Get-well cards and HIPAA
MrCreosote
144 Posts
Does the practice of passing around a get-well card for an employee in the hospital, for co-workers to sign, violate HIPAA, since this is indirectly (pretty directly, actually) telling everyone the person is ill? I think this is a common practice, but I could be wrong.
Thanks to everyone who answered my previous question - I agree with you, but I've been outflanked. The card that concerns me reached me after half of the company, including the President, had already signed it.
Thanks to everyone who answered my previous question - I agree with you, but I've been outflanked. The card that concerns me reached me after half of the company, including the President, had already signed it.
Comments
What is of concern here could be ADA (American's With Disabilities Act) or any other state laws addressing confidentiality. Under many of these laws, the employer has a duty to protect confidential medical information from unnecessary disclosure for non-business reasons. ADA could come into play if it creates an atmosphere of perceived disability by the employer, supervisor, etc.
I would suggest that you obtain at least a verbal agreement to pass along the fact that an employee is ill (or a family member speaking on the authority of the employee if the employee is incapacitated). Absent that, I would avoid a general policy of passing around a get well card. I know that I personally, would be offended if news of a personal illness became public knowledge.
(The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form...) [url]http://www.os.dhhs.gov/ocr/privacysummary.pdf[/url]
Information that is used strictly for “employment records” is not subject to the Privacy provisions of HIPAA. (It is important to note that such records may be subject to employment privacy protections in other federal and state law.) An “employment record” is not defined in the law – but “Questions & Answers” in the recently released regulations state that it is not the nature of the information that determines whether or not it is an employment record but whether or not the employer creates and uses the information as an employer for employment purposes or as an administrator of a health plan for purpose of the health plan administration or maintenance. The latter means that it is subject to HIPAA Privacy Rules.
Since "employment records" are not subject to HIPAA Privacy requirements (but as noted above may be subject to other privacy requirements) the difference is not one of semantics. Privacy requirements entail numerous procedural requirements - such as maintaining a disclosure log as well as identifying when, where, how and what information may be disclosed. This is a much more onerous task than the maintainence of normal confidentiallity requirements of non-HIPAA privacy laws.
Yes, my understanding is the same as yours, I believe. But a written authorization is needed only for disclosures that are not "automatically authorized" - in other words if your Notice of Privacy Practices and Plan Document identifies specific types of disclosures (such as communications with your insurance broker or the insurance carrier) those disclosures do not need a written authorization. A written authorization would be needed for those not specifically identified. For example, if your insurance broker wanted to release medical information to an insurance carrier from whom you were seeking a quote for a new benefit plan.
The Disclosure log lists only such disclosures that were not "routine" (disclosures that were not authorized by virtue of the NPP and Plan Document OR were subsequent to a Written Authorization.)
HIPAA is a typical law - written in such a way as to confuse everyone...
Thank you very much. With all of these changes who can keep up? Every time I see something about HIPAA, there is always new or different information. I was unaware of the information you just shared. Thanks again!
Please tell me I am not crazy to think it is going a bit far to worry about sending or signing a get well card.
Once we forgot to send a card to someone when he was out and when he came back to work he was all bent out of shape because he got no card while in the hospital. I think cards mean a lot to sick employees. We have never had anyone upset at a card and flowers.
I'll take my chances.
Now prove you weren't the one that said it! I'd rather avoid the hastle all together. I am speaking from personal experience. We had an ee out on leave and one of the HR people here signed the get well card. Three weeks later we got a letter from an attoney that said their clients privacy rights were violated. We're still fight it out trying to prove our HR Administrator did tell other about the ees illness. We will likely win the case but at what expense.
We are a non-profit service agency and we want to serve our own! I read something ahile back, might have even been my Texas ELL about a person who filed some type of charges after having been on leave. In court it boiled down to they felt uncared for because no one from the company reached out to them to see how they were doing. We walk a fine line between watching the laws and privacy, etc. and ensuring employees feel cared about. I think it would be important that if your company doesn't allow cards to be circulated, etc. that HR (benefits rep or HR Mgr/Dir) take the initiative to send a card to the employee. Those little touches can mean alot!
I'll probably make somebody mad with this comment, but it's not intended to be mean-spirited... it's just that I think there are too many managers (of all disciplines) who take the easy way out instead of doing what is most effective for the company. In this case, saying "I don't know whether I can send a get-well card without violating HIPAA so I won't send them" is taking the easy way out. The effective route is to control the situation in such a way that it makes the sick employee feel missed, and a part of the team, while monitoring the content with HIPAA in mind.
It's akin to the school of thought that says "I don't know if I can give a performance evaluation that won't be used against me later, so I won't give them."
There are risks you incur the first day you open for business. Control them, monitor them, but don't throw the baby out with the bathwater.
Imagine the conversation...."Honey, awhile back when you were in the hospital, I noticed the company didn't send flowers, not even a card. What's up with that?" "Oh, they stopped that in April of '03. Something about government regulations and what types of information the company can discuss or have or share with employees and flower shops I think. And if they know you're sick, they have to pretend they don't. Anyway, I understand, although flowers would have been nice. They're even talking about prohibitions on our asking "How are you feeling today?" when we greet each other in the mornings. And they've already stopped ordering cakes for retirements since they say it'll signal to all the rest of the staff that the retiree is old."
Just for your information, we send flowers immediately to the hospital in such situations. We did so in this case, too, with a card. The employee works at a branch and the card that caused my concern was being passed around the corporate office among people who have never met or worked with the sick employee. Many did not even know that she was out until the card was placed in front of them. Also, the person who circulated the card did it for the express purpose of telling everyone about the illness, and she did it because she was mad at me because I refused to announce the illness company-wide by e-mail. I understand that's a different issue. My thanks to everyone for offering your opinions on this.
You got it right on the nose! We all need to acknowledge that "human" is part of our job title and duties!
psrcello
I am all for legalities, but we are getting WAAAAY too paranoid at the expense of humanity.
And I just give up because she's obviously not listening to anything I've said. I don't think she's being reasonable but I don't know what to do about it so I just hope she'll retire soon. That's what I was thinking when I read your message.
I think your argument is faulty because it is based on the premise that having employees sign a get-well card is automatically in violation of HIPAA.