Verifying Disabilities without Violating Privacy

It’s often necessary to get personal information about your employees’ medical condition, e.g., to determine their eligibility for benefits or ability to perform job tasks when returning from injury. But personal privacy laws restrict the employer’s right to use, collect and disclose private health information about their employees. Here’s what HR directors need to know to reconcile these seemingly contradictory legal obligations.

WHAT THE LAW REQUIRES

Employees have privacy rights vis-à-vis their employers via:

  • Personal privacy laws like PIPEDA (the Personal Information Protection and Electronic Documents Act, which applies to employees of federally regulated companies) or provincial equivalents in Alberta, BC and Québec;
  • Their individual or collective employment contract; and/or
  • Common law, i.e., case law made by judges in court cases.

But employee privacy is subject to limitations. For one thing, employers are allowed to collect employees’ personal information as long as they:

  1. Request the information so they can perform a legitimate business or employment-related function; AND
  2. Request only the amount and type of information they need to perform that function.

Of course, knowing the rules is one thing. Here’s what you need to know to be able to apply them to the real-life situations you face when collecting personal medical information from your own employees.

1. What’s a Legitimate Employment Function?

It’s not illegal to ask an employee for personal health information if you need it to carry out a legitimate business or employment function. But what’s a legitimate business function? According to Privacy Commission rulings, it includes:

Verifying employee eligibility for sick leave. You can’t force employees to “consent” to the collection, use or disclosure of their personal information. Consent must be voluntary. But the federal Privacy Commission found that a telecommunications employer could require an employee on extended sick leave to consent to his doctor’s release of medical information to the employer. The Commission said this was a “legitimate and appropriate purpose” because the employer needed information about the employee’s illness to verify his eligibility for leave [PIPEDA Case Summary No. 118].

Determining how to accommodate a disabled employee. Employers might need health information about a disabled employee so they can decide what kind of accommodation to make under human rights laws. The federal Privacy Commission has indicated that verifying the need for accommodations and the kinds of accommodations necessary is a legitimate purpose for collecting, using and disclosing employee medical information [PIPEDA Case Summary No. 284].

Determining an employee’s fitness to work. Employers might need reports from physicians or results of medical exams showing whether injured employees are physically or mentally capable of performing job functions so they can evaluate whether the employee can return to work. This, too, is a legitimate function. For example, the Commission ruled that it was appropriate for a trucking company to ask a doctor about an injured employee’s medical condition, restrictions related to his job function and expected date of return to work [PIPEDA Case Summary No. 135; see also PIPEDA Case Summary No. 287].

Verifying eligibility for disability benefits. Employers may collect, use or disclose personal health information to verify if an injured employee is eligible for long- or short-term disability benefits, the Privacy Commission has ruled [PIPEDA Case Summary No. 233].

Filing a workers’ compensation claim. It was okay for an employer to include medical information about an injured employee in a claim filed with the Workers’ Compensation Board (WCB). Disclosing the information to the WCB without the employee’s consent wasn’t just appropriate but required by provincial workers’ compensation law, the Commission noted [PIPEDA Case Summary No. 191].

2. Is the Type and Amount of Information the Minimum Necessary?

Employers may ask for only the amount and type of information they need to carry out the legitimate business or employment function. For example, if an employee calls in sick, you can ask her for a doctor’s note to verify that she was really ill. But asking for a diagnosis would be problematic because it would exceed the scope of the information to which you’re entitled. Making her take a physical exam or submit a complete medical history because of one day’s illness would also be inappropriate because it’s more information than you need.

In the real world, the cases are usually much more subtle than these examples. There have been at least half a dozen cases where employees claimed that the employer was asking for more medical information than it needed to carry out a legitimate employment function.

Employer Loses: An employer’s policy required employees on sick leave to get a doctor’s certificate that lists a medical diagnosis. An employee complained that the policy violated her privacy. The employer, a transportation company, claimed that it needed a diagnosis because its drivers often work alone, put in long hours and need physical strength, agility and alertness to do their jobs. It was a fair point. The problem was that the employee in this case wasn’t a driver but an office worker. Consequently, the Privacy Commission ruled that asking for a diagnosis crossed the line and violated the employee’s privacy [PIPEDA Case Summary No. 233].

However, under some circumstances, it might be okay for an employer to request a medical diagnosis from or about an employee. For instance, the case with the transportation company might have ended differently if the employee who complained had been a driver rather than an office worker.

Employer Wins: In fact, employers have been allowed to seek a medical diagnosis from an employee in cases where the issue was verification of a disability or medical condition for the purpose of determining the right to receive benefits.

For example, a telecommunications company required any employee going on sick leave (even for one day) to submit a medical certification including a diagnosis. An employee complained that the policy was unnecessary and illegal. But the Commission disagreed. The company was administering both short- and long-term disability plans for its employees. Eligibility for both plans was based on the employee’s diagnosis. So the company needed to know each employee’s diagnosis in order to run the plans [PIPEDA Case Summary No. 191].

COMPLIANCE DOs & DON’Ts

Here are some other general principles that apply when you collect personal health information from your employees:

  • Don’t contact the doctor directly to discuss an employee’s case without first getting the employee’s permission [see, for example, PIPEDA Case Summary No. 287];
  • Do refer to the terms of your collective agreement if your workforce is unionized. Many agreements include specific language saying when employers can request medical information [see, for example, York County Hospital Corp. and Service Employees’ International Union, Local 204, (1992) 25 L.A.C. (4th) 189]; and
  • Don’t stray from your usual procedures and policies for collecting information from employees, especially to the extent that you’ve described those policies and procedures in your consent form or notice of privacy practices.

Conclusion

Keep in mind that what we’ve described are general principles based on cases, not hard and fast rules set in ink. Personal privacy is one of those new areas of law, and it would be naïve to think that we can figure out all the rules on the basis of a few years’ worth of cases. Even if we had a larger sample, we couldn’t necessarily predict how one commission would decide a case in the future based on what another one did in the past, especially when you consider that there are subtle differences among the privacy laws of the various provinces.

But, while it might not be an exact science, looking at the cases and trying to extrapolate rules is a valuable exercise. Indeed, at the end of the day, it’s the only way to piece together the boundaries between an employee’s right to privacy and an employer’s right to conduct legitimate business functions.