Protected Health Information (PHI or Medical Information)

The safeguarding and regulatory compliant handling of Protected Health Information (PHI), also referred to more broadly as medical information, presents, in our opinion, one of the most significant risks for federal agencies and managers, particularly with an aging workforce, increased frequency of FMLA, Reasonable Accommodation, and sick leave use, and emerging COVID (and variant) issues. Violations in the handling of this information are almost routine in our opinion, and we constantly correct managers in the handling, use, and management of this information, whether that means leaving PHI on a desk in plain view or openly discussing medical diagnoses with staff who have absolutely no need to know.

There are a myriad of laws and regulations, and potentially provisions of collective bargaining agreements, that apply to the handling of employee medical information in connection with employment. The Americans with Disabilities Act (ADA), 42 USC 12112 (d)(3)(B) and 12112(d)(4)(c), requires employers to maintain information regarding the medical condition and history of employees with disabilities in separate medical files and to treat such information as confidential. See also 29 CFR 1630.14 (b)(1), (c)(1), and (d)(1). The Privacy Act, in turn, prohibits agencies from disclosing records contained in a system of records to any person, or to another agency, except pursuant to a written request by the individual to whom the record pertains. See, 5 USC Section 552a(b). Vast provisions of the Rehabilitation Act also apply, reiterating the requirement to maintain medical records in separate files, apart from other records such as disciplinary files. See, Complainant v. Department of Justice, Federal Bureau of Prisons, 0520130125, 114 FEOR 252 (EEOC 2014).

What You Should Expect Concerning Protected Health Information

As noted in Grey v. U.S. Postal Service, EEOC No. 0120121846 (EEOC OFO 2012), confidentiality requirements apply to any medical information from any applicant or employee, not only individuals with disabilities.  Federal agencies possess the authority to request and handle employee medical information in connection with employment matters.  This authority extends to applicants but is not limited in that regard. For example, an agency may ask for information possibly connected to a disability provided it is job-related and consistent with business necessity. See, Slavin v. U.S. Postal Service, EEOC No. 0120061503 (EEOC OFO 2007).  Requests of this nature also extend to situations in which an employee may exhibit “unusual behavior” or the agency otherwise establishes a reasonable belief a worker poses a direct threat due to a medical condition or that he is unable to perform the essential functions of his position due to a medical condition.  See, Watson v. U.S. Postal Service, EEOC No. 0120121195 (EEOC OFO 2013) and Norton v. Department of Veterans Affairs, EEOC No. 01A51018 (EEOC OFO 2006).

When a federal employee submits medical information in connection with employment, for any reason, whether voluntarily or requested/ordered by the agency, they have a right to expect this information will be protected in accordance with law and, frankly, common sense. This applies to medical information submitted in connection with FMLA, sick leave, a fitness for duty examination, Reasonable Accommodation requests, job applications, a return to duty, or for any other reason. Failure by the agency to properly safeguard an employee’s health information is typically actionable under EEOC guidelines and possibly through a civil action. Awarded damages can range from minimal to significant.

SIDEBAR:  Whether voluntarily submitted or otherwise ordered and received by an agency, all employee medical information must be protected.

Actionable Violations

Any violation of confidentiality concerning Protected Health Information (PHI) is actionable and should not be taken lightly, especially by managers. The violation does not have to be discriminatory in nature; it stands alone, typically under the Rehabilitation Act, and is referred to as a per se violation. See, Fisher v. DOD, Department of the Army, (EEOC OFO 09/04). In other words, even if the rest of a complainant’s EEO claims fail at hearing, the mishandling of medical information remains a violation of the Rehabilitation Act.

Some examples of a violation concerning Protected Health Information could include:

  • Disclosure to unauthorized persons (no need to know)
  • Leaving the information unattended on an office desk
  • Sending the information to the wrong person
  • Disclosing the information off duty to non-agency employees
  • Losing the information
  • Not maintaining the information in a separate folder, apart from other employment records
  • Placing the information in a “six-part folder”
  • Giving the information to a gaining supervisor

It is important to keep in mind that each situation presents its own unique fact pattern and circumstances.


The contents of this website are intended to convey general information only and not to provide legal advice or opinions. Consultants at InformedFED are not attorneys. They are senior level practitioners of employee labor relations and EEO. The contents of this website, and the posting and viewing of the information on this website, should not be construed as, and should not be relied upon for, legal or employment advice in any particular circumstance or situation. The information presented on this website may not reflect the most current legal or regulatory developments. No action should be taken in reliance on the information contained on this website and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this site to the fullest extent permitted by law. InformedFED is comprised of independent senior level practitioners and consultants who are not employees of InformedFED.