Medical Privacy
As an employee, there are just some things that an employer does not need to know. For example, that one time you broke your arm bike riding in college, or that time you had your blood drawn to test for pregnancy. While this information may seem irrelevant and, at times, highly sensitive, your employer may have access to such information. Some employers can even require you to take medical tests or inquire about your medical history. While these requirements are job and state specific, there are certain healthcare protections that help to maintain the privacy of your medical records. To learn more about medical privacy and what information is and is not protected, read below:
Medical records are created when you receive treatment from a health professional such as a physician, nurse, dentist, chiropractor, or psychiatrist. Records may include your medical history, details about your lifestyle (such as smoking or involvement in high-risk sports), and family medical history.
In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects.
Information you provide on applications for disability, life, or accidental insurance with private insurers or government programs can also become part of your medical file.
All of these types of medical records present privacy implications for you as an employee, if there is a possibility of your employer accessing this information.
For medical files that are covered under the HIPAA Privacy Rule, all individually identifiable information is protected. Individually identifiable information is information, including demographic data, that relates to:
- The individual’s past, present, or future physical or mental health condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
Your employer has a number of ways to obtain medical information about you, whether it’s because you volunteer it when you call in sick or tell co-workers, or because you provide requested information on health insurance application or workers’ compensation claim forms. However, just because your employer has the information does not mean that it should be shared with everyone in the workplace, especially when you have not chosen to do so.
The basic legal principle that employers should follow is not to reveal medical information about you unless there is a legitimate business reason to do so. But because that standard is fairly vague, there are laws which more specifically protect the privacy of your medical records, such as the Americans with Disabilities Act, the law which makes it illegal to discriminate on the basis of an employee’s disability. State laws may also provide additional protection.
The HIPAA Privacy Rule may control how a health plan or covered healthcare provider discloses protected health information to an employer, including your manager or supervisor, if you are a patient of the provider or a member of a health plan. However, it does not protect your employment records, even with respect to health-related information. Therefore, the Privacy Rule does not prevent a supervisor from asking you for a doctor’s note if the employer needs the information for administrative purposes such as sick leave or workers’ compensation. Your employer cannot, however, obtain information about you from your health care provider directly without your authorization, unless other laws require them to disclose it. And if you work for a health plan or a covered health care provider, the Privacy Rule does not apply to your employment records.
Under the Americans with Disabilities Act, an employer may not ask a job applicant whether they have a disability (or about the nature of an obvious disability). Furthermore, you cannot be required by an employer to take a medical examination before you are offered a job. Following a job offer, however, an employer can condition the job offer on your passing a required medical examination, but only if all entering employees for that job category have to take the exam and the exam is job-related and consistent with the employer’s business needs. (You cannot be singled out for an exam merely because you have, or your employer believes you have, a disability.)
However, an employer cannot reject you because of information about your disability revealed by the medical examination, unless the reasons for rejection are job-related and necessary for the conduct of the employer’s business. The employer cannot refuse to hire you because of your disability if you can perform the essential functions of the job with an accommodation.
The results of all medical examinations must be kept confidential and maintained in separate medical files apart from your regular personnel files.
For more information, see our website’s page on disability discrimination.
Under the Americans with Disabilities Act, once you have been hired and started work, your employer cannot require that you take a medical examination or ask questions about your disability unless they are related to your job and necessary for the conduct of your employer’s business. For example, if you appeared to be homicidal or suicidal, your employer might have a duty to require a psychological exam and/or inform your coworkers, to keep the workplace safe.
However, your employer may conduct voluntary medical examinations that are part of an employee health program and may provide medical information required by State workers’ compensation laws to the agencies that administer such laws.
The results of all medical examinations must be kept confidential and maintained in separate medical files apart from your regular personnel files.
For more information, see our website’s page on disability discrimination.
The federal Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for privacy of health information, which applies to how medical records are used and disclosed. Entities covered by HIPAA must:
- Give notice of written privacy procedures;
- Place restrictions on the use of health information; and,
- Appoint a privacy officer and train staff.
But the law only applies to medical records maintained by health care providers, health plans, and health clearinghouses, and only if the facility maintains and transmits records in electronic form. Any health-related information which exists outside of health care facilities and the files of health plans is not covered by HIPAA, which means that workplace health records that relate to other employee benefits such as life insurance, disability, workers’ compensation, or long-term care insurance are not covered. Nor are records that relate to your employer’s compliance with laws that govern safety and health risks in the workplace.
How you’re protected by HIPAA in the workplace in conjunction with employer-provided health insurance depends on whether your employer has you enrolled in a group health plan, or whether your employer is self-insured.
