Q&A: Releasing medical records to the HR department at work
Q: I was out of work for about a month on short-term disability coverage, which was approved through my company's third-party group. We have a medical department at work as well, and I provided them all the documentation as they requested regarding my short-term disability leave. When I returned to work, I was disciplined because of my doctor’s excuse, which I only gave to medical but somehow was released to the human resources (HR) department. Could this release of my medical information to HR be a HIPAA violation?
A: It could certainly be a violation of employment-related laws, but it is not a HIPAA violation. When covered entities (CE) and business associates (BA) are acting in the capacity of an employer, HIPAA does not protect any individually identifiable health information that is being used for documenting medical leave, short-term disability, and/or other activities that fall on the employment side of CE or BA operations.
Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at firstname.lastname@example.org.