enable them to make informed decisions about their health care and correct inaccurate or incomplete information about themselves.
3. In order to retain the full trust and confidence of patients, health care providers have an interest in assuring that health care information is not improperly disclosed and in having clear and certain rules for the disclosure of health care information.
4. Persons other than health care providers obtain, use, and disclose health record information in many different contexts and for many different purposes. It is the public policy of the College that a patient’s interest in the proper use and disclosure of the patient’s health care information survives even when the information is held by persons other than health care providers.
5. The movement of patients and their health care information across state lines, access to and exchange of health care information from automated databanks, and the emergence of multi-state health care providers creates a compelling need for uniform law, rules, and procedures governing the use and disclosure of health care information.

The American College of Occupational and Environmental Medicine supports the development of uniform comprehensive legislation addressing the confidentiality of medical records. The College feels that such legislation should include provisions that encompass the treatment of employee medical information in the workplace.