HIPAA Does Allow Disclosure Of Employee Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) has been known to cause employer consternation. Below you’ll find the answers to a pressing HIPAA question: Does the privacy rule absolutely prohibit the disclosure of employment records containing medical information?


Disclosure Discussed

A terminated employee filed a discrimination lawsuit. To build her case, she sought disclosure of her employer’s records of other employees’ leaves of absence. The company argued that the HIPAA privacy rule barred it from disclosing the requested documents because they contained medical records, return-to-work evaluations, and other health information, including materials prepared by doctors and other health professionals whose job function was to determine employees’ fitness for duty.


A district court ruled that the HIPAA privacy rule does not bar disclosure, for these three reasons.

  1. Only covered entities are subject to the privacy rule, and the court found no evidence that the employer was a covered entity. The privacy regs define a covered entity as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a covered transaction.

  2. The company held the leave records in its role as an employer, and such records are not subject to the privacy rule. Other records not subject to the rule include education records covered by the Family Educational Rights and Privacy Act and education records described at 20 U.S.C.

  3. The privacy rule allows covered entities to release protected health information — individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium — in the course of judicial proceedings if the disclosure is:

     • in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

     • in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if:
       a) the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
       b) the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order.

The court did conclude, however, that the federal psychotherapist-patient privilege might apply to some of the leave records and directed the company to review the records individually to determine which ones might be protected under this privilege. (Beard v. City of Chicago, N.D.IL, No. 03-C-3527, 2005)


Even though the employer in this case lost its disclosure argument, the court’s decision can be seen as distinctly pro-employer in the bigger HIPAA picture. Not only did the court confirm that employment records containing health information are not subject to the privacy rule, but it also concluded that employing health professionals to make fitness-for-duty determinations did not make an employer a covered entity because those professionals provided no medical treatment.
