hipaa: basic to advanced (what it is and what it isn’t) jonathan moore director, fire & ems...

HIPAA: Basic to Advanced (What it is and what it isn’t)
Jonathan Moore, Director, Fire & EMS Operations/GIS, International Association of Fire Fighters

Upload: cruz-dods

Post on 15-Dec-2015


TRANSCRIPT

Page 1: HIPAA: Basic to Advanced (What it is and what it isn’t) Jonathan Moore Director, Fire & EMS Operations/ GIS International Association of Fire Fighters

HIPAA: Basic to Advanced

(What it is and what it isn’t)

Jonathan Moore
Director, Fire & EMS Operations/GIS

International Association of Fire Fighters

Page 2:

What is HIPAA?

Health Insurance Portability and Accountability Act

HIPAA Security Rule

Focused on Patient Information Privacy

Page 3:

DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Parts 160, 162, and 164

[CMS-0049-F] RIN 0938-AI57 Health Insurance Reform: Security Standards AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS. ACTION: Final rule. SUMMARY: This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Page 4:

Are you covered by HIPAA?

Are you an EMS provider?

Do you bill for your EMS services?

Do you bill Medicare?

Do you transmit Medicare billing information electronically?

Page 5:

Covered Entities

Health Plans

Health Care Clearinghouse

Health Care Provider
– Who transmits any health information in electronic form in connection with a “covered transaction”
– Claim filing is most common covered transaction, but there are others

Page 6:

Common Covered Electronic Transactions

Claims filing

Remittance advice

Coordination of benefits

Claim status

Health plan enrollment/disenrollment

Eligibility

Referral certification

Page 7:

What is the worry about “transactions”?

Protected Health Information “PHI”

Page 8:

Three Basic Permitted Uses of PHI

Treatment, Payment and Operations

Called the “TPO” Uses

Consent, authorization or other permission is NOT REQUIRED for these uses

Page 9:

“OOPS”

Incidental Disclosures Happen and are “Expected”

Examples?
– Radio Communications
– ER Arrival “Report”

Protections?
– “Reasonable Safeguards”

Does not require that you implement new technologies for privacy purposes

Page 10:

Dispatch Communications

Scanner World…

Internet CAD pages

Martin County Emergency Services "FIRE/RESCUE SCANNER"

Page 11:

Dispatch Communications

Most public safety and EMS communications are treatment related

You have to find the patient and SHOULD have an idea what the nature of the problem is

Any radio disclosure of patient information for location or treatment purposes is permitted

Page 12:

And What About Law Enforcement?

…be careful here…

Page 13:

Law Enforcement Disclosures

HIPAA limits the disclosures that EMS providers can make

EMS providers are patient care advocates, not law enforcement information sources

Permissible law enforcement disclosures are limited to specific situations. Covered under Section 164.512

Page 14:

Permissible Law Enforcement Disclosures…Overview

1. When required by law or pursuant to process (e.g., gunshot wound reporting)

2. Identification and location purposes (victim or material witness, includes type of injury)

3. Response to request for information about a victim of a crime (can’t be used against the victim, needed to determine violation of law, in the best interests of the individual)

Page 15:

Permissible Law Enforcement Disclosures…Overview

4. Decedents (if suspected death may be from criminal conduct)

5. Crime on the premises (evidence of criminal conduct)

6. Reporting crime in emergencies (identity, description and location of perpetrator)

Page 16:

Required By Law/Pursuant to Process

Health care providers permitted to disclose PHI under HIPAA for injury reporting when required by state law
– Examples
  Gunshot injuries
  Burns
  Animal bites

Check state law for specifics

Page 17:

Required By Law/Pursuant to Process

Court orders

Warrant

Grand jury subpoena

Civil investigative demand, administrative subpoena or other authorized, official request

The PHI must be relevant and material to legitimate law enforcement inquiry

Page 18:

Identification and Location

To identify or locate a:
– Suspect
– Fugitive
– Material witness
– Missing person

Page 19:

