By Kelly S. Riggs and Chris Olmsted with Ogletree Deakins
Employers obtain employee health information in a number of ways, most commonly in relation to a work-related injury or when an employee requests medical leave or a disability accommodation. Most employers understand that such information is “confidential,” but may not fully understand what that means or what they should do to protect it.
HIPAA Generally Does Not Apply to Employers
It is a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) applies to employee health information. In fact, HIPAA generally does not apply to employee health information maintained by an employer.
HIPAA applies only to “covered entities,” which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that electronically transmit certain health information (and certain “business associates” of covered entities). If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Indeed, even if an employer is a “covered entity,” HIPAA still does not apply to health information contained “in employment records held by a covered entity in its role as an employer.” So even for those employers, although HIPAA may apply to health information they acquire in their capacities as covered entities, it does not apply to health information they acquire in their roles as employers.
Employers should not forget, however, that HIPAA does apply to an employer’s request for health information from a covered entity. A covered entity may not disclose protected health information to an employer without the employee’s authorization or as otherwise allowed by law. This is true even where the employee is also a patient or member of the covered entity; information maintained in that capacity may not be shared with human resources or an employee’s managers, except as expressly authorized by the employee or applicable law.
California’s Version of HIPAA
California’s Confidentiality of Medical Information Act (CMIA) provides stronger privacy protections for medical information than HIPAA. Note that CMIA’s definition of “provider of health care” is much broader than HIPAA’s: it includes contractors of health care providers and others. For example, a business that offers software designed to maintain medical information, such as a mobile app, could be considered a provider of health care under CMIA.
Most importantly, CMIA also requires employers who receive medical information to safeguard that information, and prohibits them from disclosing medical information without employee authorization (though there are exceptions). Outside of legal disputes or actions by government officials, disclosures must be authorized in writing by the employee.
Internally, the information may be used only for the purpose of administering and maintaining employee benefit plans (including health care plans and plans providing short-term and long-term disability income, and workers’ compensation) and for determining eligibility for paid and unpaid leave from work for medical reasons.
Accordingly, to ensure compliance with these privacy requirements, employers in California should maintain all employee health information in separate, confidential medical files with access restricted to those who need it for a permitted purpose, and should implement clear policies, safeguards, and training to help employees understand and comply with the requirements.
Protecting Employee Health Information
Even when HIPAA does not apply, employers still have other legal obligations to protect the confidentiality of employee health information in their possession.
For example, the Americans with Disabilities Act (ADA) requires employers that obtain disability-related medical information about an employee to maintain it in a confidential medical file that is kept separate from the employee’s personnel file. Such information may be disclosed only in limited situations and to individuals specifically outlined in the regulations:
(1) supervisors and managers who need to know about necessary work restrictions or accommodations;
(2) first aid and safety personnel, if a disability might require emergency treatment; and
(3) government officials investigating compliance with the ADA.
Similarly, the Genetic Information Nondiscrimination Act (GINA) requires employers that acquire an employee’s genetic information (although they generally should not request it) to treat it as a confidential medical record in a separate medical file. It can be maintained in the same confidential medical file as disability-related information. However, different rules apply regarding when and to whom genetic information may be disclosed: the permitted recipients do not include supervisors, managers, or first aid or safety personnel, but do include others who are not on the list for disclosure of disability-related information. Employers should therefore not assume that a recipient authorized for one category of information is authorized for the other.
Handling Requests for Employee Health Information
Notwithstanding the above, employers may disclose employee health information with an employee’s express authorization (which should be in writing). Employers also may, if certain legal requirements are met, disclose such information in response to subpoenas, court orders, or other legally authorized requests, but should examine such requests closely and limit disclosure of health information to the extent specifically requested and authorized by the employee or applicable law.