Have you ever??
KP68
164 Posts
Been told by a physician that he will not complete the FMLA Cert Form because it's in violation of the employee's HIPAA rights??
KP68
164 Posts
Comments
If the condition of ignorance persists, suggest that the form be given only to the patient, then the physician cannot imagine that he still has violated HIPAA.
You might also suggest he notice that the patient/employee has signed the form authorizing the physician to complete it.
If you were the one contacting the physician as the employer then that's why he told you that. Only the employee is allowed to contact the physician.
Somebody correct me if I'm wrong please.
Geno
An employer has absolutely no right to request or have access to an employee's PMI as it relates to FMLA paperwork. Such things as medical diagnosis, prognosis, charts, records, notes, treatment plans and progress reports are not available to the employer under HIPAA regulations, should never be requested or sought, and certainly cannot, under law, be released.
That aside; the employer absolutely can require the employee to supply sufficient medical information from a health care provider as to verify the serious health condition underliying an EE’s FMLA request. Just look at the DOL approved health care provider’s questionnaire for crying-out-loud. Surely you’re not suggesting that the employer is required to take the employee’s word for it when they request FMLA for themselves or a spouse, child, or parent?
Perhaps you could be so gracious as point out for all of us exactly where in the regulations (FMLA and HIPPA) your position is sustained.
Geno
If either of you is requiring such information, you are violating the law, both the HIPAA and the FMLA.
FMLA is specifically excluded from HIPAA regulations. HIPAA privacy regulations pertaining to PHI pertain to electronic transmission of protected health information. There are specific exclusions under HIPAA for FMLA, STD, LTD and Worker's Comp(I'll have to dig through the regs to find the actual reference).
As to what we require for FMLA, we're not asking for the specific info you are stating, but we do run STD concurrent with FMLA and our STD administrator does obtain that info to evaluate STD eligibility. Otherwise, you're correct that we don't ask for any of that if it's an FMLA that's not covered under the STD plan.
AJSPHR's insight is spot-on -- the preamble to the Department of Health and Human Services Final Privacy Rules makes it quite clear that only information that is created, maintained, or transmitted by a covered entity is PHI (it’s PHI by the way, not PMI) – and furthermore, an employer, acting in its role as an employer, is not a covered entity.
Maybe I misunderstood KP’s original question, but I thought the issue had more to do with HIPPA than FMLA. I re-read my post several times and darned if I could find anywhere where, in responding the question, I implied that there were no limits to the level of information that the employer is entitled to in its efforts to administer FMLA.
I must add though, since you brought it up, that the DOL approved health care provider certification form that I am using, ([url]http://www.dol.gov/esa/regs/compliance/whd/fmla/wh380.pdf[/url] ) does indeed ask the health care professional to provide a little more than a few checkmarks and a generic certification. It doesn’t get much more specific than, “describe the medical facts which support your certification” -- or personal than, yes your employee is pregnant, has been since _____ and will be until _____. You will also note that the instructions on the form route the completed document back to the employee (who is entitled to his/her own PHI), who then provides it to the employer.
We can all agree that employers traffic in and hold, on a daily basis, health information for employment-related purposes, such as administering sick leave and complying with laws such as the Family Medical Leave Act, the Americans With Disabilities Act, worker’s compensation and federal and state health and safety regulations. What I apparently did a poor job of conveying was that, according the final HIPPA regulations, this type of information, held by the employer, in its capacity as an employer is not PHI, and therefore not subject to the regulations. I stand by my original statement, i.e.: a physician, using HIPPA as rational for refusing to complete a properly-produced FMLA form, is misinformed.
GENO,SPHR
An employer is never at liberty to ask a medical practitioner to release to you a patient/employee's PHI for purposes of assisting you in an FMLA determination. Nor does the WH 380 invite that information, if properly used. The only exception to that would be a case of concurrent workers compensation. The 380 can be completely and accurately presented without a single entry of diagnosis, medical observations, prior illnesses and conditions, medical notes, cause or manner of illness, prognosis, medical test results, patient ailments or specific treatment plans. What more can constitute PHI in your opinion?
It appears to me that you're attempting to find creative ways to have and hold an employee's PHI, for whatever reasons, rather than to conservatively stay within the law while administering your programs. Most employers, in my opinion, try to find ways to NOT be in posession of such material, rather than searching for creative ways to have it or justify having it. Just an observation.
Yes, I have read 29 CFR 825.306, in fact, many of us, I'm am sure have read 29 CFR 825 in its entirety (my copy is dog-eared and yellow with age – just like me.) – it doesnt't say anything different today than it did ten years ago when I read it the first time. There are inquiries on Form WH-380, the answers to which could be described as PHI (as defined by HIPPA). It is information that, (and this is the key to understanding the concept Don) the employer, in its role as an employer, is allowed to possess.
