Question 1014
Lily works in a hospital human resources department and interviews a man with gaps in his employment that he explains as medically necessary. Lily asks a coworker to search for the applicant’s medical information to make sure he doesn’t have a medical issue that would compromise his ability to perform the job.
Is this a HIPAA violation?
The correct answer and explanation are:
Answer: Yes, this is a HIPAA violation.
Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy and security of individuals’ medical information. HIPAA applies to “covered entities,” such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Employers, however, are generally not directly subject to HIPAA unless they operate as a covered entity or business associate. Despite this, accessing an individual’s medical records without authorization can still be a violation of privacy laws and ethical guidelines.
In this scenario, Lily works in a hospital’s human resources department and asks a coworker to access the applicant’s medical information to confirm whether a medical issue could compromise job performance. This constitutes a violation of HIPAA if the coworker retrieves the information improperly from the hospital’s records. Medical information is protected under HIPAA, and healthcare employees are prohibited from accessing or disclosing an individual’s protected health information (PHI) without proper authorization or a valid reason related to treatment, payment, or healthcare operations.
Employers must also comply with the Americans with Disabilities Act (ADA), which restricts inquiries into an applicant’s medical history unless they are job-related and consistent with business necessity. Under the ADA, Lily’s request is inappropriate because an employer cannot seek medical information unless the applicant has been offered a job and the inquiry is directly tied to job performance.
Even though the HR department may not directly fall under HIPAA’s jurisdiction as a covered entity, improperly accessing PHI violates ethical principles, employment laws, and potentially state privacy laws. Lily’s actions could lead to serious consequences for the organization, including fines, legal action, and reputational damage. This underscores the importance of maintaining confidentiality and respecting legal limits when dealing with medical information in employment processes.