In a recent informal discussion letter, the Equal Employment Opportunity Commission (EEOC) suggested that employers who maintain both personal health information (PHI) and occupational health information in a single employee file are probably violating the privacy provisions of both the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).

Both acts severely restrict employers' access to employees' PHI but do allow the gathering of occupational health information on new hires and employees.

(According to the EEOC, personal health information is “information obtained in the course of diagnosis or treatment,” while occupational health information “concern[s] an employee’s ability to work.”)

The problem, as the EEOC sees it, is that PHI is often also obtained in the process of obtaining permitted occupational health information. If the two are then stored in one file, even a secure and private one, that is a violation of the ADA and GINA because it allows access to the PHI.

The two acts have always dictated that health records be retained and stored completely separately from personnel files. Now with this EEOC "suggestion," employers may also have to separate their employees' medical files into two distinct and physically removed files.