Q. I'd like to know if our company needs something like a HIPAA form for employees to sign when we release personal information to others. Is HIPAA only for the medical field? —B.B., New York
A. The privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) apply to “covered entities.” Most employers, except those providing self-insured medical plans, are not considered covered entities, so they aren't subject to the privacy rules.
Nevertheless, certain HIPAA rules apply to all employers. For example, HIPAA requires that employers obtain a “HIPAA-compliant” authorization from employees before requesting information directly from their physicians. For that reason, it's best to avoid direct communication with employees' physicians. Also, be careful about requesting more than summary information from health insurance carriers. Such requests may trigger HIPAA's privacy rules.
HIPAA isn't the only reason to be concerned about privacy. You should keep all medical information about employees that you may need to comply with the ADA andin a separate, confidential file. Releasing that information may trigger liability under those laws.