Standards for Privacy of Individually Identifiable Health Information
III. Section-by-Section Description of Final Modifications and Response to Comments
3. Protected Health Information: Exclusion for Employment Records
December 2000 Privacy Rule
The Privacy Rule broadly defines "protected health information"
as individually identifiable health information maintained or transmitted
by a covered entity in any form or medium. The December 2000 Privacy
Rule expressly excluded from the definition of "protected health
information" only educational and other records that are covered
by the Family Education Rights and Privacy Act of 1974, as amended,
20 U.S.C. 1232g. In addition, throughout the December 2000 preamble
to the Privacy Rule, the Department repeatedly stated that the Privacy
Rule does not apply to employers, nor does it apply to the employment
functions of covered entities, that is, when they are acting in
their role as employers. For example, the Department stated:
Covered entities must comply with this regulation in their health
care capacity, not in their capacity as employers. For example,
information in hospital personnel files about a nurses' (sic) sick
leave is not protected health information under this rule.
65 FR 82612
However, the definition of protected health information did not
expressly exclude personnel or employment records of covered entities.
March 2002 NPRM
The Department understands that covered entities are also employers,
and that this creates two potential sources of confusion about the
status of health information. First, some employers are required
or elect to obtain health information about their employees, as
part of their routine employment activities [e.g., hiring, compliance
with the Occupational Safety and Health Administration (OSHA) requirements].
Second, employees of covered health care providers or health plans
sometimes seek treatment or reimbursement from that provider or
health plan, unrelated to the employment relationship.
To avoid any confusion on the part of covered entities as to application
of the Privacy Rule to the records they maintain as employers, the
Department proposed to modify the definition of "protected health
information" in Sec. 164.501 to expressly exclude employment records
held by a covered entity in its role as employer. The proposed modification
also would alleviate the situation where a covered entity would
feel compelled to elect to designate itself as a hybrid entity solely
to carve out its employment functions. Individually identifiable
health information maintained or transmitted by a covered entity
in its health care capacity would, under the proposed modification,
continue to be treated as protected health information.
The Department specifically solicited comments on whether the term
"employment records" is clear and what types of records would be
covered by the term.
In addition, as discussed in section III.C.1. below, the Department
proposed to modify the definition of a hybrid entity to permit any
covered entity that engaged in both covered and non-covered functions
to elect to operate as a hybrid entity. Under the proposed modification,
a covered entity that primarily engaged in covered functions, such
as a hospital, would be allowed to elect hybrid entity status even
if its only non-covered functions were those related to its capacity
as an employer. Indeed, because of the absence of an express exclusion
for employment records in the definition of protected health information,
some covered entities may have elected hybrid entity status under
the misconception that this was the only way to prevent their personnel
information from being treated as protected health information under
the Rule.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response to
Other Public Comments."
The Department received comments both supporting and opposing the
proposal to add an exemption for employment records to the definition
of protected health information. Support for the proposal was based
primarily on the need for clarity and certainty in this important
area. Moreover, commenters supported the proposed exemption for
employment records because it reinforced and clarified that the
Privacy Rule does not conflict with an employer's obligation under
numerous other laws, including OSHA, Family and Medical Leave Act
(FMLA), workers' compensation, and alcohol and drug free workplace
laws.
Those opposed to the modification were concerned that a covered
entity may abuse its access to the individually identifiable health
information in its employment records by using that information
for discriminatory purposes. Many commenters expressed concern that
an employee's health information created, maintained, or transmitted
by the covered entity in its health care capacity would be considered
an employment record and, therefore, would not be considered protected
health information. Some of these commenters argued for the inclusion
of special provisions, similar to the "adequate separation" requirements
for disclosure of protected health information from group health
plan to plan sponsor functions (Sec. 164.504(f)), to heighten
the protection for an employee's individually identifiable health
information when moving between a covered entity's health care functions
and its employer functions.
A number of commenters also suggested types of records that the
Department should consider to be "employment records" and, therefore,
excluded from the definition of "protected health information."
The suggested records included records maintained under the FMLA
or the Americans with Disabilities Act (ADA), as well as records
relating to occupational injury, disability insurance eligibility,
sick leave requests and justifications, drug screening results,
workplace medical surveillance, and fitness-for-duty test results.
One commenter suggested that health information related to professional
athletes should qualify as an employment record.
Final Modifications
The Department adopts as final the proposed language excluding
employment records maintained by a covered entity in its capacity
as an employer from the definition of "protected health information."
The Department agrees with commenters that the regulation should
be explicit that it does not apply to a covered entity's employer
functions and that the most effective means of accomplishing this
is through the definition of "protected health information."
The Department is sensitive to the concerns of commenters that
a covered entity not abuse its access to an employee's individually
identifiable health information which it has created or maintains
in its health care, not its employer, capacity. In responding to
these concerns, the Department must remain within the boundaries
set by the statute, which does not include employers per se as covered
entities. Thus, we cannot regulate employers, even when it is a
covered entity acting as an employer.
To address these concerns, the Department clarifies that a covered
entity must remain cognizant of its dual roles as an employer and
as a health care provider, health plan, or health care clearinghouse.
