Information gatekeepers: Occ-health nurses must ensure employee privacy

On-site caregivers are being called to do more than treat patients

If you provide medical services at a company’s on-site clinic or occupational health office, you know the balancing act — organizing charts so they contain what they should but don’t contain more than is necessary; having information readily available to those permitted access to it, but making sure privacy laws are observed.

"It’s a real tricky area," agrees Barbara Lucas, RN, COHN-S, BS, CPC, an Arizona-based consultant who specializes in regulatory compliance, privacy, and Health Insurance Portability and Accountability Act (HIPAA) issues. "Insurance companies, medical reviewers, all want to see all the information in a patient’s file. So does the occupational health nurse have discretion? Yes, and it comes down to organization of charts."

Who is entitled to access?

Lucas says that in many on-site clinics, the nurse maintains a running progress note, documenting each visit by an employee. This leads, in some cases, to lots of comingled information and could lead to a privacy breach. "One of the significant issues in on-site clinics is the comingling of personal and work-related information that really should be segregated," she says.

OSHA inspectors can come into a workplace seeking surveillance data (data used to track occupational injuries, illnesses, hazards, and exposures, an integral part of NIOSH operations), and come away with more than they need or should have access to.

"They’re just looking to make sure surveillance is taking place, so they should only be seeking surveillance information," Lucas points out. "We should not turn over [an employee’s] whole record to OSHA; just the information they’re seeking."

But the most common potential compromise to employee health records comes from within. "The most challenging is human resources’ [HR] and supervisors’ access to medical information," Lucas says. "A lot of times, it’s for valid work reasons or they genuinely want to know how someone is doing. But there is no HIPAA privacy requirement for a supervisor. A lot of times, you’ll see people sending out an e-mail — So-and-so had a heart attack last night’ — and I just cringe."

The chain of command leading to the occ-health nurse can lead to some uncomfortable situations, too. "Where you get into trouble with HR is that a lot of nurses report to HR, and HR supervisors feel entitled to see records; but the issue is why do they want to see them?" Lucas explains.

Right to know vs. need to know

The reason for confusion can be traced, in many cases, to what may appear to be a conflict between what’s permitted by the Americans with Disabilities Act (ADA) and what’s controlled by HIPAA privacy rules. The ADA allows for "reasonable accommodation" of employers to obtain information on employees’ health issues.

"But does HR have the right to the entire record, or just to those [work-related health] issues?" Lucas asks. She recalls being assigned temporarily to a company’s on-site clinic and being visited by someone from HR who wanted medical information on an employee. The occupational health nurse working at the time refused and documented the request. Sometime later, that nurse was out and a temp nurse was filling in; the same HR employee came to the clinic and asked for the information, and again was refused, and again the request was documented. "Finally, when another temp was filling in, the HR employee came in, asked again for the medical information, and when the temp nurse pulled the chart and saw the documentation of the two previous requests, she said, If the other two nurses wouldn’t give it to you, what makes you think I would?’"

Lucas says requests from supervisors who merely want information out of concern for the employee also pose privacy challenges. "It’s a touchy situation for the nurse to explain that an employee has, say, certain restrictions to doing his or her work but without saying why," she explains. "It’s very touchy when you have someone with a chronic health condition that could cause a life-threatening emergency in the workplace; it’s in the employee’s best interest for a supervisor to know about it, but the nurse would get in trouble for disclosing that information to a supervisor because it violates HIPAA."

Lucas says she encourages such employees to discuss their health conditions with the supervisor; she sometimes is present, to provide medical information within the confines of the privacy restrictions. The occ-health professional charged with maintaining employee health records has to learn his or her state’s privacy laws as well as HIPAA privacy laws and how they dovetail or differ.

"You have to separate out workers’ comp from personal and private information, and know what’s OK to release under subpoena under the workers’ comp system," Lucas advises. "Be very familiar with state laws. HIPAA is very specific that workers’ comp and disability are not covered under HIPAA, but that the state laws and workers’ comp laws would still apply. You can’t just give the charts to whoever asks."

Occ-health nurses must exercise caution, even when an employee’s medical condition appears to be common knowledge among coworkers. "Just because HR knows what the medical condition is, the nurse still can’t discuss the condition," says Lucas. "Even if the employee has told her supervisor, the nurse is still restricted only to discussing what the restrictions are, and not the why’ of the restrictions."

Some companies have a practice of doctors’ notes regarding work restrictions being given directly to the supervisor, but Lucas says her recommendation to companies she consults with is that physicians’ notes need to be handed to the occ-health professional, and the nurse then sends the supervisor a form that details only the work restrictions. "You have to remember that there is company liability at stake, and possibly personal liability, as well," she points out.

While it is necessary to keep adequate documentation to support any nursing support given to a worker, it is not necessary — or even wise — to document and record everything, says Lucas. "If an employee comes in with an upset stomach, then pours out her soul about emotional issues, that information is confidential," she says. "The nurse should probably not document everything, but for the record would document the basic information — stomach pain, emotionally upset, stress, problems at home — no need to document that her husband was arrested for embezzlement."

More routine information should also be kept separate from the job-related information. Blood pressure checks are one example. Lucas recommends blood pressure checks be kept in a separate log, unless it becomes linked to work.

What about finding out information that has nothing to do with job performance or injury? Lucas says discoveries need to be handled on a case-by-case basis. "Say you’re in a hospital setting, and a patient contracts [tuberculosis]," she says. "You’re required to report that. So what generally occurs is that you attempt to maintain confidentiality, but management has to identify who has worked with that person. Under the circumstances, it would be considered an incidental disclosure because [the co-workers] would be required to undertake TB testing."

What if, during the course of taking a patient’s history for a musculoskeletal injury, among the medications he is taking is the anti-HIV drug azidothymidine. His HIV status does not affect his job or the safety of his co-workers; should that information be documented at all?

No, says Lydell Anderson, MD, an occupational health physician in Long Beach, CA. "Until there is 100% assurance that an employee with HIV or a pacemaker will not be discriminated against, we must act in the best interests of our patients," he says. "Any other choice will eventually undermine their trust and prevent us from obtaining this very important information in the first place."

An employee who is visibly angry and upset could pose a potential for violence in the workplace. "That would be the most difficult scenario I could identify," says Lucas. "If a company has an EAP [employee assistance program], then it’s an easier course to take," she continues. "If not, there is an obligation to report and provide protection."

Another example given by Lucas is the employee who takes warfarin following a heart attack. She advises that the employee discuss the fact that he or she is taking the blood thinner, so that if any-thing happens at work, someone will be able to alert medical personnel. Lucas says cases like these illustrate one important reason companies are hiring occupational health nurses — it’s not always to treat ill or injured employees. "Companies are hiring occupational health nurses, in part, to protect the privacy of their employees and those medical records," she says. "And it’s been my experience that most occupational health nurses are doing a very good job."

For more information, contact:

  • Lydell Anderson, MD, Occupational Health Clinic, City of Long Beach, CA. E-mail:
  • Barbara Lucas, RN, COHN-S, BS, CPC, Consultant, Comprehensive Practice Management Resources, Gilbert, AZ. Phone: (480) 558-0192. E-mail: