The Health Insurance Portability and Accountability Act ("HIPAA"), enacted in 1996 to increase the protections afforded to health care information, will have a dramatic impact on employers and the employment relationship as it pertains to an employee's medical records. The recently finalized HIPAA privacy rules, effective April 14, 2003, establish guidelines for the use and disclosure of certain health information. Importantly, the regulations exclude from the scope of the privacy regulations certain "employment records" relied upon by an employer when acting in their capacity as an employer.

By way of background, HIPAA acknowledges an individual's privacy right in certain, identifiable health information, or "protected health information" (PHI). Generally, HIPAA imposes limitations on the use and disclosure of PHI without the individual's permission, unless specifically permitted or required for disclosure by the HIPAA regulations. Although such restrictions are limited to "covered entities", employees with group health plans would be deemed a covered entity.

Thus, although the privacy rules will have a significant impact on employers as it pertains to their health plans, an employer can still continue to collect and use health information for employment-related functions. In the Final Amendments to HIPAA, promulgated by the Department of Health and Human Services ("HHS") on August 14, 2002, HHS adopted an exception for items contained within employment records from the definition of PHI. Although HHS did not adopt a specific definition of "employment records", it did explain "that medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer." In light of this exception, employers are free to use health information for these employment based reasons.

However, the HHS also cautioned employers that they may have dual roles as an employer and as a health plan sponsor and that health information may be PHI as it relates to health plan responsibilities but not PHI in their capacity as an employer. That is, the nature of the information doesn't control whether it is deemed PHI or an employment record but, instead, depends whether the employer obtained or created the information in an employment or health plan capacity. For example, a self-insured employer would be faced with a dilemma as to information it possesses for purposes of its health plan and how that information can be used in its employment decisions, such as determining whether an individual is suffering from a disability under the ADA.

One possible solution for dealing with the issues created by an employer's dual role is to have each employee execute a medical records release permitting an employer to have access to PHI, if necessary. Such releases, however, must comply with HIPAA requirements including an expiration date for the release, which can be the date of the termination of the employment relationship. With a signed release, an employer can avoid any conflicts that may arise with respect to the employer's ability to use PHI in its employment functions.