Privacy Officer's Roundtable

Back to eGroups

Expand all | Collapse all

Disclosing employee health information

1. Disclosing employee health information

0 Recommend
David Garrison
Posted 11-18-2015 05:36 PM

Reply Reply Privately
For those of you who "store/enter" employee health information in your charts/EHR, do you require an Authorization before disclosing the information or since it's employee health information, would you accept a general release of information?
------------------------------
David Garrison CHC,MPH
Compliance/Privacy Officer
SEARHC
Juneau,AK
------------------------------
2. RE: Disclosing employee health information

0 Recommend
Nancy Davis
Posted 11-19-2015 07:13 AM

Reply Reply Privately
The crossover between when an individual is an employee and when he or she is a patient is confusing but the lines have to be clear as well as any records created. One health information is made a part of an individual's provider health record, it is protected health information (phi) and has to be accessed, used and disclosed along the lines set forth by HIPAA for PHI and/or applicable state and federal (AODA) laws. I cannot see how employee health can access an employee's patient health record/PHI without a written authorization.

Conversely, I do not see how any provider can have access to a patient's "employee health" information without the patient providing an authorization. In general, the typical authorization will do, but it should clearly identify what is being accessed, used, or disclosed. HIPAACOW.org has a nice whitepaper on employee health records.
------------------------------
Nancy Davis, MS, RHIA, CHPS
Privacy Officer
Ministry Health Care

Original Message
3. RE: Disclosing employee health information

0 Recommend
Julie Sours
Posted 11-19-2015 08:03 AM

Reply Reply Privately
I think the answer to this question depends on how you are defining “employee health information.” Is the employee being seen as a patient of the health care provider, i.e., one of the physicians within your facility has a doctor/patient relationship with the employee, or is the employee being seen for an occupational health reason, i.e., an x-ray done to rule out TB after a skin test rendered a positive result. If the employee is both a patient and has occupational health records and they are stored in an EHR, you would need to have a method to separate the two, having distinct access permissions set for each one and a distinction between what is employee health information and what is PHI.

The disclosure and authorization for the disclosure would also be dependent on the relationship as mentioned above and the contractual relationship with the employer, as this determines ownership of the record. For example, at my last employer we sent employees to an external clinic site for immunizations, exams, etc. We had a contractual relationship with this provider to provide these services and the employee sent there consented to us, the employer, receiving the results of the tests we sent them there for. If the employee went to this provider for treatment of the flu, those records could only be released with proper authorization of the employee because at this point the employee is seeking treatment as a patient, not an employee of the organization and not at our direction.

In another scenario, if your employment organization provided employee health services at the employers site at the employers direction, i.e., TB screening, this is not considered PHI, as the employer owns the health record for employment purposes and would be subject to OSHA requirements along with any other federal or state regulations regarding employee health records.
------------------------------
Julie Sours
Oak Forest,IL

Original Message
4. RE: Disclosing employee health information

0 Recommend
Brenda Manning
Posted 11-20-2015 09:44 AM

Reply Reply Privately
I'm assuming by employee health information you mean things like FMLA requests, work comp claims, employee drug tests etc... I'm not clear why would you put this sort of information in an electronic health record. As a medical provider you are a covered entity. However, in your capacity as an employer you are not a covered entity, therefore you do not have HIPAA obligations towards your employees and this information isn't PHI. It is sufficient to store it in human resources in the employee file and is subject to a general release unless your state law dictates otherwise. However I think once you put this information into an electronic health record you are muddying the waters and should error on the side of using a health release.
------------------------------
Brenda Manning
Esq, CHC, CHPC
R&B Solutions / Dennis A. Brebner & Assoc.
860 S. Northpoint Blvd.
Waukegan, IL 60085

Original Message
5. RE: Disclosing employee health information

0 Recommend
Frank Ruelas
Posted 11-20-2015 09:54 AM

Reply Reply Privately
You may have a point worth considering with respect to employee info into a CE's EHR...however, muddy or not...many if not the majority (I am only guessing since I don't know of any survey or other info other than firsthand experience) of CEs do maintain employee health info in their EHR.

So to that degree, I think one place to invest some time is to see that when this is done, are their templates or access levels that can support the separation of employee health related info with that which may also exist as part of the DRS for that employee within the EHR.

Often times people will be told no (by sales and marketing of the EHR product)...elevate this to the engineering or programming folks who developed and maintain the EHR system...you may find that it is much easier than you have been led to believe.
------------------------------
Frank Ruelas

Original Message
6. RE: Disclosing employee health information

0 Recommend
Brenda Manning
Posted 11-23-2015 09:40 AM

Reply Reply Privately
Thanks Frank good to know! I'm on the BA side of things.
------------------------------
Brenda Manning
Esq, CHC, CHPC
Franklin, WI

Original Message

7. RE: Disclosing employee health information

Recommend

Andrea Eklund

Posted 11-24-2015 07:59 AM

We actually have a separate platform in our EHR specific to the Occupational Health Records. In doing so, we can restrict access appropriately and maintain a record separate from our "Legal Medical Record". Since the records are appropriately defined, it helps minimize risk for wrongful disclosure. Here is a good article:

The Privacy and Security of Occupational Health Records

Ahima

remove preview

The Privacy and Security of Occupational Health Records

The Occupational Safety and Health Administration (OSHA) defines an "occupational medical record" as an occupation-related, chronological, cumulative record, regardless of the form or process by which it is maintained (i.e., paper document, microfiche, microfilm, or automatic data processing media).

View this on Ahima >

------------------------------
Andrea Eklund JD, CHC,CHPC, CPC
Corporate Compliance and Privacy Officer
Tallahassee Memorial Healthcare
Tallahassee,FL

Original Message

Privacy Officer's Roundtable

Disclosing employee health information

David Garrison11-18-2015 05:36 PM

Nancy Davis11-19-2015 07:13 AM

Julie Sours11-19-2015 08:03 AM

Brenda Manning11-20-2015 09:44 AM

Frank Ruelas11-20-2015 09:54 AM

Brenda Manning11-23-2015 09:40 AM

Andrea Eklund11-24-2015 07:59 AM

1. Disclosing employee health information

2. RE: Disclosing employee health information

3. RE: Disclosing employee health information

4. RE: Disclosing employee health information

5. RE: Disclosing employee health information

6. RE: Disclosing employee health information

7. RE: Disclosing employee health information

Contact Us

Membership

Privacy & Terms