Employee Medical Confidentiality & Privacy in the Philippine Workplace: A Complete Guide
For HR leaders, company physicians, safety officers, unions, and employees who need a clear, practice-ready reference.
1) The Big Picture
In the Philippines, health information in the workplace sits at the intersection of labor law, occupational safety and health (OSH), and data protection. The anchor rules are:
- Data Privacy Act of 2012 (R.A. 10173) and its IRR — governs how employers, clinics, and HMOs process employee health data (a type of sensitive personal information).
- Labor Code and OSH framework (R.A. 11058 and its IRR/DOLE issuances) — require employers to protect workers and manage medical surveillance/first aid, but without over-collecting or over-disclosing.
- Sectoral statutes that heighten confidentiality, e.g., Mental Health Act (R.A. 11036), HIV and AIDS Policy Act (R.A. 11166), Magna Carta for Women (R.A. 9710), and Magna Carta for Persons with Disability (R.A. 7277, as amended).
Key principle: collect the minimum health data necessary for a lawful, specific purpose; secure it; disclose on a strict need-to-know basis; and respect employee rights.
2) What Counts as Medical/Health Data?
- Sensitive personal information includes any data about health condition, medical history, diagnostics, lab results, medications, vaccination status, disability status, mental health notes, pregnancy, and drug test results.
- Derived or inferred data (e.g., “unfit for driving” after a vision test) is still health data if it reveals health status.
- Non-medical indicators (e.g., frequent sick leaves) are not health data by themselves, but entries that explain the reason (migraine, depression, pregnancy complications) are.
3) Lawful Bases for Processing Employee Health Data
Health data is sensitive personal information, so the narrower list of bases in Section 13 of the Data Privacy Act applies, not the general bases in Section 12 (which is where "contract necessity" and "legitimate interests" sit; they cover ordinary personal information only). Consent is one of the Section 13 bases, but in employment it is weak because of the power imbalance and can be withdrawn; prefer these where they fit:
- Existing law or regulation (Sec. 13(b)): OSH compliance, reportable accidents/illnesses, government reporting (SSS sickness benefits, PhilHealth claims), mandatory pre-employment and periodic medical exams for safety-sensitive roles, legally required drug testing in specific sectors.
- Protection of life and health (Sec. 13(c)): medical emergencies where the employee is not able to give consent; disclose only what responders or the hospital need.
- Medical treatment (Sec. 13(e)): processing by licensed health professionals (company physician, clinic, HMO) who are bound by professional secrecy, with adequate safeguards in place.
- Legal claims (Sec. 13(f)): establishing, exercising, or defending legal claims, or disclosure to a government or public authority.
- Fitness-for-work certifications and workplace safety measures that no specific law or regulation squarely covers still need one of the bases above or the employee's specific, prior consent. Map the basis for each process in writing and keep every measure proportionate and transparent.
Never process out of curiosity or for general profiling.
4) Core Privacy Principles Applied to Workplace Health Data
- Purpose limitation: state the exact reason (e.g., “fitness to work,” “respiratory surveillance for welders”).
- Data minimization: supervisors typically need work-ability status (“fit,” “fit with restrictions,” “unfit”)—not diagnoses.
- Accuracy: update records when new medical certificates supersede prior restrictions.
- Security: role-based access, locked cabinets or encrypted systems, separate storage from personnel files, audit logs, confidentiality undertakings.
- Retention: keep only as long as necessary. OSH/safety records usually outlive employment for legal defense and statutory periods; set written retention schedules and securely dispose when lapsed.
- Transparency: provide privacy notices explaining what is collected, by whom, for what purpose, retention, sharing, rights, and contact details of the Data Protection Officer (DPO).
5) Confidentiality Duties by Role
Company Physician/Clinic
- Owes doctor–patient confidentiality and must segregate clinical records from HR files.
- Releases only fitness conclusions and necessary restrictions (e.g., “no night shift,” “no chemical exposure”), not lab values or diagnosis—unless the employee expressly authorizes or a law requires limited disclosure.
HR and Line Managers
- Can receive: fit-to-work status, work limitations, and duration of restrictions.
- Should not receive: diagnoses, full medical histories, HIV status, psychotherapy notes, genetic information, pregnancy test results (unless the employee volunteers for accommodation), or medication lists.
HMO/Insurer and Occupational Health Providers
- Are separate personal information controllers (HMO/insurer) or processors (labs, occupational health providers acting on the employer's instructions). Use a data sharing agreement (DSA) with another controller and an outsourcing/processing contract with a processor. Share on a minimum necessary basis.
6) High-Sensitivity Categories (Extra Protections)
- HIV (R.A. 11166): strict confidentiality; unauthorized disclosure is penalized. Workplace testing cannot be coerced; results are tightly controlled.
- Mental health (R.A. 11036): records are confidential; accommodation and non-discrimination are emphasized.
- Pregnancy and reproductive health: disclosure must be employee-led; managers only receive necessary accommodations info. Discrimination is prohibited (R.A. 9710).
- Disability (R.A. 7277 as amended): limit disclosure to accommodation needs; avoid collecting diagnosis unless essential to implement the accommodation.
- Drug testing (R.A. 9165 and DOH/DOLE rules): only when mandated (e.g., drivers, security-sensitive roles) or implemented under a valid, proportionate company policy. Results are confidential and must not be used punitively outside lawful grounds and due process.
7) Typical Scenarios & What Is Allowed
A. Pre-Employment Medical Exam (PEME)
- Allowed: exams relevant to job requirements (vision for drivers, spirometry for dusty environments).
- Not allowed: broad fishing expeditions unrelated to the role; sharing full PEME results with recruiters or line managers.
- Output to HR: “fit,” “fit with restrictions,” or “unfit,” plus specific work limitations—no diagnosis.
B. Periodic Surveillance for OSH
- For exposure-prone roles (chemicals, noise, confined spaces), periodic checks are lawful.
- Keep aggregate, anonymized health trends for OSH programs; individual results remain confidential.
C. Sickness/Medical Leave & Return-to-Work
- HR may ask for a medical certificate to justify leave and assess fitness to resume work.
- Certificates should avoid diagnosis where possible; “unfit for work from [date] to [date] due to medical condition” is generally sufficient. If restrictions are needed, state them neutrally.
D. Vaccination/Immunization Records
- If required by law or OSH risk assessment, collect only proof of compliance or contraindication. Avoid storing full immunization histories unless necessary.
E. Emergencies & Contact Tracing Contexts
- Disclose only what responders need. Broad broadcast of an employee’s condition to the workforce is not appropriate; use neutral notifications (e.g., “A colleague in [unit] tested positive; here are next steps…”) without naming, unless strictly necessary and lawful.
F. Reasonable Accommodation
- The employee may disclose health info to trigger accommodation. HR shares only the operational restrictions with managers; diagnosis remains with clinic/DPO.
8) Employee Rights Over Their Health Data
- Right to be informed: clear notices about data collection and use.
- Right to access: copies of their medical records and data held by the employer/clinic (subject to reasonable procedures).
- Right to rectification: correct inaccuracies (e.g., wrong date, misattributed result).
- Right to object/withdraw consent: where consent is the sole basis and no overriding legal basis exists.
- Right to erasure/blocking: where processing is unlawful or retention has lapsed.
- Right to data portability (when technically feasible for structured data).
- Right to damages and to complain to the National Privacy Commission (NPC) for violations.
9) Disclosures: When Are They Lawful?
Disclose only if one of the following applies and you keep to the minimum necessary:
- Required by law/regulation (e.g., reportable diseases, OSH injury logs).
- Needed to establish, exercise, or defend legal claims (turnover to counsel).
- Medical emergency or to protect vital interests.
- Employee authorization (specific, informed, time-bound; ideally in writing).
- De-identified or aggregated data for OSH statistics or wellness programs.
Forbidden examples: emailing a team about someone’s diagnosis; asking peers to confirm rumors about a colleague’s mental health; posting lab results in shared drives.
10) Security Controls that Pass Muster
- Governance: appoint a DPO; maintain a privacy management program; conduct privacy impact assessments (PIAs, often called DPIAs) for high-risk processing (e.g., drug testing, telemedicine).
- Access control: “clinic-only” access for charts; HR sees only fit-status. Implement role-based access and need-to-know approvals.
- Technical: encryption at rest/in transit, MFA for EHR systems, audit trails, automatic log-off, encrypted backups, secure telemedicine platforms.
- Physical: locked file rooms, visitor logs, shredders, clean-desk rules.
- Vendor management: DSAs/processing agreements with HMOs, labs, cloud providers; due diligence and periodic audits.
- Training: annual privacy and confidentiality training; specific playbooks for managers on “what to say/not say.”
- Breach response: detect, contain, assess risk, and notify the NPC and affected employees within 72 hours of knowledge when the breach involves sensitive personal information and is likely to give rise to a real risk of serious harm (NPC Circular 16-03); document root cause and corrective actions.
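The access-control and aggregation points above (and the role outputs in section 5 and the "aggregate, anonymized trends" in section 7.B) are easiest to get right when the clinic record itself is structured so that HR and managers can only ever receive work-ability fields. The following is an added illustration, not code from any HRIS or clinic system: the chart layout, role names, restriction codes and the suppression threshold are assumptions chosen for the example. It shows three controls in working form: field-level projection by role with an access log, coded (not free-text) restrictions so a manager-safe summary cannot smuggle a diagnosis, and small-count suppression with complementary suppression when building per-unit OSH statistics.

```python
"""Field-level minimization, access logging and small-count suppression for
workplace health records.  Added illustration; the record layout, roles,
restriction codes and thresholds are assumptions, not taken from any statute
or NPC issuance."""
from collections import Counter, defaultdict
from datetime import date, datetime, timezone

# Role -> fields that role may see (need-to-know).  The clinic keeps the full
# chart; HR and line managers get work-ability outputs only, never diagnosis
# or lab results.  Role names are assumed for the example.
ROLE_FIELDS = {
    "clinic": None,  # None = full chart
    "hr": {"employee_id", "fitness", "restrictions", "until", "review_on"},
    "line_manager": {"employee_id", "fitness", "restrictions", "review_on"},
}

# Restrictions are coded, not free text, so a manager-safe output cannot carry
# a diagnosis in prose.  The codes are assumed examples.
RESTRICTION_CODES = {
    "NO_NIGHT_SHIFT": "day shift only",
    "NO_LIFT_10KG": "no lifting over 10 kg",
    "NO_CHEM_EXPOSURE": "no chemical exposure",
    "NO_DRIVING": "no company driving",
}
FITNESS_VALUES = {"fit", "fit_with_restrictions", "unfit"}

AUDIT_LOG = []  # an append-only store in practice; a list here for illustration


def make_chart(employee_id, unit, fitness, restrictions, until, review_on, diagnosis, labs):
    """Build a clinic chart; reject uncoded restrictions and bad fitness values."""
    if fitness not in FITNESS_VALUES:
        raise ValueError(f"unknown fitness value: {fitness!r}")
    bad = [r for r in restrictions if r not in RESTRICTION_CODES]
    if bad:
        raise ValueError(f"uncoded restriction(s) {bad}: use RESTRICTION_CODES, not free text")
    if fitness == "fit" and restrictions:
        raise ValueError("'fit' cannot carry restrictions")
    return {"employee_id": employee_id, "unit": unit, "fitness": fitness,
            "restrictions": list(restrictions), "until": until, "review_on": review_on,
            "diagnosis": diagnosis, "labs": labs}


def view_chart(chart, role, requester, purpose):
    """Return only the fields this role may see, and log who looked and why."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"role {role!r} has no access to clinic charts")
    allowed = ROLE_FIELDS[role]
    view = dict(chart) if allowed is None else {k: chart[k] for k in allowed}
    if allowed is not None:  # expand codes into manager-safe wording
        view["restrictions"] = [RESTRICTION_CODES[c] for c in view["restrictions"]]
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "who": requester,
                      "role": role, "employee_id": chart["employee_id"],
                      "purpose": purpose, "fields": sorted(view)})
    return view


def osh_trend(charts, min_cell=5):
    """Per-unit counts of fitness outcomes for OSH reporting.  Units smaller than
    min_cell are reported as a total only, and cells below min_cell are hidden
    (None) so small groups cannot be re-identified."""
    counts = defaultdict(Counter)
    for c in charts:
        counts[c["unit"]][c["fitness"]] += 1
    report = {}
    for unit, ctr in counts.items():
        total = sum(ctr.values())
        if total < min_cell:
            report[unit] = {"total": total, "suppressed": True}
            continue
        cells = {k: (v if v >= min_cell else None) for k, v in ctr.items()}
        hidden = [k for k, v in cells.items() if v is None]
        # Complementary suppression: one hidden cell plus the published total
        # would let a reader recover it by subtraction, so hide the next
        # smallest cell as well.
        if len(hidden) == 1 and len(cells) > 1:
            shown = [k for k, v in cells.items() if v is not None]
            cells[min(shown, key=ctr.__getitem__)] = None
        report[unit] = {"total": total, **cells}
    return report


# Constructed sample charts: fictional employees, units and findings.
_FIT = ("fit", [], None)
_ROWS = [
    ("E001", "welding") + _FIT, ("E002", "welding") + _FIT, ("E003", "welding") + _FIT,
    ("E004", "welding") + _FIT,
    ("E005", "welding", "fit_with_restrictions", ["NO_NIGHT_SHIFT"], date(2025, 7, 31)),
    ("E006", "welding", "unfit", [], date(2025, 6, 15)),
    ("E007", "office") + _FIT,
    ("E008", "office", "fit_with_restrictions", ["NO_LIFT_10KG"], date(2025, 8, 31)),
    ("E009", "lab") + _FIT, ("E010", "lab") + _FIT, ("E011", "lab") + _FIT,
    ("E012", "lab") + _FIT, ("E013", "lab", "unfit", [], date(2025, 6, 30)),
]
SAMPLE_CHARTS = [
    make_chart(eid, unit, fitness, codes, until, review_on=until or date(2026, 1, 1),
               diagnosis="constructed sample diagnosis", labs="constructed sample labs")
    for eid, unit, fitness, codes, until in _ROWS
]

if __name__ == "__main__":
    print(view_chart(SAMPLE_CHARTS[4], "line_manager", "mgr.santos", "shift planning"))
    print(osh_trend(SAMPLE_CHARTS, min_cell=3))
    print(AUDIT_LOG[-1])
```

Two design choices matter more than the code: restrictions come from a controlled vocabulary so the "manager-safe" output in section 13.B has nowhere to put a diagnosis, and the audit entry records the purpose alongside the fields released, which is what an access-log review (checklist item "Regular audits of access logs") actually needs. The suppression threshold is a policy decision; the example uses a small one only so the constructed data exercises both the unit-level and the cell-level branches.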
11) Retention & Destruction
- Set written schedules: e.g., PEME and fitness records for the duration of employment + X years, where X is aligned with the prescription periods for claims (for instance, three years for money claims under the Labor Code and four years for illegal dismissal actions under the Civil Code, plus any OSH liability period); incident logs per OSH rules; payroll/benefit claim docs per SSS/PhilHealth rules.
- Secure destruction: cross-cut shredding and certified disposal for paper; cryptographic erasure or verified overwrite for electronic media; keep destruction logs.
12) Discrimination & Fair Treatment
- Employment decisions must be job-related and proportionate. Having a medical condition, pregnancy, HIV status, or a disability cannot be the basis for adverse action unless the condition demonstrably prevents the person from performing essential job functions even with reasonable accommodation or poses an unmanageable safety risk.
- Keep medical data out of performance appraisals and disciplinary files except where strictly relevant and lawfully obtained.
13) Internal Policy Toolkit (Copy-Ready Outlines)
A. Short-Form Privacy Notice (clinic/HR)
- What we collect: limited health data for fitness-for-work, OSH compliance, benefits.
- Why: legal obligation/contract necessity/medical purposes.
- Who sees it: clinic staff and, where needed, HR/line managers receive work-restriction summaries (not diagnoses).
- How long: defined retention periods.
- Your rights: access, correction, objection, etc.; DPO contact.
B. Fitness-for-Work Template (Manager-Safe)
- “Employee is fit / fit with restrictions / unfit until [date]. Restrictions (if any): [e.g., no lifting >10kg; day shift only; no chemical exposure]. Review on: [date].”
- No diagnosis fields.
C. Accommodation Request Flow
- Employee informs HR/clinic; provides medical note with functional limitations.
- HR/clinic evaluates and proposes adjustments; involve HSE/line for feasibility.
- Implement and review; do not share diagnosis beyond clinic/DPO.
D. Drug-Testing Policy Highlights
- Applicability (roles/conditions), lawful bases, procedures, confirmation testing, confidentiality, due process for positives, EAP/referral pathways.
14) Common Pitfalls (and How to Avoid Them)
- Using consent as a crutch in employment — rely on clearer legal bases where applicable.
- Diagnoses in HR emails — restrict to fitness and restrictions.
- Over-retention — keep only as long as needed for OSH/legal defense.
- Unvetted wellness tech — run PIAs on apps, wearables, and telemedicine platforms before rollout.
- Open-access shared drives — segregate medical files with strict permissions.
- Rumor management — train managers to shut down health gossip and redirect to clinic/DPO.
15) Quick Compliance Checklist
- Appoint DPO; publish privacy notices.
- Separate clinic records from HR files; role-based access.
- Use fitness-only outputs for HR/line; no diagnoses.
- Lawful bases mapped per process (PEME, RTW, surveillance, drug testing).
- DSAs/processing contracts with HMO/labs/cloud.
- Retention & destruction schedule for medical data.
- Annual privacy/OSH training; manager scripts.
- Incident/breach response plan; notification playbook.
- Accommodation workflow documented.
- Regular audits of access logs and vendor controls.
16) Practical FAQs
Can HR demand to see my lab results? Generally no. HR should receive only the fitness outcome and necessary restrictions. Lab results stay with the clinic unless a law or a narrowly tailored need makes sharing essential and lawful.
Can my manager tell the team why I was on sick leave? They should not disclose your condition. Neutral communications (“on medical leave”) are sufficient.
Am I required to disclose pregnancy? No. You may disclose at your discretion to seek accommodations or benefits. Discriminating on the basis of pregnancy is unlawful (R.A. 9710 and the Labor Code).
What if my HIV status is accidentally shared? Unauthorized disclosure can trigger criminal/civil liabilities and administrative penalties. Report to the DPO and seek remedial action immediately.
Can the company require drug testing? Only if required by law or a valid, proportionate company policy aligned with DOLE/DOH rules, with confidentiality and due process.
Who do I complain to about a privacy breach? Internally to the DPO; externally to the National Privacy Commission. Labor remedies may also be available through DOLE/NLRC if adverse action occurred.
Final Word (Not Legal Advice)
This guide distills the prevailing standards for handling employee health information in the Philippines. Implementation details can vary by industry and risk profile. For high-stakes or contested situations (e.g., mandated testing, complex accommodations, or data breaches), consult Philippine counsel and your DPO to tailor controls and communications.