Our HR department receives individually identifiable health information from employees, health care providers, or health plans in connection with an employee's request for sick leave, for leave under the Family Medical Leave Act (FMLA), or for a reasonable accommodation under the Americans with Disabilities Act (ADA). Is any of this information subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules?
The answer depends upon where the information came from, who has it now, and why they have it. The privacy rules apply only to "covered entities," that is, health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with any of the transactions covered by the HIPAA administrative simplification regulations. Employers are not covered entities under those regulations.
However, an employer sometimes performs administration functions on behalf of its health plan. In those cases, information that the employer uses or discloses in performing plan administration functions is subject to the privacy rules.
Information that an employee turns over to an employer for employment-related functions, such as responding to leave or accommodation requests, is not subject to the privacy rules. However, the same information is generally subject to the privacy rules when in the hands of covered entities.
Accordingly, if the employer wants to obtain the information directly from a covered entity (such as a provider or plan), rather than from the employee, the health care provider or plan must comply with the privacy rules before making disclosure. Generally, the provider or plan will not disclose information to the employer without an authorization satisfying HIPAA's requirements. Once an employer receives information from a provider or plan for employment-related functions, however, the employer has no HIPAA privacy obligations as to that information.
Can our HR department contact a health care provider regarding information on the FMLA medical certification form for an employee’s serious health condition?
The FMLA regulations indicate that contact between an employer and an employee’s health care provider must comply with the HIPAA privacy regulations. Under the regulations, employers may contact an employee’s health care provider for authentication or clarification of the medical certification by using a health care provider, a human resource professional, a leave administrator, or a management official.
In order to address employee privacy concerns, the regulations make clear that in no case may the employee’s direct supervisor contact the employee’s health care provider. In order for an employee’s HIPAA-covered health care provider to provide an employer with individually identifiable health information, the employee will need to give the health care provider a written authorization allowing it to disclose such information to the employer. Employers may not ask the health care provider for additional information beyond that contained on the medical certification form.