Identification and Location

The covered entity may only furnish:
– Name
– Address
– DOB
– SSN
– Blood type
– Type of injury
– Date/time of treatment
– Date/time of death*
– Description of distinguishing physical characteristics

Page 20:

Crime Victims

May disclose PHI in response to a law enforcement request, where the individual is a possible crime victim

IF patient agrees; OR

If patient is unable to agree because of condition, may release PHI if:
– Law enforcement represents that the info is needed immediately; AND
– Won’t be used against the victim*

Page 21:

Decedents

May release PHI to alert law enforcement of a patient’s death, IF the death may have resulted from criminal activity

You are not required to make a “legal conclusion” that the death resulted from a crime

Only a “suspicion” is required

Note: there is a general exception for releasing PHI to coroners and funeral directors for non crime-related deaths

Page 22:

Crime on Premises

Health care provider can disclose PHI to report a crime at the provider’s premises

Need only have a “good faith belief” that the information may constitute evidence of a crime on the premises

Examples: Child Abuse, Assault

Page 23:

Reporting Crime in Emergencies

Emergency care providers may release PHI to law enforcement to alert them to:
– Commission and nature of a crime
– Location of the crime or of the victim
– Identity, description and location of perpetrator

Page 24:

“Channel 11 News Reports…..”

What can you say to the Media?

OR

What can the Media say?

Page 25:

Media Disclosures and HIPAA

There are no express provisions in the Privacy Rule addressing media disclosures

However, EMS organizations are often put in the position of fielding media requests

Is it possible to strike a balance?

Page 26:

Media Disclosures and HIPAA

Disclosures made with patient authorization
– Use a HIPAA-compliant authorization form
– Must specifically inform the patient of the information to be disclosed and to whom it will be disclosed
– Disclosures must be limited to those in the authorization

Page 27:

Media Disclosures and HIPAA

Disclosures of de-identified information

De-identified PHI is information that:
– Does not identify an individual; AND
– There is no reasonable basis to believe the information could be used to identify an individual

Page 28:

“De-Identification”?

The following information must be removed:
– Name
– Geographic identifiers smaller than a state
– Phone/fax/e-mail address
– SSN
– Medical records numbers
– Photographs
– Account numbers
– License numbers
– Other unique identifiers

Page 29:

Permissible Media Disclosures

General information about the incident, number of victims and hospital destinations
– Example: “a total of five patients were transported from the accident scene. Four were taken by ambulance to the City Hospital and one by helicopter to the County Trauma Center.”

Page 30:

Permissible Media Disclosures

General information about the incident location, if it cannot reasonably be used to identify an individual patient
– Example: “we responded to an incident at the Downtown Outlet Center and transported one patient to the hospital.”
– NOT: “we responded to a residence in the 100 block of Hobart Street and transported a patient from the scene to the local hospital.”

Page 31:

Permissible Media Disclosures

Information about the crew and other responding agencies
– Example: “Paramedics Smith and Wesson responded on behalf of Speedy Ambulance Service. The Awesome City Fire Department, County Sheriff’s office, and other agencies also responded.”

Page 32:

Permissible Media Disclosures

General information about patient condition if it cannot reasonably be used to identify a patient
– Example: “Last month we transported 300 patients, 80% were transported to emergency room, 20% had alternative destinations.”
– Example: “Over ‘Motorcycle Weekend’ we transported 27 victims of motorcycle collisions, only 50% of those patients were wearing helmets.”

Page 33:

How Soon Must You Comply?

April 20, 2005!

Page 34:

Comply With What? The Security Rule…

“Security” is a grey area

The regulation incorporates concepts of:
– Scalability
– Flexibility
– Generalization

The Rule itself reads more like a guide – hope your interpretation/implementation meets someone else’s understanding of the “Rule”

Page 35:

Security Rule

Applies only to electronic PHI (“e-PHI”)

e-PHI is any PHI that is in electronic form prior to transmission

Page 36:

What Can We Do About This?

