The Health Insurance Portability and Accountability Act of 1996 (HIPAA) obligates employers, health care providers, insurance agents, insurance carriers and others to respect the confidentiality of the Private Health Information (PHI) of employees and their dependents. This is a quick overview of what employers should and should not do with PHI.
You, the employer, must be aware of basic health status during hiring and employment: Whether an employee or prospective employee can physically perform the duties of the job, whether an ill employee is communicable or otherwise a health risk to others, what health conditions require accommodation under the ADA, how long an employee currently on disability or FMLA leave can reasonably be expected to be absent, etc.
However, prospective or ex-employees have brought many successful lawsuits against employers in recent decades because of wrongful use of PHI. These include employees fired (or never hired) because of their health conditions–not because they can’t do the job, but because:
- their poor health would negatively impact the employer’s health insurance premiums.
- the employer did not want to incur expense for reasonable accommodations which would be required under the ADA.
- a socially stigmatized health condition (for example, a sexually transmitted disease) made the employer uncomfortable.
Especially because of the liability to employers, you should NEVER ask about, collect, or expose yourself to employees’ PHI beyond the absolute minimum required for legitimate business reasons such as those outlined above.
What about health information collected in applying for group insurance?
For larger employers, or for employers applying for level-funded or self-funded group insurance, insurance underwriters may require the collection of PHI, often in the form of health questionnaires filled out by all employees. (Any increase to proposed insurance premiums based on that PHI would be assessed to all employees, not to any specific unhealthy employees.) Because these underwriters or the insurance agents they work with can’t hire, fire or otherwise impact any employee’s employment status, there is no liability to you in their knowledge of your employees’ PHI. You as the employer may even make the completion of such a health questionnaire a mandatory condition of employment.
But you STILL should not expose yourself to any PHI collected. Always use sealed envelopes, secure websites, and other protected means to transmit PHI directly from employees to the agents and underwriters. (Similarly, both underwriters and insurance agents are careful not to let any PHI leak back to the employer when discussing insurance options.)