May 18, 2022

Employers, Employees, & HIPAA, Oh My!

You've Reached Your
Free Article Limit This Month
Subscribe now to get unlimited access to all OnPractice content. Your subscription is free.
Subscribe Now

Oftentimes, healthcare entities' employees are also patients of the healthcare entity, creating a dual role as employer and employee as well as doctor and patient. But what can an employer do when they need to access an employee's medical records? Are these medical records treated differently than non-employee patients? Throughout the last few years, we have seen an increasing number of healthcare entities with these exact questions.

Pursuant to 65 FR 82612, HIPAA does not apply to employment records held by a healthcare entity. However, "[i]ndividually identifiable health information maintained or transmitted by a covered entity in its health care capacity [will] continue to be treated as protected health information" under HIPAA. (67 FR 53191). In fact, "identifiable health information the healthcare entity holds as a covered health care provider . . . is protected health information and generally may not be shared with the employer for employment purposes without the individual's authorization." 78 FR 5589. Therefore, HIPAA does classify a distinction between employment records and employee's medical records.

There are several examples of how to distinguish between employment records and employee's medical records that contain protected health information: "drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee's authorization." 67 FR 53192.

If the records a healthcare entity needs to obtain are medical records of their employee, then HIPAA exceptions would apply just as they would to any other non-employee patient. The main exception we see in this dual role scenario is that a covered entity is permitted to use or disclose protected health information for treatment, payment, or health care operations, as permitted by and in compliance with 164.506. (The "Healthcare Operations Exception"). 45 CFR 164.502(a)(1)(ii).

The Healthcare Operations Exception includes several permitted activities, but the most commonly utilized activities for healthcare entities in the dual role of employer and provider include: conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; and conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs. 45 CFR 164.501.

The caveat is that "when using or disclosing protected health information . . . a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." 45 CFR 164.502(b). As such, if the healthcare entity does need to look into an employee's medical record under the Healthcare Operations Exception, they must do so for an extremely limited purpose.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Dickinson Wright PLLC

401(k) Plan Sponsors - It Doesn't Pay To Ignore Your Plan's Definition Of Compensation

By Jordan Schreier Dickinson Wright PLLC June 06 , 2022

One of the most common errors in 401(k) plan administration continues to be a mismatch between a plan’s definition of compensation and the actual compensation taken into account for plan purposes despite this problem being common enough for the IRS to include it in its “401(k) Plan Fix-It Guide”.

All My Exes Live In Texas: Texas' New Laws In The Wake Of #METOO And A Growing Economy

By Adrian Acosta Dickinson Wright PLLC May 23 , 2022

With Texas growing and business booming, the Lone Star State has changed its laws that affect employers in response to the #MeToo movement.

UPDATE: FEC Candidate Loan Repayment Limitation Ruled Unconstitutional in Supreme Court Decision

By Katherine N. Reynolds Dickinson Wright PLLC May 18 , 2022

On May 16, 2022, the United States Supreme Court ruled that limiting the repayment of candidate loans to their own campaign to $250,000 (codified under 52 U.S.C. § 30116(j)) is unconstitutional. The Plaintiffs, Ted Cruz for Senate and Senator Ted Cruz, filed suit against the Federal Election Commission (“FEC”), stating that the repayment limitation unconstitutionally infringes the First Amendment rights of the Senator, the Campaign, and any individuals who might seek to make post-election contributions.

More From Health Care

Data transfers from a controller in the EEA, to another controller in the EEA, to a processor outside of the EEA

By David A. Zetoony Greenberg Traurig August 02 , 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Ransomware: To Pay or Not to Pay? It Just Got More Complicated

By Scott Ferber McDermott Will & Emery July 25 , 2022

When an organization experiences a ransomware attack, it must address significant—and sometimes competing—challenges under pressing deadlines.

Companies Offering to Cover Travel for Out-of-State Abortions Will Face Daunting Patchwork of Laws

By Sarah G. Raaii McDermott Will & Emery July 19 , 2022

Employers “would really need to do a state-by-state analysis of what the abortion laws are, whether and under what circumstances abortion is legal in most states,” said Sarah Raaii, an associate at McDermott Will and Emery.

Featured Stories