Google employees were recently required to share personal health information with a third-party AI tool or else forego health benefits. Amid significant employee concerns for medical privacy, Google retracted this policy, making disclosure optional. But worker medical privacy remains under attack nationally.
Despite over 2.5 million job-related injuries and illnesses annually and the proliferation of patient medical information as technology grows, injured workers often do not enjoy medical privacy protections that even prisoners can count on.
This surprising denial of medical privacy is the result of our current approach to workers’ compensation. State constitutional and statutory privacy protections may not apply to workers who file for workers’ compensation. And federal medical privacy protections are judicially construed to exempt workers’ compensation processes.
As a result, injured workers — many with severe disabilities — face a difficult choice: file for workers’ compensation benefits for their injuries or else protect their medical privacy.
The situation is different for almost all other patients who seek medical care. The federal Health Insurance Portability and Accountability Act’s privacy rule requires that physicians who maintain electronic health or billing records must protect “individually identifiable health information.”
Such information includes diagnoses and even demographic information, such as residential addresses, which may be used to identify a patient. Outside patient treatment, disclosures are often limited to the “minimum necessary.” The goal is to protect patients from unwanted disclosures that may be stigmatizing or otherwise harmful.
Medical disclosures may indeed prove very stigmatizing. Without protection, unrelated medical information such as mental health information could be prejudicially used to deny workers’ compensation claims. Stigmatizing information could be disclosed to third parties affecting future employment and insurability. Prejudicial communications may also occur between employers and their agents and treating physicians.
In fact, these types of disclosures are routinely outlawed in medical malpractice and employment discrimination claims due to the potential harms they may cause.
Further, lack of medical privacy for workplace injuries is especially concerning because, in most states, workers cannot sue their employers for their injuries and may only obtain compensation and medical care for workplace injuries through workers’ compensation.
How we arrived here is a complex story of federalism, judicial interpretation and state inaction.
States historically protected the privacy of their citizens and administered their own workers’ compensation systems under their 10th Amendment powers. Federal medical privacy regulations thus contain an exception for workers’ compensation that assumes states will address injured workers’ privacy through their own laws.
This exception has been widely misinterpreted by courts as eliminating federal privacy protections if states fail to act. And states have not filled in the gaps of privacy protection.
In a 2025 published survey, states failed to protect workers’ privacy in five areas: scope of disclosure, authorization for disclosure, ex parte communications (i.e., communications between opposing parties and treating physicians), notice of such communications and protective orders (i.e., orders issued by a court to limit the scope of disclosure).
To be sure, states have the power to administer their own workers’ compensation schemes and must be able to process claims efficiently. Many states impose a limited window on obtaining medical information and distributing benefits.
It would not be in the spirit of the federal medical privacy laws to let workers impede the administration of claims by failing to disclose information or delay its disclosure — perhaps by pressuring their physicians to limit or not disclose relevant medical information. But there is a significant difference between the efficient administration of workers’ compensation claims and voiding medical privacy requirements altogether.
The solution could be judicial, legislative or both. Courts could adopt the federal privacy standards as a floor for privacy protections, perhaps following clarification from Health and Human Services that the exemption for workers’ compensation was not intended as a waiver of medical privacy.
States could pass laws consistent with this standard, but responsive to their unique circumstances. If states fail to adopt privacy protections, the federal standards could apply.
Alternatively, states could promulgate their own standards and rules to protect privacy, informed by the best practices of some states. For example, states could limit the scope of disclosure strictly to the injury at issue, adopt a relevant time frame for medical record disclosure and require authorization for disclosure. Ex parte communications could be prohibited altogether or subject to notice requirements and protective orders to limit scope.
Injured workers deserve the same privacy protection as other patients.
Ani B. Satz, Ph.D., JD, is professor of Law and Public Health and director of the Project on Health Law, Policy & Ethics at Emory University. Her expertise focuses on tort and health law and she is the author of a body of work about workers’ compensation and medical privacy.
