An Equal Employment Opportunity Commission advisory letter to a federal agency on the handling of employee medical records can provide guidance to private employers.
According to the letter, employees who are not authorized to access employee medical information often overhear medical records custodians (MRCs) discussing employees’ medical conditions by telephone and in person, and may also pick up and read medical documents from a shared fax machine. The EEOC letter advises that the employer “should take steps to guarantee the security of each employee’s medical information.” The letter goes on to state:
“First, you should remind all employees that medical information is confidential and that only MRCs are authorized to have access to such information on a need-to-know basis. For example, you might issue a memorandum informing all employees that anyone who discusses another employee’s medical information with unauthorized persons or reads medical documents not intended for him or her will be disciplined. Further, to ensure that other employees, including other MRCs, cannot overhear conversations about an employee’s confidential medical information, you could provide an office with a door that an MRC can use when he or she needs to discuss an employee’s medical condition or history by telephone or in person. A fax machine that is shared only by other MRCs also could be installed in this office with the door kept locked except when in use by an MRC. Further, you should remind MRCs to keep any employee medical information in a locked file cabinet in their cubicles or in a file cabinet in the shared office to which only other MRCs have access. Finally, you should periodically audit your policies and procedures to make sure that you are doing everything possible to guarantee the confidentiality of employee medical information and protect against unauthorized disclosures.”


