HIPAA Doesn’t Protect All Employee Medical Information


It’s safe to say that the U.S. is discussing health care, regardless of your political views. Today’s post isn’t to tell anyone how they should feel about the Affordable Care Act (ACA). However, with the discussion about health care comes a lot of disclosures about medical information. As in, “I’m an employee who has XX medical condition and this is what I think about ….” or “My spouse/child/etc. has XX medical condition and therefore, we need to do…”

In the latest newsletter from the firm of Foley & Lardner LLP, labor and employment attorney Mark Neuberger reminded employers about the privacy rule under the Health Insurance Portability and Accountability Act (HIPAA). I thought the information was timely, so I asked him if he would share his knowledge and, luckily, he said yes.

Please remember that Mark’s comments should not be construed as legal advice or as pertaining to any specific factual situations. If you have detailed questions, you should address them directly with your labor counsel.

Mark, give us a brief description of HIPAA.

[Neuberger] The Health Insurance Portability and Accountability Act of 1996 or, as it is more commonly known, HIPAA, is a federal law that was enacted to ensure protection of individuals’ protected health information (PHI). The Standards for Privacy of Individually Identifiable Health Information (aka the ‘Privacy Rule’) issued by the Department of Health and Human Services (HHS) established detailed national standards for the protection of PHI.

In general, HIPAA protects individuals from the unauthorized use or disclosure of any PHI. Most employers, knowing they almost always have some health-related information on their employees gathered from things such as workers’ compensation claims, fringe benefit administration, and administration of leave and absenteeism policies, should be rightfully concerned about their compliance with HIPAA’s Privacy Rule.

Why should HR professionals be focused on HIPAA’s Privacy Rule?

[Neuberger] I’ve been fielding lots of calls from HR managers lately who always start with the proposition that any medical information they have about their employees is protected by the HIPAA Privacy Rule. In most instances, this is not the case.

HR professionals should develop policies and procedures to secure what employees believe are their confidential medical records. Train your management to know what they can ask and what they would be better off not asking. It may not be PHI but that doesn’t mean you want TMI (Too Much Information). TMI is information you don’t really need to make appropriate management decisions. The fact you have TMI can be used by an employee to make out the elements of a discrimination claim.

TMI negates the ‘Huh, I didn’t know defense.’ The best way to defend a claim of discrimination is by being able to say ‘How could I have discriminated against the employee when I had no idea they (had cancer, are taking lithium, seeing a psychiatrist, etc.)’. If you have TMI and know these things because you made inquiries into things you maybe should not have, you can’t invoke the ‘Huh, I didn’t know defense.’

Does the HIPAA Privacy Rule apply to all employers?

[Neuberger] The HIPAA Privacy Rule only applies to ‘Covered Entities,’ which are defined by the regulations as:

1. A health plan;

2. A health care clearinghouse; and

3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter;

and to their ‘Business Associates,’ which are vendors that provide services for or on behalf of Covered Entities involving PHI.

Under this definition, Covered Entities are health plans, health care clearinghouses, and health care providers. Thus, the Privacy Rule WILL apply to employers if they somehow operate as a health plan, a health care clearinghouse, or a health care provider. Most other employers will not be ‘Covered Entities.’ Note that many employers function as the plan sponsor of a group health plan, but that does not make the employer itself a ‘Covered Entity’ under HIPAA.

You recently helped answer a reader question on the HR Bartender blog about “Keeping Employee Records Secure”. Where is PHI typically found?

[Neuberger] Most of the information contained in an employer’s personnel files and records is not PHI. The regulations state ‘Protected health information excludes individually identifiable health information…in employment records held by a covered entity in its role as an employer.’ Thus, even the information held in employment records by healthcare institutions is generally not governed by HIPAA.

The fact that the information you maintain in employment records about your employees is not regulated by HIPAA should not be the basis to ignore legitimate privacy concerns of your employees. You may be subject to various state privacy laws which afford different and additional protections to your employees than does HIPAA. Additionally, employers may have to deal with a knowledge gap in that many employees firmly but wrongly believe they are entitled to HIPAA protection over their workplace medical records.

HR professionals sometimes hear about medical information when discussing workers’ compensation claims. Does this factor into the Privacy Rule?

[Neuberger] The Privacy Rule gives employers a break. The rule recognizes that employers, their workers’ compensation insurers and claims administrators have a legitimate need to access detailed medical records in order to efficiently administer the workers’ compensation system. In many cases, the Privacy Rule allows covered entities, those providing the medical treatment to your injured employees, to disclose treatment information without violating HIPAA.

Last question. What are 1-2 things HR professionals can do to stay on top of HIPAA’s Privacy Rule?

[Neuberger] This is a complicated and constantly evolving area of the law so employers should get smart and stay smart as to all the applicable laws. Don’t forget the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA). These laws have plenty to say about employee medical records.

• Title I of the ADA provides that information obtained by an employer regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a ‘confidential medical record.’ 29 C.F.R. §1630.14(b)(1).

• Similarly, if an employer has genetic information obtained under one of GINA’s limited exceptions, they must also keep this information separate from personnel files and treat it as a confidential medical record. This information may be maintained in the same file as medical information obtained under the ADA. 29 C.F.R. §1635.9.

Finally, when asking your employees to provide any medical information be it to administer leave, fringe benefits, or workers’ compensation, get a properly drafted release and consent from the employee.

My thanks to Mark for sharing his knowledge. If you want to stay on top of HIPAA and other legal issues, be sure to check out SHRM’s HIPAA resources located under the resources and tools section of their website.

Whenever there’s a new administration, there are new laws. Sometimes we can get so focused on what might happen that we lose sight of the laws currently in place - complicated laws like HIPAA. Reading a blog article or going to a SHRM chapter meeting can be a good reminder of the compliance actions we need to stay current.