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Page 37:

Administrative Safeguards

Policies and procedures; disciplinary standards, to ensure that your personnel protect your patients’ PHI

Compliance officer

Training

Page 38:

Physical Safeguards

Security of your buildings, offices, cabinets, etc. where e-PHI is stored, as well as your computers, workstations and electronic media

Page 39:

Technical Safeguards

Protections such as passwords, backups and other security features on your computers, networks, PDAs, laptops, etc.

Page 40:

HIPAA “In Your Face”

Not a catch-all for protecting providers or patients

Can make ‘fact finding’ difficult for discipline or grievance processes

Other privacy protections are available

Page 41:

Medical Information Privacy

IAFF Dominick F. Barbera EMS in the Fire Service Conference

Kurt Rumsfeld
IAFF Legal Counsel

June, 2007

Page 42:

Legal Disclaimer

Please note that this presentation is offered solely for informational purposes, and is not intended, nor should it be relied upon, as legal advice. An individual or affiliate in need of legal advice or assistance on any topic covered in this presentation should contact and confer with legal counsel to obtain legal advice appropriate to his or her particular situation.

Page 43:

Dealing with HIPAA as a Union Representative

Frank, a member of your union, is disciplined for allegedly failing to follow patient care protocol during an EMS response. Frank says he did everything “by the book” and that the “paperwork will prove it.” During the grievance process, you request the company’s records related to the response, but management refuses your request because the records contain protected health information under HIPAA. How do you respond?

Page 44:

Dealing with HIPAA as a Union Representative

Disclosure of PHI is permitted for “resolution of internal grievances.” 45 C.F.R. 164.501

Incidental disclosures do not violate the Privacy Rule “if the minimum necessary and reasonable safeguards are met.” 45 C.F.R. 164.502(a)(1)(iii)

Consider redacting information or entering into a confidentiality agreement.

Page 45:

Dealing with HIPAA as a Union Representative

Alleging that EMS employees have been taking excessive and unnecessary sick leave, your employer institutes a policy requiring anyone taking sick leave for more than one shift to obtain a certificate from a doctor certifying that such leave was necessary and that the employee can return to work. During negotiations, you demand documentation substantiating the employer’s concerns regarding sick leave abuse. Your employer refuses your demand on grounds that, as an EMS provider, it is a “covered entity” under HIPAA, and therefore cannot release any records that contain protected health information of its employees.

Page 46:

Dealing with HIPAA as a Union Representative

“Covered entities must comply with [HIPAA’s Privacy Rule] in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurse’s sick leave is not protected health information under this rule.” 65 Fed. Reg. 82,612 (2000)

“Employment records held by a covered entity in its role as an employer” are excluded from the definition of “protected health information.” 45 C.F.R. 160.613

Page 47:

What laws govern your employer’s decision to require employee medical exams and its handling of employee medical records?

Fasten your seat belts.

Page 48:

Limits on Employers’ Use of Employee Medical Information

Americans with Disabilities Act (ADA)

Family and Medical Leave Act (FMLA)

Title VII of the 1964 Civil Rights Act

U.S. and State Constitutions

State Statutory and Common Law Rights
– Invasion of privacy
– Defamation

Page 49:

Americans with Disabilities Act (ADA)

“A covered entity shall not require a medical examination and shall not make inquiries of an employee as to whether such employee is an individual with a disability or as to the nature or severity of the disability, unless such examination or inquiry is shown to be job-related and consistent with business necessity.” 42 U.S.C. 12112(b)(4)(A)

ADA (cont’d)

“A covered entity may make inquiries into the ability of an employee to perform job-related functions.” 42 U.S.C. 12112(b)(4)(B)

Information regarding the medical condition or history of any employee must be collected and maintained on separate forms and in separate medical files and is treated as a confidential medical record. 42 U.S.C. 12112(b)(4)(C)

Supervisors and managers may be informed regarding necessary restrictions on the work or duties of employees, and first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment. 42 U.S.C. 12112(b)(3)

