Employers continue to struggle with issues related to the privacy of employee medical records.
Although the new federal privacy rule (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not regulate businesses in their capacity as employers, the rule nevertheless generates a great deal of anxiety and confusion among employers, including:
In the case of employee medical records, however, a little Privacy Rule information goes a long way. The following questions and answers not only address the most commonly asked questions about employee medical records and the Privacy Rule, they also offer a basic understanding of the Privacy Rule from an employer’s perspective.
Q. What does the Privacy Rule regulate?
A. The Privacy Rule does not regulate every business entity and does not protect every medical record. Instead, the Privacy Rule places limits on the use or disclosure of health information related to an individual (referred to as Protected Health Information or PHI) by a covered entity (CE).
The regulatory definition of a CE is quite narrow. It only includes health care providers who engage in certain electronic transactions, group health plans, and health care clearinghouses (entities that process certain health care information). Employers not engaged in these health care-related activities are not CEs and are therefore not covered by the Privacy Rule.
Furthermore, employment records are excluded from the definition of PHI. This means that the Privacy Rule does not cover health information or medical records contained in employment records. You might think the analysis ends there. Unfortunately, it does not.
Q. If the Privacy Rule does not apply to my company or employment records, what do I have to worry about?
A. An employer’s responsibilities under the Privacy Rule can be quite tricky. For example, even if your company is not a CE, your company’s group health plan may bring it within the definition of a CE for the purposes of Privacy Rule compliance.
Although the Privacy Rule does not cover employers, certain health plans do fall within the definition of a CE. Since there may be little practical distinction between an employer and its health plan, many employers must comply with the Privacy Rule if they sponsor certain health plans.
Unless your company’s group health plan has fewer than 50 participants (as defined under ERISA) and it is self-administered, it is covered by the Privacy Rule. Employee assistance programs, flexible spending accounts, and vision and dental plans may also fall within the Privacy Rule’s definition of a health plan.
If such health plans are completely administered by a third party, leaving your company with no plan administration duties, your company may rely on the third party for compliance. Otherwise, your company must determine its obligations and adopt the necessary policies and procedures under the Privacy Rule. Remember, though, even if the Privacy Rule covers your health plan, your company’s employment records not related to the health plan remain exempt from the Privacy Rule.
Q. How do we handle employee medical records for the purpose of the FMLA and ADA?
A. To comply with the ADA, an employer may need medical information to accommodate an employee’s disability or to determine whether an employee is capable of performing a particular job or task. An employer may also seek medical records for certification purposes under the FMLA. In most cases, the Privacy Rule prevents a CE from disclosing medical information absent the patient’s written authorization.
Since your employee’s health care provider is most likely a CE, your requests for medical information from your employee’s health care provider must comply with the Privacy Rule’s authorization rules. You can, however, avoid the Privacy Rule altogether by having the employee obtain the information from his or her physician and then provide it to you.
Regardless of which way you obtain the information, once it is part of the employee’s employment record, it is not covered by the Privacy Rule, although you may have continuing obligations under the ADA or state law to protect the confidentiality of that information.
Q. Will HIPAA affect the way we handle workers’ compensation claims?
A. The Privacy Rule allows a health care provider to disclose medical information to an employer if the information is needed to comply with state workers’ compensation laws. Thus, your state laws will continue to determine the extent to which a health care provider is required to disclose health information related to a workers’ compensation claim.
Q. How do we handle employee drug tests, pre-employment physicals, and fitness for duty examinations?
A. As is the case with the disclosures discussed above, an employer must obtain an employee’s prior written authorization in order to get the employee’s medical information or lab results from a CE. Once the medical information or lab results become employment records, the Privacy Rule does not cover them. You must not, however, overlook state and federal laws that may require special treatment of this type of medical information.
Q. How will HIPAA affect our on-site clinic?
A. In order to be a CE, a health care provider must engage in certain electronic transactions regulated by the federal government. These electronic transactions involve enrollment and disenrollment in a health plan; claims or encounter information; determining eligibility for the health plan; referral certification and authorization; health care claim status inquiries; payment and remittance advice; health plan premium payments; and coordination of benefits. Because most on-site clinics do not engage in these electronic transactions, they are not CEs and, consequently, do not have to comply with the Privacy Rule.
John A. Cogan, Jr. is an associate in the health care practice group at Partridge Snow & Hahn LLP in Providence, R.I. He focuses on health care regulatory compliance, providing counsel in areas such as HIPAA, Medicare and Medicaid.