Oftentimes, healthcare entities’ employees are also patients of the healthcare entity, creating a dual role as employer and employee as well as doctor and patient. But what can an employer do when they need to access an employee’s medical records? Are these medical records treated differently than non-employee patients? Throughout the last few years, we have seen an increasing number of healthcare entities with these exact questions.

Pursuant to 65 FR 82612, HIPAA does not apply to employment records held by a healthcare entity. However, “[i]ndividually identifiable health information maintained or transmitted by a covered entity in its health care capacity [will] continue to be treated as protected health information” under HIPAA. (67 FR 53191). In fact, “identifiable health information the healthcare entity holds as a covered health care provider . . . is protected health information and generally may not be shared with the employer for employment purposes without the individual’s authorization.” 78 FR 5589. Therefore, HIPAA does draw a distinction between employment records and employees’ medical records.

The regulations give several examples of how to distinguish between employment records and employees’ medical records that contain protected health information: “drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee’s authorization, the test results are provided to the provider acting as employer and placed in the employee’s employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee’s authorization.” 67 FR 53192.

If the records a healthcare entity needs to obtain are the medical records of its employee, then the HIPAA exceptions apply just as they would to any other non-employee patient. The main exception we see in this dual role scenario is that a covered entity is permitted to use or disclose protected health information for treatment, payment, or health care operations, as permitted by and in compliance with 164.506 (the “Healthcare Operations Exception”). 45 CFR 164.502(a)(1)(ii).

The Healthcare Operations Exception includes several permitted activities, but the most commonly utilized activities for healthcare entities in the dual role of employer and provider include: conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; and conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs. 45 CFR 164.501.

The caveat is that “when using or disclosing protected health information . . . a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” 45 CFR 164.502(b). As such, if a healthcare entity does need to look into an employee’s medical record under the Healthcare Operations Exception, it must do so for an extremely limited purpose and access only the minimum information necessary for that purpose.