HIPAA Doesn’t Protect All Employee Medical Information
It’s safe to say that the U.S. is discussing health care, regardless of your political views. Today’s post isn’t to tell anyone how they should feel about the Affordable Care Act (ACA). However, with the discussion about health care comes a lot of disclosures about medical information. As in, “I’m an employee who has XX medical condition and this is what I think about ….” or “My spouse/child/etc. has XX medical condition and therefore, we need to do…”

In the latest newsletter from the firm of Foley & Lardner LLP, labor and employment attorney Mark Neuberger reminded employers about the privacy rule under the Health Insurance Portability and Accountability Act (HIPAA). I thought the information was timely, so I asked him if he would share his knowledge, and luckily, he said yes.

Please remember that Mark’s comments should not be construed as legal advice or as pertaining to any specific factual situations. If you have detailed questions, you should address them directly with your labor counsel.

Mark, give us a brief description of HIPAA.

[Neuberger] The Health Insurance Portability and Accountability Act of 1996 or as it is more commonly known, HIPAA is a federal law that was enacted to ensure protection of individuals’ protected health information (PHI). The Standards for Privacy of Individually Identifiable Health Information (aka the ‘Privacy Rule’) issued by the Department of Health and Human Services (HHS) established detailed national standards for the protection of PHI.

In general, HIPAA protects individuals from the unauthorized use or disclosure of any PHI. Most employers, knowing they almost always have some health-related information on their employees gathered from things such as workers’ compensation claims, fringe benefit administration, and administration of leave and absenteeism policies should be rightfully concerned about their compliance with HIPAA’s Privacy Rule.

Why should HR professionals be focused on HIPAA’s Privacy Rule?

[Neuberger] I’ve been fielding lots of calls from HR managers lately who always start with the proposition that any medical information they have about their employees is protected by the HIPAA Privacy Rule. In most instances, this is not the case.

HR professionals should develop policies and procedures to secure what employees believe are their confidential medical records. Train your management to know what they can ask and what they would be better off not asking. It may not be PHI but that doesn’t mean you want TMI (Too Much Information). TMI is information you don’t really need to make appropriate management decisions. The fact you have TMI can be used by an employee to make out the elements of a discrimination claim.

TMI negates the ‘Huh, I didn’t know defense.’ The best way to defend a claim of discrimination is by being able to say ‘How could I have discriminated against the employee when I had no idea they (had cancer, are taking lithium, seeing a psychiatrist, etc.)’. If you have TMI and know these things because you made inquiries into things you maybe should not have, you can’t invoke the ‘Huh, I didn’t know defense.’

Does the HIPAA Privacy Rule apply to all employers?

[Neuberger] The HIPAA Privacy Rule only applies to ‘Covered Entities’ which are defined by the regulations as:

1. A health plan;
2. A health care clearinghouse; and
3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter,

and their ‘Business Associates,’ which are vendors that provide services for or on behalf of Covered Entities involving PHI.

Under this definition, Covered Entities are health plans, health care clearinghouses, and health care providers. Thus, the Privacy Rule WILL apply to employers if they somehow operate as a health plan, a health care clearing house, or a health care provider. Most other employers will not be ‘Covered Entities.’ Note that many employers function as the plan sponsor of a group health plan, but that does not make the employer itself a ‘Covered Entity’ under HIPAA.

You recently helped answer a reader question on the HR Bartender blog about “Keeping Employee Records Secure”. Where is PHI typically found?

[Neuberger] Most of the information contained in an employer’s personnel files and records is not PHI. The regulations state ‘Protected health information excludes individually identifiable health information…in employment records held by a covered entity in its role as an employer.’ Thus, even the information held in employment records by healthcare institutions is generally not governed by HIPAA.

The fact that the information you maintain in employment records about your employees is not regulated by HIPAA should not be the basis to ignore legitimate privacy concerns of your employees. You may be subject to various state privacy laws which afford different and additional protections to your employees than does HIPAA. Additionally, employers may have to deal with a knowledge gap in that many employees firmly but wrongly believe they are entitled HIPAA protection over their workplace medical records.

