Employment and Your Medical Privacy (California Medical Privacy Series)

Posted: Jul 01 2012  | Revised: Oct 10 2017


  1. What does this guide cover?
  2. Which laws provide medical privacy protections for employees and job applicants?
  3. May a potential employer require access to your medical information?
  4. Can employee background checks include medical information?
  5. Can an employer or potential employer find medical information about you even if you don’t allow access to your medical records?
  6. Are there privacy protections for employment-related drug tests and examinations?
  7. Can an employer or prospective employer access medical information in workers' compensation records?
  8. What protections exist for medical records of disabled job applicants and employees?
  9. If your employer sponsors your health plan, does it have access to your medical information?
  10. Must your employer protect medical information it receives?
  11. Do you have to provide your employer with medical records to take leave under The Family and Medical Leave Act?
  12. Can an employer require you to provide your genetic information?
  13. Can your employer access health and medical information through employee wellness and harm risk reduction programs?
  14. Additional Resources


1. What does this guide cover?

This guide discusses medical information privacy as it relates to employment in California.  


2.  Which laws provide medical privacy protections for employees and job applicants?

HIPAA, the primary federal law addressing health information privacy, applies to employee health insurance plans but does not apply to employers or employment records.  For more information about HIPAA, see PRC’s guide, Health Privacy: HIPAA Basics and the U.S. Department of Health and Human Services publication Employers and Health Information in the Workplace.

California's Confidentiality of Medical Information Act (CMIA) requires employers to protect the privacy and security of any medical information they receive. Cal. Civ. Code §§ 56.20-56.245


When you apply for a job and are asked to submit to a background check, both California law and the federal Fair Credit Reporting Act (FCRA) restrict consumer-reporting agencies from including medical information in employee background checks without your authorization. For example, a consumer-reporting agency may not include medical bills that have gone to collection in a background check without your authorization.  See Cal. Civ. Code § 1786.12(f) and Pub. L. 108-159, 111 Stat. 1952.


If you are disabled, California’s disability discrimination laws and the Americans with Disabilities Act (ADA) limit the circumstances under which employers or prospective employers may inquire about your medical condition or mental or physical disabilities.  See Cal. Gov’t Code § 12940 and 42 U.S.C. § 12101.


3. Can employee background checks include medical information?

It depends. In general, consumer reporting agencies that perform background checks cannot include medical information in your background check unless you consent and the information is relevant to the job you are seeking. See FCRA § 604(g) and Cal. Civ. Code §§ 1786–1786.30  For more information on employee background checks, see PRC's guides: Employment Background Checks: A Jobseeker's Guide, and Employment Background Checks in California: A Focus on Accuracy.


Tip: In California, you are entitled to receive a copy of an employee background check report.  Cal. Civ. Code § 1786.16


It is important to note that these laws don’t stop employers from informally looking for information about you before hiring you. Remember that there may be publicly available sources that contain medical information about you. 


4. Can an employer or potential employer find medical information about you even if you don’t allow them to see your medical records?

Yes.   Employers may find publicly available medical information about you in many ways, including the following.

  • Media stories. For example, you may have been involved in an accident, a disease or treatment study, or a lawsuit.
  • Online and on social media.  There is no special protection for health or medical information you post publicly about yourself. 

Some employment screening companies now specialize in scouring social media websites for information on both applicants and employees. Such third-party screening companies are subject to federal and California laws governing consumer reporting agencies and you have the same rights as you do with any other background check.


You do not have rights under federal or California laws covering background checks if an employer independently views your online posts or other publicly available information.  However, California law prohibits employers from discriminating against you based on medical information. Cal. Gov’t Code §§ 12900 – 12996


Depending on your privacy settings, employers may see it and data miners may collect this information and sell it.

Note: In California, employers cannot require you to provide them with a social media account password or to log into an account in their presence. Cal. Labor Code § 980


For more information, see PRC’s guide: Social Networking Privacy: How to Be Safe, Secure and Social.

  • Court proceedings.   Medical information may be present in court records, especially if your health or medical information were at issue in a case.  To learn more about what must be redacted in federal court case files see the U.S. Courts website.  For information on sealing a record in California, see the California Rules of Court.

5. Are there privacy protections for employment-related drug tests and examinations

a. May a potential employer require a medical or psychological examination?