Individually identifiable health information created, received,
or maintained by a covered entity in its health care capacity is
protected health information. It does not matter if the individual
is a member of the covered entity's workforce or not. Thus, the
medical record of a hospital employee who is receiving treatment
at the hospital is protected health information and is covered by
the Rule, just as the medical record of any other patient of that
hospital is protected
health information and covered by the Rule. The hospital may use
that information only as permitted by the Privacy Rule, and in most
cases will need the employee's authorization to access or use the
medical information for employment purposes. When the individual
gives his or her medical information to the covered entity as the
employer, such as when submitting a doctor's statement to document
sick leave, or when the covered entity as employer obtains the employee's
written authorization for disclosure of protected health information,
such as an authorization to disclose the results of a fitness for
duty examination, that medical information becomes part of the employment
record, and, as such, is no longer protected health information.
The covered entity as employer, however, may be subject to other
laws and regulations applicable to the use or disclosure of information
in an employee's employment record.
The Department has decided not to add a definition of the term
"employment records" to the Rule. The comments indicate that the
same individually identifiable health information about an individual
may be maintained by the covered entity in both its employment records
and the medical records it maintains as a health care provider or
enrollment or claims records it maintains as a health plan. The
Department therefore is concerned that a definition of "employment
record" may lead to the misconception that certain types of information
are never protected health information, and will put the focus incorrectly
on the nature of the information rather than the reasons for which
the covered entity obtained the information. For example, drug screening
test results will be protected health information when the provider
administers the test to the employee, but will not be protected
health information when, pursuant to the employee's authorization,
the test results are provided
to the provider acting as employer and placed in the employee's
employment record. Similarly, the results of a fitness for duty
exam will be protected health information when the provider administers
the test to one of its employees, but will not be protected health
information when the results of the fitness for duty exam are turned
over to the provider as employer pursuant to the employee's authorization.
Furthermore, while the examples provided by commenters represent
typical files or records that may be maintained by employers, the
Department does not believe that it has sufficient information to
provide a complete definition of employment record. Therefore, the
Department does not adopt as part of this rulemaking a definition
of employment record, but does clarify that medical information
needed for an employer to carry out its obligations under FMLA,
ADA, and similar laws, as well as files or records related to occupational
injury, disability insurance eligibility, sick leave requests and
justifications, drug screening results, workplace medical surveillance,
and fitness-for-duty tests of employees, may be part of the employment
records maintained by the covered entity in its role as an employer.
Response to Other Public Comments
Comment: One commenter requested clarification as to whether
the term "employment record" included the following information
that is either maintained or transmitted by a fully insured group
health plan to an insurer or HMO for enrollment and/or disenrollment
purposes: (a) the identity of an individual including name, address,
birth date, marital status, dependent information and SSN; (b) the
individual's choice of plan; (c) the amount of premiums/contributions
for coverage of the individual; (d) whether the individual is an
active employee or retired; (e) whether the individual is enrolled
in Medicare.
Response: All of this information is protected health information
when held by a fully insured group health plan and transmitted to
an issuer or HMO, and the Privacy Rule applies when the group health
plan discloses such information to any entity, including the plan
sponsor. There are special rules in Sec. 164.504(f) which describe
the conditions for disclosure of protected health information to
the plan sponsor. If the group health plan received the information
from the plan sponsor, it becomes protected health information when
received by the group health plan. The plan sponsor is not the covered
entity, so this information will not be protected when held by a
plan sponsor, whether or not it is part of the plan sponsor's "employment
record."
Comment: One commenter asked for clarification as to how
the Department would characterize the following items that a covered
entity may have: (1) medical file kept separate from the rest of
an employment record containing (a) doctor's notes; (b) leave requests;
(c) physician certifications; and (d) positive hepatitis test results;
(2) FMLA documentation including: (a) physician certification form;
and (b) leave requests; (3) occupational injury files containing
(a) drug screening; (b) exposure test results; (c) doctor's notes;
and (d) medical director's notes.
Response: As explained above, the nature of the information
does not determine whether it is an employment record. Rather, it
depends on whether the covered entity obtains or creates the information
in its capacity as employer or in its capacity as covered entity.
An employment record may well contain some or all of the items mentioned
by the commenter; but so too might a treatment record. The Department
also recognizes that the employer may be required by law or sound
business practice to treat such medical information as confidential
and maintain it separate from other employment records. It is the
function being performed by the covered entity and the purpose for
which the covered entity has the medical information, not its record
keeping practices, that determines whether the health information
is part
of an employment record or whether it is protected health information.
Comment: One commenter suggested that the health records
of professional athletes should qualify as "employment records."
As such, the records would not be subject to the protections of
the Privacy Rule.
Response: Professional sports teams are unlikely to be covered
entities. Even if a sports team were to be a covered
entity, employment records of a covered entity are not
covered by this Rule. If this comment is suggesting
that the records of professional athletes should be
deemed "employment records" even when created or maintained
by health care providers and health plans, the Department
disagrees. No class of individuals should be singled
out for reduced privacy protections. As noted in the
preamble to the December 2000 Rule, nothing in this
Rule prevents an employer, such as a professional sports
team, from making an employee's agreement to disclose
health records a condition of employment. A covered
entity, therefore, could disclose this information to
an employer pursuant to an authorization.