• E-mail
• Print
• RSS

Can we ever disclose PHI to a patient's employer without authorization?

HIPAA Weekly Advisor, April 24, 2003

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: Can we ever disclose PHI to a patient's employer without authorization?

A: The privacy regulations permit such disclosure in limited circumstances concerning work-related injuries and illnesses, or workplace medical surveillance. Only health care providers can disclose protected health information (PHI) to employers in these circumstances. All other such disclosures to an employer would require a signed authorization, even apparently disclosures to an employer that may be required by law under programs such as the Department of Transportation (DOT) drug screening and physical exams and the Drug-Free Workplace.

Although the employer is entitled to the results under law, the HHS commentary to the HIPAA privacy regulations states: "It is our understanding that DOT requires drug testing of all applicants for employment in safety-sensitive positions, or of individuals being transferred to such positions. Employers, pursuant to DOT regulations, may condition an employee's employment or position upon first obtaining an authorization for the disclosure of results of these tests to the employer. Therefore, we do not believe the final rules conflict with the DOT requirements, which do not prohibit obtaining authorizations before such information is disclosed to employers."

The disclosure is permitted without authorization if the covered entity is a health care provider who belongs to the employer's workforce, or who provides health care to the individual at the request of the employer, in the following circumstances:

• The health care provider is conducting an evaluation relating to medical surveillance of the workplace; or is evaluating whether the individual has a work-related illness or injury
• The employer needs such findings in order to comply with its obligations to the Occupational Safety and Health Administration (OSHA) or the Mine Safety and Health Administration (MSHA), or to a state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance

The PHI disclosed must consist only of findings concerning a work-related illness or injury, or a workplace-related medical surveillance.

Authorization is not required if the disclosure is for OSHA, MSHA, or similar state law as discussed herein. The covered health care provider, however, must provide written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer in either of the following two ways:

• By giving a copy of the notice to the individual at the time the health care is provided
• If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided

Note that this notice requirement is separate from the notice of privacy practices.

Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLPand The Quality Management Consulting Group, Ltd. E-mail: mbaxter@bricker.com or gmcbeath@bricker.com

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive