labor lawAdivision of labor law center

Today, let’s talk about the HIPAA law. The HIPAA law protects employees against discrimination due to medical condition. It also helps ensure continued medical coverage when employees change jobs. Most of all, HIPAA mandates that employees medical information remain confidential.

The Health Insurance Portability and Accountability Act of 1996 is usually referred to by the acronym of HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It offers protections for millions of American workers that improve portability and continuity of health insurance coverage.

HIPAA specifically prohibits employers from discriminating against employees based on their medical diagnosis. This means that an employer can’t refuse to hire someone who has been treated for cancer or a heart condition in the past, if they are able to perform the job. HIPAA was enacted because too many employers sought to save money on health insurance premiums by hiring only healthy people.

HR directors and others who are privy to employee’s medical information should regard the diagnosis as highly confidential. Medical and employment records should be kept in a locked file cabinet. Employers should even go so far as trying to put the medical information out of their minds. Philip Cohen, a noted VP of Human Resources in Florida, goes even further. “Once the benefits question has been addressed, employers need to forget any confidential medical information that they learned.”

A key feature of the HIPAA law, frequently called the Privacy Act, is this guarantee of privacy regarding medical information. Unfortunately, in the past, too many employers treated this confidential information as juicy office gossip. An employee’s personal health information, such as being HIV positive or having cancer, was often shared with coworkers. HIPPA makes such action by employers or even coworkers illegal.

Under the HIPAA law, employers need to treat any medical information they may encounter on employees as confidential. Often employers learn of an employee’s medical diagnosis when acting as a liason with the health insurance provider. At other times, an employee will share a diagnosis with an employer to explain why he or she is taking time off work.

Prior to the HIPAA law, employees were often reluctant to change jobs because it involved a change in health care coverage. Usually the new policy limited or even excluded treatment for preexisting conditions, altogether. Thus, an employee who had a heart attack or cancer surgery which was covered with the old employer, would find herself without coverage for the same illness, with a new employer. HIPAA solved that problem.

Last 10 posts by Amelia

• COBRA Subsidy Extended Again - March 5th, 2010
• New York Uniform, Meals and Lodging Rules - February 10th, 2010
• New York Non-Exempt Employee Rules - February 3rd, 2010
• New York Tipped Minimum Wage is $4.75 - January 27th, 2010
• Oklahoma Direct Deposit - January 20th, 2010
• 2010 Minimum Wage Recap - January 1st, 2010
• Vermont Minimum Wage 2010 is $8.06 - December 30th, 2009
• New GINA Regulations - December 23rd, 2009
• Kansas 2010 Minimum Wage Increases to $7.25 - December 9th, 2009
• 2010 Washington Minimum Wage is $8.55 - December 2nd, 2009

1. Posted by: Alex

   As an employer, who (internally) should have access to HIPPA information other than the designated plan administrator?

2. Posted by: Amelia

   Alex, only supervisors and managers with a genuine need to know an employee’s medical information should be privy to it. For example, in the course of granting a reasonable accommodation for a disabled employee, the HR Director may be informed of the employee’s diagnosis or medical condition. However, the HR Director would be prohibited from sharing it with anyone else in the company — even the employee’s immediate supervisor — unless there is a valid need for them to know. In fact, there may be times when not even the plan administrator is aware of an employee’s diagnosis. Under FMLA, for example, a medical professional can certify that an employee has a “serious health condition” but is not required to specify what it is. For more complete answers to all your HR questions, feel free to post them on our sister site http://www.humanresourceblog.com. And, thanks for reading! Amelia

3. Posted by: steve hughes

   Can my employer ask for my daughter’s medical records? She is over 18.

4. Posted by: Amelia

   Hi Steve! Well, your employer can ASK for anything, but you are under no obligation to provide your daughter’s medical records and the employer can’t take a negative employment action against you for refusing to comply.

   If you are requesting leave under FMLA or to care for a disabled daughter, then the employer has the right to request medical certification from your daughter’s doctor that she is disabled or has a serious health condition. But that certification is just filling out a single form — it does not mean providing the employer with your daughter’s complete medical records.

