Compliance: Is it HIPAA or ADA?

Let’s start with a look at the ADA and what it requires of employers.

Personnel records relating to disability must be kept confidential, with a few exceptions. The confidentiality requirements of the Americans with Disabilities Act (ADA) apply to all disability-related medical information an employer obtains through employment-related examinations or inquiries.

This includes, for example, medical exams required of new hires or for return to work after an injury or illness, as well as any medical information an employee voluntarily discloses as part of an employee health program.

Asking if an employee has had vaccinations, including a COVID-19 vaccine, or asking for proof of vaccination is not likely to elicit information about a disability. Therefore, this is not a disability-related inquiry protected under ADA.

However, subsequent employer questions, such as asking why an individual did not receive a vaccination, may elicit information about a disability and would be subject to the pertinent ADA standard that they be “job-related and consistent with business necessity.”

If an employer requires employees to provide proof that they have received a COVID-19 vaccination, the employer may want to warn the employee not to provide any medical information as part of the proof in order to avoid implicating the ADA.

The ADA doesn’t apply to all health records, however.

The records in question must be related to a disability and must be obtained in the ways described above. Many employers err on the side of caution by treating any and all medical information as if it were confidential.

Employers must keep protected medical information on separate forms and in separate files from regular personnel records. Protected medical information must be treated as confidential.

The ADA doesn’t specify the precise measures an employer must take to maintain confidentiality. Employers that use file cabinets and paper records often keep medical records in a separate, locked cabinet that is accessible only to those who are entitled to see the records.

Whatever method the employer chooses must effectively restrict access to the records to only those people who have a legal right to view them.

Under the ADA, it’s not illegal for certain people to access employee medical records. After all, supervisors may need information about an employee’s work restrictions.

The ADA specifically allows employers to disclose disability-related medical information to:

  • Emergency and first-aid personnel, if an employee’s disability might require emergency treatment;
  • Supervisors and managers, if they need information about restrictions, ability to work, or information on reasonable accommodations, and
  • Government officials who are looking into an employer’s compliance with the ADA.

The Equal Employment Opportunity Commission (EEOC) also recognizes an exception for information provided to state workers’ compensation offices or insurance carriers.

These exceptions are very limited. The EEOC has found, for example, that an employer may not release an employee’s medical records even if they are subpoenaed in a lawsuit, unless the employee consents.

Health Insurance Portability and Accountability Act

The HIPAA Privacy Rule was signed into law by President Clinton in 1996. The Act was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information (PII) maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.

So, who must abide by HIPAA? The entities that must follow the HIPAA Privacy Rule’s regulations are known as “covered entities.”

Covered entities include:

  • Health plans – including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most health care providers – those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health care clearinghouses – entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
  • Emergency Medical Services (EMS) – HIPAA applies to EMS providers in the same ways it applies to other covered entities. This is because EMS providers are involved in the treatment of patients, making EMS a covered entity.

Who is not required to follow the HIPAA laws?

Many organizations that have health information about individuals do not have to follow HIPAA. Examples of organizations that do not have to follow the HIPAA Privacy Rule include:

  • Life insurers;
  • Employers*;
  • Workers’ compensation carriers;
  • Most schools and school districts;
  • Many state agencies, such as child protective services;
  • Most law enforcement agencies; and
  • Many municipal offices.

* Employment Records – The HIPAA Privacy Rule does not protect employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.

Employers may ask health care providers directly for information about their employees; however, the provider may not give the employer information without the employee’s authorization, unless other laws require them to do so.

Generally, the Privacy Rule applies to the disclosures made by the health care provider – not the questions an employer may ask.

More information on the ADA is available here, and on the HIPAA Privacy Rule here.