Management attorneys often use HIPAA as a basis to refuse to provide requested information. While HIPAA generally prohibits disclosure of protected health information, there is an explicit exception for employment records held by a covered entity in its role as employer. Thus, the HIPAA privacy rule generally does not apply to information requested in connection with union grievances, arbitrations, NLRB proceedings or collective bargaining. This exception is critical for union lawyers to bear in mind, particularly when representing unions in the healthcare industry.
Does HIPAA apply to my case?
To answer this question, determine: (1) whether the entity holding the information is a “covered entity” under HIPAA, (2) whether the information sought is “protected health information” (PHI), (3) whether the information falls within an exception to the HIPAA Privacy Rule, and (4) whether, if covered, there is a valid release authorizing disclosure of the information.
The HIPAA Privacy Rule applies only to health plans, healthcare providers, healthcare clearinghouses, and their business associates. Health care clearinghouses are billing services, repricing companies, health management information systems, etc. that process health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction (or vice versa). Business associates are the individuals and entities who conduct business on behalf of covered entities and who come into contact with PHI through those activities.
Employers qua employers are not covered entities. It should also be noted that employees are not covered entities. Thus, HIPAA does not prevent employers from asking employees to provide doctors notes, or from asking for information related to an employee’s health in order to administer sick leave, workers’ compensation, wellness programs, or health insurance. While the ADA regulates an employer’s ability to question employees about their health, HIPAA does not concern itself with exchange of information between employers and current or prospective employees or retirees.
Protected Health Information
The Privacy Rule regulates only the disclosure of “individually identifiable health information.” Protected health information (PHI) either identifies an individual or could reasonably be believed to provide a basis for identifying the individual. Information is “identifiable” if it includes one or more of the following, all of which must be removed for information to be considered “de-identified”:
- Address information (including any geographic subdivision smaller than a state, including street address, city, county, precinct, and zip code), as well as email addresses, phone and fax numbers
- Birth date, treatment dates and other identifying dates
- Social Security number, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, including license plate numbers, and any other unique identifying number, characteristic, or code
- Full face photographic images, or biometric identifiers, such as fingerprints or voice prints
- Device identifiers and serial numbers, URLs, IP addresses
“De-identified” information, in which any of the above data has been removed, is not PHI and may be freely used and disclosed. See 45 C.F.R. §§ 164.502(d) and 164.514(a) and (b) for standards regarding de-identification.
Example: A physician mentions to a friend that the lead actor from a particular movie broke her nose during filming and came to him to get it fixed. The disclosure violates HIPAA because the doctor had given enough information about the actor to identify him. However, if the production company issued a press release about the actor’s broken nose (or any other health information) that would not violate HIPAA, because employers are not covered entities.
Note: “Protected Health Information” does not include results of employment-related drug tests. The facility performing the drug test does not need the employee’s or applicant’s permission to disclose the results of the drug screening to the employer, and the employer has no obligation (under HIPAA at least) to keep positive drug test results confidential.
Exceptions to HIPAA Coverage:
- Employment Records. Importantly, information that is contained in “employment records held by a covered entity in its role as employer” is not PHI. 45 C.F.R. § 160.103. Thus, when an employer has access to health information in its role as an employer, none of that health information is protected by HIPAA, even if that employer also happens to be a healthcare provider. Example: In an arbitration concerning the discharge of a nursing attendant who allegedly failed to pass medication, the employer must comply with a request for patient charts and doctor’s orders relevant to the medication regimen. The Employer may choose to redact the patient’s name, but if other demographic information – such as the age, sex or diagnosis of the patient – are relevant to the grievance, that information should be produced.
- Information to Which the Union is Entitled by the NLRA. Disclosures that are “required by law” are not protected by HIPAA. 45 C.F.R. § 164.512. The U.S. Department of Health & Human Services has explicitly identified disclosures legally required in the course of collective bargaining as disclosures “required by law”. Standards for Privacy, 65 Fed. Reg. at 82,598. Thus, “[t]o the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may [do] so without an authorization.” Id.
- Workers Compensation. HIPAA permits any covered entity to “disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.” 45 C.F.R. § 164.512(l). Accordingly, in workers’ compensation cases, the communication of medical information will be governed by the workers’ compensation laws.
- Healthcare Operations. Disclosures that are necessary to advancing a covered entity’s healthcare operations are not protected from disclosure by HIPAA. The definition of “health care operations” at 45 C.F.R. § 164.501 permits disclosures to employee representatives for purposes of grievance resolution.
Minimum Necessary Disclosure
Where a covered entity does disclose PHI, it must only disclose the amount necessary to accomplish the intended purpose.
Example: If I authorize my doctor to release the results of a pre-employment medical exam to my prospective employer, my doctor may not release any other information contained in my medical files.
Even where information is subject to the HIPAA Privacy Rule, it should be disclosed where there has been an appropriate release clearly identifying who is releasing the information and who is receiving it, clearly describing the information to be released, and signed by the person authorizing the release. Such a release is valid for no more than 1 year following the date it is signed.
Finally, remember to consult state law. In New York state, there are broader protections than are provided by HIPAA, but each state varies and no state can go below the floor provided by HIPAA in terms of privacy rules. Employers may also maintain their own privacy policies that should be requested and reviewed by the Union.
No Private Right of Action
Those who believe that their PHI has been improperly disclosed in violation of HIPAA have no private right of action. Instead, Congress has provided for administrative enforcement by the Secretary of Health and Human Services and by State Attorneys General. 42 U.S.C. §1320d-5, §1320d-6.