   It would be interesting to know more about the circumstances, but no, the employer probably cannot require a copy of your daughter’s medical records. For more into, post your question on our sister site at http://www.laborlawtalk.com. HTH, and thanks for reading the blogs!~ Amelia

5. Posted by: maryanne f

   My boss told a group of my co workers that I had went to the hospital to have a medical procedure and that I wouldn’t be back to work, is this illegal and can I contact an attorney on the matter?

6. Posted by: Amelia

   Hi Maryanne!

   This is a complicated question. If your boss literally told your coworkers “Maryanne went to the hospital for a medical procedure and won’t be back to work this week (or today)” that was probably appropriate communication. Would it have been better if your boss let your coworkers think that you had died, or quit with no notice?

   However, if the boss provided details of your medical procedure (example: “Maryanne is having a breast lump removed.”) that was unwise and inappropriate. But it may have been legal, especially if you volunteered the information on your health.

   Just for future reference, even when you are taking time off under FMLA, you do not have to provide your employer with a specific diagnosis or details on your medical problems.

   HIPAA prohibits healthcare providers from sharing private health information without your permission. It also applies to third part administrators of health insurance companies. So if your employer is self-insured, or you revealed medical information to your boss during a discussion of health insurance benefits, then that information was probably covered under HIPAA. But if you volunteered the information to your boss separate from a discussion on group health insurance, it probably was not covered by HIPAA. It will take a court to decide.

   Which brings us to the last part of your question. Can you contact an attorney on this matter? You certainly can. The great thing about this country is that anyone can contact an attorney and file a lawsuit at any time. Whether or not you will win, is a different story. HTH, and thanks for reading the blogs!~ Amelia

7. Posted by: kay

   A co-worker removed my private medical information off of the fax machine at work, made copies of it and gave them out and talked about the results with other co-workers.

   is this illegal? do i have legal recourse?

8. Posted by: Amelia

   Hi Kay! Obviously this is a bad situation and your coworker should be disciplined. However, what she has done may not be illegal.
   If the employer is self-insured, then any communication about your private health information with your supervisor or HR must be confidential. If your employer is not self-insured, then private health information disclosed to your supervisor or HR during a conversation about benefits, may be covered.
   What your coworker did is wrong, but it is not necessarily illegal. Your best bet would be to report this to management, and ask them to take appropriate action.
   It’s also best practice in HR to have a fax machine in a secure location for private health information and other confidential documents. It is not clear why your private medical information would be on a public fax.
   You could also contact an attorney about suing the coworker. HTH, and thanks for reading the blogs!~ Amelia

9. Posted by: kay

   Amelia,
   thanks for the reply and the advice. i did not mention that i am on fmla for a chronic condition and the fax information came to the nurse’s desk (i am a nurse) because one of the doctor’s in our practice in consulting with my neurologist on my treatment.
   if that changes anything please let me know. thanks for responding so quickly and for the advice.
   Kay

10. Posted by: Amelia

    Hi Kay! Yes, that changes everything because your employer is also your healthcare provider — and therefore is bound by HIPAA, just as they would be for any other patient.
    In most medical practices, an employee who acted as your coworker did would be immediately terminated. Some practices are even firing people for looking at a patient’s medical records online without a valid business reason to do so.
    If the employer is not addressing this issue to your satisfaction, you should contact the Department of Health and Human Services at hhs.gov. Under a new law, you also have the right to sue for a HIPAA violation.
    This is also likely a violation of the ADA, the Americans with Disabilities Act. New 2009 regulations make almost any impairment or ongoing physical problem a disability under ADA. By law, employers must keep info on an employee’s disability confidential. So this is probably discrimination under ADA, which you should report to the EEOC at eeoc.gov. These actions may well have created a hostile work environment for you, based on your disability. HTH, and thanks for reading the blogs!~ Amelia

11. Posted by: Bob

    I am currently under a private doctors care Now my employer wants me to see thier doctor They can do this if there is doubt about the illness it’s in our contract
    What I wanted to know what rights do I have under the HIPPA laws?
    Do I have to disclose my illness to another doctor if I’m under care of a private one?

12. Posted by: Amelia

    Hi Bob! Yes, the employer can ask that you see their doctor if you have applied for short term disability, FMLA or workers comp. Technically, you can refuse under HIPAA. However, then the employer can deny the short term disability, FMLA or workers comp. Current FMLA certification forms do not require a diagnosis — the doctor simply has to give an opinion on whether this is a *serious health condition* or not. You can require that the new doctor not list the diagnosis on the certification, if this is for FMLA. It sounds like you are working under a union contract, which may give you additional rights. HTH, and thanks for reading the blogs!~

13. Posted by: Bob

    They are requiring me to bring medical records for this current illness I have
    Do I have to comply under HIPAA?

14. Posted by: Amelia

    Hi Bob! No, you are not required to furnish the employer with your medical records for FMLA. In fact, you are not even required to furnish the employer with a diagnosis. For workers comp or FMLA, the employer can require that you visit a doctor of their choice (at their expense) for a second or third opinion. But they cannot require that you turn over your medical records to the employer. If they continue to make this demand, contract the U.S. Department of Labor or an attorney.
    Perhaps we have misunderstood, and the employer is asking that you provide the medical records to the doctor that the employer has paid? That would probably be a reasonable request. You would have to check with the U.S. Department of Labor on whether or not you could be terminated for denying it. HTH, and thanks for reading the blogs!~ Amelia

15. Posted by: Jen

    I have recently been given by my primary care doctor, a month off of work. My employer insists that they need a better note than the one my doctor provided. The note stated that it was for medical reasons and my employer has stated that my doctor is wrong and needs to provide them with a detailed reason for my time off. My doctor says that it is against my privacy rights for them to ask for a detailed note. Please help me with an answer to this very stressful situation, I feel as if my job is in jeopardy. Thanks for your time.

16. Posted by: Amelia

    Hi Jen! Both the employer and the medical provider are partially right — and partially wrong. We are going to assume that you qualify for unpaid, job-protected leave under FMLA, the federal Family and Medical Leave Act, and that your condition is not work-related. The employer does not have to accept a simple note from your doctor. FMLA permits the employer to request certification of an employees “serious health condition.” There is a link at the bottom of this post for the certificaiton form. We suggest that you print it out, and have your doctor complete it.
    However, your doctor is also right — there is no requirement that the employer be furnished with a diagnosis of your condition. It is optional to put the diagnosis on the form. Let the doctor know that you prefer that he or she does not.
    Ideally, the employer should have provided you with this certification form. Since they did not, however, print it out and use it yourself.
    Even if you do not qualify for FMLA, the employer cannot legally demand a diagnosis and the certification form should be enough. HTH, and thanks for reading the blogs!~Amelia
    FMLA certification form: http://www.dol.gov/esa/whd/forms/WH-380-E.pdf

17. Posted by: Virgil

    My post is similar to Jen’s above. Before returning to work, my boss asked for a doctor’s clearance note, which was faxed over, authorizing me for full duty. My boss did not accept it because my diagnosis was not indicated. (I physically touch patients at work.) Not wanting to reveal what I felt was private information, my boss told me not to return to work unless a new doctor’s note with my diagnosis was included. I lost my job over this.

    Was this lawful that I was not allowed back to work because his demands were not met, and does it make a difference if I’m hired as an independent contractor?

18. Posted by: Amelia

    Hi Virgil! Does it make a difference if you were an independent contractor? Yes, it does. An independent contractor is not an employee, and no employment laws apply. So HIPAA does not apply to an independent contractor. (Neither do FMLA, minimum wage, overtime, unemployment, etc.) If you feel you were classified as an independent contractor in error (and you may have been) then contact your state department of labor or the US Department of Labor.
    Terminating you because you would not disclose a diagnosis would not have been lawful if you were an employee. It violates both HIPAA and ADA. HTH, and thanks for reading the blogs!~ Amelia

19. Posted by: Marci

    My question is: With the HIPAA laws in play how do I handle an injured employee with HIV receiving emergency response from a fellow employee who came into contact with his blood. Our company provides the person that came into contact with the HIV infected employee the option to seek medical attention and receive an injection to offset the incounter. However would this not breech the employee with HIV’s right to privacy? Our safety department wants to implament this program and I feel that HIPAA laws are going to keep us from doing it.