In some situations. California’s Fair Employment and Housing Act (FEHA) prohibits employers from requiring job applicants to submit to a medical or psychological examination. The FEHA also prohibits employers from inquiring about any mental or physical disability or medical condition. However, the employer may ask about an applicant’s ability to perform any job-related functions. Also, if an applicant requests a reasonable accommodation on the job, the employer may respond by asking why it’s necessary.  Cal. Gov’t Code §§ 12900–12996 


After extending a job offer, the employer may ask you to have a pre-employment medical exam or laboratory test as long as it relates specifically to the requirements of the job. Cal. Gov’t Code § 12940(e-f)


Ask for a copy of the report if your offer of employment is withdrawn as a result of a medical exam or lab test.

For more information about what employers can ask job applicants and employees, see the Department of Fair Employment and Housing Fact Sheet: Employment Inquiries.


b. Do some jobs require pre-employment medical examinations and drug or alcohol tests?

Yes. Some jobs are subject to health and safety regulations that require medical examinations and/or drug and alcohol tests after a job has been offered but prior to employment, and at regular intervals after you are employed. These include airline pilots, applicants for merchant marine licenses, as well as commercial truck drivers and interstate bus drivers (both medical certificate and drug test required). Federal and state agencies regulate licenses or certifications for such jobs where public safety is at issue.


c. Can your employer require you to take a drug test?

It depends.  Generally, random drug testing is allowed if you have a safety-sensitive job. Additionally, an employer may require you to take a drug test if the employer has a particular suspicion that you are impaired by drugs which affect your ability to perform your job.

California has no statutory law covering employee drug testing. Instead, court decisions have created the law in this area. In general, courts have required an employer to have a “particular suspicion” that an employee’s ability to perform his job is impaired by drugs before requiring a drug test. If you decline to take a test and your refusal leads to litigation, remember that both the interpretation of “particular suspicion” and “impairment” will be questions of fact for a jury to decide.


Random—as opposed to mandatory—drug testing of employees whose jobs are safety sensitive is allowed. (Smith v. Fresno Irrigation District, 72 Cal. App. 4th 147 (1999)) Examples of safety-sensitive jobs include police officers and firefighters, public transit workers involved in driving or maintenance, and nurses. But random drug testing violates the privacy of an employee whose work raises no safety issues that would require a random drug test. (Luck v. Southern Pacific Transportation Co., 218 Cal.App.3d 1 (1990)) At least two cities, San Francisco and Berkeley, have ordinances that prohibit on-the-job drug testing except for safety-sensitive jobs.


Job applicants who have been offered a job have less expectation of privacy than employees when it comes to drug tests, because they are in the position of asking prospective employers to accept their suitability for a particular job.  Your prospective employer may expect you to answer a set of questions, which may include the results of a drug test. See Loder v. City of Glendale, 14 Cal. 4th 846 (1997); Pilkington Barnes Hind v. Superior Court, 66 Cal. App. 4th 28 (1998); see also, the California Department of Fair Housing and Employment Fact Sheet: Employment Inquiries: What Can Employers Ask Applicants and Employees? 


d. Are employment-related drug tests really necessary?

This is an ongoing public policy debate.  Employers are legally responsible for maintaining a healthy and safe workplace for all their employees, but many organizations oppose workplace drug testing as a means of doing that. The ACLU and the National Workrights Institute, for example, point out that in addition to raising constitutional privacy issues, drug tests are unreliable and prone to errors. They suggest that there are less privacy-invasive—as well as less stigmatizing—ways to test an employee’s ability to perform a job.


6.  Can an employer or prospective employer access medical information in workers' compensation records?

It depends.  Initial workers' compensation claims are not public records, but when a claim is appealed to the Workers’ Compensation Appeals Board (WCAB), it becomes a public record. Employers may access WCAB records only if a work-related injury may interfere with your ability to perform a certain job.


In California, workers’ compensation claim records may not contain individually identifiable information—which would include any medical information that is linked to you—when accessed by someone who is not a party to the claim.  An exception to the law allows someone who is not party to a claim, but who identifies himself and the reason for the request, to access an identifiable record. Cal. Labor Code § 138.7(a)


In California, employers can access these records only after a job offer has been made and they cannot rescind the offer based on information in the record. Cal. Labor Code §132(a)


Note that if a workers’ compensation record includes prior claims that you did not disclose during the job application process, it may be grounds for denying employment or for termination if you have already been hired. 

7.  What protections exist for medical records of disabled job applicants and employees?

A federal law, the Americans with Disabilities Act (ADA), applies to workplaces with 15 or more employees and prohibits discrimination against people with disabilities in the workplace.  It sets out strict rules for covered employers, which include private employers, state and local governments, employment agencies, and labor organizations.


Under the ADA:

  • Prior to employment, employers are prohibited from asking whether a potential employee has a disability or has any past or present medical conditions.
  • Pre-employment medical examinations are prohibited.  However, after you have been offered employment, and prior to the start date, an employer may require a medical examination if the policy applies to all new employees holding similar jobs.  If you are turned down for work based on the results of a medical examination, the employer must prove that it is physically impossible for you to do the work required.
  • The employer also may not ask a potential employee to disclose workers’ compensation history.
  • Disabled employees’ medical records be kept confidential and separate from other employment records.  They may be disclosed to a supervisor making a “reasonable accommodation” for a disabled worker; to safety and first aid workers, in the event that a disabled employee needs to be treated or evacuated; to insurance companies that require a medical exam, for example, in the case of accident or fire insurance for the work site; and otherwise as required by law.

You can file a charge for discrimination, including ADA-based discrimination, against an employer with the U.S. Equal Employment Opportunity Commission (EEOC).


The California Attorney General offers a helpful pamphlet titled Legal Rights of Persons with Disabilities, as well as a list of resources and reports concerning disability, housing and employment assistance.  The Equal Employment Opportunity Commission has a section titled Facts About the Americans With Disabilities Act on its website. The Council for Disability Rights also has an FAQ written expressly for non-lawyers.


See 42 U.S.C. § 12101 et. seq. For information about California’s disability law, part of the Unruh Civil Rights Act, see Cal. Civ. Code §§ 54–55.3.


8.  If your employer sponsors your health plan, does it have access to your medical information?

If the employer-sponsor has access to its employees’ protected health information, it must ensure that the information is used only for administrative functions, such as paying benefits.  The employer must build a firewall between its legally-covered (CMIA/HIPAA) functions and its non-covered functions in order to keep employee health claims data separate from other employee data. 


Examples of non-covered functions are maintaining payroll records and human resources files.


Employers with this type of plan must notify employees about personnel in the company who have access to employee medical records. It must also train those outside the firewall to refer health plan questions to those inside the firewall. In addition, employers must appoint a privacy officer; establish policies and procedures for HIPAA compliance; train employees who work with medical records and sanction if they fail to follow procedures; and enter into business associate agreements with any third parties involved in handling employee medical records.


Tip: If your health insurance is through an employer-sponsored plan, you should identify the company’s privacy officer. If there is one, you can direct your questions there.  If the company does not have a privacy officer, you may have discovered a problem your employer needs to address.

For more information about health insurance plans generally, including how to make inquiries and complaints, see the California Department of Insurance Health Insurance Guide.


9.  Must your employer protect medical information it receives?

Yes. California law obligates an employer who receives medical information “to ensure the confidentiality and protection from unauthorized use and disclosure of that information.”  An employee who experiences economic loss or personal injury because an employer fails to maintain the confidentiality of her medical information may sue for damages and legal costs.  See Cal. Civ. Code § 56.20.  However, employers often receive health or medical-related information that doesn’t clearly fit within this requirement.


In addition, there are a number of exceptions to the requirement that employers protect the privacy and security of any employee medical information they receive. These circumstances include (but aren’t limited to):

  • judicial or administrative process that compels disclosure (for example, a court subpoena);
  • when medical information is relevant to a lawsuit, arbitration, or other claim, and you (the employee) have raised the issue in the case;
  • administering employee benefit plans, such as disability and workers' compensation, and determining eligibility for paid or unpaid medical leave from work;
  • in an emergency situation when you or a designee is unable to authorize disclosure. 

Cal. Civ. Code §§ 56.20-56.245


10. Do you have to provide your employer with medical records to take leave under The Family and Medical Leave Act?

The Family and Medical Leave Act (FMLA) gives most workers the right to 12 weeks of unpaid leave annually for reasons of personal and family health. If the reason for an FMLA request is a serious illness, your employer may want a doctor’s certification, but cannot require you to provide actual medical records. The U.S. Department of Labor offers complete information on the operation of the FMLA, for both employees and employers.


