During the COVID-19 pandemic, questions about employee health privacy relating to symptoms, testing, and vaccination became prevalent in discussions about the workplace at all levels, from “the water cooler” to national news. While the pandemic brought many employee health-privacy issues to the forefront of discussion across all industries, those questions are particularly complex in the healthcare industry, where healthcare employers must navigate additional layers of privacy implications that arise under the Health Insurance Portability and Accountability Act (HIPAA) when employees are also patients. Indeed, healthcare employers grappled with these issues long before the pandemic and will continue to grapple with them long after it. This article focuses on employee-patient privacy issues that arise in healthcare employment outside of the COVID-19 context; for more information about COVID-19-specific healthcare employee privacy issues, please refer to the Schwabe article “Healthcare Employee Data Privacy during the COVID-19 Pandemic.”
Navigating the Blurred Lines between Employee and Patient
HIPAA applies only to “covered entities,” which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that electronically transmit certain health information (and certain “business associates” of covered entities). If an employer does not fall into one of those categories, HIPAA does not apply to it at all. Even if an employer is a “covered entity,” HIPAA still does not apply to employee health information maintained in its capacity as an employer, that is, to information contained “in employment records held by a covered entity in its role as an employer.”
However, when an employee is a patient of a covered entity employer, HIPAA does apply to the employee’s protected health information (PHI) maintained in its capacity as a covered entity. In such a case, the entity (and individuals involved in the employee-patient’s care) may not disclose the employee-patient’s PHI to other individuals within the organization who are acting in their role as the employer—such as the employee’s manager or human resources (HR) personnel—unless expressly authorized by the employee or applicable law. Put another way, a supervisor or HR cannot simply access or ask the provider for the employee’s patient medical records to obtain information about the employee-patient’s health or treatment to use that information for employment purposes. Rather, they must treat the request the same as any other request to a third-party healthcare provider and should not contact the employee’s provider or access the employee’s medical records directly without a valid authorization from the employee, even if the provider is employed by the employer or is part of the same health network or electronic health records system.
This can arise in a variety of ways outside the context of COVID screening, testing, or vaccination, particularly for rural healthcare providers and large health networks where employees are likely to seek care from their employer. For example, this often comes up when an employee requests protected family or medical leave or a workplace accommodation for a disability or pregnancy. It can also arise in other situations, such as when a supervisor is suspicious of an employee’s use of sick time or leave request, or is concerned that the employee might have a communicable disease or condition that affects their work, and wants to go straight to the source by checking with the employee’s provider or medical records. Less commonly, this can also come up in more nefarious scenarios in which a supervisor or co-worker wants to obtain private health or personal information about another employee to use against them in some way. On the other hand, sometimes the situation could involve a well-intended (but misguided) supervisor or provider who is concerned about the employee’s health and thinks they are helping the employee by initiating the communication.
These situations vary in motivation and purpose, and the ultimate conclusion about whether or not use and disclosure of the employee’s PHI is permissible could depend on a case-by-case evaluation to determine if an exception to HIPAA applies. What is critical in every circumstance is that a covered entity employer evaluate whether the use or disclosure is permitted by HIPAA (and any other applicable privacy laws) before using or disclosing employee-patient PHI, even for internal employment purposes. For example, HIPAA permits use and disclosure of PHI without an employee-patient’s authorization in some circumstances (provided certain criteria are met), including:
- for the covered entity’s own treatment, payment, and healthcare operations (as defined by the HIPAA regulations);
- incident to an otherwise permitted use and disclosure; and
- certain public interest or benefit purposes (including when required by law, public health activities, situations of abuse/neglect/domestic violence, health oversight activities, judicial and administrative proceedings, law enforcement purposes, regarding decedents, cadaveric organ/eye/tissue donation, for research, a serious threat to health or safety, essential government functions, or workers’ compensation).
Additionally, even when HIPAA permits a use or disclosure of employee-patient PHI, covered entity employers should keep in mind that an overarching “minimum necessary” standard applies, which limits the PHI accessed or disclosed to the minimum necessary to accomplish the permissible purpose of that use or disclosure.
Safeguarding Employee-Patient PHI
When HIPAA Applies: When an employer qualifies as a covered entity to which HIPAA applies, it must comply with all applicable HIPAA regulations and standards set forth in 45 C.F.R. Part 164, including the Privacy Rule, Security Rule, and Breach Notification Rule, regarding the safeguarding of employee-patient PHI it maintains or transmits in its capacity as a covered entity. The Privacy Rule sets forth standards for the protection, use, and disclosure of PHI by covered entities and their business associates and requires them to provide certain privacy notices to individuals; implement written policies, procedures, training, and administrative, technical, and physical safeguards against intentional or unintentional impermissible disclosures of PHI; and address complaints. The Security Rule sets forth standards for protecting the confidentiality, integrity, and availability of electronic protected health information, including requiring appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
To help address the additional privacy and security risks when employees are also patients, covered entity employers should consider incorporating specific provisions into those policies, procedures, and trainings to prevent improper internal access to or use or disclosure of an employee-patient’s PHI. Further, if the covered entity learns of a potentially improper internal access, use, or disclosure of an employee-patient’s PHI, they should promptly conduct a HIPAA breach analysis to determine if a breach, in fact, occurred and if any notices or other actions are required or warranted as a result.
