Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a complex set of federal rules that applies to many businesses and to everyone in the healthcare industry: insurance providers, hospitals, medical offices, laboratories, etc. Its central privacy concern is Protected Health Information (PHI); your company stays in compliance by keeping medical information confidential and secure. This applies to health information shared verbally as well as in writing.
Find out if your company must comply with HIPAA regulations by contacting the U.S. Department of Health and Human Services. The size of your company and health insurance plan are the main criteria. If HIPAA provisions do not affect you, employee medical privacy should still be considered out of respect and to avoid litigation.
With this in mind, supervisors are not to tell other employees when a coworker has a doctor's appointment, a test at the hospital, or an upcoming medical leave. The employee is free to share this information if he chooses, but it is not the place of an employer representative to do so. If someone asks about the whereabouts of a coworker with a doctor's appointment, a response from the supervisor of "He has an appointment" or, better yet, "He will be here in about two hours" is all that should be shared. If an employee will be off work for six weeks due to surgery, anyone who inquires or needs to be informed about the absence should be told only that the employee is on a leave of absence. Do not say that the employee is on medical leave. If the employee chooses to tell his coworkers that he is having surgery, that is fine.
An employee's pregnancy is news that should be shared only by the woman who is expecting. Although it is not an illness, it is a medical condition that will result in a temporary disability period after giving birth. Most pregnant women will notify human resources or their supervisor prior to the condition being obvious.
Posted work schedules should never indicate when an employee is out sick or on medical leave. Outgoing voicemail messages and e-mail out of the office auto-responders set up by someone other than the employee should simply announce that the person is out of the office and who should be contacted in their absence.
HIPAA regulations will affect you when an employee is excused from work by his physician or put on modified duty for a medical reason. Without written consent from the employee (most doctors' offices will not accept a faxed signature), physicians can give employers only limited information. In some instances, the employee's physical or health issue may be something the employer is not entitled to know in any case.
If a doctor's office will be faxing off-work notes, drug- and alcohol-test results, physical-exam reports, or similar documents to your office, it is crucial that the fax machine is not in a public employee area. If it is, have the medical office call you before the document is sent and wait by the fax machine for it to arrive.
If your company offers a self-funded or flexible spending account for medical expenses, make sure that anyone handling the billing has been trained about the importance of PHI issues. For example, an accountant or accounts payable clerk may have access to medical bills and must adhere to the confidentiality of employee medical conditions and expenses. Managers and human resource professionals are accustomed to being discreet about personal issues, but this can be new to other people on staff. Regardless of how well one employee knows another, personal issues that are brought to someone's attention during the process of paying medical or insurance bills should never be shared.
Further respect employee privacy by having a policy prohibiting the distribution of employee addresses in a company directory without permission. A company directory has its benefits and can be a fun tool; however, some people will not want their private information available for all employees to see. If your company distributes an address book that may include the name of family members, birthdates, and anniversary dates, get written permission before adding someone's name and information.