Know penalties for privacy reg violations

The unauthorized release of employee health information can result in civil, and sometimes criminal, liability under both federal and state laws.  For example, covered individuals under the Health Insurance Portability and Accountability Act (HIPAA) face civil fines ranging from $100 to $25,000, depending on one's level of intent. Criminal penalties include fines ranging from $50,000 to $250,000 and imprisonment of up to 10 years. 

"Personal liability may also arise under the Family and Medical Leave Act, depending on your jurisdiction, and give rise to state law claims for invasion of privacy, defamation, negligence, and breach of confidentiality," warns Kathleen Liever, an employment law associate at Fowler White Boggs in Tampa, FL.

Unauthorized disclosure could also result in disciplinary proceedings before licensing boards.  "Likewise, employers may face civil and criminal liability under federal and state laws," says Liever.

Your first step is to become very familiar with federal and state laws and regulations addressing privacy and confidentiality issues, especially any limitations and exceptions to confidentiality. Next, educate management and human resources.

"You are in the best position to tell your employer how to safeguard employee health information," says Liever. "Get involved in the development or revision of policies and procedures, before you find yourself in a difficult position."

Your best bet is to keep your response simple. "Absent employee consent or the application of a limited exception, an occupational health nurse or manager is obliged to release health information only to the extent of advising the employer whether the employee is fit, unfit, or fit within limitations, to perform a particular job without endangering anyone else," explains. Liever.

Provide what information you can. Then, explain that anything beyond that is "confidential and protected by law from disclosure." "If that is not enough, try reminding management and human resource personnel that there are strong penalties for inappropriate disclosure," says Liever.