11.  Can an employer require you to provide your genetic information?

California law prohibits employers from requiring employees or job applicants to submit to genetic testing unless the request is based on a bona fide occupational qualification. Cal. Gov’t Code § 12940


An example of an occupational qualification would be employment in a workplace where exposure to toxic substances or radiation is monitored.


a. What is genetic information?

Genetic information includes:

  • your genetic test results, and also those of family members;
  • your family medical history, which is often used to assess your future risk of getting a certain disease;
  • your or a family member’s request for, or receipt of, genetic services, or participation in clinical research that includes genetic services;
  • the genetic information of a fetus carried by you or a family member; and
  • the genetic information of any embryo legally held by you or a family member for assisted reproductive technology.
  • Information about your own or your family’s medical history that you voluntarily give up on medical, genealogy, or social networking websites is not protected by any laws that regulate the use or privacy of genetic information.

b. What legal protections are in place for genetic information?

The federal Genetic Information Nondiscrimination Act (GINA) prohibits employers and most health insurers from requesting or requiring employees to provide genetic information.  GINA also prohibits discrimination—for instance, denying employment or health benefits—based on genetic information.

The Equal Employment Opportunities Commission (EEOC), which enforces GINA, has information for individuals about the Act and its application.  The Council for Responsible Genetics also has resources.

California’s Fair Employment and Housing Act (FEHA) and the Unruh Civil Rights Act further reinforce GINA’s prohibition against discrimination based on genetic information. See Cal. Gov’t Code §§ 12921, 12940(a)-(c); Cal. Civ. Code § 51.

Employers may not discriminate based on genetic information, and they are obligated to protect such information and not use it in any legally prohibited way.


c. When may an employer obtain your genetic information?

There are circumstances under which an employer might obtain such information.  These circumstances may include:

  • information acquired inadvertently, such as by a supervisor who overhears your conversation about your or a family member’s genetically based illness;
  • information (such as family medical history) you voluntarily give up as part of a health, genetic services, or wellness program offered by your employer;
  • information about family medical history that’s included in the certification process for Family and Medical Leave Act (FMLA) leave;
  • information acquired from commercial or publicly available sources, including data brokers, newspapers or websites, as long as the employer is not searching those sources for the purpose of finding genetic information about you;
  • information collected through a genetic monitoring program of the biological effects of toxic substances in the workplace where the monitoring is required by law or, under some circumstances, voluntary;
  • employee genetic information collected by employers who do DNA tests for law enforcement purposes or to identify human remains, but only to analyze DNA markers for quality control to detect sample contamination.

12.  Can your employer access health and medical information through employee wellness and harm risk reduction programs?

It depends, and you will need to ask questions about your employer’s program.


a. What is an employee wellness and harm/health risk reduction program?

Employee wellness programs are popular tools intended to help reduce healthcare costs, promote healthier lifestyles, and prevent diseases. Improving employee health through various types of employer-sponsored health monitoring and behavior modification is seen as a way to create savings on medication and treatment.   Wellness programs can cover everything from dealing with violence and bullying in the workplace to specific health-related programs. For example, they may involve on-site exercise rooms and healthy food choices in the cafeteria, immunizations paid for by an employer, health fairs and health education, smoking cessation and weight-loss programs, nutrition classes, health risk assessments, and on-site “health coaches.”


b. What privacy concerns do employee wellness programs raise and are there any legal protections?

Employee wellness programs may collect and generate a lot of health information about you, and a program may or may not be covered by privacy laws depending on how it is offered.


If the program is a benefit of an employer-sponsored health plan (that is, the plan pays for it), the vendor must have a business associate agreement with the employer-sponsor, which obligates it to comply with HIPAA and California’s Confidentiality of Medical Information Act. If the vendor’s agreement with the employer does not involve an employer-sponsored health plan, but is instead an agreement to provide a service, the privacy protections that apply are those in the vendor’s privacy policy, assuming it has one.