You may also ask that your health information not be shared for advertising or marketing and may ask your doctor or pharmacy to not share your protected health information with your health plan, if you pay out of pocket for an item or service.
If you are a member of a group health plan, your employer pays a premium to the health plan which covers your health care costs. In return for the premium paid, the health care plan assumes the risk of paying for your health care expenses covered by the plan.
Group health plans are covered by the HIPAA Privacy Rule as long as the plan has 50 or more participants. The HIPAA Privacy Rule applies to the plan itself, not to your employer, but it still attempts to limit the use of medical information for employment purposes.
Under HIPAA, the group health plan can tell your employer whether you are enrolled in the plan or not, and can provide the employer with “summary information” that it can use to evaluate and compare premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures to keep the information private, much like those of an entity that is covered by HIPAA. However, a fully insured group health plan that does not create or receive protected health information other than summary health information and enrollment or disenrollment information is not required to have or provide a notice of privacy practices. Most health plans are also required to refrain from intimidation or any retaliatory acts and from requiring an individual to waive their privacy rights.
Self-insured plans are health plans often offered by large employers as an employee benefit, in which the employer itself assumes the risk of health care costs and pays health care claims out of the company’s operating funds. Some companies process their own claims internally, using company personnel, while other companies contract out the work of processing and maintaining the records to another company.
It can be scary to have such a close relationship between your boss and the person who processes your health claims: you may not really want Jane in the HR department knowing that you’re seeing a psychiatrist, that your husband just had a vasectomy, or that you’ve been diagnosed with cancer, when she’s the person you go to when you’re having problems with your supervisor.
Under HIPAA, if your employer is also the insurer of your health benefits, it is in a category called a “hybrid” entity, which means that the portion of the company’s operations that deal with processing health claims is covered by HIPAA. Although HIPAA requires that hybrid entities erect “firewalls” between the parts of the company handling health claims and the parts that do not, it is not yet clear whether this procedure is enough to be effective against the disclosure of private medical information. If you work for a company that is self-insured, and you believe there has been unauthorized disclosure of your medical records within your company, you may want to consult with a local attorney to determine whether the policy appears to violate any laws.
An on-site health clinic at your place of employment may be another example of what the HIPAA Privacy Rule calls a “hybrid” entity. This depends on whether the health clinic transmits information electronically and engages in standard transactions under HIPAA’s electronic data interchange rule (for example, if the clinic bills an employee’s health plan). If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. However, if the clinic does not transmit information electronically or bill your employer, it would be specifically excluded from HIPAA’s protections.
Before you disclose any information to the company’s health clinic that you would not want your employer to know, you should ask whether the clinic is subject to HIPAA or has a privacy policy that governs how your medical information is used.
An employee assistance program may be another type of “hybrid” entity, depending on how its information is transmitted and transactions are conducted. If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. “Referral only” EAPs, which provide only referrals to mental health counselors, are not subject to HIPAA, nor are EAPs provided through a disability income insurance policy.
Before you disclose any information to a counselor through the EAP program that you would not want your employer to know, you should ask whether the program is subject to HIPAA or has a privacy policy that governs how your medical information is used and whether a release of information is required in the event the employee seeks an accommodation for a physical or emotional problem. However, if any instances of child abuse or neglect are suspected, then the employer must report it to State or local authorities.
The Americans with Disabilities Act recognizes that employers may sometimes have to disclose medical information about applicants or employees. Therefore, the law contains certain exceptions to the general rule requiring confidentiality. Information that is otherwise confidential under the ADA may be disclosed:
- To supervisors and managers where they need medical information in order to provide a reasonable accommodation or to meet an employee’s work restrictions;
- To first aid and safety personnel if an employee would need emergency treatment or require some other assistance (such as help during an emergency evacuation) because of a medical condition;
- To individuals investigating compliance with the ADA and with similar state and local laws; and,
- As required for workers’ compensation claims (for example, to a state workers’ compensation office in order to evaluate a claim) or for insurance purposes.
If the information is not necessarily medical in nature, and the employee directly and voluntarily disclosed the information to the employer, the HIPAA Privacy Rule most likely does not apply. However, discussions about medical-related information are specifically protected by HIPAA. Employers should not disclose medical information about employees to other employees without consent.
Most job applicants or employees who live with HIV do not have to disclose their HIV status to their employers. The only exception is if you work at a job where HIV infection poses a direct threat to the health of others, like if you work as a surgeon or other health care worker performing invasive procedures. Not every health care worker has public contact. HIV-positive chiropractors, manicurists, food handlers, chefs, bank tellers, veterinarians, hairdressers, and barbers do not pose a direct threat.
