HIPAA benefit authorization form

I recently attended an HR workshop where the speaker claimed that HR would need a an authorization from the employee each time we needed to get into an employee's benefit file. That would be ludicrous. Wouldn't an authorization form, signed at the time of open-enrollment work for that plan year? Is this even necessary?


  • 3 Comments sorted by Votes Date Added
  • [font size="1" color="#FF0000"]LAST EDITED ON 01-17-02 AT 07:50PM (CST)[/font][p][font size="1" color="#FF0000"]LAST EDITED ON 01-17-02 AT 07:49 PM (CST)[/font]

    Ludicrous -- But may be true. It appears that if the purpose of going into the file is only to assist the employee in getting their benefits or for other soley administrative purposes (as opposed to making an employment decision about the employee based on the medical info) a seperate release may not be required. But if you are accessing the medical information to use in making an employment decision, a seperate release probably is required. (CAVEAT: I am not a HIPPA expert -- when this is brought up, my eyes usually glaze over):

    Here is a brief notice that my law firm (Andrews & Kurth, LLP) did about HIPPA:

    HIPPA Amendments Implicate Employee Privacy Rights

    Recent amendments to the Health Insurance Portability & Accountability Act (HIPPA) increase the protections provided to employee’s medical information. Specifically, companies that sponsor health plans may not access the personal health information held by the plan for employment related purposes without authorization from the patient.
    The authorization must be explicit, in writing, and in a manner that ensures that the authorization is truly informed and voluntary. The following must be included: (1) a description of the information to be used or disclosed; (2) the names of the persons to whom the information will be disclosed or from whom the information will be requested; (3) an expiration date related to the individual or the use of the disclosure; (4) a statement informing the individual of his or her right to revoke the authorization; (5) a statement that the information disclosed may be subject to redisclosure by the recipient and no longer protected; and (6) any direct or indirect remuneration to the covered entity as a result of the use or disclosure of the information.
    Disclosure of medical information must be limited to the minimum necessary for the purpose of the disclosure unless the disclosure is for purposes of treatment.
    When an employer receives medical information about an employee, the employer should keep that information separately from the employee’s personnel file. Also, the employer should ensure that the medical information is kept confidential, secure storage area with limited access, and only give to personnel with a need to know.

    Good Luck!
  • The above advise to you by Theresa Gegen is very accurate as is appropriate for a member of Andrews & Kurth, a very fine law firm. Let me add just one observation. Any employer needs to pay close attention to HIPAA as concerns privacy, particularly the part referred to as "the Privacy Rule." As to the employers impacted by the Privacy Rule, it directly impacts what are called "covered entities" which consist of health plans, healthcare clearing houses, and certain (practically all) healthcare providers. The term "health plan" can include an employer. A health plan is defined as any individual or group plan that provides or pays the cost of medical care. This can includes any employee welfare plan established to benefit employees. The question for each employer to be asked is whether the employer fits into that category. For example self insured employers for health definitely do as do certain employers that administer their respective plans. As to the need for a consent to deal with accessing medical records, the advice from Andrews & Kurth above is very good. Bear in mind that the Privacy Rule is presently subject to a major modification proposal by the Federal Dept. of Heatlh & Human Services that could impact this question. Despite such potential changes, all employers must be very sinsitive to the growing state of confidentiality that pervades an employee's medical information. Whether it is HIPAA, FMLA, ADA or even the recent changes in OSHA that provide for confidentiality for dealing with certain types of work related inuries, employers need to treat employee's health information carefully both by restricting access to only those persons that have a valid need and in no way using such data for employment decisions except in situations allowed by the law.
    Stanley P. Santire
    The PEER Institute
    Houston, Texas
  • Thank you very much for the info.
Sign In or Register to comment.