FMLA Spotlight: HIPAA
HIPAA was enacted in 1996 to set national standards for the protection of certain health information. The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes these standards for individuals’ privacy rights and to address the use of certain health information by “covered entities” – those subject to the Privacy Rules. According to the federal Department of Health and Human Services (“HHS”), a “major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and wellbeing.”
As mentioned above, the Privacy Rule standards apply only to specified covered entities. According to the law, that includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form, in connection with specified transactions for which the HHS has established standards.
HIPAA and the FMLA
Now, how does HIPAA impact the FMLA certification process? To determine whether an employee qualifies for FMLA leave, an employer can require sufficient medical information to support the FMLA request. However, an HCP may be restricted by HIPAA from divulging the protected health information of their patients to third parties, such as an employer. So, what is an employer to do?
First, remember that it is always an employee’s responsibility to submit a complete and sufficient certification form in order to prove FMLA eligibility. Therefore, an employee can personally deliver the completed FMLA certification form to the employer. If an employee is unable or unwilling to return the completed FMLA certification themselves, many providers will often allow release of protected health information upon receipt of a HIPAA-compliant authorization form. Such form, signed by the employee, will authorize their HCP to send the completed form directly to the employer.
In some cases, an employer may find that the FMLA certification form is incomplete or provides insufficient information to determine whether the employee qualifies for FMLA leave. In such cases, the FMLA requires the employer to give the employee written notice of the deficiencies and allow the employee seven days to submit the missing information. During this clarification process, the HCP may again rely on the HIPAA compliant form to provide the protected health information being requested by the employer or administrator. The individual who reaches out to the HCP must be a healthcare practitioner, an HR professional, a leave administrator, or a management official – under no circumstances may such individual be the employee’s direct supervisor.
What if the employee refuses to sign an authorization?
The employee still has the option to personally return the certification requested to provide proof of FMLA eligibility. However, if the employee refuses to personally deliver the completed FMLA certification form to the employer AND refuses to sign a HIPAA-compliant authorization form, then there is not much an employer can do, other than deny the request. Courts across the country have consistently held that an employee’s inability to comply with the notice and/or certification process for FMLA leave precludes entitlement to FMLA protections. Thus, if the employee refuses to provide sufficient information to determine their eligibility for FMLA, then the employer is not obligated to grant the FMLA request.
Stay tuned - we will have more great lessons on tricky FMLA topics coming up soon.
What Guardian is Doing
Guardian continuously tracks and analyzes current and pending leave and accommodation legislation to determine potential impacts to our customers. In addition, Guardian monitors guidance from agencies such as the Department of Labor and Equal Employment Opportunity Commission and incorporates that guidance into our administration when appropriate.