
Doctor's note - HIPAA issue


Guest calcu

We have a situation wherein an employee has been missing several days of work. We requested that this employee supply a doctor's note for days missed to verify that the employee visited the doctor and the reason for the visit. The employee informed us that we could not request her to do this under HIPAA. At the very least I would think we can request a doctor's note verifying that the doctor has seen the employee and that the employee was unable to work for X days. Thoughts? Insights? Any regulation cites?

Thanks


Why can't the employer ask for the reason to determine if the employee had an illness that prevented him from working? I thought that HIPAA only applies to health plans. Determining if the employee had a valid basis to be absent from work is not a health benefit.

mjb


Or maybe the EE thinks the H stands for Hooky.

I'm a retirement actuary. Nothing about my comments is intended or should be construed as investment, tax, legal or accounting advice. Occasionally, but not all the time, it might be reasonable to interpret my comments as actuarial or consulting advice.


In the OP it stated "the reason for the visit". I take that to mean that this employer wants to know the medical condition. IMHO that is PHI under HIPAA.

The employer did not just want to know whether the person could work or not they asked for details.

George D. Burns

Cost Reduction Strategies

Burns and Associates, Inc

www.costreductionstrategies.com (under construction)

www.employeebenefitsstrategies.com (under construction)


As mentioned previously HIPAA governs the release of PHI from plans, providers and clearinghouses.

HIPAA would prevent the Dr from giving the information directly to the employer without the employee's consent but HIPAA does not prevent the employee from providing the information.

HIPAA does not prevent the employer from requiring certain medical information to support certain HR programs. For example, if an employee refuses to provide medical information in connection with an STD leave of absence, he/she would lose eligibility for the benefits.


That is providing that it is the employer making the decision and not the Plan itself, the Claims Administrator or the insurer.

But that raises the question of whether the employer can force the employee to disclose information, especially when that information is neither necessary nor being used for health or health plan purposes?

Isn't it rather rare that an employer does the claims administration in an STD Plan? Most that I see are either insured or administered by a Third Party (if self insured), but even then I cannot recall there not being a Plan. With a Plan shouldn't that remove the employer from being in a position to access the PHI, since it has no use to the employer because there is no employer decision or administration?

George D. Burns



Many employers self-administer the STD Plan as a salary continuation through their regular payroll processes. Even if it is the Plan and not the employer making the decision, a salary continuation STD plan would NOT be a health plan under the HIPAA rules and therefore would not be subject to the HIPAA non-disclosure rules.

There are many reasons that it may be unwise for the employer to ask for medical information that is not needed, but it is clearly possible to argue that medical information is needed to validate sick leave, FMLA leave, disability leaves ...

An employee may refuse to provide information (resulting in a denial of the claim for benefits due to an incomplete application); but the employee may not claim that the employer is prohibited under HIPAA from requesting the information and that their claim must be approved without documentation.


Under HIPAA, the employer can absolutely force the employee to provide this information. Absence management is an employer function, not a plan function.

Even if it were a plan function (of the STD plan), STD plans are not covered entities under HIPAA. HIPAA does not provide any impediment to this action. The employer can tell the employee to provide this information or face disciplinary action. It is up to the employee and the doctor how the information is disclosed (the doctor will likely require the employee to execute an authorization), but that is immaterial from the employer's perspective.


Steve72:

I'm no HIPAA expert, so this is a sincere comment.

If the employer is subject to the rigors of HIPAA with respect to the PHI it receives regarding the employee relating to its health plan, it seems anomalous that it could get the exact same information regarding the person and his or her medical condition in the context of its absence management functions without triggering the panoply of protections for the employee under HIPAA.

I'm not questioning your assertion the STD plans are subject to HIPAA because I don't have a clue as to what is the right issue (and I'm not willing to spend the time researching a theoretical point). I'm just pointing out that the result seems hard to justify from a policy perspective.

