Data Privacy Rules on Employer Request for Medical Records Philippines

1) The Core Issue

Employers in the Philippines often request medical information for legitimate reasons—pre-employment medical exams, fitness-for-work clearance, sick leave validation, workplace safety, accommodation for disability, or assessment of occupational disease. But medical records are sensitive personal information. As a rule, an employer cannot demand or collect medical records without a lawful basis and strict safeguards, and an employee generally has the right to limit disclosure to what is necessary.

This topic sits at the intersection of:

  • Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations (IRR),
  • NPC (National Privacy Commission) principles and standard expectations for organizational compliance,
  • Labor and employment practice (fitness for work, occupational safety, leave administration),
  • Patient confidentiality and medical ethics (for doctors and clinics), and
  • Anti-discrimination and workplace accommodation principles (e.g., disability).

2) Why Medical Records Are “Sensitive Personal Information”

Under the Data Privacy Act (DPA), sensitive personal information includes information about an individual’s health, medical treatment, and any records that can reveal diagnosis, condition, medication, mental health status, and similar data.

Because of this classification:

  • The threshold for lawful processing is higher than for ordinary personal information.
  • Employers must satisfy an applicable lawful criterion and comply with core privacy principles.
  • Mishandling can result in administrative liability and, in serious cases, potential criminal exposure under the DPA.

3) The Governing Privacy Principles Employers Must Follow

Even when an employer has a lawful basis, it must still comply with these baseline rules:

A) Transparency

Employees must be informed of:

  • What medical data is being collected,
  • Why it is needed,
  • How it will be used,
  • Who will have access,
  • How long it will be retained, and
  • The employee’s rights (access, correction, objection, etc.).

B) Legitimate Purpose

The employer must have a specific, lawful, and legitimate purpose, not vague catch-all purposes like “company records.”

C) Proportionality (Data Minimization)

The employer must collect only what is necessary for the declared purpose.

Practical meaning: If “fit to work / unfit to work” is enough, requiring full diagnosis details or entire hospital charts is usually excessive.

D) Security (Organizational, Physical, and Technical)

Employers must implement safeguards appropriate to sensitive health data:

  • Need-to-know access control,
  • Secure storage,
  • Confidential handling and transmission,
  • Limited copies,
  • Audit trails where feasible,
  • Clear disposal/retention rules.

E) Accountability

The employer must be able to demonstrate compliance (policies, training, privacy notices, contracts with clinics, incident response plan).


4) When an Employer May Lawfully Request or Process Medical Records

There is no one-size-fits-all “employer right” to medical records. Legality depends on purpose, scope, and lawful basis.

Common legitimate scenarios:

A) Pre-employment / employment medical examinations

Employers may require a pre-employment medical exam to determine fitness for the job—especially where physical or safety requirements exist. However, the employer typically should receive a result summary (e.g., fit, fit with restrictions, temporarily unfit) rather than full clinical records unless truly necessary.

B) Fitness-for-work clearance and return-to-work evaluation

After illness/injury, employers may ask for a medical certificate or clearance indicating whether the employee can safely perform duties and any restrictions.

C) Sick leave verification and benefits administration

To validate sick leave or medical reimbursement, employers may request documentation. But proportionality still applies: often, a medical certificate or billing summary is enough.

D) Occupational safety and health / workplace hazard management

Where work poses risk to self/others (e.g., operating heavy machinery, safety-critical roles), health information may be required to manage risks and comply with workplace safety obligations. Even then, the employer must limit collection to what is required to assess safety.

E) Reasonable accommodation and disability-related adjustments

Health information may be necessary to assess accommodations or modified duties. The employer should collect only information relevant to functional limitations and required accommodations, not unrelated health history.


5) Consent: When It Is Used, and Why It’s Tricky in Employment

A) Consent is not always the best “legal basis” in employment

In employer-employee relationships, consent can be questioned as not freely given due to imbalance of power. In practice, employers often rely on consent forms, but privacy compliance should not rest on consent alone when another lawful criterion applies.

B) If consent is used, it must be valid

Valid consent must be:

  • Specific and informed,
  • Freely given,
  • Time-bound and purpose-bound,
  • Documented,
  • Revocable (with consequences explained if refusal makes the employer unable to process a legitimate request).

C) Practical result: “Limited consent” is common

Employees may consent to disclosure of:

  • Fitness status, restrictions, expected duration of incapacity,
  • Work limitations,
  • Confirmation of consultation and general nature (when appropriate), without consenting to disclosure of full diagnostic records.

6) The Employer’s “Need to Know” vs. “Nice to Know”

A) What employers usually may ask for (proportionate examples)

  • Fit/unfit to work, with restrictions
  • Expected duration of inability to work
  • Work limitations (e.g., no lifting >10kg)
  • Whether condition is contagious (when relevant to workplace safety)
  • Whether medication affects safety-critical tasks (when relevant)

B) What is often excessive or high-risk

  • Full hospital charts or complete medical history
  • Detailed psychiatric notes or therapy records
  • HIV status, pregnancy details, fertility treatments, genetic data—unless clearly required by law or strictly necessary for a specific legitimate purpose and handled with heightened safeguards
  • “Any and all medical records” blanket authorizations

Key point: Employers should focus on capacity/function and work restrictions, not detailed diagnosis, unless the job risk profile or a specific legal duty makes it necessary.


7) Who in the Company May Access Medical Records

Because medical data is sensitive, access should generally be limited to:

  • Occupational health physician/company doctor or medical unit,
  • A restricted HR subset responsible for leave/benefits,
  • Compliance/safety officers where needed,
  • Management only to the extent necessary (e.g., work restrictions without diagnosis details).

A best-practice setup is a two-layer model:

  • Medical unit holds detailed information,
  • HR/management receives only functional restrictions and clearance status.

8) Third Parties: Clinics, Company Doctors, and Processors

Employers often engage:

  • A clinic for annual physical exams,
  • A hospital for medical clearance,
  • A third-party HMO administrator.

In privacy terms:

  • The clinic/HMO may be a separate personal information controller for its own purposes (patient care).
  • When processing for the employer’s defined purpose, a third party may act as a processor.

Employers should have:

  • A written agreement setting confidentiality and security obligations,
  • Clear rules on what the clinic is allowed to disclose to the employer,
  • A defined reporting format (e.g., “fit/unfit” outcomes).

9) Employee Rights When an Employer Requests Medical Records

Employees generally have rights to:

  • Be informed (privacy notice)
  • Object (especially when request is excessive)
  • Access and correct information held by the employer
  • Data portability (where applicable)
  • File a complaint for misuse or overcollection
  • Claim damages under applicable civil principles if harmed, depending on facts

In practice, an employee can:

  • Ask for the specific purpose and legal basis
  • Offer an alternative document (e.g., a medical certificate stating restrictions) instead of full records
  • Ask who will receive/access the information
  • Ask the retention period and security measures

10) Handling Refusal: Can an Employee Decline?

A) It depends on necessity

An employee may reasonably refuse if:

  • The request is overly broad,
  • The employer cannot articulate a legitimate purpose,
  • The employer refuses to apply proportionality.

However, if the information is truly necessary to:

  • Determine fitness for duty,
  • Manage workplace safety risks,
  • Process benefits/leave that require documentation,

…then refusal may have employment consequences (e.g., inability to grant certain benefits or inability to allow return to safety-critical work) provided the employer’s request is lawful, proportionate, and properly documented.

B) The lawful middle ground

The common practical solution is partial disclosure:

  • Provide fit-to-work clearance and restrictions without full diagnosis,
  • Allow the company doctor to validate details while HR gets a limited output.

11) Confidentiality Breaches and Common Employer Mistakes

A) Common violations

  • HR circulating diagnosis details to managers or teams
  • Posting medical information in group chats or shared drives
  • Using medical details to shame or pressure employees
  • Using medical records to discriminate (promotion/termination decisions) without lawful basis
  • Keeping medical records indefinitely “just in case”
  • Collecting health data unrelated to work

B) Breach response obligations (practical)

Organizations should have:

  • Incident response procedures,
  • Internal reporting,
  • Containment and remediation,
  • Assessment whether the breach is notifiable (depending on severity and risk),
  • Documentation of actions taken.

12) Special Topics Often Involved

A) Mental health records

Mental health information is particularly sensitive. Employers should generally avoid collecting detailed therapy notes or psychiatric records. Fitness-for-work certification and functional limitations are usually sufficient.

B) Infectious diseases

For workplace safety, employers may need limited information (e.g., whether the employee is cleared to return, required isolation period). Overcollection remains improper.

C) Drug testing

Drug test results are sensitive. Employers should ensure:

  • Clear policy basis,
  • Strict access control,
  • Only authorized personnel receive results,
  • Procedures are consistent and nondiscriminatory.

D) Pregnancy and reproductive health

Employers should avoid unnecessary collection and ensure decisions do not discriminate unlawfully. Focus on workplace restrictions and accommodations.


13) Retention and Disposal: How Long Can Employers Keep Medical Records?

There is no single universal retention period for all employers, but under privacy principles:

  • Keep medical records only as long as necessary for the declared purpose,
  • Align retention with:
    • statutory retention requirements (if applicable),
    • limitation periods for claims,
    • audit requirements for benefits.

Employers should implement:

  • A retention schedule (e.g., shorter for routine certificates; longer for occupational exposure records if required),
  • Secure destruction procedures (shredding, secure deletion),
  • A policy for separation/resignation cases.

14) Best-Practice Compliance Model for Employers

A compliant process typically looks like:

  1. Publish a clear privacy notice for employee health data
  2. Use standardized forms that request minimal necessary data
  3. Route details through company doctor/medical unit
  4. Provide HR/management with restricted outputs (fit status/restrictions)
  5. Restrict access via role-based permissions
  6. Store records in a segregated, secured repository
  7. Train HR and supervisors on confidentiality
  8. Apply retention limits and secure disposal
  9. Establish a breach response mechanism
  10. Document decisions to demonstrate accountability
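As an added illustration (not from the original article) of the two-layer model in section 7 and steps 3 to 5, 8 and 10 above: a Python sketch in which the medical unit holds the full record, every other role receives only a functional projection, each access is logged, and records past their retention period are refused. The role names, field sets and retention schedule are constructed assumptions, not anything the article or Philippine law prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class HealthRecord:
    employee_id: str
    purpose: str                 # declared purpose the data was collected for
    fit_status: str              # "fit", "fit_with_restrictions", "temporarily_unfit"
    restrictions: tuple          # functional limits only, e.g. ("no lifting >10kg",)
    unfit_until: Optional[date]  # expected duration of incapacity, if any
    diagnosis: str               # clinical detail: stays inside the medical unit
    collected_on: date

# Role -> fields that role may see (assumed roles). Diagnosis never leaves the
# medical unit; HR and managers get only clearance status and restrictions.
ROLE_FIELDS = {
    "medical_unit": {"employee_id", "purpose", "fit_status", "restrictions",
                     "unfit_until", "diagnosis", "collected_on"},
    "hr_leave":     {"employee_id", "fit_status", "restrictions", "unfit_until"},
    "line_manager": {"employee_id", "fit_status", "restrictions"},
}
# Constructed retention schedule (days per declared purpose); real periods
# depend on statutory, claims-limitation and audit requirements.
RETENTION_DAYS = {"return_to_work": 365, "sick_leave_validation": 730}
AUDIT_LOG = []  # (role, employee_id, outcome): a minimal audit trail

def retention_expired(record, today):
    """True once the record is older than its purpose allows; an undeclared
    purpose gives no basis to keep it at all."""
    limit = RETENTION_DAYS.get(record.purpose, 0)
    return today > record.collected_on + timedelta(days=limit)

def release(record, role, today):
    """Return the role's projection of the record, refusing unknown roles and
    expired records, and log every attempt."""
    if role not in ROLE_FIELDS:
        AUDIT_LOG.append((role, record.employee_id, "denied:unknown_role"))
        raise PermissionError(f"role {role!r} may not access health data")
    if retention_expired(record, today):
        AUDIT_LOG.append((role, record.employee_id, "denied:retention_expired"))
        raise PermissionError("record past retention period; dispose securely")
    view = {f: getattr(record, f) for f in ROLE_FIELDS[role]}
    AUDIT_LOG.append((role, record.employee_id, "released:" + ",".join(sorted(view))))
    return view

# Constructed sample: a return-to-work clearance with one functional restriction
SAMPLE = HealthRecord("E-1001", "return_to_work", "fit_with_restrictions",
                      ("no lifting >10kg",), None, "lumbar strain (sample)", date(2024, 3, 1))
```

A line manager asking for the sample record gets only the employee id, fit status and the lifting restriction; the same request after 1 March 2025 is refused and logged as a retention failure.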

15) Practical Takeaways for Employees and Employers

For employees

  • Employers may request medical information, but only for legitimate, specific purposes and only to the extent necessary.
  • It is generally reasonable to provide clearance/restrictions rather than full records unless there is a strong justification.
  • Ask for the privacy notice, purpose, recipients, retention period, and safeguards.

For employers

  • Medical records are sensitive personal information—treat them as high-risk data.
  • Avoid blanket authorizations and diagnosis collection unless necessary.
  • Use the company doctor/clinic model to minimize internal exposure.
  • Implement strict access controls and retention rules to reduce liability.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.