entities under HIPAA are also
employers. For their employment functions, they create records
which may contain health-related information (e.g., documentation
of use of sick leave). In their health roles, they create
records containing protected
health information (PHI) for any employees for whom they
provide health services.
are excluded from the definition of PHI, and so not subject
to the protections of HIPAA. Other laws and regulations that
cover uses and disclosures of information in such records
do apply -- such as OSHA, the Family and Medical Leave Act (FMLA),
workers' compensation, and alcohol- and drug-free workplace
on covered entities' employees are HIPAA-protected just like
the records of any other facility patient or plan enrollee.
In most cases the covered entity will need the employee's
authorization to access
or use the health information therein for employment purposes.
If the individual
gives his or her authorization, or provides the medical information
directly to the covered entity as the employer (e.g., submission
of a drug test result required for employees), that medical
information becomes part of the employment record and is no
longer PHI. (It
is not the nature of the information, but the capacity in
which it was generated or received, that determines whether
it is subject to HIPAA.)
language excludes employers per se as covered entities. But
DHHS has noted that health plans, providers and clearinghouses
must "remain cognizant" of their dual roles in this
regard, taking care not to mix records derived from health
care services for their employees with those related to employment
At present, there
are no special provisions, similar to the "adequate separation"
requirements for disclosure of PHI from group health plan
to plan sponsor (see 45 CFR 164.504(f)), to heighten the protection
for an employee's individually identifiable health information
when moving between a covered entity's health care functions
and its employer functions.