May 16, 2022

Employers, Employees, & HIPAA, Oh My!


Oftentimes, healthcare entities' employees are also patients of the healthcare entity, creating a dual relationship: employer and employee as well as doctor and patient. But what can an employer do when it needs to access an employee's medical records? Are these medical records treated differently than those of non-employee patients? Throughout the last few years, we have seen an increasing number of healthcare entities with these exact questions.

Pursuant to 65 FR 82612, HIPAA does not apply to employment records held by a healthcare entity. However, "[i]ndividually identifiable health information maintained or transmitted by a covered entity in its health care capacity [will] continue to be treated as protected health information" under HIPAA. 67 FR 53191. In fact, "identifiable health information the healthcare entity holds as a covered health care provider . . . is protected health information and generally may not be shared with the employer for employment purposes without the individual's authorization." 78 FR 5589. Therefore, HIPAA does draw a distinction between employment records and an employee's medical records.

There are several examples of how to distinguish between employment records and employee's medical records that contain protected health information: "drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee's authorization." 67 FR 53192.

If the records a healthcare entity needs to obtain are medical records of its employee, then HIPAA exceptions would apply just as they would to any other non-employee patient. The main exception we see in this dual role scenario is that a covered entity is permitted to use or disclose protected health information for treatment, payment, or health care operations, as permitted by and in compliance with 164.506 (the "Healthcare Operations Exception"). 45 CFR 164.502(a)(1)(ii).

The Healthcare Operations Exception includes several permitted activities, but the most commonly utilized activities for healthcare entities in the dual role of employer and provider include: conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; and conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs. 45 CFR 164.501.

The caveat is that "when using or disclosing protected health information . . . a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." 45 CFR 164.502(b). As such, if the healthcare entity does need to look into an employee's medical record under the Healthcare Operations Exception, they must do so for an extremely limited purpose.
