Q. I'd like to know if our company needs something like a HIPAA form for employees to sign when we release personal information to others. Is HIPAA only for the medical field? —B.B., New York
A. The privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) apply to “covered entities.” Most employers, except those providing self-insured medical plans, are not considered covered entities, so they aren't subject to the privacy rules.
Nevertheless, certain HIPAA rules apply to all employers. For example, HIPAA requires that employers obtain a “HIPAA-compliant” authorization from employees before requesting information directly from their physicians. For that reason, it's best to avoid direct communication with employees' physicians. Also, be careful about requesting more than summary information from health insurance carriers. Such requests may trigger HIPAA's privacy rules.
HIPAA isn't the only reason to be concerned about privacy. You should keep all medical information about employees that you may need to comply with the ADA andin a separate, confidential file. Releasing that information may trigger liability under those laws.