Covered entities under HIPAA are also employers. For their employment functions, they create records which may contain health-related information (e.g., documentation of use of sick leave). In their health roles, they create records containing protected health information (PHI) for any employees for whom they provide health services.

Employment records are excluded from the definition of PHI, and so not subject to the protections of HIPAA. Other laws and regulations that cover uses and disclosures of information in such records do apply -- such as OSHA, Family and Medical Leave Act (FMLA), workers' compensation, and alcohol and drug free workplace laws.

Health records on covered entities' employees are HIPAA-protected just like the records of any other facility patient or plan enrollee. In most cases the covered entity will need the employee's authorization to access or use the health information therein for employment purposes.

If the individual gives his or her authorization, or provides the medical information directly to the covered entity as the employer (e.g., submission of a drug test result required for employees) that medical information becomes part of the employment record and is no longer PHI. (It is not the nature of the information, but the capacity in which it was generated or received, that determines whether it is subject to HIPAA.)

HIPAA's statutory language excludes employers per se as covered entities. But DHHS has noted that health plans, providers and clearinghouses must "remain cognizant" of their dual roles in this regard, taking care not to mix records derived from health care services for their employees with those related to employment functions.

At present, there are no special provisions, similar to the "adequate separation" requirements for disclosure of PHI from group health plan to plan sponsor (see 45 CFR 164.504(f)), to heighten the protection for an employee's individually identifiable health information when moving between a covered entity's health care functions and its employer functions.

See also:

• designated records set (HIPAA)

  Last modified: 11-May-2005 [RC]