Otherwise, it is your choice whether or not to disclose your HIV status to your employer, for example, if you need an accommodation of your disability, or wish to take leave covered by the Family & Medical Leave Act. It is important to note that your insurance company may provide usage reports to your employer which show how much care employees are using, and for a small employer it may be possible to figure out whose claims are related to HIV/AIDS.
It is not legally required or otherwise necessary to disclose your HIV status (or any medical condition) to your employer in order to receive a reasonable accommodation of your disability.
To receive accommodation of your disability, you have to identify yourself to the employer as a person living with a disability, but you do not have to identify the specific disability or diagnosis. To request accommodation, you must tell your employer what your functional limitations are.
For example: You do not have to request reasonable accommodation for your HIV-related diarrhea. Instead, you request reasonable accommodation because your disability limits your ability to stay at your workstation without more frequent bathroom breaks. When you request the reasonable accommodation, it is important to clearly state what you need and you may possibly need a doctor’s note to support the request.
It is not legally required or otherwise necessary to disclose your HIV status (or any medical condition) to your employer in order to receive family and medical leave.
To receive family and medical leave, all you have to communicate is information sufficient for the employer to understand that you need leave for FMLA-qualifying reasons. In other words, you do not need to mention FMLA or your diagnosis when requesting leave, but must only explain why the leave is needed. While your employer can request medical certification from your health care provider of your need for leave, all your health care provider must communicate is a description of the serious health condition, the date that the condition began or treatment became necessary, and the expected duration of the condition or treatment.
As discussed in the previous two questions, it is not legally required or otherwise necessary to disclose your HIV status to your employer in order to receive either family and medical leave or a reasonable accommodation of your disability.
However, if you have already disclosed your HIV status to your employer, you may be protected by state laws regarding the confidentiality of medical information and/or an HIV/AIDS diagnosis. Some state laws apply only to health care providers, and not employers. If you have concerns about what your employer is required to keep confidential, you may want to consult with a local attorney or legal services agency that provides services to persons living with HIV to determine whether a disclosure of your HIV status would violate any laws.
No. Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA) is a federal law which prohibits genetic information discrimination in employment.
If your employer requires genetic testing, or appears to be discriminating against you on the basis of a genetic test, you may want to consult with a local attorney.
While applications on cell phones and websites can provide many benefits and convenient advantages, it is important to be aware of how your personal data could be released to third parties. Although fitness and health apps are popular and widespread today, some apps may gather your personal health information not only for your personal use but ultimately to sell it to third parties. Your personal data is valuable to third-party companies, as they may use this information for marketing or financial risk profiling. For example, your weight, diet or exercise patterns are valuable to third parties, and this information could potentially be used against you, as third parties are not subject to HIPAA privacy regulations.
While the FDA regulates the safety and effectiveness of these devices, it does not regulate the storage or disclosure of your personal information. Because this area of advancing technology has not been addressed by legislation or litigation, it is important to be aware of the disclosure of your data. Some companies such as Apple have taken steps to protect collected and stored data on their devices; however, it is unclear who is monitoring the apps. It is also important to take the time to read electronic contracts, as some companies may obtain a consumer’s consent to share personal data with third parties.
How you can respond to an unauthorized disclosure of your medical information depends on what law or laws were violated by the disclosure: the ADA, HIPAA, or state protections. Some laws allow what is called a “private right of action,” which means that you can sue in court, while others require that you file with an administrative agency. If you believe your privacy rights have been violated, you may want to consult with a local attorney to determine whether your employer has violated any laws, and if so, how you should proceed. In the event that a covered entity or a business associate committed a violation, you may file a complaint with the Office for Civil Rights (OCR), which will investigate the complaint. In order to file the complaint, you must file it in writing, name the covered entity or business associate involved, describe the act you believe violated the privacy requirements, and file within 180 days of when the act or omission occurred. OCR may extend the 180-day period if you can show good cause.
HIPAA requires healthcare providers who are covered entities, such as nurses, to protect patient privacy by not using or disclosing protected patient health information except as required under federal and state law. However, in the event that a nurse needs legal advice about a patient, the nurse may disclose and discuss protected healthcare information with an attorney, but under specific circumstances.
Federal whistleblower regulations exist to protect the employee who in good faith discloses protected health information to the attorney for the purpose of obtaining legal counsel, a disclosure that would otherwise violate the HIPAA standards that apply to covered entities. However, this information must be disclosed carefully and de-identified so that the disclosure does not reveal any identifying information, with patients appearing as Patient A, Patient B. Also, it is best to have the employee write a summary without including any names or identifying information for the patients in question.