When HIPAA Does Not Apply: The stringent HIPAA privacy and security requirements that apply to an employee-patient’s PHI maintained in the entity’s role as a covered entity do not apply to employee health information received and maintained by the same entity in its role as employer. This is true even if the data includes information or records originally considered employee-patient PHI that was validly disclosed to the entity for employment purposes and is now maintained by the entity in its capacity as employer. That said, even when HIPAA does not apply to health records the employer maintains in this capacity, separate employee privacy laws—including federal laws like the Americans with Disabilities Act and Genetic Information Nondiscrimination Act and similar state laws—still apply. Employers should maintain employee health information that is for employment purposes in separate, confidential medical files with restricted access and should implement clear policies, safeguards, and training to help employees understand and comply with the requirements.
Responding to Third-Party Requests for Employee-Patient Information
Covered entities often receive third-party requests for patient PHI, and employers often receive requests for employee information. When a covered entity employer receives a third-party request for information about an individual who is both a patient and an employee, it should first review the request carefully to determine whether the information is maintained in its capacity as a covered entity, an employer, or both.
When HIPAA Applies: If the request seeks PHI maintained in the entity’s capacity as a covered entity, the entity may only disclose the data if authorized under HIPAA and other applicable state health information privacy laws, for example, pursuant to a valid written authorization signed by the employee-patient (which meets all requirements for a valid HIPAA authorization under the regulations), a subpoena, or a court order, or as otherwise permitted by HIPAA. Additionally, covered entities must be careful to limit the information disclosed to only the extent specifically requested and authorized by the employee-patient or applicable law.
When HIPAA Does Not Apply: If the request seeks the employee’s employment records maintained by the entity in its capacity as an employer, the stringent HIPAA requirements do not apply but, as noted above, other confidentiality protections may still protect employee health or other personnel information maintained by the employer. Accordingly, employers should take care to disclose the personnel or health information only with the employee’s express authorization (which should be in writing) or in response to valid subpoenas, court orders, or other legally-authorized requests, and only to the extent specifically requested and authorized by the employee or applicable law.
Special Considerations for Union Requests: Covered entity (and other) employers should also be aware that additional considerations may apply if the request for PHI or employee health information comes from a union. An employer’s obligations with respect to providing PHI or employee health information in response to a request from a union are more complicated, and they vary depending on whether the request is for health information maintained by an employer in its capacity as a covered entity or its capacity as a non-covered employer.
The National Labor Relations Act (NLRA) broadly requires employers to provide unions with information relevant to collective bargaining or the investigation or processing of grievances, but that requirement is not absolute. In Detroit Edison Company v. National Labor Relations Board, the U.S. Supreme Court recognized a balance between a union’s right to relevant information and an employer’s (or an employee’s) right to confidentiality. Thus, in some cases the union’s interest in relevant data may outweigh an employee’s privacy interests. As a result, the employer should not simply refuse to provide confidential employee health data, but should work with the union to explore reasonable alternatives—such as obtaining employee releases, limiting the scope of disclosure, limiting access, redaction, etc.—to protect confidentiality while providing the union with the information it needs to perform its duties as the employees’ exclusive bargaining representative.
Indeed, even if a union request seeks employee-patient PHI maintained by an employer in its capacity as a covered entity, disclosure of such PHI may be permissible under HIPAA, subject to the same general principles of balancing interests and limiting disclosure to the minimum necessary, as discussed above. For example, HIPAA permits disclosure of PHI if it is related to “healthcare operations,” which the regulations define to include “resolution of internal grievances.” Further, HIPAA allows disclosure of PHI if such disclosure “otherwise is required by law,” and comments to the regulations state that “to the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may do so without an authorization.” The comments also provide that the definition of “health care operations” permits disclosures to employee representatives for purposes of grievance resolution. These regulations and comments thus pivot the discussion back to the balancing question of whether the employer is required to provide the union with the requested information because it is relevant to the union’s duties.
Covered entity employers might want to review and update their privacy-related policies and practices to ensure they address HIPAA implications related to employees who are also patients. They should also keep in mind that other federal, state, local employment, and/or data-privacy laws might apply to PHI or other employee health or personnel information.
This article summarizes aspects of the law and does not constitute legal advice. For legal advice for your situation, you should contact an attorney.