ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Employers are not Liable Under HIPPA laws, and can get access to your private medical information.

Updated on June 17, 2015

Does your employer have the right to acquire your private medical information? Apparently yes.

When I worked for the State of RI as an inspector, I discovered that the state Office of Health and Human Services was amassing medical files on employees. I was under the assumption that HIPAA laws protected my right to medical privacy, but when I contacted my union (RI Council 94) they refused to take action to protect their members. Then I contacted the Office for Civil Rights, located within the U.S. Department of Health and Human Services, and wanted to file a complaint on behalf of myself and coworkers, because our employer was forcefully acquiring and saving our medical information. The Office for Civil Rights (OCR) acknowledged my complaint but responded that my employer was not breaking any laws.

Two ways your employer can acquire your private health history.

I learned 2 very important things about how the State of RI is privy to, and acquires this private information.

  1. The State, as the employer, is directly involved with managing the group health insurance plan that I was covered under. Through that management they are given, automatically or by special request, information from my account. That can be any information they want.

  2. The second way they acquire medical information is by way of any supplementary insurance policies that employees have contracted directly between themselves and another insurance provider.


Acquiring Info from your group Health Insurance Provider

Now in a small organizations, normally the employer is not directly involved in the private health information of its' employees. The firm collects the basic info on each employee i.e. name, address, age, individual or family policy, etc. The firm passes this info to the insuring firm, and after that, pays the bill to that company.

The State of Rhode Island is a large employer and has actively taken a role in the management of the employees' personal health information and history. This role was dictated by the State in both it's contracts with the insurance providing company, and contracts with the unions having the collective bargaining rights to your posititon. Normally an insuring firm is not allowed to disclose your personal medical information without having first obtained your authtorization. In my case, and the other individuals in my bargaining unit, this contracted invasion of privacy was never disclosed. I argued, to no avail, that there is a distinct difference between the rights of an individual, and the rights the Union has that pertain to a particular position, and that no such agreement should be valid when affecting the individual's rights.

Who do you think is entitled to receive your medical information?

See results

Acquiring Information from Your Privately Contracted Supplemental Insurance Provider

Once I started researching this issue at the State of Rhode Island, I quickly made some enemies. I dared to tell the Director of RI Health and Human Services, Ms. Kathleen Sherman, that she had no right to employees' private medical information. Then I put in an illness claim with my privately contracted supplemental insurance company AFLAC. Part of the claim required that my employer fill out the Employer's Part of the claim forms. This form is separate from the form I had to fill out, and the one my Physician was required to fill out. This form only required the employer to verify that I had been absent from work on the days I was claiming that I was out sick.

Ms Sherman refused to fill out and submit the Employer Form unless I provided her with the Individual's Claim form, and the Physician's Claim Form. She insisted on receiving all paperwork pertaining to the claim, and then she would submit the forms to AFLAC. She outright told me that unless I did so, then I would never be paid by AFLAC. I was being coerced into submission.

My AFLAC representative said she could do that and without her input through the Employer form, I would not be paid! My union again refused to take action. Unbeknownst to me at the time, there were side contracts that my union had agreed to that prevented me taking any action against the State. I also could not hire a private lawyer because none would take a case that already involved the Collective Bargaining Agreement.

Office of Civil Rights

I contacted the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services. It was my belief that HIPAA laws protected my private medical information. I also thought that my employer was violating my civil rights to privacy.

What is the purpose of HIPAA. The OCR website states that HIPAA covers 2 things:

  1. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.
  2. The Security Rule is a Federal law that requires security for health information in electronic form.


Your Employer is Not Subject to HIPAA.

You may say your employer is not HIPAA.

OCR goes on to state that "We call the entities that must follow the HIPAA regulations “Covered Entities”. Your employer is not a Covered Entity. Your neighbor is not a Covered Entity. HIPAA specifically does not apply to them.

A "Covered Entity" does include "Companies that help administer health plans." The State of Rhode Island does help administer the Health Plan, but it is not hired, employed or contracted by the insuring firm to do so. The insuring company is hired by the State, with State requirements.

So I made a plea to OCR on the basis that my employer was coercing me to provide my private medical information. OCR again declined to take action, or even accept a complaint because it did not meet any of their current civil rights violations criteria

What Can You Do to Protect Your Private Medical Information

1) Read thoroughly everything your Employer gives you to sign.

2) You must research any Collective Bargaining contracts if you are entering a position controlled by a Union. Keep in mind, unions protect positions, not people. Getting the information from your employer, or from your union, may be impossible.

3) Send a letter by Certified Mail to your Health Insurance Provider stating that any and all information they acquire regarding you as an individual may ONLY be shared with "HIPAA Covered Entities", and with no other entity or individual unless prior expressed written approval by YOU is received.

4) If you suffer coercion or violation of your rights with regard to your medical privacy, I strongly recommend that you address those concerns to not only all involved, the OCR, and your health insurance company, but also to your State Senator, Representative, and Governor.

5) Check with any privately contracted Supplemental Insurance Companies before you sign with them. If I had known that they were not in my corner, I never would have contracted with AFLAC.


    0 of 8192 characters used
    Post Comment

    No comments yet.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)