Fair Measures - Ask the Lawyers

Get Hip to HIPAA! 05-07-03

The sweeping medical privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) went into effect for most healthcare providers and group health plans on April 14, 2003. Most of HIPAA's burdens will fall on physicians, dentists, hospitals, and insurance companies. If you work in one of those capacities, you need detailed information about HIPAA, which is beyond the scope of this article. But if you are an employer in a non-medical field, do you have obligations under HIPAA? Yes.

Employers receive health information about their employees in connection with the Family and Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), state disability, workers compensation, accidents, and requests for sick leave. Health information you receive may include information about treatment for mental illness, dental and vision care, and prescription drug use.

You should always treat health information with strict privacy, because even if HIPAA does not apply, every state protects privacy to some extent. Historically, health information is considered to be extremely confidential. The biggest change HIPAA makes to existing law in most states is the requirement to give out a written notice of the person's privacy rights.

If the health information you receive is in connection with an "employment-related purpose" the information is NOT covered under HIPAA. Thus, when an employee applies for a medical leave of absence, that is an employment related purpose and not covered by HIPAA, and there is no requirement to give a written notice. But the health information may be protected by the FMLA, ADA or other statutes, and must be held in strict confidence.

Employers must give HIPAA notices and protect privacy only if the medical information they receive relates to "benefit payments" or "eligibility for coverage." For example, if employees are injured at work, they are entitled to workers compensation. Some companies augment the workers comp payments, and thus staff in Human Resources may become aware of the employee's health information in connection with "benefit payments." Or there may be some question as to whether the employee is eligible for workers compensation - perhaps the employer believes the employee was not injured at work. During the course of the ensuing investigation, the employee's manager may become aware of health information related to eligibility for coverage.

In these and other cases, the prudent employer will give employees the notice of privacy rights under HIPAA. The privacy form is available online, though as of this writing it is not easy to find. Go to http://www.hhs.gov/ocr/hipaa and click on the PDF or RTF version of the Summary of HIPAA rule. On page 11 is a link to the download for "OCR Notice Guidance."

Whether or not HIPAA becomes part of your life, now is a good time to go through your working files and make sure you do not have any unnecessary health information. If you must keep worker health information, review your privacy procedures and ensure the information is kept locked up or in password-protected files.

Information here is correct at the time it is posted. Case decisions cited here may be reversed. Please do not rely on this information without consulting an attorney first.