Question: When an employer pays our medical office to perform drug tests, fitness-for-duty or return-to-work exams, or employment physicals, can we disclose the exam/test results to the employer without obtaining an authorization from the patient?
Answer: Although many healthcare providers assume that they don’t need patient authorization in this case, that is not correct, healthcare attorney Kim Stanger said in a recent analysis for Holland & Hart LLP. As with any other PHI, you generally need the patient’s written, HIPAA-compliant authorization to disclose exam and test results to the employer.
“However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization,” Stanger said. Also, the patient’s exam or test results may affect his employment, which would create an incentive for the patient to execute the authorization.
There are a few very limited exceptions where you can forgo patient authorization. You may disclose PHI to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, Stanger noted. Also, HIPAA allows disclosures to employers if the exam was part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state laws.
Additionally, HIPAA allows you to disclose PHI as necessary to comply with workers' compensation laws.
Best practice: If you conduct employment physicals, tests, or exams, make sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing exam/test results to the patient’s employer, Stanger asserted.