Are any of the following three situations a HIPAA violation?
- Is it a violation of HIPAA for an employee to say that another employee is out of the office for a “doctor’s appointment”?
- Is it a violation for an employee to say another employee is out of the office due to an appendectomy? (naming the condition)
- Is it a violation for an employee to say another employee is out of the office because he is in the hospital? Or having an operation?
We took the questions to our counsel at National Financial Partners for an answer. Here’s what we were told:
“None of these situations is likely a HIPAA violation, since HIPAA does not generally apply to an individual employee. As background, HIPAA applies to health plans, health care clearinghouses and health care providers. Generally, an individual employee will not fall into any one of those three categories. So if it is just a random employee sharing this type of information with another random employee, then there is not likely a HIPAA issue at play (although there may be employment issues that need to be addressed).
That said, if the employee that is sharing this type of information is associated with the plan in some sort of administrative support or other role, then it’s possible that this could be a HIPAA violation. The answer likely depends on the employee’s involvement in the plan and how the employee came upon the information that he/she is sharing. Medical information obtained by the employer (i.e., an employee in his/her role related to the plan) from the employee, a member of the employee’s family or a co-worker outside of the group health plan is not generally considered protected health information (PHI—personally identifiable health information that is protected from unauthorized disclosure).
In that case, the disclosure is not subject to HIPAA’s privacy rules (although again, non-HIPAA privacy concerns may still arise and appropriate precautions should be taken). However, if the medical information is PHI obtained from or through the employer’s group health plan, the information would be considered PHI, and the health plan’s disclosure to the employer is subject to the HIPAA privacy rule, meaning that the employee, in his/her role associated with the plan, should not announce or otherwise share the information without the individual’s consent/authorization.
So it would really come down to the facts and circumstances surrounding the two employees. We could not give an answer on that absent further facts, and probably could not give an exact answer even with further facts since that answer could be construed as legal advice. We suggest engaging outside counsel for an exact answer. In addition, the employer’s HIPAA privacy policies and procedures should be reviewed—there may be some additional guidance in that document that would help describe which individual employees are responsible for the plan as well as the types of disclosures of PHI that are allowed.”
So, there you have it. Just a friendly reminder – this information is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice, but hopefully it will help send you in the right direction through your research.
Mark Bailey, Jr. is the Senior Marketing Manager of NFP's Atlantic region. Before joining the company, Mark was a production assistant on the TV show Glee and an on-air talent on 95.1 WAPE. He has over 10 years of experience in the insurance and corporate benefits space. Mark is an avid Jacksonville Jaguars fan and loves to spend his free time building custom mechanical keyboards.