As mentioned above, the Privacy Rule standards apply only to specified covered entities. According to the law, that includes health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form, in connection with specified transactions for which the HHS has established standards.

HIPAA and the FMLA

Now, how does HIPAA impact the FMLA certification process? To determine whether an employee qualifies for FMLA leave, an employer can require sufficient medical information to support the FMLA request. However, an HCP may be restricted by HIPAA from divulging the protected health information of their patients to third parties, such as an employer. So, what is an employer to do?

First, remember that it is always an employee’s responsibility to submit a complete and sufficient certification form in order to prove FMLA eligibility. Therefore, an employee can personally deliver the completed FMLA certification form to the employer. If an employee is unable or unwilling to return the completed FMLA certification themselves, many providers will often allow release of protected health information upon receipt of a HIPAA-compliant authorization form. Such form, signed by the employee, will authorize their HCP to send the completed form directly to the employer.

In some cases, an employer may find that the FMLA certification form is incomplete or provides insufficient information to determine whether the employee qualifies for FMLA leave. In such cases, the FMLA requires the employer to give the employee written notice of the deficiencies and allow the employee seven days to submit the missing information. During this clarification process, the HCP may again rely on the HIPAA compliant form to provide the protected health information being requested by the employer or administrator. The individual who reaches out to the HCP must be a healthcare practitioner, an HR professional, a leave administrator, or a management official – under no circumstances may such individual be the employee’s direct supervisor.

What if the employee refuses to sign an authorization?

The employee still has the option to personally return the certification requested to provide proof of FMLA eligibility. However, if the employee refuses to personally deliver the completed FMLA certification form to the employer AND refuses to sign a HIPAA-compliant authorization form, then there is not much an employer can do, other than deny the request. Courts across the country have consistently held that an employee’s inability to comply with the notice and/or certification process for FMLA leave precludes entitlement to FMLA protections. Thus, if the employee refuses to provide sufficient information to determine their eligibility for FMLA, then the employer is not obligated to grant the FMLA request.

Stay tuned - we will have more great lessons on tricky FMLA topics coming up soon.

What Guardian is Doing

Guardian continuously tracks and analyzes current and pending leave and accommodation legislation to determine potential impacts to our customers. In addition, Guardian monitors guidance from agencies such as the Department of Labor and Equal Employment Opportunity Commission and incorporates that guidance into our administration when appropriate.

Learn more about Absence Management
Go now
Read more from the Guardian Absence Management blog
Go now


Information provided on this blog is intended for general educational use. It is not intended to provide legal advice. Guardian does not provide legal services. Consult an attorney for legal advice on this or any other topic. GUARDIAN® is a registered service mark of The Guardian Life Insurance Company of America® ©Copyright 2021 The Guardian Life Insurance Company of America, New York, N.Y.

2021-125040 20230831