Privacy Issues in the Workplace

Additionally, covered entities must require business associates to comply with HIPAA’s Privacy Rule. A business associate is a person or entity that performs certain functions on behalf of a covered health plan or health care provider which involve the use or disclosure of information protected by HIPAA’s Privacy Rule. Examples of functions carried out by business associates include claims processing, quality assurance, and billing. Although HIPAA does not regulate business associates, a covered entity that contracts with a business associate must require that the business associate comply with HIPAA’s Privacy Rule. Use and disclosure by business associates of information protected under HIPAA’s Privacy Rule is further described below. K. D ISCLOSING M EDICAL I NFORMATION As previously noted, under the CMIA the general rule is that an employer may not disclose medical information unless written authorization is obtained from the subject employee. 245 Exceptions to the rule requiring written authorization include:

 when disclosure is compelled by judicial or administrative process or by any other specific provision of law;  when the information is relevant to a lawsuit, arbitration, grievance or other proceeding to which the employer and employee are parties and the employee has placed his or her medical history, mental or physical condition or treatment at issue;  administering and maintaining employee benefit plans, including health care plans and plans providing short-term and long-term disability income, and workers’ compensation; or  when the employee is incapacitated and the information is necessary to aid the treatment or diagnosis of the employee (See Section 5 and 6).

The following are some specific types of requests for medical information that employers might receive.

1. E MPLOYEE R EQUESTS

California Labor Code section 1198.5 gives employees the right to inspect their personnel files.

Government Code section 3306.5 gives public safety officers the right to inspect their personnel files.

Firefighters also have the right to inspect their personnel file during usual business hours and when on paid status pursuant to Government Code section 3256.5.

California Government Code section 31011 gives county employees the right to inspect their files.

Under CalOSHA, it appears that whenever an employee who is exposed to toxic or harmful substances requests access to medical or “exposure” records, the employer shall assure that

Privacy Issues in the Workplace ©2019 (s) Liebert Cassidy Whitmore 75