SHARE

May 16, 2022

Employers, Employees, & HIPAA, Oh My!

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all Law.com OnPractice content.
Register Now

Oftentimes, healthcare entities' employees are also patients of the healthcare entity, creating a dual role as employer and employee as well as doctor and patient. But what can an employer do when they need to access an employee's medical records? Are these medical records treated differently than non-employee patients? Throughout the last few years, we have seen an increasing number of healthcare entities with these exact questions.

Pursuant to 65 FR 82612, HIPAA does not apply to employment records held by a healthcare entity. However, "[i]ndividually identifiable health information maintained or transmitted by a covered entity in its health care capacity [will] continue to be treated as protected health information" under HIPAA. (67 FR 53191). In fact, "identifiable health information the healthcare entity holds as a covered health care provider . . . is protected health information and generally may not be shared with the employer for employment purposes without the individual's authorization." 78 FR 5589. Therefore, HIPAA does classify a distinction between employment records and employee's medical records.

There are several examples of how to distinguish between employment records and employee's medical records that contain protected health information: "drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee's authorization." 67 FR 53192.

If the records a healthcare entity needs to obtain are medical records of their employee, then HIPAA exceptions would apply just as they would to any other non-employee patient. The main exception we see in this dual role scenario is that a covered entity is permitted to use or disclose protected health information for treatment, payment, or health care operations, as permitted by and in compliance with 164.506. (The "Healthcare Operations Exception"). 45 CFR 164.502(a)(1)(ii).

The Healthcare Operations Exception includes several permitted activities, but the most commonly utilized activities for healthcare entities in the dual role of employer and provider include: conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; and conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs. 45 CFR 164.501.

The caveat is that "when using or disclosing protected health information . . . a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." 45 CFR 164.502(b). As such, if the healthcare entity does need to look into an employee's medical record under the Healthcare Operations Exception, they must do so for an extremely limited purpose.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Dickinson Wright PLLC

401(k) Plan Sponsors - It Doesn't Pay To Ignore Your Plan's Definition Of Compensation

By Jordan Schreier Dickinson Wright PLLC June 06 , 2022

One of the most common errors in 401(k) plan administration continues to be a mismatch between a plan’s definition of compensation and the actual compensation taken into account for plan purposes despite this problem being common enough for the IRS to include it in its “401(k) Plan Fix-It Guide”.

All My Exes Live In Texas: Texas' New Laws In The Wake Of #METOO And A Growing Economy

By Adrian Acosta Dickinson Wright PLLC May 23 , 2022

With Texas growing and business booming, the Lone Star State has changed its laws that affect employers in response to the #MeToo movement.

UPDATE: FEC Candidate Loan Repayment Limitation Ruled Unconstitutional in Supreme Court Decision

By Katherine N. Reynolds Dickinson Wright PLLC May 18 , 2022

On May 16, 2022, the United States Supreme Court ruled that limiting the repayment of candidate loans to their own campaign to $250,000 (codified under 52 U.S.C. § 30116(j)) is unconstitutional. The Plaintiffs, Ted Cruz for Senate and Senator Ted Cruz, filed suit against the Federal Election Commission (“FEC”), stating that the repayment limitation unconstitutionally infringes the First Amendment rights of the Senator, the Campaign, and any individuals who might seek to make post-election contributions.

More From Health Care Law

5 Trends to Watch in 2023 in Texas Health Care

By Joseph F. Coniglio Greenberg Traurig January 19 , 2023

Observers believe that the COVID-19-related public health emergency (PHE) will be extended until April of 2023.

Trending in Telehealth: January 9 - 16, 2023

By Amanda Enyeart McDermott Will & Emery January 19 , 2023

Trending in Telehealth is a new weekly series from the McDermott Digital Health team where we track telehealth regulatory and legislative activity.

5 Trends to Watch: 2023 Hospitality

By Samantha Ahuja Greenberg Traurig January 18 , 2023

For many hotels, the pandemic exacerbated the challenges of finding enough qualified workers to fill jobs.

Featured Stories
Closeclose
Search
Menu

Working...