The Americans with Disabilities Act (ADA)
Title I of the ADA limits employer access to medical information. An employer’s right to access personal health information is governed by the provisions of the ADA that limit an employer’s right to make disability-related inquiries and conduct medical examinations of applicants and employees. See 42 U.S.C. § 12112(d); 29 C.F.R. §§ 1630.13 and 1630.14.
From the EEOC's response letter on this topic:
Title I of the ADA limits when an employer may obtain medical information and how that information can be used at three stages: before extending a job offer, after an offer is made but before an individual starts working, and once a person is on the job. Prior to extending a job offer, an employer generally may not ask any disability-related questions and may not require medical examinations of applicants. See 29 C.F.R. §1630.13(a). After extending an offer of employment but before an individual begins work, an employer may make disability-related inquiries or require medical examinations, regardless of whether they are related to the job, as long as it does so for all entering employees in the same job category. Id. at §1630.14(b). This could include requesting an individual’s consent to access his personal health information. However, because the ADA prohibits an employer from withdrawing a job offer from an individual with a disability or making other discriminatory decisions based on a person’s actual or perceived medical conditions, an employer should be careful not to obtain more information than is necessary to determine whether a person can do a job, even at the post-offer stage. Furthermore, any information or documents relating to an employee’s medical condition “shall be collected and maintained in separate forms and in separate medical files and be treated as a confidential medical record.” 42 U.S.C. §§ 12112(d)(3)(B), (4)(C); 29 C.F.R. § 1630.14. According to the Equal Employment Opportunity Commission’s Technical Assistance Manual, Title I of the ADA, “an employer should not place any medical-related information in an employee’s personnel file.” Thus, an employer takes care to place an employee's medical information and files in a separate folder and in a secure location.
Once an individual begins working, an employer may only ask disability-related questions or require medical examinations that are job related and consistent with business necessity. 29 C.F.R. at §1630.14(c). Generally, this means that an employer may only obtain medical information where it reasonably believes that an employee will be unable to perform the job or will pose a direct threat due to a medical condition. Medical information also may be obtained to determine whether an employee with a non-obvious disability is entitled to a requested reasonable accommodation or satisfies the criteria for using certain types of leave, such as leave under the Family and Medical Leave Act or under the employer’s own sick leave policy. In all of these instances, however, the information sought must be limited in scope. For example, an employer cannot ask for, or view, an employee’s complete medical record because it is likely to contain information unrelated to the need to make an employment-related decision. Of course, an employer may not obtain medical information about an employee or view an employee’s personal health information unless the employee has executed an appropriate release.
Finally, the question most people ask is what remedy an employee has when an employer violates this law. Depending on what circuit you reside in, you may have to show that the release of this information caused you some injury. "Injury" could range from loss of a job to emotional distress, but a claim of emotional distress requires more than a bare allegation, which can prove difficult.
Genetic Information Nondiscrimination Act (GINA)
GINA places additional constraints on an employer’s ability to obtain personal health information. With limited exceptions, GINA prohibits employers from requesting, requiring, or purchasing genetic information (e.g., information about an individual’s genetic tests, genetic tests of a family member, or family medical history) about job applicants and employees or their family members at any time, including during the post-offer stage of employment. 29 C.F.R. §1635.8(a)-(b).
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA also imposes privacy obligations on many employers who provide group health plans. (Employers who administer their own plans and have fewer than 50 participants don't have to comply with HIPAA's privacy rules, and employers that sponsor plans that receive only enrollment information have minimal obligations.) Under HIPAA, employers are required to protect the privacy of employees' personal health-related information by designating an in-house privacy official, adopting policies and procedures to keep this information private, and notifying employees of their privacy rights, among other things.
Perez v. Denver Fire Department City and County of Denver, 2016 U.S. Dist. LEXIS 10114 (D. Co. Jan. 26, 2016)
In Perez, the plaintiff alleges that his supervisor wrote a letter to the Assistant Chief of the Denver Fire Fighter Department requesting that he be evaluated for Post-Traumatic Stress Disorder (“PTSD”), as Perez would oftentimes become visibly upset and have to go home from work when he was exposed to pictures reminding him of his tour of duty in the Marines. Prior to becoming a firefighter with the City and County of Denver (the “City”), Perez served eight years of active duty with the United States Marine Corps. Perez further alleges that he had never disclosed to anyone at the City that he was being treated by the Veterans Administration for PTSD. He also alleges that, following a fitness-for-duty examination, which confirmed the PTSD diagnosis, his supervisor scheduled a meeting—on a day Perez was not at the fire station—to “discuss Perez having PTSD and get the opinion of other firefighters in regards to Perez having PTSD.” In his lawsuit, Perez alleges that, following this purported disclosure, his co-workers subjected him to harassment and a hostile work environment because of his disability.
From the Nixon Peabody press release on this case:
In the litigation, Perez alleges that the City violated the ADA when his supervisor allegedly disclosed his medical condition—which was only discovered in connection with a fitness-for-duty examination—to his co-workers. While the City denies engaging in such conduct or otherwise violating the ADA, following a motion seeking to dismiss Perez’s lawsuit, the court found that the allegations set forth in Perez’s complaint were legally sufficient to go forward into discovery. This case is still ongoing.