Under the HIPAA Privacy Rule, do I need to obtain authorization from my employees for every situation involving health-related information?
No. There are several circumstances where HIPAA does not apply in the workplace. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to an employer's group health plan (except for self-administered plans with fewer than 50 participants). Fully-insured group health plans that do not create or receive protected health information other than summary health information have limited requirements under the Privacy Rule.
In general, the Privacy Rule requires employers to obtain authorization from an employee when protected health information (PHI) received through the group health plan is used for purposes other than treatment, payment or health plan operations.
According to the U.S. Department of Health & Human Services, "An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date and, in some cases, the purpose for which the information may be used or disclosed."
Workers' compensation claims do not require authorization as transactions necessary to comply with state workers' compensation laws are specifically exempted from HIPAA.
Other records are considered employment records rather than health care records and are not protected by HIPAA, including:
- Family and Medical Leave Act (FMLA) medical certifications.
- Requests for accommodation under the Americans with Disabilities Act (ADA) and related documentation.
- Doctor's notes provided under the terms of an employer's absence policy.
Because doctors and other health care professionals are covered entities under HIPAA, there may be times when an employee will need to provide an authorization to the health care provider to have PHI released directly to the employer. For example, an employer may contact a health care provider for authentication or clarification of an FMLA medical certification and the provider must obtain authorization from the individual before releasing any medical information.
To create firewalls between health records and employment records, employers should maintain those categories of records in separate files.
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.