Medical info privacy rules don’t go far enough

Stronger protections needed, EHPs say

After an injury, illness, or medical leave, employers need to know whether their employees are physically capable of doing their jobs. But if an administrator demands details, what legal backing do employee health professionals have for maintaining confidentiality?

New federal regulations covering electronic medical information add some privacy safeguards, but legislation is still needed to ensure protection of medical records, says Kae Livsey, RN, MPH, public policy and advocacy manager for the American Association of Occupational Health Nurses in Atlanta.

"The day occupational health nurses take a job, they’re automatically torn between the employer and the employee," says Livsey. "In the course of their job, they collect a great deal of highly personal information on employees. It’s not uncommon for occupational health nurses to be asked to disclose very personal medical information by personnel [administrators].

"We’ve had nurses who have lost their jobs because they didn’t want to disclose information and there’s nothing to back them up," says Livsey.

Administration may have a legitimate concern about whether or not an employee is capable of carrying out the necessary tasks of a job. An employee health professional can answer that question but cannot ethically reveal details of the diagnosis and treatment, says Livsey.

"The only thing I can tell that supervisor is whether that employee is able to come back to work and whether or not they have restrictions," agrees Mary Ann Gruden, MSN, CRNP, NP-C, COHN-S/CM, executive president of the Association of Occupational Health Professionals in Healthcare in Reston, VA, and an employee health nurse practitioner at Sewickley (PA) Valley Hospital.

Employee health practitioners should establish a policy based on professional standards and standards from the U.S. Occupational Safety and Health Administration and the Joint Commission on Accreditation of Healthcare Organizations, Gruden advises. The OSHA record-keeping standard, OSHA 29 CFR 1910.1020, outlines access to employee medical records.

Meanwhile, the U.S. Department of Health and Human Services issued regulations to protect the privacy of electronic health information. The regulations limit disclosure of electronic medical information to only what is needed for treatment or claims processing, unless the patient provides written consent. Individuals have a right to obtain access to their own medical information and to correct inaccurate or incomplete records.

"It doesn’t provide protections for paper records," notes Livsey. "It’s unclear how far it will go for providers in an employer environment. In all likelihood hospitals, because of the [electronic] claims processing they do, would be subject to these rules."

Several bills were introduced in Congress last year to protect medical information, but none passed. Efforts are continuing, Livsey says.

"We feel strongly that there is still need for national legislation," she says.