The California Online Privacy Protection Act requires any vendor that collects personal information online (or through an app) from a California resident to have a privacy policy, but this doesn’t necessarily mean that the company has good privacy practices. Cal. Bus. & Prof.  Code, §§ 22575 – 22579

It is also possible that a wellness or harm risk reduction program vendor could be covered under California’s Confidentiality of Medical Information Act as:

“[a]ny business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual”
Cal. Civ. Code § 56.06


Note that this has not yet been interpreted by the courts.


The U.S. Department of Health and Human Services (HHS) has a brief FAQ on HIPAA and wellness programs: HIPAA Privacy and Security and Workplace Wellness Programs.  For an analysis of what is meant by wellness programs for regulatory purposes, and how they are supposed to be structured in order to be non-discriminatory, see Nolo Press, Final Rules for Wellness Programs under Obamacare.


c. Wellness programs and genetic information

The federal Genetic Information Non-Discrimination Act (GINA) has an exception to the general prohibition against employers acquiring genetic information of job applicants or employees in the case of voluntary health or genetic services offered by an employer to employees and family members included in their health plans, which could include wellness programs. An employer may offer incentives, such as health premium reductions or various prizes, to employees or their family members for answering health-related questions or having a medical exam as part of a wellness program.

An EEOC rule permits an employer to offer a limited incentive to participate in a voluntary wellness program. The EEOC sets the incentive at no more than 30 percent of the cost of the primary insured’s health plan coverage, not the cost with additional family members included.


d. Wellness programs and the Americans with Disabilities Act

The Americans with Disabilities Act (ADA) generally prohibits employers from making disability-related inquiries to employees or requiring employees to undergo medical examinations, although an employer may require an applicant who has been offered a job to have a medical exam if all new employees holding similar jobs must do the same. Another exception exists for disability-related inquiries and medical exams that are voluntary. In the context of employee wellness plans, this means:

  • There is no requirement to participate and no penalty for not participating, such as denial of coverage or any workplace discrimination.
  • Employees are fully notified of what medical information will be collected; how it will be used and disclosed; and what the employer will do to prevent improper disclosure.
  • The incentive for participation is limited to no more than 30 percent of the amount of the primary insured employee’s coverage, not 30 percent of the cost with other family members included.

Meritain Health, a division of Aetna, offers an explanation (in table form) of wellness programs, GINA, and the ADA: Final Wellness Rules under GINA and ADA.


e. What should you ask before enrolling in an employee wellness program?

Don’t hesitate to ask you employer questions about its wellness plan.  At minimum, it is important to ask these important questions:

  • What information will be collected about you and by whom?
  • Who has access to it, and for what purposes?
  • What privacy and security protections do they have in place?
  • Do you have any control over the use and dissemination of the information that is collected?
  • Do they comply with HIPAA or any state privacy laws?

13. Additional Resources


PRC Resources on Employee Privacy


Federal Government Agencies:

U.S. Department of Health and Human Services
Toll Free: 1-877-696-6775

For more on health information in the workplace, see the U.S. Department of Health and Human Services webpage on Employers and Health Information in the Workplace.


U.S. Department of Labor
Toll Free: 1-866-4-USA-DOL (1-866-487-2365), TTY: 1-877-889-5627


Equal Employment Opportunity Commission
Phone: (202) 663-4900; TTY: (202) 663-4494


Federal Trade Commission
Toll-free helpline: 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261

FTC resources on employment background checks


To learn about employers’ responsibilities regarding employee background checks, see the Federal Trade Commission’s Using Consumer Reports: What Employers Need to Know.


California Government Agencies:

California Department of Insurance
Consumer Services Division
(800) 927-HELP (4357)  (within California)
(213) 897-8921   (Outside California)
(800)-482-4833  (TDD)


California Department of Industrial Relations


California Department of Fair Employment and Housing

 The California Department of Fair Employment and Housing's (DFEH) publication titled Employment Inquiries describes what an employer can and cannot ask of a job applicant, an applicant who has been offered a job, or a current employee.


California Law:

California legislative information.



The National Workrights Institute advocates for workplace justice and the enforcement of human rights in the workplace.

See the Council for Disability Rights’ publication Employment Rights Under the Americans with Disabilities Act (and other related laws).


Originally funded in 2012 with cy pres award from Rodriguez et al. v. NDHealth et al.

Updated in 2017 with funding from the Rose Foundation for Communities and the Environment.