For those of you who "store/enter" employee health information in your charts/EHR, do you require an Authorization before disclosing the information or since it's employee health information, would you accept a general release of information?
The crossover between when an individual is an employee and when he or she is a patient is confusing but the lines have to be clear as well as any records created. Once health information is made a part of an individual's provider health record, it is protected health information (PHI) and has to be accessed, used and disclosed along the lines set forth by HIPAA for PHI and/or applicable state and federal (AODA) laws. I cannot see how employee health can access an employee's patient health record/PHI without a written authorization.
Conversely, I do not see how any provider can have access to a patient's "employee health" information without the patient providing an authorization. In general, the typical authorization will do, but it should clearly identify what is being accessed, used, or disclosed. HIPAACOW.org has a nice whitepaper on employee health records.
I think the answer to this question depends on how you are defining “employee health information.” Is the employee being seen as a patient of the health care provider, i.e., one of the physicians within your facility has a doctor/patient relationship with the employee, or is the employee being seen for an occupational health reason, i.e., an x-ray done to rule out TB after a skin test rendered a positive result? If the employee is both a patient and has occupational health records and they are stored in an EHR, you would need to have a method to separate the two, having distinct access permissions set for each one and a distinction between what is employee health information and what is PHI.
The disclosure and authorization for the disclosure would also be dependent on the relationship as mentioned above and the contractual relationship with the employer, as this determines ownership of the record. For example, at my last employer we sent employees to an external clinic site for immunizations, exams, etc. We had a contractual relationship with this provider to provide these services and the employee sent there consented to us, the employer, receiving the results of the tests we sent them there for. If the employee went to this provider for treatment of the flu, those records could only be released with proper authorization of the employee because at this point the employee is seeking treatment as a patient, not an employee of the organization and not at our direction.
In another scenario, if your employment organization provided employee health services at the employer's site at the employer's direction, i.e., TB screening, this is not considered PHI, as the employer owns the health record for employment purposes and would be subject to OSHA requirements along with any other federal or state regulations regarding employee health records.
I'm assuming by employee health information you mean things like FMLA requests, work comp claims, employee drug tests, etc. I'm not clear why you would put this sort of information in an electronic health record. As a medical provider you are a covered entity. However, in your capacity as an employer you are not a covered entity, therefore you do not have HIPAA obligations towards your employees and this information isn't PHI. It is sufficient to store it in human resources in the employee file and is subject to a general release unless your state law dictates otherwise. However, I think once you put this information into an electronic health record you are muddying the waters and should err on the side of using a health release.
You may have a point worth considering with respect to employee info into a CE's EHR...however, muddy or not...many if not the majority (I am only guessing since I don't know of any survey or other info other than firsthand experience) of CEs do maintain employee health info in their EHR.
So to that degree, I think one place to invest some time is to see that when this is done, are there templates or access levels that can support the separation of employee health related info with that which may also exist as part of the DRS for that employee within the EHR.
Often times people will be told no (by sales and marketing of the EHR product)...elevate this to the engineering or programming folks who developed and maintain the EHR system...you may find that it is much easier than you have been led to believe.
Thanks, Frank, good to know! I'm on the BA side of things.
We actually have a separate platform in our EHR specific to the Occupational Health Records. In doing so, we can restrict access appropriately and maintain a record separate from our "Legal Medical Record". Since the records are appropriately defined, it helps minimize risk for wrongful disclosure. Here is a good article:
The Privacy and Security of Occupational Health Records