Employment Law Basics: Navigating Privacy Issues Under HIPAA

Employment laws can be confusing and downright scary.

They don’t have to be. As a public service, from now until my special Halloween webinar Answers to the World’s Scariest Employment Law Questions, I’ll be tackling each major law one by one to give you what you REALLY need to know. By the end, you’ll have handy one-page cheat sheets for each and every law and your terror level will be reduced to zero.

Today’s Topic: HIPAA

Here is basically everything you need to know about the Health Insurance Portability and Accountability Act (HIPAA) in one handy post.


What does HIPAA do?

HIPAA protects the privacy of medical records and personal health information.

What information is protected?

Information created or received by a health care provider, health plan, employer, etc., that relates to the past, present or future physical or mental health of an individual, the provision of health care to an individual or the payment for provision of health care to an individual.

When does HIPAA impact employers?

  • When they need to obtain and use protected information.
  • If they administer their own health care plan or review health benefit decisions.

Note: Additional restrictions/obligations apply to health care plans and other health care-related entities.

What are some circumstances where an employer may need to obtain protected information?

  • When obtaining medical information for FMLA purposes:
      • To determine whether an employee has a serious medical condition;
      • To determine whether an employee is able to return to work;
  • When trying to determine the parameters of a reasonable accommodation under the ADA;
  • When trying to determine an appropriate modified work schedule for an employee returning to work after suffering a work-related injury.

How may an employer obtain protected information?

The employer must obtain a valid authorization that includes the following:

  • A description of the information;
  • The identity of the person/entity authorized to make the disclosure;
  • The identity of the person/entity to which the disclosure may be made;
  • A description of each purpose of the requested information;
  • The signature of the individual whose information is sought;
  • Certain statements notifying the individual of his or her rights, including that s/he is entitled to revoke the authorization and receive a copy of the requested information;
  • An expiration date.

What are the potential penalties?

  • Civil and criminal fines;
  • Imprisonment.

Top HIPAA tips

  • Keep all health information confidential and separate from other employee files.
  • Limit use of any protected information to the uses specifically provided in the authorization signed by the employee.
  • Request and use only the minimum amount of medical information necessary for your purpose.

Stay tuned for more. Tomorrow we’ll de-scare-ify the Immigration Reform and Control Act (IRCA).

This was originally published on Manpower Group’s Employment Blawg.

Mark Toth has served as Manpower Group North America's Chief Legal Officer since 2000. He also serves on the company’s Global Leadership Team, Global Legal Lead Team and North American Lead Team. Mark is recognized as an expert on legal issues affecting the U.S. workplace and is frequently quoted in media from The Wall Street Journal to 60 Minutes. He is also a past Chair of the American Staffing Association and is a certified Senior Professional in Human Resources. Contact him at mark.toth@manpowergroup.com.

