Recently a question was asked about an employee who is also a patient of the practice:
Under HIPAA, what is the obligation of an upper level administrative employee to report their medical condition to their employer? If the employee receives medical care from one of the providers that the employee works for, what is the obligation of the provider to maintain the privacy of the medical information of the employee from fellow providers in the practice?
Healthcare Compliance Pros Response
Under the HIPAA Privacy Rule, a covered entity may use or disclose PHI for its own or another provider's treatment activities, and in certain circumstances for payment and health care operations purposes, without an authorization. Covered entities must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures must also reasonably limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes.
- Treatment generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
- Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
- Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
Under the HIPAA Privacy Rule, an employee's medical or health plan records are protected if that employee is a patient of the covered health care provider.
Generally, covered health care providers must have the patient's authorization before disclosing protected health information they hold about that patient to the patient's employer.
Based on the facts restated above, in our opinion (and this is by no means legal advice), if the disclosure about the employee was between the providers of the practice for treatment purposes, authorization from the patient would not be required. If the disclosure is to the employer and reports on the patient's medical condition, we would recommend obtaining authorization from the patient first. Generally, a covered entity may not use or disclose PHI for any reason (other than for treatment, payment, or health care operations, or as otherwise permitted by the Privacy Rule) without a valid Authorization.
If you have any compliance questions, please feel free to comment below or send us an email at [email protected] or reach us by phone toll-free at 855-427-0427.