I've noticed that you have commented on other HIPAA questions and your posts seemed quite knowledgeable. Accordingly, I presume that you spend a fair amount of time on HIPAA matters. (My condolences.) As a result, I would be very interested in your thoughts about these incongruous results. (It may very well be that they aren't really incongruous, it is just my absence of sufficient knowledge about HIPAA that makes them seem counter-intuitive.)

Kirk Maldonado


First, Kirk, I appreciate your condolences. It's gotten even worse since HIPAA Security came out. I went to law school precisely because computers break when I touch them.

If the employer is subject to the rigors of HIPAA with respect to the PHI it receives regarding the employee relating to its health plan, it seems anomalous that it could get the exact same information regarding the person and his or her medical condition in the context of its absence management functions without triggering the panoply of protections for the employee under HIPAA.

It is anomalous. HIPAA is somewhat awkwardly written, in part because of the limited scope of authority HHS was given in drafting and in part (in my opinion) because the drafters of the regs did not have an adequate understanding of the ERISA universe they were suddenly thrust into.

HIPAA only governs certain types of entities, called (appropriately enough) "covered entities". Covered entities are limited to health care providers (doctors offices and hospitals that conduct certain transmissions electronically), health care clearinghouses (third party health information "repackagers"), and health plans (insurance companies and employer sponsored "group health plans"). Note that ERISA plans and the insurance companies themselves are lumped into a single term. This frequently makes for awkward regulations, as rules that were drafted for one apply equally to the other.

Of ERISA plans (and other employer benefits), only those plans which are considered "group health plans" are covered entities. Generally, these are plans which provide benefits as described in the PHSA. This includes health plans and EAPs, but does not include disability plans or absence management plans, because such plans provide income replacement or similar benefits...not medical care.

For purposes of HIPAA, employees of an employer who receive information from a group health plan are deemed to be part of the "workforce" of the plan, not the employer. This is necessary so that those employees can even be considered subject to HIPAA. It is entirely possible that an individual will be considered to work both for the plan and for the employer. When he or she receives information as part of his or her "plan" role, that information may only be used for plan functions. The same is not true if he or she receives information as an employee of the employer. The firewall only works one way.

This sets up exactly the problem you have outlined. If an individual receives information from the health plan, it is subject to HIPAA's rigorous rules. If that same individual receives information in their role as an employer, it is not. Some states have ruled that standards analogous to HIPAA will be used for common law invasion of privacy suits, but that's developing law.

In a nutshell, the reason the situation in your paragraph does not make sense is because (although practically it is correct), legally the situation is misstated. The employer is never subject to the rigors of HIPAA. The plan is. The employer shares its employees with the plan, but is not itself subject to the rules.

(Sidenote...HIPAA requires plan documents to be amended to incorporate HIPAA standards. In this way, a plan which violates HIPAA may also cause the employer to violate the terms of the plan document. This, however, is an ERISA violation...not a HIPAA violation.)

I'm not questioning your assertion the STD plans are subject to HIPAA because I don't have a clue as to what is the right issue (and I'm not willing to spend the time researching a theoretical point). I'm just pointing out that the result seems hard to justify from a policy perspective.

I agree wholeheartedly. The U.S. system of privacy is patchwork at best. Privacy rules are based on the information holder. In the EU, by contrast, the privacy rules are based on information, regardless of where it is held. That system, IMHO, makes much more sense. The results are, as a matter of policy, not only incongruous, but flat-out silly. As far as the HIPAA/ERISA interaction goes, however, silly is par for the course.



calcu,

I should have asked this initially. Why does the employer need the note? Is it for an STD benefit, sick days, or what?

George D. Burns



We call this "controlled leave." It's usually step 2 or 3 in a progressive discipline process (following at least a first level verbal counselling, and maybe even a written warning). Requires that a doctor's note be provided for every unscheduled absence due to illness. Must state reason for absence, expected length of absence, any physical restrictions, and any accommodations that can be made to assist the employee's return to work. If the absence is due to a protected and documented FMLA leave, the doctor's note requirement is waived as it has already been covered by the FMLA leave application policy. Failure to provide proper documentation (doctor's note) is failure to comply with a reasonable employer requirement and results in absence being considered AWOL. Too many AWOLs, goodbye....

