Physician Practice

Q&A: You've got questions! We've got answers!

Physician Practice Insider, June 26, 2017

Q. Our human resources department does not accept certificates of work absences without diagnoses. If the certificate does not have the diagnosis, they do not accept it and deduct the period of absence from accumulated vacation or paid time, rather than days sick.

Many doctors do not want to write the diagnosis because of HIPAA, and to maintain confidentiality, employees often do not want to report their diagnosis or medical reason for absence to their employers.

How does HIPAA apply in this situation? In what section of HIPAA can I find if the employee is covered by HIPAA?

A. Employers are not covered entities (CE) under HIPAA, so they are not required to comply with the HIPAA Privacy Rule. Healthcare providers, like physician practices, are CEs. Under the Privacy Rule, healthcare providers cannot release the patient’s PHI (including diagnoses) to the patient’s employer without the patient’s written authorization. Therefore, the physician’s office would have to get written authorization from the patient to include diagnoses on the certificate of work absence.

In the interest of patient privacy, this issue should be discussed with the leader of the human resources (HR) department. Unless HR changes its policy, employees will be forced to share their private health information or forego the use of sick time for legitimate illnesses.

This Q&A originally was published in Revenue Cycle Advisor.

Editor’s note: Email your questions to Editor Karen Long Rayburn at

Most Popular