Everything You Know About HIPAA Is Wrong. Here’s the 411.

HIPAA could possibly be the most misunderstood law in the history of the American workplace.  I often hear the law misquoted, misused, even misnamed – HIPPI, HIPPO, HIPPUP…the list is endless (and hilarious).  But the wrongful disclosure and discussion of medical and health information isn’t funny, and can subject an employee to horrific discrimination, harassment and ridicule.  So what is HIPAA, and what does it do?
Here’s the short scoop on the Health Insurance Portability And Accountability Act of 1996:
  1. HIPAA APPLIES TO THREE KINDS OF ORGANIZATIONS. YOUR EMPLOYER ISN’T ONE OF THEM. In other words, HIPAA is generally not even applicable to the typical employer or workplace. The organizations covered by HIPAA include (a) “Health Plans” (such as health insurance companies, HMOs, company health plans, and certain government programs like Medicare and Medicaid), (b) Health Care Providers (such as most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and dentists), and (c) Health Care Clearinghouses (such as companies that receive health information and then may reformat or process the information for use by others).
  2. HIPAA CREATES TWO BASIC RULES. The “Privacy Rule” strictly limits when and to whom your personal health information can be disclosed. This is the rule most of us think about when we think of HIPAA. The other rule is the “Security Rule.” It requires an entity to have safeguards in place to prevent the accidental (or intentional but improper) release of your medical information. Those safeguards include administrative, physical, and technical steps to ensure the confidentiality, integrity, and availability of electronic protected health information.
  3. EMPLOYERS ARE NOT REQUIRED TO FOLLOW EITHER THE PRIVACY RULE OR THE SECURITY RULE. That’s right.  Read that one again.  The Privacy Rule does not protect your employment records, even if the information in those records is health-related. Generally, the Privacy Rule also does not apply to the actions of an employer, including the actions of a manager in your workplace. If you happen to work for a health plan or covered health care provider, the Privacy Rule likewise does not apply to your employment records.  It does, however, protect your medical or health plan records if you are a patient of the provider or a member of the health plan.
  4. THE HIPAA PRIVACY RULE, WHICH IS WHAT MOST PEOPLE THINK OF, APPLIES TO DISCLOSURES MADE BY YOUR HEALTH CARE PROVIDER, NOT TO QUESTIONS ASKED BY EMPLOYERS. The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs, or health insurance.  However, if your employer asks your health care provider directly for information about you, your provider cannot disclose the information in response without your authorization.  Covered health care providers must have your authorization to disclose this information to your employer, unless other laws require them to disclose it.
  5. PROTECTED HEALTH INFORMATION CAN SOMETIMES BE OBTAINED, EVEN FROM HIPAA-COVERED ENTITIES, THROUGH COURT ORDERS OR SUBPOENAS. A covered health care provider or health plan may disclose protected health information required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order. A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order. A covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before the covered entity may respond to the subpoena, the Rule requires that it receive evidence that reasonable efforts were made either to notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or to seek a qualified protective order for the information from the court.
  6. INDIVIDUALS CAN’T SUE FOR HIPAA VIOLATIONS, BUT MIGHT BE ABLE TO SUE FOR PRIVACY VIOLATIONS RELATING TO MEDICAL INFORMATION ON OTHER GROUNDS. The U.S. Congress, in passing HIPAA, did not give individuals the right to sue for violations. But there are other grounds upon which a victim of wrongful disclosures can sue. Claims could include invasion of privacy, negligence or the intentional infliction of emotional distress. You should consult with an experienced employment discrimination lawyer about your rights if you feel a medical record, or information about your health, is being improperly disclosed. The fact that HIPAA itself might not be a basis for your claim doesn’t mean you have no remedy. Loose discussion of an employee’s medical situation in the workplace is rarely appropriate, and can adversely affect the way the employee is treated. The law may provide a range of remedies, even if HIPAA doesn’t.

Categories: HIPAA & Medical Information
