FMLA Certification From Workers Avoids HIPAA Authorization

Companies, as of April 14, will have to comply with the Health Insurance Portability and Accountability Act´s (HIPAA) privacy provisions when using protected health information for treatment, payment or health plan operations. Use or disclosure of protected health information for other reasons such as to attain medical certification for an FMLA serious health condition or a hidden ADA covered disability, will require authorization from the employee.

Authorization Requirements

A final rule has made it optional under HIPAA for health care providers to obtain consent to use or disclose protected health information for treatment, payment or operations of health plans. After the final rule becomes effective in April, a worker´s authorization will be necessary to use protected health information for any other reasons.

HIPAA´s privacy rules set out the required content of an authorization and fair notice about the individual´s rights. All authorizations are required by the final rule to:

• be written in plain language;
• specifically describe the protected health information to be used or disclosed;
• identify any person or class of persons who will use or disclose the protected health information;
• identify any person or class of persons to whom the protected health information will be disclosed;
• describe each purpose of the use or disclosure;
• have an expiration date or event that ends authorization;
• state that the individual has a right to revoke authorization in writing and explain how authorization is revoked;
• state the disclosed protected health information may be subject to redisclosure by the person receiving the information and privacy protections may be lost;
• include the individual´s signature and date;
• if a personal representative signs the authorization, ensure the authorization includes a description of the representative´s authority to act for the individual; and
• state that treatment, payment, enrollment or eligibility for benefits may not be conditioned on obtaining the authorization to the extent the privacy rules prohibit the imposition of the condition.

Seeking FMLA information

When seeking medical certification for an FMLA serious health condition, employers can avoid HIPAA privacy requirements by getting the information directly from employees, rather than tapping into health plan files.

Under the FMLA, employers are allowed to request medical certification when employees request leave. The employer should request only information available in the Department of Labor´s (DOL) Medical Certification Statement (Form WH-380), and its health care provider may contact the worker´s health care provider, with the employee´s permission, for clarification.

The DOL´s form limits the employer´s access to information from the health care provider to what is relevant to the employee´s current serious health condition. This may include the following items:

• the medical facts that support the determination that the condition fulfills the FMLA´s criteria of a serious medical condition;
• the date the medical condition began and the expected duration of the condition;
• whether leave will be intermittent or on a reduced leave schedule;
• the duration of the leave;
• if the serious medical condition is pregnancy or a chronic condition, whether the patient is presently incapacitated and the duration and frequency of episodes of incapacity; and
• if additional treatments are required, an estimate of the probable number of such treatments.

The FMLA does not provide the employer with broad discretion to seek the release of information from the employee´s health care provider. Under the statute, an employer may not acquire the employee´s medical records or a summary medical report that contains any information beyond that set out in the DOL´s sample certification form.

Creating Firewalls

In addition to keeping medical documentation separate from personnel files, it should be kept apart from any files used for health insurance purposes, according to Terry Humo, an assistant vice president with Marsh Advantage America and author of the Employer´s Guide to the Health Insurance Portability and Accountability Act. Separate files can provide a firewall between employment records that are not covered by HIPAA and those documents that are.

HIPAA privacy rules do not apply to FMLA medical documentation provided by an employee, because the information is an employment record rather than a health care record. If the employer gets medical documentation of the serious health condition or an ADA disability directly from its health plan, the HIPAA privacy rules would apply and an authorization would be needed from the employee.

Disability-related Inquiries

Staff members who must coordinate the ADA´s confidentiality and HIPAA´s privacy rules should be trained about the laws´ different mandates and adhere to both sets of requirements, said Humo. Although the ADA generally prohibits disability-related inquiries, employers are allowed to ask for medical documentation of a disability when someone with a hidden impairment requests a reasonable accommodation.

The scope of the medical inquiry should be limited to documenting that the person has an ADA disability. Consequently, the ADA prohibits an employer from asking for an employee´s complete medical records, the EEOC notes in its Enforcement Guidance: Disability-Related Inquiries and Medical Examinations of Employees Under the ADA.

Documentation for proving a hidden disability is adequate under the ADA if it:

• describes the nature, severity and duration of the employee´s impairment, the activities the impairment limits and the extent to which the impairment limits an employee´s ability to perform the activities; and
• substantiates why a requested reasonable accommodation is needed.

Documentation is inadequate if:

• the health care professional does not have the expertise to give an opinion about the employee´s medical condition and the limitations imposed by it;
• the information does not specify the functional limitations due to the disability; or
• other factors indicate it is not believable.

Once the medical documentation is provided, it must be kept strictly confidential in files that are separate from general personnel files. Only the following people, on a need-to-know basis, may be given access:

• supervisors and managers, regarding necessary restrictions and accommodations in the employee´s duties;
• first aid and safety personnel if the disability requires emergency treatment;
• government officials investigating ADA compliance;
• state workers´ compensation officials; and
• insurance company employees when the company requires a medical examination to provide health or life insurance.

Administrative Requirements

There are administrative requirements that must be met to ensure HIPAA privacy rules are complied with, including:

• the designation of a privacy officer to develop and implement an entity´s policies and procedures and act as a contact person or office responsible for receiving complaints and providing information covered by the required notice;
• the training of all members of the workforce on privacy policies and procedures;
• the incorporation of administrative, technical and physical safeguards to prevent protected health information from being unlawfully disclosed; and
• the establishment of policies and procedures to comply with the standards, implementation specifications and other requirements of the privacy rules.

As companies prepare for the effective date of HIPAA´s final rule, there is "no reason they could not use the same HIPAA safeguards for ADA-specific documents," advised Kaye Pestaina, a senior health compliance attorney with the Sengal Company. For example, the addition of locks to filing cabinets and clean desk policies to make sure protected health care information is not in public view could help ensure that information confidential under the ADA really is being kept private, she said.

To the extent that files are stored electronically, employers can establish firewalls by limiting who has access to different information, according to Rebecca Goodloe, an attorney with the law firm of Smith Moore in Atlanta. A HIPAA privacy officer typically should be a higher-level employee, she said. While he or she might have access to ADA records in an HR role, a lower-level employee rather than the privacy officer could have access to health care files as a safety measure, Goodloe noted.

Employers will be uncomfortable with juggling their compliance obligations under HIPAA, the FMLA and the ADA, until more guidance is provided, Humo remarked. In the meantime, their HR and benefits staff should be aware that compliance with HIPAA does not mean the ADA´s requirements have been met and vice versa. "There needs to be awareness of the laws´ different requirements."

This article originally appeared in the March 2003 issue of The Leave & Disability Coordination Handbook.