Ask HRC: Privacy and Confidentiality When an Employee Is Seen as a Patient

An HRC member recently asked for recommendations for managing privacy of an employee’s medical record when they are an actual patient of the organization. The facility is implementing an electronic health record (EHR) and is determining who should be able to access employee records, not to be confused with employee or employment health records maintained by an occupational health department.

In our response, HRC notes that first, and most important, is the issue of Health Insurance Portability and Accountability Act (HIPAA) compliance. As the question indicates, the records are health information records that are generated when the employee is seen as a patient – and are not employee health records. So, the HIPAA privacy standards (as modified by the HIPAA omnibus rule) must be complied with. And, if the patient information is in an EHR, the...