HIPAA's Potential Impact on FMLA Certification

The Family and Medical Leave Act ("FMLA") entitles eligible employees of covered employers to take unpaid, job-protected leave for certain family and medical reasons. These medical reasons include the "serious health condition" of an employee's spouse, child, or parent, or the "serious health condition" of the employee that prevents him/her from performing the essential functions of their job.

In order to assess whether a covered individual has a "serious health condition", an employer can require sufficient medical information to support an employee's request for FML. However, the Health Insurance Portability and Accountability Act ("HIPAA") generally restricts a healthcare provider from divulging protected health information ("PHI") of their patients to third-parties, including employers. This article provides tips for maneuvering through the potential conflicts between these two statutes.

The Department of Labor ("DOL") prescribes FMLA certification forms to verify the existence of a "serious health condition". To be sufficient, a medical certification should state the following: the date the condition commenced; the probable duration of the condition; appropriate medical facts regarding the condition; a statement that the employee is needed to care for a covered family member or a statement that the employee is unable to perform the essential functions of his or her position; dates and duration of any planned treatment; a statement of the medical necessity for intermittent leave or leave on a reduced schedule; and expected duration of such leave.

The employee can either personally deliver the completed FMLA certification form to his/her employer, or have his/her healthcare provider send the completed form directly to the employer. Either way, at the time the employee is given the FMLA certification forms, the employer should require the employee to complete a HIPAA-compliant authorization for the employee's healthcare provider to release the employee's PHI to the employer. The authorization must specify a number of elements, including a description of the PHI to be disclosed; the person authorized to make the disclosure; the person to whom the healthcare provider may make the disclosure; an expiration date; and in some cases, the purpose for which the information may be used or disclosed.

HIPAA privacy rules requires a healthcare provider to treat a "personal representative" the same as the individual, with respect to the use and disclosure of the individual's PHI. A personal representative is a person legally authorized to make healthcare decisions on an individual's behalf or to act for a deceased individual or the estate. In most cases parents are the personal representative for their minor children.

If an employee is unable or unwilling to return the completed FMLA certification, HIPAA prohibits a healthcare provider from sending the completed FMLA certification directly to the employer if the certification contains patient PHI. An exception to this general rule is disclosure pursuant to the above-referenced authorization executed by the individual who is the subject of the PHI.

On occasion, an employer may determine that the FMLA certification is incomplete or provides insufficient information to assess whether there exists a "serious heath condition". In such instance, the FMLA requires the employer to give the employee written notice as to what sections are incomplete and allow the employee seven days to obtain the missing information. If the employee refuses to cooperate, the employer may decline the FML.

Alternatively, after the aforementioned seven-day period, the employer may directly contact the healthcare provider to either clarify or authenticate the information in the FLMA certification. However, the DOL has specified that communications between employers and the employee's healthcare provider to clarify FMLA certifications must also comply with HIPAA privacy rules. Compliance with these privacy rules may entail the employer sending the healthcare provider the aforementioned authorization to release PHI as a precursor to discussing the FMLA certification. Furthermore, the employer's representative who contacts the employee's healthcare provider must either be a healthcare practitioner, an HR professional, a leave administrator or a management official. In no case may the employer's representative be the employee's direct supervisor.

An employer may request FMLA recertification every thirty days unless the medical certification indicates that the minimum duration of medical condition will exceed this period. In all cases, an employer may request recertification every six months, even where the certification states a longer period. Since an initial grant of FML may require recertification, an employer should set an expiration date on its employee's authorization to release PHI that allows it to be reused to authorize the release of medical information for purposes of recertifying this leave.

While HIPPA's privacy rules may restrict an employer's ability to confirm a serious health condition under the FMLA, such restrictions can easily be avoided by an employer receiving a HIPPA-compliant authorization to release PHI from its employees at the front-end of an FMLA request.