Employers often receive requests for medical information from the unions representing their employees. These requests come up in a variety of contexts and include:
- requests for an individual employee’s medical information related to a grievance on behalf of that individual;
- requests for other employees’ medical information related to a grievance;
- requests for health plan claims information during collective bargaining; and
- requests for patient information related to the discipline of a bargaining unit employee for inadequate or improper patient care within a hospital or other healthcare setting.
When employers receive these types of requests, many are concerned about whether the request implicates the confidentiality provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or its privacy rule. The short answer is that HIPAA generally does not apply to medical records maintained by an employer. But that doesn’t mean employers don’t have confidentiality obligations vis-à-vis those employee medical records. And union requests to employers for information maintained in their capacity as a “covered entity,” as that term is defined under HIPAA, do implicate HIPAA requirements.
Non-HIPAA Employer Confidentiality Obligations
Although HIPAA generally doesn’t apply to employee medical records maintained by an employer, employers nevertheless have an obligation to maintain the confidentiality of those records. For example, the Americans with Disabilities Act requires employers that obtain disability-related medical information to maintain that information in a confidential medical file that is kept separate from the employee’s personnel file. It must be treated as a confidential medical record and may be disclosed only to certain individuals and in certain situations—not in response to union information requests. Similarly, the Genetic Information Nondiscrimination Act (GINA) provides that employers that possess genetic information about an employee must treat that information as a confidential medical record and maintain it in a separate medical file. In addition, many state laws require employers to keep employee medical records confidential.
What can an employer do if it receives a union’s request for employee medical information?
While the National Labor Relations Act (NLRA) requires employers to provide unions with information relevant to collective bargaining or to the investigation or processing of grievances, that requirement is anything but absolute. The Supreme Court of the United States has recognized a balance between a union’s right to relevant information and an employer’s (or an employee’s) right to confidentiality. In Detroit Edison Company v. National Labor Relations Board (NLRB), the Supreme Court considered the privacy interests of employees who had taken a psychological aptitude test. The union sought to obtain the test questions and results. The Court determined that the interest in protecting the privacy rights of employees who had taken the psychological aptitude test outweighed the interest of the union in obtaining the information and thus declined to order the employer to provide the information.
An employer may not simply refuse to provide confidential information, however. Rather, it must work with the union to explore reasonable alternatives to protect confidentiality while providing the union with information it needs to perform its duties as the employees’ exclusive bargaining representative.
A. Written Release of Medical Records
One way to balance these competing interests is to require the union to obtain a written release of medical records from the employee(s) whose records the union is seeking. For bargaining unit employees, this often is an obvious solution. But what if a represented employee won’t release his or her medical records to the union? Depending on the circumstances, this may support an argument that the employee’s confidentiality concerns outweigh the union’s need for the information. If, despite this fact, a union continues to insist on receiving confidential employee medical records without a release, the employer may consider communicating the union’s actions to the employee(s) whose records the union is seeking and/or to the bargaining unit as a whole, so they have a clear understanding of the union’s position regarding their confidential medical records. Employers may want to carefully craft any such communication to avoid a claim of direct dealing.
B. Limiting Access to the Records
Another option that may be used instead of or in addition to an individual release of records is to enter into an agreement with the union to limit access to the records to only those people necessary to process a grievance.
C. Medical Records of Nonbargaining Unit Employees
If a union is seeking employment records of nonbargaining unit employees, relevance isn’t presumed—the union must demonstrate it. For confidential medical records, the union’s burden is even higher. There are few circumstances in which a union would be entitled to those records, so an employer may want to evaluate any such union request very carefully.
HIPAA-Covered Confidentiality Obligations
What if an employer with bargaining unit employees is also a “covered entity” under HIPAA?
In that situation, an employer’s obligations as an “employer” are the same as those of any other employer, and HIPAA does not apply. But, if a union is seeking protected health information (PHI) that you maintain as a HIPAA-covered entity, then HIPAA does apply and such PHI may be disclosed only as set forth in the HIPAA regulations.
HIPAA defines “covered entities” as:
- health plans;
- healthcare clearinghouses; and
- healthcare providers that electronically transmit health information in connection with transactions for which the Department of Health and Human Services has adopted standards.
For “covered entities,” the most common types of union information requests that trigger a HIPAA obligation are:
- requests for health plan claims information;
- requests for an employee’s PHI maintained by the entity in its role as a healthcare provider (i.e., where the employee also is a patient); and
- requests for a nonemployee patient’s PHI to investigate discipline taken against an employee working in a hospital or other healthcare setting.
Does HIPAA prohibit these disclosures?
Maybe. HIPAA does allow disclosure of PHI if it is related to “healthcare operations,” which includes “resolution of internal grievances.” Similarly, HIPAA allows disclosure of PHI if such disclosure otherwise is required by law. Comments to the regulations clarify that “to the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may do so without an authorization.” The comments also provide that the definition of “health care operations” permits disclosures to employee representatives for purposes of grievance resolution.
Therefore, while HIPAA may permit (but not require) disclosure of PHI for grievance resolution or if required by law, this simply brings the discussion back to the balancing of the interests of an employee’s right to privacy and a union’s need for information under the NLRA. In other words, whether or not a disclosure is permitted because it is “required by law” or “for purposes of grievance resolution” pivots back to the analysis of when an employer is required to provide information to a union under the NLRA. If the employer is not required to provide the information under the NLRA, then it may be prohibited from disclosing the information under HIPAA.
There are ways to protect PHI while still providing relevant information to a union. Consider the following examples:
- For health plan claims information, a union normally does not need individual participant information for bargaining. Generally, a summary of claims information is adequate.
- For an employee’s own patient information, the union can get a release from the employee.
- For patient information related to an employee’s discipline, redacted information that eliminates all patient-identifying information generally is appropriate and satisfies a union’s needs. While the employee who is the subject of the discipline may be aware of the patient’s identity, that employee is bound by HIPAA to protect it, and redacting the information obscures the identity for the union and in any subsequent grievance and arbitration proceedings.
What if You Get It Wrong? Potential Penalties
If an employer refuses to provide information based on confidentiality concerns and the NLRB disagrees with the employer’s decision, the NLRB can order the employer to provide the information to the union and to post a notice. If the employer did not attempt to negotiate with the union to provide relevant information while protecting confidentiality, then the NLRB may order it to provide the information without any accommodation to confidentiality.
In addition, if the employer is in bargaining, an unfair labor practice determination will impact its ability to declare impasse and implement a final offer, engage in a lockout, or hire permanent replacements for striking workers.
Finally, if an information request relates to a grievance and the employer refuses to provide the information, it may be precluded from introducing that information at arbitration.
For those employers that also are covered entities under HIPAA, the potential penalties for improperly providing PHI can be very severe. Even for a HIPAA violation that has a reasonable cause or is the result of the covered entity not knowing it was a violation, the penalty can be up to $50,000 per violation, not to exceed $1.5 million in a year, for violations of an identical provision, and can result in jail time of up to a year. For willful violations, the penalties are harsher still.
What Goes Around Comes Around
Confidentiality of medical information is an important consideration for employers. HIPAA hasn’t changed that; in both HIPAA-covered and non-covered situations, the determination of when and if an employer is required to disclose confidential medical information to a union comes back to the longstanding NLRA analysis requiring a balancing of competing interests and a negotiated attempt to preserve confidentiality wherever possible. However, for employers that also are covered entities under HIPAA, the stakes of getting it right are higher because of the potential penalties associated with violating HIPAA by improperly releasing PHI.