September 21, 2020

Volume X, Number 265

September 18, 2020

Subscribe to Latest Legal News and Analysis

HIPAA: Disclosing Exam Results to Employers

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92).

An employee who receives an unfavorable test or exam result may attempt to block disclosure by revoking their authorization. Although patients are generally entitled to revoke their authorization by submitting a written revocation, HIPAA contains an exception that limits revocation if and to the extent that the provider has taken action in reliance on the authorization. (45 CFR 164.508(b)(5)). That exception should apply when the provider has conditioned and provided the test or exam in reliance on the patient’s authorization.

There are very limited exceptions to the authorization requirement. As in other situations, a provider may disclose protected health information to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (45 CFR 164.512(j)), or if the disclosure is otherwise required by law. (Id. at 164.512(a)). HIPAA contains a specific exception that allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. (Id. at 164.512(b)(v)). Finally, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers compensation laws. (Id. at 164.512(l)).

The bottom line: if you are a physician or other provider who conducts employment physicals, tests, or exams, be sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing test or exam results to the employer. 

Copyright Holland & Hart LLP 1995-2020.National Law Review, Volume V, Number 265


About this Author

Kim C. Stanger, Holland Hart, Health care Lawyer, HIPAA Attorney, Technology

Clients in the healthcare industry trust Mr. Stanger to provide sophisticated and nuanced counsel on everything from simple healthcare transactions to more complicated regulatory matters.

Mr. Stanger guides clients through simple and complex healthcare transactions, including practitioner and payor contracts; joint ventures; practice formations, acquisitions, and mergers; conversions; and physician integration. He helps clients comply with numerous laws and regulations governing healthcare, including Stark, the Anti-Kickback Statute, HIPAA,...

Patricia Pia Dean, Holland Hart, healthcare lawyer, regulatory matters attorney, medical

Health care law, in all its many aspects, is Ms. Dean's passion. Her desire to better serve her clients and understand healthcare laws and regulations in depth led her in 2010 to return to school to begin obtaining her masters of law (LL.M.) in health law. Her education, coupled with her years representing clients in health law related matters, provide her clients with sophisticated counsel on a wide range of issues, including healthcare transactions, regulatory matters, practice formation, government investigations, medical ethics, and physician integration.

She is immersed in efforts at both the federal and state levels to reform healthcare and address its rising costs. She has extensive knowledge of the Patient Protection and Affordable Care Act, health benefit exchanges, accountable care organizations, and Medicare/Medicaid reforms.

William W. Mercer, Holland and Hart, Environmental Matters Lawyer, Natural Resource Litigation Attorney

Mr. Mercer represents clients before government agencies in environmental matters as well as litigation related to the development of natural resources and health care fraud and overpayments. To minimize the probability of civil or criminal liability for business entities, Mr. Mercer provides compliance counseling. He also represents companies and individuals in response to state and federal investigations and cases.

From June 2005 through July 2007, Mr. Mercer served as a senior Justice Department official in the positions of Acting Associate...