ADA – Periodic Medical Exams

“Periodic medical examinations for public safety positions that are narrowly tailored to address specific job-related concerns and are shown to be consistent with business necessity would be permissible.” Watson v. City of Miami Beach, 177 F.3d 932 (11th Cir. 1999) (quoting EEOC Compliance Manual)

In Watson, city required incumbent police officers to submit to TB tests, because of police exposure to high-risk individuals, even where such exams required the officers to reveal their HIV-AIDS status (since this was necessary to properly diagnose and treat an individual with TB)

ADA also allows for “voluntary medical examinations…which are part of an employee health program available to employees.” 29 U.S.C. 12112(d)(4)(C)

ADA - Fitness for Duty Exams

An employer may require incumbent employees to obtain medical certification before returning to work after an injury or medical procedure to demonstrate the employee’s ability to perform job-related functions. 29 C.F.R. 1630.14(c); Porter v. United States Alumoweld Co., 125 F.3d 243 (4th Cir. 1997)

An employer can require a medical exam for an employee who has record of chronic absenteeism. Yin v. California, 95 F.3d 864 (9th Cir. 1996)

ADA – Fitness for Duty Exams

Conroy v. NY Dep’t of Correctional Services, 333 F.3d 88 (2d Cir. 2003):
– employer must show more than that the inquiry is “convenient or beneficial to its business”
– must show “business necessity” which may include “ensuring that the workplace is safe and secure or cutting down on egregious absenteeism”
– inquiry or examination cannot be any broader or intrusive than necessary

ADA – Chronic Absenteeism Policies

Transport Workers Local 100 v. NYC Transit Authority, 341 F.Supp.2d 432 (S.D.N.Y. 2004)
– Citing sick leave abuse, employer requires all employees out sick for two or more days and employees on “sick leave control list” to submit medical certificate from doctor stating the diagnosis/objective finding as well as treatment prognosis
– Court sustains policy for those on “control list” and for employees in “safety sensitive positions” (e.g. bus drivers)
– But for all other employees, employer may only require employee to submit doctor’s certificate confirming employee was incapable of performing duties, and that the employee is now fit to resume duties, but may not require doctor’s description of the nature of the illness or treatment

ADA – Confidentiality of Medical Records

Great protection in theory, not always in practice

Doe v US Postal Service, 317 F.3d 339 (D.C.Cir. 2003): report from employee’s physician confirming that employee had HIV (required by employer for employee to qualify for FMLA leave) was an “inquiry” under ADA entitled to confidentiality

Medlin v. Rome Strip Steel Co., 294 F.Supp.2d 279 (N.D.N.Y. 2003): contents of functional capacity evaluation (FCE) conducted by physical therapist and required by employer as a condition of returning to work constitute confidential medical information under ADA

Yoder v. Ingersoll-Rand Co., 31 F.Supp.2d 565 (N.D. Ohio 1997): employer didn’t violate ADA by inadvertently turning over unopened medical report showing employee had AIDS to employee’s mother, a co-worker, because confidentiality requirement applies only to applicant exams and “on site” medical exams; 6th Circuit affirmed

ADA – Other Limits on Scope

ADA exempts insurers, health maintenance organizations or other benefit plan administrators when they underwrite or classify risks. 42 U.S.C. 12201(c)

Barnes v. Benham Group, 22 F.Supp.2d 1013 (D.Minn. 1998): employer may require employees to fill out extensive medical histories as required by plan administrators for purpose of risk assessment or waiving coverage eligibility for a new employee health plan

Family and Medical Leave Act (FMLA)

Provides for unpaid leave for serious medical conditions

Allows employers to obtain medical certification of such conditions; limited to medical facts supporting conclusion that condition qualifies for FMLA leave, onset dates, likely duration, likely treatment and impact on work; DOL approved form: dol.gov/esa/regs/compliance/whd/fmla.

