HIPAA Employee: Know Your Rights

Since the start of the COVID crisis, there has been much discussion as to whether or not HIPAA regulates employers. In most cases, employers are not subject to HIPAA, but instances in which HIPAA applies to employers include those in which the employer administers a group health plan. To provide guidance on HIPAA employee rights, this article discusses HIPAA in the workplace.

HIPAA Employee Common Misconceptions

HIPAA has gained a lot of notoriety over the past several months as employees have made claims that their HIPAA rights have been violated. However, in most cases, the employee complaints have been unfounded as their employers did not fall under HIPAA’s jurisdiction.

Some common HIPAA misconceptions include:

  • HIPAA prevents employers from asking employees about their COVID-19 status.
  • HIPAA prevents employers from asking for confirmation of a medical condition that would prevent an employee from wearing a mask.
  • HIPAA prevents employers from asking employees to provide a doctor’s note to explain a work absence.
  • HIPAA prohibits employers from asking employees for information needed to administer a health benefits program.
  • HIPAA covers all employee benefits information (it does not cover wellness programs, life insurance, or workers’ and disability compensation).
  • HIPAA covers information contained in employment records (HIPAA only applies to health information).

HIPAA Employee Rights in the Workplace

Employee complaints that would fall under HIPAA’s jurisdiction include, for example, a complaint by an employee that their employer (one that administers a group health plan) uses or discloses the employee’s protected health information (PHI) for reasons other than treatment, payment, or healthcare operations.

HIPAA and Employers

Since protected health information is only covered by HIPAA when it is used to communicate information about an individual’s past, present, or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare, employers and their employees are often not subject to the Privacy Rule, even if they come into contact with PHI.

Take the example of a construction company worker who supplies personal information to his or her employer’s HR Department when the worker begins his or her job. Some of this information – such as the employee’s telephone number and Social Security number – is PHI. However, if the HR Department never uses the PHI to communicate information about an individual’s past, present, or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare, the PHI – and therefore the employer – is not subject to the Privacy Rule. There has been no transmission of or communication with respect to the PHI; therefore, the employer is not a covered entity.