20. Posted by: Amelia

    Hi Marci! We are going to assume that you are in an industry like mining where it is common to render first aid to coworkers, rather than delay until professionals arrive. (In other industries, employees are justifiably forbidden from rendering first aid due to liability issues.)

    The HIV program you are suggesting is a wise one, and nothing in HIPAA would prevent it. Before you take this step, you should also brief your first-aid workers on your company confidentiality policy, warning them not to discuss any personal or medical information that they may uncover. However, HIPAA does not strictly require this, unless you are self-insured or a healthcare provider.

    Employees should be trained to treat every encounter with blood or other bodily fluids as if the accident victim were HIV positive. This is how emergency room doctors and nurses handle the problem. They always wear gloves, masks, etc.

    If exposure does occur, you certainly can tell the first-aid worker that he or she has been exposed to HIV without specifying why you think so. (Of course the first-aid worker may realize that there is only one source of the exposure to HIV…but what the worker surmises is not a HIPAA issue.)

    Saying “John has HIV” is a HIPAA violation. Saying, “We have reason to believe that you have been exposed to the HIV virus” is not a HIPAA violation — even if the worker figures out that John is the only possible source.

    We will say that HIV is more of a medical issue today and much of the shame surrounding it 10 or 20 years ago has dissipated. Your company is under no obligation to guard this “shameful secret” any more closely than you would an employee’s arthritis or diabetes. Any medical info should be kept confidential.

    The bottom line here is that you need to take any action necessary to keep your employees safe, including safe from the spread of HIV. HTH, and thanks for reading the blogs!~ Amelia

21. Posted by: Carrie

    I have recently been in the emergency room in the past week. I work as a Paramedic in EMS for a county agency. While in the emergency room, my captain just walked in to my room. He knew I was there because I had called out sick and a family member told him they were taking me there. To my knowledge this has never been done before with any other employee. I asked the nurse how he got in and she said that he told her he was my friend. He was also in his uniform to which I feel he used to his advantage. I felt this was a huge violation of my privacy. He also called me a couple days later and stated he needed a list of all medications I was taking before returning to work. Again, this hasn’t been done with any other employee. Is this a HIPPA violation?

22. Posted by: Amelia

    Hi Carrie! No, this is probably not a HIPAA violation, but it may be illegal discrimination.
    A HIPAA violation occurs when a healthcare worker shares a patient’s private medical information without the patient’s permission. That does not seem to have occurred here. Your family member volunteered the information that you were in the emergency room — which was a dumb thing to do. Your employer is not entitled to that information, but it was volunteered.
    It sounds like the hospital let the Captain into your hospital room as a visitor. They may have assumed that he was your significant other, or a close family member, or that you were injured in the line of duty. If he was allowed in as a normal visitor, it does not appear to us that the hospital has done anything wrong. Many bosses visit workers in the hospital, and employees often appreciate it.
    You do not owe your boss a list of all medications that you are taking. He can request that you supply a fitness-for-duty release from your doctor that covers driving or your usual duties. But in most cases, it is inappropriate for your boss to require a diagnosis, treatment plan or list of prescription drugs. You should refuse his request for a complete list of your prescription drugs. (If your doctor gave him such a list without your permission, the doctor would be guilty of a HIPAA violation.)
    The only part of our post that we find troubling is when you say that this has not been required of other employees. This may be illegal discrimination based on a disability, or on a perceived disability. For example, if you have epilepsy, your employer may be treating you differently than other employees, and that could be illegal discrimination under ADA, the Americans with Disabilities Act. Or, if you have depression or are HIV positive, he may perceive that as a disability and again, that would be illegal discrimination under ADA.
    If the employer were treating you this way due to your sex, age (between 40 and 70), race, color, etc., that would also be discrimination. The ADA and other discrimination laws are enforced by the EEOC at http://www.eeoc.gov. If this situation continues, you would be justified in filing a complaint with them. First, though, complain to the HR department if your employer has one. Feel free to post any additional questions that you may have. HTH, and thanks for reading the blogs!~ Amelia

23. Posted by: Carrie

    You are right about my significant other telling him that we were going to the emergency room. I was having respiratory distess and couldnt talk. I had called in to work earlier that morning, and he called my phone as we were on our way out the door. The County has discriminated against me for over a year now, and it just seemed wrong to have him show up in my hospital room, especially when that hasnt been done to any other employee. In fact another EMS employee was taking to the emergency room by ambulance the night before for chest pains and a captain didn’t show up in her room, nor was she required to give a list of meds before returning to work. He definately didn’t do it out of concern. I did contact human resources and got in trouble for going out of my chain of command. I did have to provide my medication list otherwise he said I wouldn’t be able to return to work. I was very uncomfortable with the whole situation. The doctor had given me a note as to the date I could return to full duty, and as far as I’m concerned that’s all he would need. I’m really not sure what to do at this point. Thank you for your quick response!

24. Posted by: Amelia

    Hi Carrie! Again, you can file a complaint for illegal discrimination under ADA with the EEOC at http://www.eeoc.gov. They will investigate the claim, and if they find it has merit, they will file a lawsuit for you. There is no charge to you for this service. It is paid by your tax dollars. (You can file a complaint about having to provide the list of meds, even though you complied.) It is unlawful for an employer to retaliate against an employee who files a complaint with the EEOC. (If you work for a state or local government, a state anti-discrimination law may apply instead.)
    If you feel that the employer is discriminating against you based on your race, color, religion, sex, pregnancy, disability, age (between 40 and 70), or national ancestry, that would be unlawful. But if the captain is treating you differently simply because he doesn’t like you, or doesn’t think you do a good job, that is not illegal discrimination.
    An employer has the right to check up on an employee. In this case, it sounds like the captain did not believe that you were going to the emergency room, and checked up on it. That is not unlawful.
    If your captain got information on your medical condition from the hospital because he is an emergency worker, that would be a HIPAA violation by the hospital. If he used his job to access your medical records directly, that would be a HIPAA violation. But it doesn’t sound like either of these two situations occurred. HTH, and thanks for reading the blogs!~ Amelia

25. Posted by: Jennifer

    I am currently off work after spending 8 days in the hospital. My STD leave was originally up on 11/18, however, when I saw my doctor on 11/17 he determined that I was not able to return to work yet. He gave me a copy of his “confidential patient notes” to send in to the STD company. It was a pretty detailed list of his exam and ended with a note saying that I could not return as of yet and said that we were changing my medication regimine and he would continue to observe my progress. I emailed the STD rep and also my HR rep to advise them that I was not able to return to work yet. The HR rep told me to fax the medical records to the STD company and to her attention…which I did. Now both my employer and the STD company are wanting more records. The STD rep says that her medical records people need more info to determine if I am unable to work…isn’t that my doctor’s job to determine that? Is it violating my right privacy for my employer to ask for copies of my records? Thanks!

26. Posted by: Amelia

    Hi Jennifer! Frankly, you have probably provided too much information to both the HR rep and the STD insurance company, already. Normally your doctor would simply write out a statement that you are unable to return to work, and that would be enough. If you are on FMLA, and your employer doubted your doctor’s word, they could request (and pay for) a second opinion. But they have no right to your complete medical records.
    In this case, you “volunteered” a great deal of information including exam details and info on treatment to the employer. Be aware that the employer is under no obligation to keep this information confidential. They can share it with anyone and everyone, within or outside of the company. The HR rep can ask for anything, including a million dollars in gold bricks. You do not have to comply. Simply tell the HR rep that you are not comfortable disclosing any more info under HIPAA. (That’s a little bit like shutting the barn door after the horse gets out, but it’s the best you can do at this point.) You should certainly have your doctor write out a simple statement (on letterhead or a prescription pad) that states you are not able to return to work at this time, and sign it.
    Sorry, but we only deal with employment law. You’ll need to find a site that answers questions regarding insurance to get the question about STD answered. HTH, and thanks for reading the blogs!~ Amelia

27. Posted by: Jennifer

    Thank you for responding so quickly! I realized right after I sent the fax that it was probably too much information.

    I was just provided the paperwork for FMLA, however, I don’t think that I am actually eligible for it. I had to be out earlier this year for two surgeries and I was told that since my location did not have more than 50 employees or another location that was within 75 miles, that I was not protected. There has not been any growth in my office over the last 8 months so I know that we have not exceeded 50 employees. FMLA coverage would be great to protect my job, but could I get into any type of “trouble” for filling out the paperwork and I wasn’t actually eligible?

28. Posted by: Amelia

    Hi Jennifer! That’s a mistake many people make — unfortunately, they haven’t invented a way to “unring the bell” yet.

    You cannot get in any trouble for completing the FMLA forms that your employer has provided. Once you turn in those forms, the employer has about 2 weeks to respond in writing, letting you know that FMLA has been granted or denied.

    Even if FMLA is denied, having the certification papers filled out may put your employer’s mind at rest that you genuinely have a serious health condition. Be aware that on the FMLA certification, a diagnosis and treatment play is optional. If you tell your doctor that you prefer not to disclose that information, he can still fill out the FMLA papers completely. Feel free to post any additional questions you might have. HTH, and thanks for reading the blogs!~ Amelia

29. Posted by: Jennifer

    I just spoke with a different HR rep. He said that they are going to place me on extended leave starting on Monday. He said it means that they are going to try to fill my position while I am out and if they fill it before I am able to return then I will be out of a job unless they have something else open. He said that if I am able to return to work before they fill it then I can have my job back.

    I asked him about the FMLA paperwork that I received and he said that I am not eligible. I advised him that another rep had sent me the paperwork and marked that I was eligible for it. He said that was an error and she is having personal issues and probably just automatically sent it. I didn’t get the paperwork until Nov 17th and I notified them of being in the hospital on Oct 20th.

    I am really confused and frustrated. What’s even worse, I signed a two year noncompete contract when I was hired. I am a CPP (certified payroll professional) and that would kick me out of the whole industry for two years.

30. Posted by: Amelia

    Hi Jennifer! Unfortunately the action the HR rep is taking is entirely lawful, and it is what most employers would do in this situation.
    Receiving FMLA papers does not necessarily signify that you qualify for FMLA leave. Here’s the process: When an employee has an absence that could be covered by FMLA, the employer sends them FMLA papers within 5 days. The employee then has 15 days to complete the papers and send them back. The employer then has a period of time to inform the employee whether or not they qualify for FMLA. So even if you had submitted flawlessly completed FMLA papers, the leave would have been denied because you are not qualified — your location does not have enough employees.

    Many employers routinely send out FMLA papers to all employees with a serious illness, to cover their butts. Simply receiving the papers does not make you eligible for FMLA. In this case, if FMLA is being denied because you work at a location with fewer than 50 employees within 75 miles, that is legitimate. (If it is being denied for another reason, that may not be legitimate.)

    Frankly, most employers would have terminated you after your first surgery, if you did not qualify for FMLA. There is no law that the employer must permit extended absences that are not covered by FMLA.

    The good news is that in nearly every state, a two-year non-compete agreement that covers the entire industry is probably unenforcable, because it interferes with your ability to support yourself. If the non-compete agreement were for a shorter period, or a limited geographical area, or if you were paid for that period, that would be different. But almost every court would find two years excessive. You may choose to ignore the non-compete agreement, or to consult with an attorney about it. HTH, and thanks for reading the blogs!~ Amelia