HR professionals sometimes hear about medical information when discussing workers’ compensation claims. Does this factor into the Privacy Rule?

[Neuberger] The Privacy Rule gives employers a break. The rule recognizes that employers, their workers’ compensation insurers and claims administrators have a legitimate need to access detailed medical records in order to efficiently administer the workers’ compensation system. In many cases, the Privacy Rule allows covered entities, those providing the medical treatment to your injured employees, to disclose treatment information without violating HIPAA.

Last question. What are 1-2 things HR professionals can do to stay on top of HIPAA’s Privacy Rule?

[Neuberger] This is a complicated and constantly evolving area of the law so employers should get smart and stay smart as to all the applicable laws. Don’t forget the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA). These laws have plenty to say about employee medical records.

- Title I of the ADA provides that information obtained by an employer regarding the medical condition or history of an applicant or employee must be collected on separate forms, kept in separate medical files, and be treated as a ‘confidential medical record.’ 29 C.F.R. §1630.14(b)(1).

- Similarly, if an employer has genetic information obtained under one of GINA’s limited exceptions, they must also keep this information separate from personnel files and treat it as a confidential medical record. This information may be maintained in the same file as medical information obtained under the ADA. 29 C.F.R. §1635.9.

Finally, when asking your employees to provide any medical information be it to administer leave, fringe benefits, or workers’ compensation, get a properly drafted release and consent from the employee.

My thanks to Mark for sharing his knowledge. If you want to stay on top of HIPAA and other legal issues, be sure to check out SHRM’s HIPAA resources located under the resources and tools section of their website.

Whenever there’s a new administration, there are new laws. Sometimes we can get so focused on what might happen that we lose sight of the laws currently in place - complicated laws like HIPAA. Reading a blog article or going to a SHRM chapter meeting can be a good reminder of the compliance actions we need to stay current.

I am transitioning from a covered entity to an uncovered entity and have had some "uncomfortable" moments. A Sr. VP asked me what kind of doctor an employee was seeing because the employee is on FMLA leave. The company does not provide disability, so the employee is not being paid. I told him that the leave was approved and that I had documentation from the doctor. He pressed and wanted to know if this was "ongoing" or a temporary thing. I told him that it appeared to be temporary. I was very uncomfortable, and it bothered me that he wanted so much information, as I had an RTW date. Was I right in giving him no details?

I'm asking for my husband, about what rights he has.
He has been working at this wood beam company for over 7 years now. His hands started to bother him last year; he told them about it every week for 9 months until his work finally scheduled him a doctor's appointment. The doctor said he needed surgery done on both hands due to his hands getting to stage 8 carpal tunnel. He had the surgery and was off work for 3 weeks; after the first doctor's appointment they put "no work" on his work form for another 3 weeks, since he could not drive or do anything with his hands. Then we gave the form to HR and words were said. She called his doctor's general manager and got him released for work 2 and a half weeks early. We talked to corporate about her. 4 months later his hands have not gotten better, so the doctor scheduled him an appointment in 5 weeks with a weight restriction of 25 to push and pull (for the past 4 months appointments were 3 to 4 weeks apart). HR did not like that, and my husband got a call from the doctors 2 days after the last appointment saying his HR lady had called to schedule a new doctor's appointment to change his restrictions. (Because it is a work injury I know they can discuss treatment with his work, but does his work have a right to make and change appointment dates as well as his doctor's restrictions?)
Also, he has been going to physical therapy, approved by the doctors and CorVel (workman's comp). He left work at the time he is supposed to get off work and went to his therapy after. While there, he got told that his HR had called them asking for his appointment schedule, and that she had called his doctors saying they did not know he (my husband) still had physical therapy, and that she did not know he was still going through therapy and needed to know his schedule as to what time his appointments are and when he left his appointments (she also did this with his doctors to find out the times he was at his appointment and the times he left).
I just wanted to know if she is allowed to do this?