Employers are not Liable Under HIPAA laws, and can get access to your private medical information.
Does your employer have the right to acquire your private medical information? Apparently yes.
When I worked for the State of RI as an inspector, I discovered that the state Office of Health and Human Services was amassing medical files on employees. I was under the assumption that HIPAA laws protected my right to medical privacy, but when I contacted my union (RI Council 94) they refused to take action to protect their members. Then I contacted the Office for Civil Rights, located within the U.S. Department of Health and Human Services, and wanted to file a complaint on behalf of myself and coworkers, because our employer was forcefully acquiring and saving our medical information. The Office for Civil Rights (OCR) acknowledged my complaint but responded that my employer was not breaking any laws.
Two ways your employer can acquire your private health history.
I learned 2 very important things about how the State of RI is privy to, and acquires, this private information.
The State, as the employer, is directly involved with managing the group health insurance plan that I was covered under. Through that management they are given, automatically or by special request, information from my account. That can be any information they want.
The second way they acquire medical information is by way of any supplementary insurance policies that employees have contracted directly between themselves and another insurance provider.
Acquiring Info from your group Health Insurance Provider
Now, in a small organization, normally the employer is not directly involved in the private health information of its employees. The firm collects the basic info on each employee, i.e. name, address, age, individual or family policy, etc. The firm passes this info to the insuring firm, and after that, pays the bill to that company.
The State of Rhode Island is a large employer and has actively taken a role in the management of the employees' personal health information and history. This role was dictated by the State in both its contracts with the insurance providing company, and contracts with the unions having the collective bargaining rights to your position. Normally an insuring firm is not allowed to disclose your personal medical information without having first obtained your authorization. In my case, and the other individuals in my bargaining unit, this contracted invasion of privacy was never disclosed. I argued, to no avail, that there is a distinct difference between the rights of an individual, and the rights the Union has that pertain to a particular position, and that no such agreement should be valid when affecting the individual's rights.
Who do you think is entitled to receive your medical information?
Acquiring Information from Your Privately Contracted Supplemental Insurance Provider
Once I started researching this issue at the State of Rhode Island, I quickly made some enemies. I dared to tell the Director of RI Health and Human Services, Ms. Kathleen Sherman, that she had no right to employees' private medical information. Then I put in an illness claim with my privately contracted supplemental insurance company AFLAC. Part of the claim required that my employer fill out the Employer's Part of the claim forms. This form is separate from the form I had to fill out, and the one my Physician was required to fill out. This form only required the employer to verify that I had been absent from work on the days I was claiming that I was out sick.
Ms. Sherman refused to fill out and submit the Employer Form unless I provided her with the Individual's Claim form, and the Physician's Claim Form. She insisted on receiving all paperwork pertaining to the claim, and then she would submit the forms to AFLAC. She outright told me that unless I did so, then I would never be paid by AFLAC. I was being coerced into submission.
My AFLAC representative said she could do that and without her input through the Employer form, I would not be paid! My union again refused to take action. Unbeknownst to me at the time, there were side contracts that my union had agreed to that prevented me from taking any action against the State. I also could not hire a private lawyer because none would take a case that already involved the Collective Bargaining Agreement.
Office of Civil Rights
I contacted the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services. It was my belief that HIPAA laws protected my private medical information. I also thought that my employer was violating my civil rights to privacy.
What is the purpose of HIPAA? The OCR website states that HIPAA covers 2 things:
- The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.
- The Security Rule is a Federal law that requires security for health information in electronic form.
Your Employer is Not Subject to HIPAA.
You may say your employer is not HIPAA.
OCR goes on to state that "We call the entities that must follow the HIPAA regulations 'Covered Entities'." Your employer is not a Covered Entity. Your neighbor is not a Covered Entity. HIPAA specifically does not apply to them.
A "Covered Entity" does include "Companies that help administer health plans." The State of Rhode Island does help administer the Health Plan, but it is not hired, employed or contracted by the insuring firm to do so. The insuring company is hired by the State, with State requirements.
So I made a plea to OCR on the basis that my employer was coercing me to provide my private medical information. OCR again declined to take action, or even accept a complaint, because it did not meet any of their current civil rights violations criteria.
What Can You Do to Protect Your Private Medical Information
1) Read thoroughly everything your Employer gives you to sign.
2) You must research any Collective Bargaining contracts if you are entering a position controlled by a Union. Keep in mind, unions protect positions, not people. Getting the information from your employer, or from your union, may be impossible.
3) Send a letter by Certified Mail to your Health Insurance Provider stating that any and all information they acquire regarding you as an individual may ONLY be shared with "HIPAA Covered Entities", and with no other entity or individual unless prior expressed written approval by YOU is received.
4) If you suffer coercion or violation of your rights with regard to your medical privacy, I strongly recommend that you address those concerns to not only all involved, the OCR, and your health insurance company, but also to your State Senator, Representative, and Governor.
5) Check with any privately contracted Supplemental Insurance Companies before you sign with them. If I had known that they were not in my corner, I never would have contracted with AFLAC.
- American Medical Association - HIPAA Violations and Enforcement
- Office for Civil Rights - Health Information Privacy
- National Institutes of Health - HIPAA Privacy Rule and Its Impacts on Research