[ Monday, April 09, 2007 ]
Healthcare Workers as Patients:
A question from a reader:
"I work at a hospital. Does HIPAA protect health care workers privacy or are there exceptions? For example, I work and am treated at the same hospital. If my employer suspects that I have been abusing prescription drugs, do they have the right to obtain my medical record without my consent, or to talk to my doctor about their concerns (who is also employed by the hospital). Perhaps they have not obtained the official medical record but are tracking my physician's order of a drug and then share that information with someone who is not directly involved in my care. Legal cousel stated that there is an exemption for health care workers. I find this very hard to believe.
"Any advice would be appreciated."
Answer: There's no "exemption for health care workers" as far as I know. Generally speaking, "employers" are not subject to HIPAA. However, if an employer is a covered entity under HIPAA, it is obligated under HIPAA to maintain the privacy and security of PHI in its custody, whether the PHI is that of patients that are employees or patients who are not employees. If an employer is not a hospital, physician's office or other covered entity, it is still possible that the employer's health plan is a HIPAA covered entity, in which case the health plan must protect the information. The employer cannot use information improperly received from the employer's health plan to make employment decisions.
The employer may have information on its employees that does not meet the definition of PHI, such as general employment information, information of fitness-for-duty physicals, information on properly-conducted employee drug screenings, information on on-the-job accidents or other workers compensation issues, etc.
Employers must make sure they don't improperly access or use information held by the employer's health insurance plan. When the employer is also a healthcare provider to its employees, it must be even more careful not to improperly use PHI (information on employees gained through the provision of healthcare to them) as if it were employment information (information in the employee's HR files that is properly employment-related, such as job-related drug screens or workers compensation matters).
Jeff [3:50 PM]
Blogger: HIPAA Blog - Edit your Template