Very few of us would find it acceptable for our medical information to be shared with anyone who asks for it. In fact, a majority of us prefer that such information remain private and confidential. We are not interested in other people assessing our mental and/or physical health, nor do we want to be the victims of discrimination based on what others think they know about our medical condition.

For purposes of this paper, we are going to take a general look at the intersection of federal civil rights laws requiring nondiscrimination and equal opportunity, and the right to medical confidentiality and privacy under the Health Insurance Portability and Accountability Act (HIPAA). Notably, federal civil rights laws require data collection and, under certain circumstances, collection of a person’s medical information. As the Equal Opportunity (EO) professional for an agency or organization operating federally funded programs and activities, you must know when you are entitled to request medical information, how you get this information, and what you do with it once you have it.

To set the stage for data collection under federal civil rights laws, we’ll start with Title VI of the Civil Rights Act of 1964 (Title VI). This was an impressive piece of legislation that, for the first time, mandated nondiscrimination and equal opportunity based on race, color, and national origin in federally funded programs and activities. Data collection was part of this law. For example, DOL regulations implementing Title VI at 29 C.F.R. § 31.6(b) requires, in part, the following:

In general, recipients should have available for the department racial and ethnic data showing the extent to which members of minority groups are beneficiaries of federally assisted programs.

29 C.F.R. § 31.6(b). The main purpose for this data collection was to measure a recipient’s performance and compliance with Title VI.

For example, a One Stop Career Center is located in an area where 85 percent of the population is Hispanic, but the Center’s data reveals that 15 percent of the persons they serve are Hispanic. This disparity may signal a need for the Center to strengthen and expand its outreach in the community among other actions. As another example, data reveals that 80 percent of black persons are being referred to higher paying jobs with a local company, whereas only 20 percent of white persons with the same credentials are being referred to these higher paying jobs. Here, data collected supports a finding that the recipient engaged in discriminatory referral of applicants in violation of Title VI.

Moving to collection of medical information, disability-related nondiscrimination laws first surfaced in 1973 with enactment of the Rehabilitation Act. Again, certain data collection requirements are imposed on recipients of these federal funds to gauge compliance with the law. For example, in DOL-funded programs, 29 C.F.R. § 32.44(b) requires:

. . . recipients should have available for the Department data showing the extent to which known handicapped individuals are beneficiaries and participants in federally assisted programs or activities.

29 C.F.R. § 32.44(b). Likewise, the ADA and ADAAA, enacted in 1990 and 2008, respectively, place similar disability-related nondiscrimination and equal opportunity requirements on recipients operating federally funded programs and activities.

Let’s take a closer look at circumstances where a recipient offering federally funded programs and activities must collect medical-related data on an individual. One example would be to determine whether the person meets the “essential eligibility requirements” for the federally funded service, aid, training, or benefit at issue. Another example is where the person requests accommodation. In such a situation, medical documentation may be requested to satisfy the requirements for providing such accommodation, or to determine what accommodation would be reasonable.

As the Equal Opportunity (EO) professional for a recipient of federal funds, storing this data in an unsecured location, or sharing it without limitation, leaves the individual with a disability particularly susceptible to discrimination, and it would leave the recipient operating federally funded programs and activities open to liability and/or sanctions.

Here is where it is useful to understand the purpose of HIPAA. HIPAA is not a civil rights law; rather, it is a health information privacy law. This law gives the individual control over who may review or receive his or her mental and/or physical health information and it gives the individual certain rights over this information.

The interplay between a privacy law, like HIPAA, and a civil rights law is best demonstrated by example. For this purpose, we’ll look at the Workforce Investment Act of 1998 (WIA). WIA prohibits discrimination in federally-funded programs and activities on a wide variety of bases, including disability. Some examples of WIA-funded recipients operating programs and activities are One Stop Career Centers offering employment referral services, training, and unemployment insurance benefits as well as Job Corps Centers offering educational programs and activities designed to enhance a person’s employability.

As with civil rights laws coming before it, DOL’s regulations for WIA set forth certain data collection and reporting requirements as follows:

Each recipient must record the race/ethnicity, sex, age, and where known, disability status of every applicant, registrant, eligible applicant/registrant, participant, terminee, applicant for employment, and employee.

29 C.F.R. § 37.37(b)(2). Importantly, however, this law further requires:

Such information must be stored in a manner that ensures confidentiality and must be used only for the purposes of recordkeeping and reporting; determining eligibility, where appropriate, for WIA Title I-financially assisted programs or activities; determining the extent to which the recipient is operating its WIA Title I-financially assisted program or activity in a nondiscriminatory manner, or other use authorized by law.

29 C.F.R. § 37.37(b)(2).

You are the EO Officer for a Job Corps Center offering federally funded educational programs and activities. Sam asserts that he is a person with a visual impairment and he requests reasonable accommodation by way of enhanced computer technology. Sam wears glasses and sometimes uses a stick when he walks. In order to determine the appropriate accommodation, you request medical documentation.

HIPAA prohibits you from accessing Sam’s medical documentation directly from his health care providers. Rather, Sam must authorize the providers to release whatever medical information he desires for you to review. For your part, you should request only that medical information, which is necessary to make a decision.

Now, once Sam’s medical documentation is in your hands, WIA limits its use and requires confidentiality. Notably, you must use the information solely for purposes of determining a reasonable accommodation for Sam and the information must be kept confidential.

Consequently, as the EO professional for your agency or organization, it is highly-recommended that you keep all medical information obtained in conjunction with a reasonable accommodation request, or in conjunction with determining whether an individual meets the essential eligibility requirements for a particular service, aid, training, or benefit, in a folder that is completely separate from your program file on the individual. Moreover, the separate folder containing medical information should be in a secure location. This means that paper medical records would be kept in a locked drawer or locked filing cabinet with very limited access. Electronic medical information should be password protected and/or encrypted and, again, with very limited access. Any employee of the recipient with access to these records must understand that s/he is strictly bound to adhere to confidentiality requirements pertaining to the records. Finally, you should review your agency’s or organization’s policies for time limits on storing such information—you will not keep an individual’s medical information indefinitely.

Look at the Methods of Administration for your state or territory to determine how you should handle confidential medical information. You may also seek guidance from your state EO leadership, or from the civil rights office of the federal funding agency.

Also, keep in mind that the same confidentiality requirements are imposed on employers with regard to their employees. Namely, EEO/AA/HR professionals must ensure that all medical information pertaining to an employee is kept in a folder that is separate from the employee’s personnel record. And, the medical information folder must be confidential and secure. Look to the U.S. Equal Employment Opportunities Commission for additional guidance in the context of the workplace.

Seena Foster is an attorney and author of “Civil Rights Investigations under the Workforce Investment Act and Other Title VI-Related Laws: From Intake to Final Determination.” She is also a Partner with Title VI Consulting in Alexandria, VA. You may visit her website at www.titleviconsulting.com. The opinions expressed in this paper are attributable to Ms. Foster.