Health Privacy: Navigating Barriers to Medical Condition Inquiries

Can an employer call an employee’s doctor to ask about the documentation for an employee’s request for intermittent leave? Can the employer e-mail the employee’s doctor with questions about the accommodation a disabled employee has requested?

“The answer is that employers—under a variety of different laws—can’t ask an employee’s doctor any questions that they can’t ask the employee,” said Robert Dustin, an employment and disability law attorney with Saul Ewing LLP in Washington, D.C. In other words, an employer can’t do indirectly what it can’t do directly.

Employers need to be aware of how their inquiries—which might involve the Americans with Disabilities Act (ADA), the Family and Medical Leave Act (FMLA), workers’ compensation, and short-term and long-term disability (STD and LTD)—interact with the privacy guarantees of the Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Nondiscrimination Act (GINA).

HIPAA and GINA

Any question that an employer poses to a health care provider about employee medical information is subject to the HIPAA privacy rule, which controls when a covered entity—health care providers and health care plans—may disclose health information. A covered entity can’t give the employer any protected health information without having a signed HIPAA release from the employee. (This point is reiterated in a final rule published in the Jan. 25, 2013, Federal Register, which clarifies the definition of information “breach” under HIPAA by jettisoning a so-called “harm standard” and replacing it with a more objective four-part standard; see the SHRM Online article “HIPAA Rule Alters Definition of ‘Breach’”).

Additionally, GINA, which prohibits employers from discriminating against employees on the basis of genetic information, generally prohibits employers from requesting or acquiring an employee’s genetic information.

ADA

Under the ADA, an employer may ask employees about a disability only if the questions are job-related and consistent with business necessity. This means that the employer may seek information about when it has a reasonable belief that the employee will be unable to perform the essential functions of his or her job because of the medical condition or the employee will pose a direct threat because of the medical condition.

The ADA does not expressly prohibit direct questions to health care providers about employees’ medical information, but providers are restricted by HIPAA on what information they may divulge.

“There’s nothing in the law that prevents you from asking, but you won’t get the doctor to answer without a release from the employee,” said Dustin, “and if the employee says no to the release of information, there’s really no way to get the information.”

Action step:Ask the employee to sign a HIPAA release before calling the health care provider.

--------------------------------------------------------------------
An employer may seek information when it has
a reasonable belief the employee will be unable
to perform essential job functions or poses
a direct threat. But HIPAA restricts what providers
may reveal without an employee release.
--------------------------------------------------------------------

FMLA

The FMLA has some very specific regulations that expressly prohibit—in most cases—an employer from getting information directly from the employee’s doctor even if the employee consents and signs a HIPAA release.

The regulations provide that an employer may contact the health care provider only when the information on the employee’s FMLA certification form needs clarifying and only after giving the employee a chance to complete or clarify the form. Only an HR professional, a leave administrator or a management official may make the request—never the employee’s direct supervisor.

Action step: Although a HIPAA consent form is not required for FMLA authentication, it’s certainly advisable to ask the employee to sign one before there is any contact with the health care provider.

Disability Benefits and Workers’ Comp

HIPAA does not prevent an employer from asking an employee’s doctor for information about his or her health if the employer needs the information to administer workers’ compensation or disability benefits. In practice, however, with claims for workers’ compensation—where the parties on both sides have representation and insurers are involved—there may be procedural hurdles for an employer to directly question a doctor.

With regard to self-insured STD and LTD plans, inquiries about an employee’s medical condition are usually made by the insurer in trying to decide on the benefit claim, so it’s the insurer—not the employer—who’s asking for medical information.

Action step:Set the terms of a self-insured plan to allow information requests to a health care provider. Get a HIPAA release before contacting the health care provider.

Wellness Programs

HIPAA includes an exception for employer-sponsored wellness programs that allows employers to offer financial benefits to employees who participate and meet the goals of the program. The employer may ask health care providers about the employee’s ability to participate, but the health care provider will need a HIPAA release.

The ADA allows employers to ask medical- and disability-related questions as part of a voluntary wellness program, as long as they are job-related and consistent with a business need. Again, the health care provider will want the employee’s signed release.

Similarly, there is a broad exception for employer-sponsored wellness programs under GINA, which allows an employer to acquire genetic information about an employee or his or her family members when it offers health or genetic services under a wellness plan, with voluntary, knowing and written authorization from the employee.

Action step:Ask the employee to sign a HIPAA release before the health care provider is contacted.

Susan R. Heylman, J.D., is a freelance legal writer and editor based in the Washington, D.C., area.​​