Clarification on three common HIPAA misconceptions

© Natalya Merzlyakova - stock.adobe.com

Despite the Health Insurance Portability and Accountability Act of 1996 (HIPAA) being around since August 1996 and the Final Omnibus Rule being promulgated in the Federal Register on Jan. 25, 2013, it never ceases to amaze me when individuals ask me the following questions, often times after receiving inadequate training or wrong advice. So, here goes – three common items and the correct responses.

1. Employee health records fall under HIPAA.

False. While entities have a duty to keep employee health records, whether it is vaccinations, incidents or doctors notes secure and respect the privacy and security of the records, Employee Records that are kept internally do not fall under the HIPAA umbrella. Both the DOL and HHS have highlighted this notion. Moreover, the Occupational Safety and Health Standards (OSHA) provides a right of access for employees or a personal representative via OSHA Standard No. 1910.1020(a):

The purpose of this section is to provide employees and their designated representatives a right of access to relevant exposure and medical records; and to provide representatives of the Assistant Secretary a right of access to these records in order to fulfill responsibilities under the Occupational Safety and Health Act. Access by employees, their representatives, and the Assistant Secretary is necessary to yield both direct and indirect improvements in the detection, treatment, and prevention of occupational disease. Each employer is responsible for assuring compliance with this section, but the activities involved in complying with the access to medical records provisions can be carried out, on behalf of the employer, by the physician or other health care personnel in charge of employee medical records. Except as expressly provided, nothing in this section is intended to affect existing legal and ethical obligations concerning the maintenance and confidentiality of employee medical information, the duty to disclose information to a patient/employee or any other aspect of the medical-care relationship, or affect existing legal obligations concerning the protection of trade secret information.

2. If an employee of a covered entity or a business associate’s workforce member is treated at or receives prescriptions/products from a covered entity in which they are a workforce member, then another workforce member can view their medical record.

False. Without the proper authorization from the employee, absolutely not. As June 15, 2023 HHS enforcement action illustrates, snooping in medical records by either a workforce member of a covered entity or a business associate is a HIPAA violation.

OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. HIPAA is a federal law that protects the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care organizations and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. To voluntarily resolve this matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identify theft and fraud.”

3. An employer can reach out to an employee’s medical provider without authorization.

False. See 45 C.F.R. §§ 160.103 and 164.512(b)(1)(v). While an “employer can ask you for a doctor’s note or other health information if they need the information for sick leave, workers’ compensation, wellness programs, or health insurance.” The caveat – “if your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so.”

These are three areas that can land persons in a heap of trouble, whether under HIPAA, the Federal Trade Commission’s enforcement authority, and/or a state law (i.e., Texas HB 300).

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.