How Much to Disclose?
Question: We just completed an internal investigation into allegations of discrimination and found the evidence did not substantiate a finding of discrimination. However, we learned through the investigation that the manager was going through serious personal problems at home and that this negatively affected his interactions at work with some of his subordinates -- including this employee -- thereby leading this employee to complain about what he incorrectly thought was discrimination. We are now working with the manager to get him emotional and management counseling. We informed the employee who complained that we did not find evidence of discrimination but we have not told him anything about the personal problems that the manager has or the counseling that the manager is now receiving because we want to maintain the manager's privacy. However, the employee has been continuously asking for more information about who was interviewed, what was asked, what was said, what was found if not discrimination -- the whole nine yards. Are we required by law to tell him this information? If not, is there a best practice for how much information HR should share about an investigation and its results with the complaining employee?
Answer: No, you are not required by law to disclose personal employee-health information in these circumstances, and there are some best practices for how much information HR should share with a complaining employee about an investigation.
Before disclosing a manager's mental and emotional counseling, an employer should be aware of various statutes that govern the dissemination of personal employee health information. To the extent that the manager is receiving counseling from a healthcare provider, various laws may limit the amount of information the employer can reveal to another employee.
The Health Insurance Portability and Accountability Act
The HIPAA Privacy Rule outlines and restricts the ability of "covered entities" (healthcare providers, health plans, and health care clearinghouses) to disclose protected health information. 45 CFR §§ 160 and 164. Employers considered covered entities under HIPAA must not disclose PHI if an employee is also a patient of the employer or a member of the employer's health plan. Employers who have an in-house EAP and are not otherwise subject to HIPAA restrictions may nonetheless be considered covered entities under the Act due to in-house clinical operations. That a manager is receiving mental or emotional counseling in an EAP program may count as PHI.
The HIPAA Privacy Rule also applies to "business associates" defined under HIPAA as companies that maintain, create, receive or transmit PHI while performing certain services for healthcare providers. Employers that are business associates are not necessarily healthcare providers but are directly subject to HIPAA due to legislation passed as part of the American Reinvestment and Recovery Act in 2009. 42 U.S.C. §§ 17921, 17931-33. Thus, if an employer is a business associate, it should avoid dissemination of employee PHI at the conclusion of an internal investigation.
Employers should also be aware of state laws which may limit or prohibit disclosure of PHI in a similar manner that HIPAA limits covered entities and business associates. For example, Virginia state law limits an employer's re-disclosure of patient health information in its possession: "No person to whom health records are disclosed shall re-disclose or otherwise reveal the health records of an individual, beyond the purpose for which such disclosure was made, without first obtaining the individual's specific authorization to such re-disclosure." Va. Code §32.1-127.1:03. Likewise, California law prohibits employers from using, disclosing or knowingly permitting its employees or agents to use or disclose medical information which the employer possesses pertaining to its employees without signed authorization from the employee. Cal. Civ. Code § 56.20(c).
The Americans with Disabilities Act
If the manager's emotional issues rise to the level of a disability (e.g. bipolar disorder), the employer should be aware of their privacy obligation under the ADA. The ADA specifically prohibits the disclosure of medical information. As a general rule, with limited exceptions, employers may not disclose such medical records of employees and applicants to third parties. Id. Additionally, information does not have to include medical diagnoses or treatment details to be considered confidential, and a healthcare provider does not have to create it. For example, the ADA's confidentiality requirements cover an employee's request for a reasonable accommodation. EEOC Enforcement Guidance on Reasonable Accommodation and Undue Hardship Under the Americans with Disabilities Act, ADA Division, Office of Legal Counsel (2002).
The limited exceptions to the ADA confidentiality requirements are: (1) supervisors and managers may be informed about necessary restrictions on the work or duties of the employee and about necessary accommodations; (2) first aid and safety personnel may be informed if the disability might require emergency treatment; and (3) government officials investigating compliance with the ADA must be given relevant information on request. 42 U.S.C. § 12112(d)(3)(B). Furthermore, the Equal Employment Opportunity Commission, the regulatory body charged with enforcing the ADA, has interpreted the ADA to allow employers to disclose medical information in the following circumstances: (1) in accordance with state workers' compensation laws, employers may disclose information to state workers' compensation offices, state second injury funds, or workers' compensation insurance carriers; and (2) employers are permitted to use medical information for insurance purposes. EEOC Enforcement Guidance on Reasonable Accommodation and Undue Hardship Under the Americans with Disabilities Act, ADA Division, Office of Legal Counsel (2002).
It is important however to note that providing medical-related information to an employee complaining of discrimination will likely not fall within any of the above exceptions.
In light of the foregoing, there are a few "best practices" to follow when conducting an internal fact investigation and deciding how much information to disclose to a complaining employee. An employer should complete an investigation as quickly as practicable, communicate conclusions reached to only those who have a strict need to know, and keep all documents generated in the investigation in a secured location.
Employers should separately and verbally inform the complaining employee and the accused of the outcome of the investigation – limiting discussion to whether the facts alleged by the complaining employee were or were not substantiated by the investigation. If the facts are substantiated such that they constitute a violation of the employer's policy (including the employer's EEOC policy), the employer should determine the appropriate course of disciplinary action and advise the complaining employee that appropriate disciplinary action has been taken/will be taken. However, depending on the circumstances of the violation, the professional relationships of the individuals involved, and any sensitivities related to the specific case, if the disciplinary action is anything less than termination, it is generally recommended that the employer endeavor to avoid, if possible, getting into the specifics of what disciplinary action is/will be taken. Nonetheless, the decision of whether to disclose to the complaining employee the specifics of what disciplinary action will be taken should always be assessed on a case by case basis.
Keisha-Ann G. Gray is a partner in Proskauer's labor and employment department, resident in the firm's New York office. Proskauer Associate Ebony Ray, resident in Proskauer's New York office, assisted with this article.