Employees are often required to disclose medical information to CBP, for example, in support of an absence of more than three days; in support of a request for leave under the Family and Medical Leave Act or other leave program; and in support of a request for reasonable accommodation. In addition, an employee may share medical information with a manager even when not required to—in support of an explanation for a particular incident, for example. However a manager obtains such information, the manager may not further disclose the medical information except to persons with a need to know.
There are procedures in place for dealing with unauthorized disclosures of information protected by the Privacy Act, including an employee’s medical information. Any loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or similar occurrence with respect to protected information, including medical information, is termed a “Privacy Incident,” and is governed by the Department of Homeland Security (DHS) Privacy Incident Handling Guidance (PIHG), revised December 2017. These procedures detail how DHS responds to a privacy incident, whether it occurs electronically or on paper, and set out the obligation to protect Personally Identifiable Information (PII).
The PIHG requires DHS personnel to inform their Program Manager (i.e., a second level supervisor or higher) immediately upon discovery or detection of a Privacy Incident, regardless of the manner in which it occurred. Appendix D, DHS Privacy Playbook: Handling Process Overview, provides an overview and checklist for the incident reporting process. These procedures apply to both suspected and confirmed incidents involving PII. How CBP is required to respond to a Privacy Incident depends upon the seriousness of the incident.
When properly adhered to, CBP's privacy protocols for proper maintenance and sharing of PII represent the best practices for safeguarding PII and also help to protect CBP employees from criminal liability stemming from violations of the Privacy Act.
Suspected or confirmed privacy disclosure incidents should be reported to the CBP Security Operations Center via email at CSIRC@cbp.dhs.gov or telephone at (703) 921-6507. In the case of a privacy incident involving medical information, a statement should be provided regarding the nature (e.g., electronic, paper, verbal) of the suspected disclosure, what was disclosed, by whom, to whom, and any other facts regarding the disclosure.
Under the Privacy Incident Handling Guidance (PIHG), CBP must take mitigating action depending on the nature of the incident to try to reduce the risk of harm. In an instance of a single disclosure of one employee’s medical information beyond those with a need to know, mitigation could include having extra copies of medical records destroyed and other measures designed to limit further dissemination. Although it does not help to mitigate the disclosure, the review and/or investigation of the circumstances of disclosure may also result in counseling, discipline, or, in the instance of an intentional disclosure, referral of a criminal violation pertaining to the person who caused the disclosure.
Employees may be eligible to receive monetary damages for disclosure of private medical information. The Rehabilitation Act (Rehab Act) requires federal managers to place employee medical information on separate forms and in separate medical files, to treat those files as “confidential medical records,” and to keep all employee medical information confidential. Such medical information may not be disclosed unless permitted by a particular exception in the Rehab Act.
Any violation of this provision is by itself a violation of the Rehab Act and entitles the employee to damages, even if the employee suffers no harm. Because the Rehab Act protects access to medical information, it is a per se violation of the Rehab Act to provide unauthorized access to an employee’s medical information, even if no one actually sees the information. The amount of damages awarded is likely to depend on how the disclosure occurred (whether it was inadvertent or intentional) and whether the disclosure caused any harm.