I often receive calls from current and former employees concerned that an employer has violated their HIPAA rights. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, was enacted to ensure protection of protected health information or personally identifiable health information (PHI). In general, HIPAA protects from unauthorized disclosure any PHI pertaining to a consumer of health care services. The common relevant question, in the context of employment law, is whether employers are covered by HIPAA and therefore required to abide by the HIPAA privacy rules.
Most Employers are Not “Covered Entities” Under HIPAA
Employees are often concerned that employers, who may have gained information about employee health conditions through leave requests or requests for accommodation, have improperly shared that information with other employees. For example, a supervisor may learn an employee is receiving radiation treatments for cancer, but the employee may prefer that information remain private from other employees. Individuals are often surprised to learn that many employers are not “covered entities” under HIPAA and therefore aren’t bound by those rules. In other words, HIPAA does not prevent an employer from sharing employee health information with other employees in most cases.
HIPAA Only Applies to Healthcare Providers, Which Usually Excludes Employers
Covered entities under HIPAA are health plans, health care clearinghouses, and health care providers. Privacy rules established by HIPAA apply to employers ONLY if they operate in one or more of those capacities – as a health plan, a health care clearinghouse or a self-insured health care provider. The same standards apply to covered entities in both the public and private sectors. In other words, unless your employer has some kind of health clinic operations available to employees, or provides a self-insured health plan for employees, or acts as the intermediary between its employees and health care providers, it will not be handling the kind of PHI protected by the HIPAA privacy rule.
Sharing Health Info Can Lead to Job Discrimination or Other Legal Violations
What does this mean for employees? It means if you suspect your employer has shared your health information with other employees or colleagues, you will only be able to claim a HIPAA violation if your employer is a health plan, a health care clearinghouse or a health care provider. If your employer is not self-insured, does not provide health care facilities for employees or does not act as intermediary between medical providers and employees, you will need to seek other avenues of redress to deal with the disclosure. For instance, if the health information is shared and relied upon in the context of making a termination decision, that may be grounds for a disability discrimination claim. Similarly, if health information is referenced in a performance review that results in a demotion or loss of pay, there may be other avenues of redress. Or, if you are approved to return from medically approved leave but your employer refuses to place you in your old job, you may have a claim for violation of medical leave laws.