Confidentiality of Medical Information

TO:  Deans, Directors and Department Chairpersons
FROM: Robert F. Pack

DATE: April 14, 2003

Most of you are keenly aware that the individual records of the University's faculty, staff and students are confidential.  These records must be handled and retained in a manner that protects an individual's privacy and limits access to those who genuinely need to know.  Individual records are for that reason generally kept in locked and strictly controlled filing cabinets.

What is not as commonly understood are the regulations requiring special treatment of employee medical information.  Not only is it improper to freely discuss an individual's personal medical situation; it is a violation of certain federal and state laws to maintain medical documentation in the same files as those that contain payroll, benefits, performance appraisals, or other general individual records.  Medical information must be retained in a completely separate and secure file, and access to that information must be restricted to the minimum number of employees.  Medical documentation includes any information from the employee or student, or from a health care provider, concerning an individual's medical condition or history, including typed or handwritten reports from physicians or any other health care provider pertaining to an individual's health status or fitness for work.

To ensure the University's compliance with its legal obligations regarding medical record maintenance, I want to remind you of the requirement that every department implement the following:

  • Review each individual's department file and remove any document that references medical information.
  • Maintain all records containing medical information in completely separate files in a separate and secure location.
  • Emphasize to every employee that medical information should not be discussed with others, should not be left unattended in public spaces or on a photocopy machine, and should not be faxed without ensuring the recipient is the only one who will see it.
  • Keep records containing medical information, and their contents, highly confidential.  Very few people will need to see these records, and access should be limited to those with a need to know.  Please note that an individual's official position does not by itself entitle him/her to review such files.  Generally, supervisors and managers need only know about work restrictions that have been imposed or job accommodations that must be made, not about any underlying medical conditions.  This applies equally to information concerning workers' compensation matters, FMLA or FMLF leaves of absence, and applications for short- or long-term disability.

I am also taking this opportunity to call to your attention new regulations, effective on April 14, 2003, under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  The regulations address the confidentiality and security of medical records and the electronic transmission of identifiable patient health information.  Although only a limited number of specified units of the University will be directly subject to the HIPAA regulations, private patient medical information held by those units cannot be shared with other University units without patient consent.  Please see the University's Policy manual for the newly adopted HIPAA policy and related policies governing the privacy of confidential medical information.  These policies are also on the University web site at

If you have any questions about who should have access to an individual's medical records or the information they contain, please call the Employee Relations section of Human Resources at 412-624-8138, or me at 412-624-4228.

Thank you for your attention to this matter.  Please feel free to distribute copies of this memorandum to all employees in your unit.