Let’s see what it says Don: (b) ” Form WH-380, as revised, or another form containing the same basic information may be used by the employer; however, no additional information may be required. In all instances the information on the form must relate only to the serious health condition for which the current need for leave exists. The form identifies the health care provider and type of medical practice (including pertinent specialization, if any), makes maximum use of checklist entries for ease in completing the form, and contains required entries for:
(1) A certification as to which part of the definition of “serious health condition,” if any, applies to the patient’s condition, and the medical facts which support the certification, including a brief statement as to how the medical facts meet the criteria of the definition.”
……and the medical facts which support the certification…got that Don?
It goes on to allow the employer to know the approximate date that the serious health condition commenced, its probable duration, whether the condition is chronic and whether the patient is presently incapacitated. Among many other things, the employer also has the right to know the likely duration and frequency of episodes of incapacity, whether additional treatments will be required and an estimate of the probable number of such treatments.
All from the federal regulations Don -- the ones you ask us all to read.
Most of the information that the regulations allow the employer to be in possession of would, by HIPPA definition, qualify as Protected Health Information. However, you will notice that the FMLA regs do not mention PHI. Why? -- because in 1995 the term wasn’t "born" yet!
Look carefully at the top of Form WH-380 Don. Technically, the requester of PHI from the health care provider is the employee -- an entity that is obviously allowed to be in possession of his/her own health information -- and an entity that is free to share it with whomever he/she wishes.
No virture in being presumptuous Don, there's no creativity in use here, just a complete read of both sets of regulations – not just one.
I’ll say it one last time and then turn the microphone over to you, (for good on this issue Don, congratulations, you apparently have more free time than I do) an employee’s health information (as defined by 29 CFR 825.306) that might otherwise be considered PHI (as defined by 45 CFR Parts 160 and 164), when held by the employer, in its capacity as an employer is not subject to HIPPA regulations. I stand by my original statement.
sine die,
GENO, SPHR
Block 3 & 4 ask for a multiple choice response by the physician. and then ask for the physician to describe the medical facts which support your certification. I do not control the physician's pin or selected words; however, we are prepared to apply HIPAA standards to the physician's certification and treat his words with the appropriate level of security.
Block 5. of the form reads:
"State the approximate date the condition commenced, and the duration of the condition (and also the probable duration of the patient's incapacity, if different). Again, I do not control the pin nor the words written but we will secure same, appropriately.
Block 6, of the form ask for his treatment plan.
I've got to run check on the payroll and sign some pay checks, so I'll check on this tread tomorrow.
Bottom line, I recommend the use of the WH-380 as it is, the physicians have not stopped filling them out and probably because of the heading on the form the physician is less concerned about completing the form.
PORK
Here is where I left it: I told the employee to tell her doctor to send the form to HER and she can turn around and send it to me. I explained that this form was not created by the employer, but by the DOL and we are simply following the laws that have been forced upon us.
I am leaning towards the view that this is not subject to HIPAA regs....if it is, then how can anyone NOT get 12 weeks off? I have to believe that the DOL had some good intentions of being so explicit in describing what a SHC is in order for us to be able to determine who does and does not qualify. If we were not able to get some medical info, everyone would get the time off, I'm afraid.
I will certainly keep you all posted on this.
Thanks for a good read!
KP68
Careful, my words did not say the information is not subject to HIPAA. It is from the perspective once the information is obtained then you and your company are in the HIPAA arena and you must treat the information accordingly and you must secure the information as required.
PORK
Thanks for clarifying.
If you run STD concurrent with FMLA and you administer your STD, you will receive some medical information, but it's not PHI as defined under HIPAA so HIPAA does not govern it. Instead, it is private medical information that you should keep confidential to the extent possible.
Just my .02
TWO teaching bullets that give me concern about your strong opposition or point of view.
a) Privacy b) Security
b) Security: The provisions Controls access and protects information from accidental or intentional disclosure to unauthorized persons. It protects information from unauthorized alteration, destruction or loss. It is protection aimed at operating sustems.
It has nothing to do with how you came upon the information, but once medical information and records, faxes, e-mails, pictures, x-rays, reports fall into our hands for whatever purpose we are required by HIPAA law to protect the information and systems, accordingly.
A) Privacy: we are charged with Protecting members' Protected Health Information from unauthorized uses and disclosures.
Members' Protected Health Information (PHI)which is provided on the certification form provided by the concerned physician for the purpose of making a decision on the approval or disapproval by an EE of this company will receive the protections demanded by federal law within this company, period.
I encourage all to use HIPAA as your guide and protect your EEs and company from needless litigation. Being proactive will save a lot of reactive and time consuming efforts to explain why someone in this company released information which was obtained by the HR department of company XX.
Everyone have a Blessed day and a better tomorrow.
