Employers Beware: Requirements and Potential HIPAA Liability
Every business, large or small, will encounter a situation where a third party requests information pertaining to an employee. Whether it is verification of employment or income or, in the case of medical professionals, the release of a patient's medical records, it is important to always verify that the requesting entity has legal authority to obtain that information. A requesting entity should always provide your company with a signed authorization giving that entity the authority to obtain the confidential records being requested. Additionally, the parameters of the release must be strictly followed. For example, if a release allows you, as an employer, to verify employment only, then verification of income is prohibited.
To ensure that the requesting entity has the authority to obtain the information requested, a signed release authorization should be produced by the requesting entity at the time the request is made. This release should be placed in the individual's file and a copy maintained with all documents produced. Additionally, if resources permit, your company should independently verify that the employee is authorizing the release of his or her personal information, even when a release has been produced. That way, if a question is raised regarding whether your company was authorized to release the information, all matters will be well documented.
With regard to entities requesting employee medical records, strict guidelines must be followed by employers. As a general rule, anything a doctor, nurse or other health professional has written or discussed about a patient's personal medical treatment is confidential. HIPAA (Health Insurance Portability and Accountability Act) imposes many privacy obligations on employers, especially those employers who administer their own group health plans. Employers are required to protect the privacy of their employees' personal health-related information.
Medical professionals (physicians, chiropractors, dentists, etc.) should make sure that when third parties request medical records, those requests are accompanied by a HIPAA-compliant authorization. It should be noted that a HIPAA authorization expires after six months. Records should not be produced when an entity has produced an expired HIPAA authorization. It is common for physicians to deal with the same entities on a repetitive basis regarding the release of records. Although there may be familiarity with the entity, no corners should ever be cut. Despite an ongoing working relationship with the requesting entity, you must make sure that entity produces a HIPAA authorization with every request for medical bills or records. Despite the familiarity with the requesting entities, HIPAA-compliant authorizations should be obtained with each and every request for records. When faced with such requests, it is vital that the appropriate measures be taken to ensure that patient privacy rights are not violated and that you have not opened your business up to legal liability.