April 2, 2015


What are my obligations to maintain patient confidentiality with regards to sharing PHI with an employer?

Your advice is appreciated.

Thanks, Dr. I


Happy to address.  Only under very limited circumstances are you authorized to share protected health information with an employer with the patient's express consent.  Those circumstances are addressed by the Office for Civil Rights on its FAQs page, as follows - 

The public health provision permits covered health care providers to disclose an individual's protected health information to the individual’s employer without authorization in very limited circumstances.

First, the covered health care provider must provide the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.

Second, the health care service provided must relate to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury.

Third, the employer must have a duty under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or the requirements of a similar State law, to keep records on or act on such information. For example, OSHA requires employers to monitor employees’ exposures to certain substances and to take specific actions when an employee’s exposure level exceeds a specified limit. A covered entity which tests an individual for such an exposure level at the request of the individual’s employer may disclose that test result to the employer without authorization.

Generally, pre-placement physicals, drug tests, and fitness-for-duty examinations are not performed for such purposes. However, to the extent such an examination is conducted at the request of the employer for the purpose of such workplace medical surveillance or work-related illness or injury, and the employer needs the information to comply with the requirements of OSHA, MSHA, or similar State law, the protected health information the employer needs to meet such legal obligation may be disclosed to the employer without authorization. Covered health care providers who make such disclosures must provide the individual with written notice that the information is to be disclosed to his or her employer (or by posting the notice at the work site if the service is provided there).

When a health care service does not meet the above requirements, covered entities may not disclose an individual’s protected health information to the individual’s employer without an authorization, unless the disclosure is otherwise permitted without authorization by other provisions of the Rule. However, nothing in the Rule prohibits an employer from conditioning employment on an individual providing an authorization for the disclosure of such information.


Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or  at (516) 747-6700 x. 302.