Topic of the Week: Protecting Your Medical Privacy At Work
As an employee, there are just some things that an employer does not need to know. However, while your medical information may seem irrelevant and, at times, is highly sensitive, your employer may have some legal access. For example, employers might require that you take medical tests or inquire about your medical history prior to or during employment. While these requirements are job and state specific, there are certain healthcare protections that do help to maintain the privacy of your medical records.
Do I have a right to keep medical information private at work?
Your employer has a number of ways to obtain medical information about you, whether it's because you volunteer it when you call in sick or tell co-workers, or because you provide requested information on health insurance application or workers compensation claim forms. However, just because your employer has the information does not mean that it should be shared with everyone in the workplace, especially when you have not chosen to do so.
The basic legal principle that employers should follow is not to reveal medical information about you unless there is a legitimate business reason to do so. But because that standard is fairly vague, there are laws which more specifically protect the privacy of your medical records, such as the Americans with Disabilities Act, the law which makes it illegal to discriminate on the basis of an employee's disability. State laws may also provide additional protection.
When I was injured at work, I was required to go to the company's health clinic. Will the information I gave the doctor be disclosed to my employer?
An on-site health clinic at your place of employment may be another example of what the HIPAA Privacy Rule calls a "hybrid" entity. This depends on whether the health clinic transmits information electronically and engages in standard transactions under HIPAA's electronic data interchange rule (for example, if the clinic bills an employee's health plan). If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. However, if the clinic does not transmit information electronically or bill your employer, it would be specifically excluded from HIPAA's protections.
Most job applicants or employees who live with HIV do not have to disclose their HIV status to their employers. The only exception is if you work at a job where HIV infection poses a direct threat to the health of others, like if you work as a surgeon or other health care worker performing invasive procedures. Not every health care worker has public contact. HIV-positive chiropractors, manicurists, food handlers, chefs, bank tellers, veterinarians, hairdressers, and barbers do not pose a direct threat.
Otherwise, it is your choice whether or not to disclose your HIV status to your employer, for example, if you need an accommodation of your disability, or wish to take leave covered by the Family & Medical Leave Act. It is important to note that your insurance company may provide usage reports to your employer which show how much care employees are using, and for a small employer it may be possible to figure out whose claims are related to HIV/AIDS.
What can I do if my privacy rights have been violated by my employer?
How you can respond to an unauthorized disclosure of your medical information depends on what law or laws were violated by the disclosure: the ADA, HIPAA, or state protections. Some laws allow what is called a "private right of action," which means that you can sue in court, while others require that you file with an administrative agency. If you believe your privacy rights have been violated, you may want to consult with a local attorney to determine whether your employer has violated any laws, and if so, how you should proceed. In the event that a covered entity or a business associate committed a violation, you may file a complaint with the Office for Civil Rights (OCR), which will investigate the complaint. To file the complaint, you must submit it in writing, name the covered entity or business associate involved, describe the act you believe violated the privacy requirements, and file within 180 days of when the act or omission occurred. OCR may extend the 180-day period if you can show good cause.