PORK
First let me state that I am not at all condoning releasing or sharing private MEDICAL information. We maintain any confidential medical info in separate confidential medical files and we don't give access to those files for anyone.
I'm being stringent about the HIPAA portion because HIPAA is intended to protect against the electronic submission of private health info from a covered entity - a health insurer, an employer for a self-funded plan, or a dr's office. The fear or concern that drove the legislation was technology making it far easier for covered entities to share protected and private health information without the patient's knowledge. HIPAA was intended to protect against that by requiring releases and permissions and safeguards.
The act does specifically excluded short term disability and long term disability benefits, worker's compensation and FMLA.
Ultimately, I agree that I would not share this info and would protect the confidential nature of it. But it's not HIPAA that's driving my behavior - it's how we've always handled it.
Here's a correlation. The highway patrol has established the maximum speed on Mississippi roads which are not interstates at 65 in some cases. If you restrict the speed of visitors to your pasture to 65 mph, you have done that by choice, not because the highway patrol regulates your pasture speeds.
You beat your head against this wall for a week last year in this same HIPAA converstion. x:-) Now, if you disagree with me, please restrict your comments to my argument, not to me personally.
When I read a posting from someone in our group, who is seeking realtime help for a "individual concern", I respond based on the sense of what I am reading and my personal experience and knowledge. I care less for who is doing the typing.
Bottom line on this issue HIPAA is now an intragral part of all of our HR lives. If I'm young and don't know or am not comfortable with what I do know or experience I would pay close attention to one with YOUR experience. I read "you" and "AJ" loud and clear that you do not accept there is the remotest possibility that there is any concern in this member's sphere for HIPAA. Fine, but after reading my post the originator has a balance of professional HR input on which to chew.
Yes, this company is very conservative and down to earth in everything we do. At the same time we are a very "large target" that can not run along behind the setting sun; we are present 25 hours a day and 8 days a week, whether we want to or not. The original poster may be a like organization, therefore, the original poster can accept my thoughts or toss my thoughts and experiences and at the same time take your advise as written.
Glad to be here! I am also glad to know you pay attention to what I post, like it or not.
PORK
I support you personally and professionally, more often than not. If you take it personally good then also take the disagreement personally. I do not have the ability to reach in and seperate you from your words, nor do I want to. Bit I do have the ability to post a balancing thought, even though my old thoughts might be way out there in the "outfield lounge".
There is no way to seperate your words from you personally and nor do I wish to do so.
My posting on this thread is to help the original forum member asking or bring up a topic for our consideration and our choice to give of our experiences.
I was right this time last year and I am right this year. HIPAA is an intragral part of all our HR worlds of work. Take heed or one may not be a member of the HR world in the future! Yes my company is very conservative and with tight resources. We are a big target and no way to hide behind the "setting sun", we have no room for a chance of being wrong. Yes, I, as the responsible administrator in this sphere of our business, I protect the business by requiring all to travel at no greater than 65 miles per hour on our farms roads. The fact here, Don, is there is a rule and guidance on which to proceed; therefore, the idiot travelling 65 on our farm road is fore warned. I believe that HIPAA is a rule and by picking up on the bottomline issue of the rule PRIVACY AND SECURITY OF PHI regardless of where or how it came into our hands it will be covered by the provisions of HIPAA.
The previous response was better and much more personal.
PORK
Now, yes Any PHI on hand in this department pertaining to anyone in our company and anyone out side of this company is going to be considered as HIPAA QUALIFIED! To me that makes sense and is the smart thing to do.
Yes, traveling on our farm roads at less than 65 miles per hour is good sense and smart, only a dummy would do otherwise, obviously, MDOT had a good engineered reason for the rule. I recommend less, but for your purposes, we choose to take the Department of Transportation's rules and apply them to our farm road not because we are required to do it, but because we were not smart enough to use our good sense to limit the speed limit to 10 miles per hour (which is the posted speed limit).
The MDHS has a rule based on the FEDERAL rule and it is called HIPAA, we choose to incorporate our guidance and rules based on the FEDERAL rule and anything having to do with our EEs medical situation to include enrollment for our medical plan is PHI protected, likewise, so is the FMLA completed document. That way, anytime our receptionist at the front door receives a piece of medical information pertaining to someone regardless of who it is, OUR RULE IS SECURE IT AND GET IT TO HR FOR SECURITY AND PROTECTION OF PRIVACY RIGHTS.
Personally, I think that is the easy way of being in compliance. If we do better than the law we are in compliance and this company is protected and I keep my job! Pretty good reason don't you think!
PORK
PORK
Regardless of the outcome, I did learn something, and thus, it served a purpose!
- KP68
The doctors office records manager completed the forms and the situation was resolved.
If this would not have worked, I would have notified the employee in writing why their FMLA leave request had been denied.