
Under the HIPAA Privacy Rule, do I need to obtain authorization from my employees for every situation involving health-related information?

No. There are several circumstances where HIPAA does not apply in the workplace. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to an employer's group health plan (except for self-administered plans with fewer than 50 participants). Fully insured group health plans that do not create or receive protected health information other than summary health information have limited requirements under the Privacy Rule.

In general, the Privacy Rule requires employers to obtain authorization from an employee when protected health information (PHI) received through the group health plan is used for purposes other than treatment, payment or health plan operations.

According to the U.S. Department of Health & Human Services, "An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date and, in some cases, the purpose for which the information may be used or disclosed." 

Workers' compensation claims do not require authorization as transactions necessary to comply with state workers' compensation laws are specifically exempted from HIPAA.

Other records are considered employment records rather than health care records and are not protected by HIPAA, including:

  • Family and Medical Leave Act (FMLA) medical certifications.
  • Requests for accommodation under the Americans with Disabilities Act (ADA) and related documentation.
  • Doctor's notes provided under the terms of an employer's absence policy.

Because doctors and other health care professionals are covered entities under HIPAA, there may be times when an employee will need to provide an authorization to the health care provider to have PHI released directly to the employer. For example, an employer may contact a health care provider for authentication or clarification of an FMLA medical certification and the provider must obtain authorization from the individual before releasing any medical information.

To create firewalls between health records and employment records, employers should maintain those categories of records in separate files. 