HIPAA is not an issue. Granted, it should be for the doctor if you are trying to deal directly with the MD, but your requirement is on your employee to provide the note, and once provided by the employee it is not HIPAA covered. HOWEVER, you are likely subject to other records confidentiality laws so the information should be carefully safeguarded.

Good luck. Been there too....


jsb

But does your scenario require the stating of the medical condition and the treatment like calcu does?

George D. Burns



The information contained doesn't affect the answer. The entity requesting the information is not a covered entity, and has no HIPAA restrictions on the use of medical information. As pointed out above, there may be state restrictions (BTW, excellent state health privacy resource HERE), but HIPAA only applies to covered entities.

Unless this information is being used for health plan administration (which does not include STD, LTD, leave of absence, etc.), the only HIPAA concern is held by the doctor.

If the employer states that the employee must provide the information or face discipline or discharge, the manner in which the employee gets the information is between the employee and the doctor (either by authorization for the information to be provided directly to the employer, or by the employee walking in and exercising his or her HIPAA right to review the relevant designated record set, then bringing it to the employer).

In either case, the employer is unconcerned with HIPAA at any level.


First, when an employee uses the term HIPAA, it usually is used as a "catch all" for all privacy rules, state, federal and anything else. I do not expect accuracy from an employee who probably uses the term one time per year. So although the OP did state HIPAA, I took that as a "catch all", not as an exact term, and did not get hung up on HIPAA. There is still state law etc.

Second, I still do not see how the employer can get around HIPAA. Note the references in the below (and many other) Q&A and use of such phrases as "the Privacy Rule does control the conditions under which the group health plan can share protected health information with the employer", "will not be used for employment-related actions", and "refrain from intimidating or retaliatory acts (45 CFR 164.530(g)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h))". There are many other Q&As that seem applicable and probably more on point, including 29, 97 and others.

(Highlights below are mine)

HIPAA Q&A 110:

Question

As an employer, I sponsor a group health plan for my employees. Am I a covered entity under HIPAA?

Answer

Covered entities under HIPAA are health care clearinghouses, certain health care providers, and health plans. A "group health plan" is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA.

Thus, the Privacy Rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities. However, the Privacy Rule does control the conditions under which the group health plan can share protected health information with the employer or plan sponsor when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan. See 45 CFR 164.504(f). Among these conditions is receipt of a certification from the employer or plan sponsor that the health information will be protected as prescribed by the rule and will not be used for employment-related actions.

The covered group health plan must comply with Privacy Rule requirements, though these requirements will be limited when the group health plan is fully insured. See the Answer to the FAQ "Is a fully insured health plan subject to all Privacy Rule requirements?" That question, hundreds of FAQs, and a wide range of other guidance and materials to assist covered entities in complying with HIPAA and the Privacy Rule, are available at the Department of Health and Human Services Office for Civil Rights website, http://www.hhs.gov/ocr/hipaa.

HIPAA Q&A 147:

Question

I’m an employer that offers a fully insured group health plan for my employees. Is the fully insured group health plan subject to all of the Privacy Rule provisions?

Answer

The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule since these responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members. In particular, a fully insured group health plan that does not create or receive protected health information other than summary health information (see definition at 45 CFR 164.504(a)) and enrollment or disenrollment information is not required to have or provide a notice of privacy practices. See 45 CFR 164.520(a)(2). Moreover, these group health plans are exempt from most of the administrative responsibilities under the Privacy Rule. See 45 CFR 164.530(k). These health plans are still required, however, to refrain from intimidating or retaliatory acts (45 CFR 164.530(g)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h)). The documentation requirements at 45 CFR 164.530(j) apply to these group health plans only to the extent of amendments, if any, made to the plan documents for the sharing of information with the plan sponsor under 45 CFR 164.504(f). Additional information about the Privacy Rule, including guidance and technical assistance materials is available through the Department of Health and Human Services Office for Civil Rights website at: http://www.hhs.gov/ocr/hipaa.

**********

The information that this employer wants is detailed PHI and it will not be used for the administration of any sort of health plan. It will be used for employment related purposes and refusal to give it would garner a retaliatory action. Even if there is no refusal and no immediate retaliatory action by the employer, the PHI is still going to be used towards eventual disciplinary action and which is still employment related and not health plan related. On top of all this such detailed information is not necessary to administer the sick day program and so the detailed PHI serves absolutely no purpose.

George D. Burns



I agree that the Plan or Provider could not give the information directly to the employer without the employee's consent. But we are not talking about disclosures by the plan or provider; we are talking about disclosures by the employee (or with the employee's consent) in connection with a claim for paid sick leave, unpaid FMLA leave, or otherwise permitted un-excused absence.

Nothing in HIPAA (or any state law of which I am aware) prohibits the employer from requiring an employee to provide documentation supporting a sick day, FMLA or disability leave. If the employee chooses not to provide the information to support the application for paid sick time, unpaid FMLA leave ..., the employer is clearly permitted to take employment action.

State laws may protect the employee from certain other uses of the information (like sending a broadcast message to co-workers about the employee's medical status).


First, when an employee uses the term HIPAA, it usually is used as a "catch all" for all privacy rules, state, federal and anything else. I do not expect accuracy from an employee who probably uses the term one time per year. So although the OP did state HIPAA, I took that as a "catch all", not as an exact term, and did not get hung up on HIPAA. There is still state law etc.

...Which is why I was careful to limit my response to HIPAA and provide a link to a resource on state privacy rules. State regulation varies wildly. It is not possible to answer yes or no to a question like this regarding state issues without knowing the state.

Second, I still do not see how the employer can get around HIPAA. Note the references in the below (and many other) Q&A and use of such phrases as "the Privacy Rule does control the conditions under which the group health plan can share protected health information with the employer", "will not be used for employment-related actions", and "refrain from intimidating or retaliatory acts (45 CFR 164.530(g)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h))". There are many other Q&As that seem applicable and probably more on point, including 29, 97 and others.

I'm not going to re-quote the majority of your quotes, but this sentence is the most important one:

Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA.

There is no health plan involved here. The employer does not have a covered entity involved in the exchange of information. As far as HIPAA is concerned, once the information leaves the doctor's office, it is free and clear.

The remainder of the Q&As are completely inapplicable. The plan is not sharing information with the employer. The doctor is.

The information that this employer wants is detailed PHI and it will not be used for the administration of any sort of health plan. It will be used for employment related purposes and refusal to give it would garner a retaliatory action. Even if there is no refusal and no immediate retaliatory action by the employer, the PHI is still going to be used towards eventual disciplinary action and which is still employment related and not health plan related. On top of all this such detailed information is not necessary to administer the sick day program and so the detailed PHI serves absolutely no purpose.

First, once it is released from the doctor (either to the employer or the employee), it is no longer PHI, regardless of the information it contains. It is IIHI. PHI is defined as IIHI held by a covered entity. Neither the employer nor the employee is a covered entity.

This fact eliminates the remainder of your argument. If the information is not used for health plan administration, it never, ever becomes PHI when held by the employer (or any of its non-health plans).

HIPAA is completely inapplicable to this question.


You omitted noticing the word "However", which would act as a qualifier and affect non-covered entities.

I guess that we might have to wait until someone spends the time and cites a case or instance that has the same or near facts and circumstances.

George D. Burns



There is more than one "However".

How about:

"however, to refrain from intimidating or retaliatory acts (45 CFR 164.530(g)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h))"

As I suggested, let's see if there are any actual cases etc.

George D. Burns



You omitted noticing the word "However", which would act as a qualifier and affect non-covered entities.

I honestly don't understand what you mean by this. The inclusion of "however" does not change the statement that HIPAA does not affect non-covered entities.

I guess that we might have to wait until someone spends the time and cites a case or instance that has the same or near facts and circumstances.

The only HIPAA case of which I am aware is a criminal conviction for stealing health information. However, any case which held an employer liable under HIPAA under these facts would be absolutely and completely out of line with the plain language of the regulations.
