Put a premium on privacy in employee health protocol
Give info on need-to-know basis
One employee has a medical file detailing a back injury that occurred at work. Another is a diabetic and consults with the employee health staff but never had a work-related problem.
Their records raise different privacy issues, but for employee health professionals, one truism holds: Only give supervisors the information that they need to know.
Employees often feel uneasy about the confidentiality of information maintained by employee health, notes Marilyn Piek, RN, MSN, COHN-S, CCM, RMHC, director of employee/corporate health services at Palomar Pomerado Health, a hospital district in northern San Diego County.
"If we ever want to get to proactive wellness and safety, we have to create a comfort level of confidentiality," she says.
Piek has worked to build that trust by making it clear that her department shares information only on a need-to-know basis. For example, if an employee fills out a health risk appraisal as a part of the wellness program, only one employee health nurse reviews that information and communicates with the employee. Employee health is not a part of the human resources department and the health information is separate from human resources files.
In fact, the employee's medical file is kept in a locked room, and each workers' compensation claim, which has different privacy considerations, is kept in a separate file, says Piek.
"A manager can't walk into the employee health department and demand to see an employee's medical record," she says. "They can ask questions about things they feel they need to know. It's up to the department protocol what information can be released."
For Rosemary Bootes, RN, CNP, MSN, MBA, nurse practitioner at Alliance Employee Health at Health Alliance, a six-hospital system in Cincinnati, demeanor also is important. She is consistently neutral when addressing any health issue, from a minor first-aid treatment to a life-threatening condition such as HIV.
"I'm very guarded about disclosing information, whether it's completely innocuous or not," she says. "If I'm very cavalier about information, then the moment I'm not cavalier, you think it's something serious — and I've already given you information."
Supervisors simply receive information on whether the employee has any job restrictions, she says. "All they need to know is how it's going to affect this individual's ability to do the job."
Here are some specific privacy issues faced by employee health professionals:
- HIPAA: Some employee health information is covered by HIPAA (Health Insurance Portability and Accountability Act) privacy provisions, which restrict access and require employee consent before it is shared. For example, personal health information obtained in a pre-placement exam but unrelated to work duties would be protected by HIPAA, Piek notes. Health information obtained in an employee health clinic to treat personal issues such as hypertension also would be protected. In general, employee health information should be treated with the same sense of confidentiality as that of other patients, says Piek. "We need to realize that the employer is not the owner of the medical information, the patient is."
- Needlestick reporting: Incidents are reported on U.S. Occupational Safety and Health Administration (OSHA) logs without identifying the employee. Lab tests are treated with the same privacy considerations as other patient records, and are released only to the employee health practitioner who is treating the patient. Because of sensitivity about possible HIV or other bloodborne pathogen exposure, some hospitals use codes instead of names and send the tests to an outside lab to further protect employee identity.
- Workers' compensation claims: Workers' compensation claims are not covered by HIPAA regulations, and information on those work-related injuries and illnesses will be shared with the insurer and case manager. The workers' compensation insurer may request information on similar injuries — for example, to determine if an employee with a back injury had previous work-related or nonwork-related back injuries. If the claim is for work stress, the workers' compensation investigator may delve deeper into the employee's personal health history, notes Piek.
  "Many employees do not realize that information beyond their employee health file may be examined by the workers' comp claims adjuster," she says.
- Accident investigation: At Palomar Pomerado Health, supervisors must conduct accident investigations, which include an interview with the injured employee. However, this discussion focuses on the incident and not the health effects. The supervisor also may discuss the accident with other employees to determine if there have been similar "near-misses" or to seek ideas about prevention. The employee's name and specifics about the injuries should not be discussed, however, says Piek.
- Pre-placement exams: Seek only what you need to know to determine the ability of the newly hired employee to perform his or her job duties, advises Piek. At Palomar Pomerado Health, the medical history questionnaire asks, "Do you have any physical, medical, or mental conditions that would make you unable to perform the job duties for which you are applying?" and "Have you ever had any medical conditions that caused you to miss time from work?"
  "We are hoping for honest disclosure during that process," she says. The health system also conducts physical exams to evaluate the employee's ability to perform job functions.
- Electronic communication: Don't put personal medical information in an e-mail unless you use encryption, Piek advises. E-mail advisories may tell employees that they are due for a TB test or influenza immunization. They may be used to briefly alert a supervisor that an employee has been cleared for duty or has job restrictions. "We're very careful about what we put in an e-mail," she says. "None of the details of that clearance should be discussed."