Privacy Issues in the Workplace

board, commission, or other administrative body having jurisdiction of the matter and legal authority to compel the production of records.

Also, a health care provider may exercise its discretion to disclose medical information to an employer without written authorization if:

• the employer is responsible for paying for health care services rendered to the patient and it is necessary to disclose the records to the employer to allow the employer to determine responsibility for payment; or
• the information pertains to health care services which were rendered to an employee at the request and expense of the employer; and
• the information is relevant to a lawsuit or other legal proceeding to which the employer and employee are parties and the employee has placed his or her medical history, mental or physical condition, or treatment at issue; or,
• the information is limited to a description of the functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient’s fitness to perform his or her present employment and provided that no statement of medical cause is included in the information disclosed. 240

d. A Memorandum of Understanding—A Possible Exception to the Exceptions

If an employer has adopted a written policy or has entered into a memorandum of understanding that provides that certain types of medical information shall not be used or disclosed by the employer in particular ways, the employer must obtain an authorization for those uses or disclosures even if it would not otherwise be required by the CMIA. 241

3. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Privacy regulations enacted by the Department of Human and Health Services (DHHS) under the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C., section 1301 et seq., The primary thrust of HIPAA’s Privacy Rule is directed at hospitals, doctors, medical clinics, health plans and health insurers. However, under some circumstances, local public agencies may be subject to the Rule’s requirements as well. Covered entities under HIPAA are health plans, health care clearinghouses or health care providers conducting certain health care transactions electronically. 242 Also affected by HIPAA are hybrid entities whose business activities include both covered and non-covered functions, 243 and health plan sponsors.

Public employers are covered entities under two specific circumstances:

• First, if the public agency provides health care to the general public by means of a hospital, clinic or any similar method of delivering health care, it is a covered entity. Significantly, the providing of paramedic services through a Fire Department may subject the agency’s paramedic functions to HIPAA’s Privacy Rule.

Privacy Issues in the Workplace ©2019 (s) Liebert Cassidy Whitmore
