Sep 03, 2020
Protection of Employee Health Information
By: Allison Mann
Employers come into the possession of employee health information in a number of ways. For example, an employee may provide a doctor’s note to use sick leave, obtain workers’ compensation, participate in wellness programs or health insurance, or gain access to disability accommodations. Employers that receive such information should be aware of how certain laws require that information to be stored and when it can be disclosed.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral; this information is called “protected health information” (PHI). Generally, HIPAA does not apply to employee health information that is held by an employer. However, an employer is considered a covered entity and must comply with HIPAA if it operates as a health plan, a health care clearinghouse, or a health care provider.
A covered entity under HIPAA may not use or disclose PHI unless the individual who is the subject of the information (or the individual’s personal representative) requests the information or authorizes its use or disclosure in writing, or unless the disclosure is requested by the United States Department of Health and Human Services when it is undertaking a compliance investigation, review, or enforcement action.
If the PHI is stored electronically, a covered entity must implement safeguards to prevent, detect, contain, and correct security violations affecting electronic PHI. These safeguards include:
(1) Performing a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity.
(2) Implementing risk management strategies to reduce risks and vulnerabilities.
(3) Applying appropriate sanctions against workforce members who fail to comply with the security policies and procedures.
(4) Implementing procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Americans with Disabilities Act (ADA)
The ADA addresses the confidentiality of employee medical information. An employer that obtains employee or prospective employee medical information during a permitted medical examination or inquiry must maintain the information in a confidential medical file. This file must be kept separate from the employee’s or prospective employee’s personnel file. Such information may be disclosed only in limited situations. For example:
(1) Supervisors and managers may be made aware of necessary restrictions on the work or duties of the employee to provide necessary accommodations;
(2) Safety personnel may be informed, when appropriate, if the disability might require emergency treatment; and
(3) Government officials investigating compliance with the ADA can be provided relevant information on request.
The Takeaway:
An employer that obtains an employee’s protected health information or any medical records must maintain the confidentiality of those records. Some employers may have heightened obligations if they are considered a “covered entity” under HIPAA. Actions that may ensure compliance include:
- Conducting a risk assessment to determine whether HIPAA applies to the employer;
- Adopting a written privacy policy addressing standards to ensure confidentiality of medical information;
- Keeping confidential medical records separate and distinct from an employee’s regular personnel file;
- Providing training to the individuals that have access to employee medical information and PHI; and
- Ensuring compliance with adopted policies by reviewing them regularly.
Our law firm’s goal is to give understandable information and to foster discussion about real-life issues facing human resource professionals. If we are not achieving that goal or if you would like us to address other employment law issues, please email us at mcerkoney@ndlaw.com or amann@ndlaw.com. We promise to take your comments and ideas to heart.
Disclaimers
(Otherwise known as “the fine print”)
We make a serious effort to be accurate in these writings. These articles are not exhaustive treatises, though, so do not consider them complete or authoritative. Providing this information to you does not create an attorney-client relationship. Do not act upon the contents of this or of any article on our homepage or consider it a replacement for professional advice.
Reprinted with permission from an article submitted for publication in the September, 2020 Southwest Area Human Resource Association newsletter.