Navigating the complexities of federal laws like HIPAA and FMLA can be challenging for employers. One common question is whether HIPAA requires an individual’s authorization before an employer can receive their Protected Health Information (PHI) for Family and Medical Leave Act (FMLA) compliance purposes. This blog post aims to clarify this issue and provide guidance on how to handle PHI in compliance with both HIPAA and FMLA.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It sets the standard for protecting PHI and applies to healthcare providers, health plans, and healthcare clearinghouses.

What is FMLA?

The Family and Medical Leave Act (FMLA) allows eligible employees to take unpaid, job-protected leave for specified family and medical reasons. Employers may require medical certification to support the need for leave due to a serious health condition.

When is Authorization Required?

Whether an employer needs an individual’s authorization to receive PHI under HIPAA depends on the source of the information and the relationship to the individual.

  1. Employee Provides Information:
    • If an employee seeking FMLA leave obtains the necessary medical information from their healthcare provider and then forwards it to the employer, no HIPAA authorization is required. The employee has the right to share their own PHI.
  2. Direct Communication Between Employer and Provider:
    • If the employer communicates directly with the healthcare provider, HIPAA requires the employee’s authorization for the provider to disclose PHI. This authorization must meet HIPAA’s technical requirements.
  3. Family Member’s Health Information:
    • If the FMLA leave is for a family member’s serious health condition, the family member’s authorization is required for the provider to release their PHI to the employee or employer.

FMLA Regulations on Employer-Provider Contact

FMLA regulations limit the contact an employer can have with an employee’s healthcare provider. If the employee submits a sufficient medical certification, the employer cannot request additional information from the provider. However, the employer may contact the provider for clarification and authentication through a designated representative, not the employee’s direct supervisor. If this involves disclosing PHI, the employee’s HIPAA authorization is necessary.

Conclusion

Employers must navigate both HIPAA and FMLA regulations when handling PHI. Understanding when authorization is required can help ensure compliance and protect the privacy of employees and their family members. Always consult with legal counsel to address specific situations and ensure adherence to all applicable laws.

Source: Thomson Reuters