Undoubtedly the vast majority of human resources professionals are aware of HIPAA's Privacy Rule. Large plans were expected to comply this spring, while the compliance deadline is fast approaching for mid-size and smaller plans (April 14, 2004). However, many HR professionals continue to struggle with the question of precisely what is required when it comes to the use and disclosure of protected health information, impacting functions performed in accordance with other employment-related laws such as the Family and Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA) and Workers Compensation laws. This article explores how the HIPAA Privacy Rule affects interactions with employees under these laws.
The Family and Medical Leave Act (FMLA)
When an employee takes an FMLA leave, the human resources department is often charged with obtaining the required certification that a serious medical condition exists. This form must be completed by a physician and support the employee's request for an FMLA leave. The certification form most likely contains information related to a medical condition that is protected health information under the HIPAA Privacy Rule. Human resources professionals should therefore be certain that there is language contained in the FMLA medical certification form authorizing the release of the information to the Employer. In many states there are more stringent privacy laws than HIPAA, so it is advisable that counsel review the FMLA forms to determine what, if any, state laws may also apply.
The Americans with Disabilities Act (ADA)
Similarly, HIPAA requires that an employee authorize the release of medical information from the physician to the Employer when it pertains to disability paperwork. An Employer often seeks such information when a disability accommodation request is made, in accordance with the law. It may also be needed when an Employer is trying to ascertain whether an employee can perform the functions of a particular job. Whatever the situation, all forms used for these purposes should be reviewed to be sure they comply with HIPAA's mandates as well as any applicable state laws.
Additionally, HR professionals should note that requests for medical information under the ADA must be kept in strict confidence. There are significant limitations on what medical information can be used and how that same information can be disclosed under the ADA. HR professionals may wish to consult legal counsel as these determinations are quite complex and can vary depending on the circumstances.
HIPAA Privacy and Workers Compensation
The HIPAA Privacy Rule contains a noteworthy exception for the use and disclosure of protected health information, namely where the information is provided in response to a request to comply with workers compensation laws. Specifically, this applies where a workers compensation appeals board, or similar entity, seeks information for the purpose of reviewing a workers compensation claim made by an employee. With HIPAA presenting the double-edged sword that it does for many healthcare providers (heightened patient protection and potential liability for non-compliance simultaneously), HR professionals would be well advised to seek an authorization form from the employee prior to an attempt to obtain information from a physician. It is important to note that the vast majority of health care providers will no longer provide any information without a HIPAA authorization form.
Conclusion
The HIPAA Privacy Rule clearly brings a whole new dimension to human resources management as it relates to the use and disclosure of medical information. It is clear that HIPAA prohibits the use of protected health information for employment-related or non-plan purposes without specific employee authorization. This said, a human resources professional cannot exercise too much caution when it comes to the handling of employee medical information. Human resources professionals should also ensure adequate separation exists between the group health plan and the Employer. This should include designating certain staff members as representatives of the group health plan and the Employer, and erecting appropriate administrative firewalls. With some forethought and diligence, full compliance with the HIPAA Privacy Rule is achievable.