Revised FMLA Regulations Create Privacy Challenges for Employers

Revised regulations, published on November 17, 2008, to enforce the Family and Medical Leave Act (FMLA) create a complex and detailed framework governing employees’ leave for their own, or a family member’s, serious health condition. Central to the regulatory scheme is the requirement that an employee seeking leave submit, at the employer’s request, a “complete and sufficient certification” from a health care provider. The certification must establish that the employee qualifies for FMLA leave. The regulations also permit employers to require submission of a fitness-for-duty certification before an employee returns from leave for the employee’s own serious health condition.

The certification process creates privacy challenges for employers because certification forms will reveal sensitive health information about employees and their family members. Under the revised regulations, the employer may require that the employee provide the following information in the certification: (a) a description of medical facts sufficient to support the request for leave, including, as necessary, a description of symptoms, diagnosis, hospitalization, doctors’ visits, use of medication, and referrals for further evaluation or treatment; and (b) if an employee is requesting leave for himself, facts sufficient to show that the employee cannot perform essential job functions; or (c) if an employee is requesting leave because of a family member’s condition, facts sufficient to show that the family member needs medical care and the employee’s assistance.

Given the sensitive nature of the information contained in these certifications, the revised regulations mandate privacy protections for the forms. The certifications must be maintained in a confidential medical file, separate from the general personnel file. Only employees and third-party vendors responsible for administering the leave process may access the certifications. Supervisors and managers may be advised only of necessary work restrictions and accommodations. Consistent with long-established practice for handling employee medical files, these requirements are relatively straightforward; now for the twists.

The aspect of the revised regulations that poses the greatest risk of a privacy violation by employers relates to the permissible process for “authenticating” and “clarifying” certifications. The regulations specify that only the following categories of employees may request authentication or clarification: a health care provider, a human resources professional, a leave administrator, or a management official. The regulations expressly bar a direct supervisor from performing these functions. To avoid violating this requirement, employers should (a) designate those employees permitted to conduct follow-up concerning FMLA certification, (b) inform supervisors that only the designated employees may conduct such follow-up, and (c) where consistent with internal practice, direct employees to submit certifications only to the designated individuals.

In addition, the designated employees should be trained on two key points. First, the designated employee must obtain a HIPAA-compliant authorization from the employee who submitted the certification before contacting that employee’s health care provider. The designated employee should submit the authorization to the provider before requesting any medical information. The regulations permit an employer to deny a leave request if the employee refuses to execute an authorization.

Second, the designated employee must limit communications with the provider to “authentication” and “clarification” as defined in the revised regulations. Authentication is limited to asking the provider to confirm that the provider, or someone with the provider’s authorization, furnished the information contained in the certification. The regulations restrict “clarification” to asking a provider to explain (a) illegible handwriting, or (b) the meaning of a response to a question in the certification form. Requests for clarification must be restricted to the condition of the employee or family member for which leave is being requested.

While employers cannot obtain information from an employee’s provider for authentication or clarification without the employee’s prior authorization, the revised regulations bar employers from demanding that an employee sign an authorization for leave-related purposes before the employee submits a certification to the employer. Consequently, employers should train human resources professionals and others involved in the certification process not to make such a demand.

Finally, certifications revealing a family member’s serious health condition almost always will constitute “genetic information” subject to the confidentiality requirements of the Genetic Information Nondiscrimination Act of 2008 (GINA) because GINA defines “genetic information” to include “the manifestation of a disease or disorder in family members.” While GINA’s confidentiality provisions parallel the FMLA’s, GINA permits disclosure of “genetic information” in the context of litigation in much narrower circumstances. More specifically, “genetic information” may be disclosed only in response to a court order and only if, after the disclosure, the employer informs the family member of the information that was disclosed. The practical effect of this restriction is that employers producing a medical file in response to a third-party subpoena must take extra care to remove from the production any FMLA certification that reveals the medical condition of a family member of the employee to whom the subpoena relates. Employers are most likely to confront this situation when the subsequent employer of a former employee has to defend claims brought by the responding organization’s former employee.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.