Medical Privacy: Does the HIPAA Privacy Rule prohibit employer announcements of births, employee hospitalizations or family medical emergencies to other employees?

Jun 15, 2016

The HIPAA Privacy Rule would most likely not apply to these situations if the employee disclosed the information directly to the employer. If the employer obtained the information from the health care plan or provider, the Privacy Rule would apply as there would be protected health information (PHI) involved. In any event, before an employer discloses or announces any employee's personal and health-related information, it should follow the best practice of obtaining the employee's permission to do so.  

The Department of Health and Human Services (DHSS) in its Summary of the HIPAA Privacy Rule states:

"The Privacy Rule protects all 'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information 'protected health information (PHI).' 'Individually identifiable health information' is information, including demographic data, that relates to:

  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,
    and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)."
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer.  An employer is not defined as a covered entity based solely on being an employer unless it is self-insured. When an employer sponsors an ERISA health plan, the entity administering the employee health plan is the "covered entity." Typically covered entities are medical plans, health care providers and health care clearinghouses. Since medical information that is protected must be both individually identifiable PHI and information that falls under the administration of a covered plan or entity, employers that are not health care providers or clearinghouses are generally not covered entities. Whether information in question is HIPAA-covered will be best determined based on whether the information is related to, or derived from, administration of the employer's health care plan(s). 

For example, if during their conversation about the upcoming long weekend Roger discloses to his manager that his wife is pregnant, the HIPAA Privacy Rule does not apply. And Sally's migraine causing her to leave early from work and request time off under the company attendance policy is not a Privacy Rule matter either. But if Wanda, the company CHRO, reads in the company benefits plan quarterly report that Peter has pancreatitis, she ought to know this information is protected under the HIPAA Privacy Rule.

Express Requests
The HR Knowledge Center has gathered resources on current topics in HR Management. Click here to view and request information.

Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect