Can an Employer Use the Information Contained in My Medical Records Against Me?
While most employers are not covered entities, many administer health plans that are covered by HIPAA regulations and, therefore, they must make sure these plans are HIPAA compliant. In addition, employers may be a covered entity if their health plan is self-insured or if health benefits are administered internally.
HIPAA does not prevent an employer from asking an employee for a doctor's note in order to administer programs related to sick leave, workers' compensation, wellness or health insurance. However, if employers ask health care providers for information about employees, health care providers cannot disclose information without employee consent and authorization. And while HIPAA doesn't protect employment records, even if there is health-related information contained in those records, the information may only be used for the purposes expressly stated in the authorization that has been provided to the physician.
The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:
Required by law.
Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.
Public health.
PHI can be disclosed to public health authorities and their authorized agents for public health purposes including but not limited to public health surveillance, investigations, and interventions.
Research.
A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.
Abuse, neglect, or domestic violence.
PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.
Law enforcement.
Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.
Judicial and administrative proceedings.
A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.
Cadaveric organ, eye, or tissue donation purposes.
Organ-procurement agencies may use PHI for the purposes of facilitating transplant.
Oversight.
Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.
Workers' compensation.
The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.
Other Authorized Disclosures
A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must specifically identify the PHI to be used or disclosed; provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI; state the purpose for each request; notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances; be signed and dated by the individual or the individual's personal representative; be written in plain language; include an expiration date or event; notify the individual of the right to revoke the authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.
See the following for further discussion: