Q. I'd like to know if our company needs something like a HIPAA form for employees to sign when we release personal information to others. Is HIPAA only for the medical field? —B.B., New York
A. The privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) apply to “covered entities.” Most employers, except those providing self-insured medical plans, are not considered covered entities, so they aren't subject to the privacy rules.
Nevertheless, certain HIPAA rules apply to all employers. For example, HIPAA requires that employers obtain a “HIPAA-compliant” authorization from employees before requesting information directly from their physicians. For that reason, it's best to avoid direct communication with employees' physicians. Also, be careful about requesting more than summary information from health insurance carriers. Such requests may trigger HIPAA's privacy rules.
HIPAA isn't the only reason to be concerned about privacy. You should keep all medical information about employees that you may need to comply with the ADA andin a separate, confidential file. Releasing that information may trigger liability under those laws.