In the decade since the HIPAA Privacy Rule went into effect, human resources professionals and employment counsel have increasingly grappled with medical confidentiality issues. While HIPAA certainly has heightened awareness of the need to handle employees’ health information with care, HIPAA (perhaps ironically) protects only a very narrow subset of such information, i.e., individually identifiable health information created or received by, or on behalf of, a HIPAA-covered health plan. By contrast, the EEOC has taken the position for years that the Americans with Disabilities Act’s (“ADA”) medical confidentiality provision protects all employee health information received by an employer other than the narrow subset of health benefits information subject to HIPAA. In a ruling handed down just two days before Thanksgiving, the Seventh Circuit rejected the EEOC’s interpretation of the ADA as overbroad, giving employers something to be thankful for.

The Seventh Circuit’s decision addressed the question whether Thrivent Financial for Lutherans (Thrivent) violated the ADA’s confidentiality provision by allegedly disclosing medical information about a former employee, Garry Messier, to Messier’s prospective employers. The case had its genesis on November 1, 2006, when Messier failed to report to work. Thrivent’s agent sent an e-mail to Messier asking him to “give John [his supervisor at Thrivent] a call” because John “need[ed] to know what [was] going on.” Rather than calling John, Messier sent him a lengthy e-mail which revealed that Messier had a “severe migraine,” had taken “Innitrex” to ameliorate the symptoms, is “bedridden” when he suffers migraines of this severity, and that the “migraines are an end result of the head trauma” suffered in a “major car accident in 1984.” Apparently recognizing that he might have crossed the line into TMI (“too much information”), Messier concluded, “Probably a lot more than either of you wanted to know, but I want to be totally honest with both of you.”

Approximately one month after sending this e-mail, Messier quit his position with Thrivent, apparently not on good terms, and he began looking for another job. When three consecutive prospective employers rejected Messier after contacting Thrivent for a reference check, Messier hired a reference checking company to call Thrivent, posing as a prospective employer, and inquire about Messier. In response to this inquiry, Messier’s former supervisor at Thrivent stated that Messier “has medical conditions where he gets migraines. I had no issue with that. But he would not call us. It was the letting us know.” Representing Messier, the EEOC took the position that Thrivent’s response violated the ADA’s confidentiality requirement because the ADA protects medical information learned by an employer through any job-related inquiry.

The Seventh Circuit rejected the EEOC’s position based on the ADA’s plain language. More specifically, the ADA’s confidentiality provision, by its plain terms, applies only to medical inquiries. By contrast, when Messier wrote the November 1, 2006 e-mail to his supervisor at Thrivent, Messier was responding to a generalized inquiry about “what was going on,” not to a medical inquiry. Consequently, Messier voluntarily disclosed that he had suffered a severe migraine, and the ADA did not prohibit Thrivent from re-disclosing that information.

The Seventh Circuit’s ruling is significant because employers can receive information about the medical condition of employees from a variety of sources, particularly with the explosion of self-disclosure in social media. By contrast, the ADA permits employers to make medical inquiries of current employees, or to require employees to undergo a medical examination, only: (a) when an employer has objective evidence to question whether an employee can perform essential job functions; (b) when necessary to evaluate an employee’s request for an accommodation; or (c) when necessary to determine whether an employee poses a direct threat of harm to himself or others.

In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. As to this subset, the ADA’s confidentiality provision imposes on the employer a legal obligation to keep the information confidential, maintain it separately from the general personnel file, and limit access to those with a need to know. The Seventh Circuit’s ruling makes it easier for employers to establish policies and procedures to satisfy these legal compliance obligations because the decision narrows and specifically identifies the scope of employee health information that is subject to the ADA’s confidentiality requirement.

The Seventh Circuit’s rejection of the EEOC’s broad reading of ADA confidentiality, of course, does not mean that an employer should be careless with employees’ health information not protected by the ADA or HIPAA. State law, such as California’s Confidentiality of Medical Information Act, may still apply. But even when state law provides no protection, disclosing employees’ health information to those without a need to know exposes the employer to the risk that the information will be used improperly and has the potential to create tension and undercut employee morale. To reduce these risks, employers should remind managers who may receive voluntary disclosures of employee health information to limit their disclosure of that information to those with a need to know.