In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities may use individually identifiable health information, or PHI (Personal Health Information). ‘Covered entity’ is a term used throughout HIPAA compliance guidance; its definition is specified in 45 CFR § 160.102 of the Privacy Rule. A covered entity can be a:
It is generally thought that the Health Insurance Portability and Accountability Act (HIPAA) does not apply to providers of employee tests used for job screening, such as physical agility or fit-for-duty examinations. The minimum requirements of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended under the Health Information Technology and Clinical Health Act (HITECH) and expanded under the HIPAA Omnibus Rule of 2013, apply only to employer-sponsored health plans and certain health care providers and, in certain circumstances, to employers that provide self-funded health plans; they generally protect only individually identifiable health information created or maintained by health plans and health care providers. Moreover, HIPAA does not itself provide an individual cause of action when a covered entity violates HIPAA.
However, in an abundance of caution, WorkSaver maintains compliance with HIPAA in its handling of its fit-for-duty tests. WorkSaver also recommends that employers and employer associations not directly regulated by HIPAA apply HIPAA confidentiality guidelines, guarding against disclosure of medical or disability information obtained during employment screening procedures such as post-offer, pre-placement medical examinations or inquiries.
The reason for this cautionary advice is two-fold:
(1) While HIPAA does not generally provide a cause of action for the unconsented disclosure of health information collected in the course of hiring practices or of the employment relationship, HIPAA standards and protections have been cited to support a claim of invasion of privacy.
As a case in point, in Poli v. Mountain Valleys Health Center, et al. (Case No. 2:05-2015-GEB-KJM, 2006 WL 83378 (E.D. Cal. Jan. 11, 2006)), an employer obtained an employee’s prescription drug records without authorization, terminated his employment, and shared the information with police. The employee stated a claim for invasion of privacy, and HIPAA was cited as part of the “community norms” that determine what constitutes a highly offensive disclosure.
Based on this case, WorkSaver’s attorney recommends that HIPAA confidentiality guidelines be applied even by non-covered entities in order to avoid potential invasion of privacy lawsuits under the “community norms” legal theory relied upon in Poli v. Mountain Valleys Health Center.
(2) The HITECH Act supplemented HIPAA by mandating that the Office of Civil Rights (OCR) enforce data privacy and security standards updated for electronically stored or transmitted health data. The effect is to hold HIPAA business associates, including subcontractors of business associates, to the same standards for protecting electronically stored Personal Health Information (PHI) as covered entities.
As defined by HIPAA, a business associate is any organization or person working in association with, or providing services to, a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR). In 2013, HHS enacted a final omnibus rule that strengthened HIPAA by implementing a number of HITECH Act provisions, tightening the privacy and security protections that prohibit disclosure of PHI by business associates.
For more information, please contact WorkSaver at (800) 414-2174.