Topic of the Week: Medical Privacy
- What types of medical information might be part of my employer's records about me?
- Do I have a right to have my medical information kept private in the workplace?
- I am part of a group health plan at work. How does HIPAA protect my health information?
What types of medical information might be part of my employer's records about me?
Medical records are created when you receive treatment from a health professional such as a physician, nurse, dentist, chiropractor, or psychiatrist. Records may include your medical history, details about your lifestyle (such as smoking or involvement in high-risk sports), and family medical history.
In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects.
Information you provide on applications for disability, life, or accidental insurance with private insurers or government programs can also become part of your medical file.
All of these types of medical records present privacy implications for you as an employee, if there is a possibility of your employer accessing this information.
For medical files that are covered under the HIPAA Privacy Rule, all individually identifiable information is protected. Individually identifiable information is information, including demographic data, that relates to:
- The individual’s past, present, or future physical or mental health condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
Do I have a right to have my medical information kept private in the workplace?
Your employer has a number of ways to obtain medical information about you, whether because you volunteer it when you call in sick or tell co-workers, or because you provide requested information on health insurance application or workers' compensation claim forms. However, just because your employer has the information does not mean that it should be shared with everyone in the workplace, especially when you have not chosen to share it yourself.
The basic legal principle that employers should follow is not to reveal medical information about you unless there is a legitimate business reason to do so. But because that standard is fairly vague, there are laws which more specifically protect the privacy of your medical records, such as the Americans with Disabilities Act, the law which makes it illegal to discriminate on the basis of an employee's disability. State laws may also provide additional protection.
The HIPAA Privacy Rule may control how a health plan or covered healthcare provider discloses protected health information to an employer, including your manager or supervisor, if you are a patient of the provider or a member of a health plan. However, it does not protect your employment records, even with respect to health-related information. Therefore, the Privacy Rule does not prevent a supervisor from asking you for a doctor's note if the employer needs the information for administrative purposes such as sick leave or workers' compensation. Your employer cannot, however, obtain information about you from your health care provider directly without your authorization, unless other laws require the provider to disclose it. And if you work for a health plan or a covered health care provider, the Privacy Rule does not apply to your employment records.
I am part of a group health plan at work. How does HIPAA protect my health information?
If you are a member of a group health plan, your employer pays a premium to the health plan which covers your health care costs. In return for the premium paid, the health care plan assumes the risk of paying for your health care expenses covered by the plan.
Group health plans are covered by the HIPAA Privacy Rule as long as the plan has 50 or more participants. The HIPAA Privacy Rule applies to the plan itself, not to your employer, but it still attempts to limit the use of medical information for employment purposes.
Under HIPAA, the group health plan can tell your employer whether you are enrolled in the plan or not, and can provide the employer with "summary information" that it can use to evaluate and compare premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures to keep the information private, much as an entity that is covered by HIPAA would. However, a fully insured group health plan that does not create or receive protected health information other than summary health information and enrollment or disenrollment information is not required to have or provide a notice of privacy practices. Most health plans are also required to refrain from intimidation or any retaliatory acts and from requiring an individual to waive their privacy rights.