Also allows employers to require “simple statement” certifying ability to return to work, and to obtain second opinion, and possibly third, at employer’s expense – 29 C.F.R. 825.306

Medical records must be kept separate and confidential

Non-Discrimination Laws

Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9th Cir. 1998): employer violated Title VII (sex and race discrimination) by testing blood samples taken as part of general medical exam for pregnancy and sickle cell traits without informing employees

Wroblewski v. Lexington Gardens, 448 A.2d 801 (Conn. 1982): employer committed sex discrimination by conducting medical inquiry into female applicant’s “urogenital health” where no such inquiries were made of men

Constitutional Limitations

For public sector employees, actions of employers are subject to constitutional limitations (federal and state)

Fourth Amendment protects against unreasonable searches, and balances employee’s privacy interest with employer’s interest in obtaining the medical information
– Tough argument for public safety employees (see drug testing)
– Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260 (9th Cir. 1998): employer violated 4th Amendment and due process clause (privacy) by testing employee blood samples for medical and genetic information related to syphilis, sickle cell and pregnancy without knowledge of the employees; “that one has consented to a general medical examination does not abolish one’s privacy right not to be tested for intimate, personal matters involving one’s health – nor does consenting to giving blood or urine samples, or filling out a questionnaire”
– Also found violation of privacy right under California Constitution

State Statutory Protections

A “morass” of different statutory and regulatory schemes

36 states impose a general duty on physicians (and in most cases other health care providers) to maintain patient confidentiality

Fewer states impose restrictions on employers
– Pettus v. Cole, 57 Cal.Rptr.2d 46 (Cal.App. 1996): employer refers stressed employee for psychological evaluation after he seeks disability leave; doctor, retained by employer, discloses to the employer highly personal information revealed by employee; court finds violation of California Confidentiality of Medical Information Act because disclosure exceeded exception in the Act allowing for health care provider to disclose to employer “functional limitations on the patient that may entitle the patient to leave from work for medical reasons or limit the patient’s fitness to perform present employment, provided that no statement of medical cause is included in the information disclosed”

State Common Law Protections

Invasion of privacy
– Medical information is protected by common law doctrine of privacy, but disclosure may be protected by “qualified privilege” when only shared with those with a “need to know”
– Davis v. Monsanto, 627 F.Supp. 418 (S.D.W.Va. 1986): no breach of privacy where psychologist’s report on employee’s suicidal tendencies was shared by company’s manager with the personnel department and union representative; all had a legitimate interest in protecting the plant and its employees from danger
– White v. Township of Winthrop, 116 P.3d 1034 (Wash.App. 2005): mayor breached privacy of town marshal by telling press he resigned for “health reasons” related to a “seizure,” insofar as disclosure was “highly offensive” where marshal intended to keep reason private

State Statutory Protections (cont’d)

S & A Plumbing v. Kimes, 756 So.2d 1037 (Fla.Dist.Ct. App. 2000): employee does not have state constitutional privacy claim where health care provider gave medical records to employer and insurance carrier in conjunction with worker’s comp claim, despite employee’s lack of express consent
– court cites Florida statute that provides for exchange of such information, and employee essentially consented when he presented himself for evaluation of the injury as assessment of whether it is attributable to his employment

State Common Law Protections

Defamation: an erroneous medical report might be construed as a false statement of fact harmful to the employee’s reputation; can apply to physician’s publication or subsequent publication by other parties
– Physicians typically enjoy a qualified privilege to report, but this can be defeated if it is found that physician harbored a malicious motive; if the information was recklessly disseminated, or involved a reckless disregard for the truth of the information; or if report exceeded scope of the privilege
– McDermott v. Hughley, 561 A.2d 1038 (Md. 1989): psychologist exceeded scope of privilege by reporting to employer that employee was “malingerer and a virtual pathological liar” as a result of an altercation he had with the employee; purpose of the report was supposed to be limited to whether the employee could perform a particular job assignment

IAFF Resources

IAFF Fire & EMS Operations Department

IAFF Health and Safety Department

IAFF Legal Department
– Your local president can request guidance by a request submitted through your District Vice President