Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Can healthcare professionals share PHI from previous workplaces?

Written by Kirsten Peremore | July 12, 2024

HIPAA does not generally apply to employment information unrelated to healthcare treatment or operations. An Interactive Journal of Medical Research article on the evolution of information sharing notes, “Sharing health data among health care entities can yield several benefits that include improving care coordination, care quality, and patient safety while reducing mortality rates, medical errors, and health care costs.”

The sharing of PHI across healthcare entities is permitted only under specific conditions, primarily for treatment, payment, or healthcare operations, and always with strict adherence to patient privacy and the minimum necessary standard. Health information sharing has been driven by technological advancements and regulatory incentives to promote interoperability among healthcare organizations. 

Programs such as the federal Meaningful Use initiative have encouraged the adoption of certified electronic health records (EHRs) and the use of Health Information Exchanges (HIEs) to facilitate the secure and efficient flow of patient data across different providers and institutions. These initiatives aim to improve care coordination, reduce redundant testing, and enhance patient outcomes by enabling healthcare professionals to access relevant PHI regardless of where it was originally recorded.

When a healthcare professional moves to a new workplace, sharing PHI from a previous employer is permissible only if the disclosure aligns with these treatment, payment, or healthcare operations (TPO) purposes and the new workplace is involved in the patient's care or healthcare operations. The Privacy Rule requires that only the minimum necessary information be shared to accomplish the intended purpose, ensuring patient confidentiality is preserved.

 

Sharing PHI between healthcare providers for treatment and care coordination

An eClinical Medicine study on the treatment of health data sharing in its primary and secondary uses notes, “Primary use of data is typically performed by the entities that produce or collect these data while providing real-time, direct care to the healthcare consumers… Sharing intentions for primary purposes were observed to be high regardless of data type, and it was higher than sharing intentions for secondary purposes.”

The HIPAA Privacy Rule broadly defines treatment as the provision, coordination, or management of healthcare and related services by one or more providers, including consultations and referrals between providers involved in a patient’s care. This means that when a healthcare professional moves to a new workplace and needs access to PHI from a previous employer to continue or coordinate a patient’s care, sharing such information is permissible under HIPAA, provided it is relevant and necessary for ongoing treatment.

Specifically, treatment-related sharing includes activities such as consultations between providers, referrals for specialized care, and management of patient treatment plans. For example, a physician joining a new hospital can access clinical notes, laboratory results, medication histories, and treatment plans from a previous employer to ensure continuity of care and avoid redundant testing or conflicting treatments.

Beyond treatment, HIPAA also permits the sharing of PHI for healthcare operations, which include activities essential to running a healthcare organization effectively and ensuring quality care. These operations encompass quality assessment and improvement, provider credentialing, case management, care coordination, fraud detection, clinical guideline development, patient safety activities, and training programs. For PHI from a previous workplace to be shared for healthcare operations at a new employer, three conditions must be met:

  • both entities must have or have had a relationship with the patient
  • the PHI requested must pertain to that relationship
  • only the minimum necessary information should be disclosed

For example, a new employer can request PHI to verify a healthcare professional’s credentials or to conduct quality reviews related to patients previously treated by that professional.

 

Does HIPAA apply to past employment?

According to HHS guidance on HIPAA and employers, “The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.”

HIPAA focuses on protecting your medical records and other personal health information, but it doesn’t cover everything. For instance, when it comes to your past employment health information, HIPAA generally doesn't apply. This is because the legislation governs how health plans or healthcare providers handle your PHI, not how your employer does. This means that any health-related information in your employment records, like the medical exams you might have taken when you first got the job or sick leave records, isn't safeguarded by HIPAA.

The main idea here is that your employment records, even if they contain health information, are considered part of your employer's business records. Therefore, they are governed by other laws and regulations, not by HIPAA. 

 

The exceptions to note

According to a chapter on the applications of HIPAA from Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, “The Privacy Rule protects all personally identifiable health information, known as protected health information (PHI), created or received by a covered entity.”

There are, however, rare fringe instances in which HIPAA does overlap with an employee switching jobs, especially when the transition involves health plans or healthcare services:

  1. If an individual is enrolled in their employer's group health plan and they change jobs, HIPAA's rules on portability ensure that their health coverage can continue during periods of unemployment or new employment. This could involve transferring their health information between insurers to maintain coverage without a break.
  2. When an individual leaves a job and chooses to continue their health coverage under the Consolidated Omnibus Budget Reconciliation Act (COBRA), HIPAA ensures that their PHI remains protected under the same privacy standards as it was when they were actively employed.
  3. HIPAA limits the extent to which new employer health plans can exclude coverage based on pre-existing conditions. This means a new employer's health plan cannot use an employee's past medical history, which includes PHI, to deny or limit coverage unfairly. In such cases, the transfer and use of their PHI would still be protected under HIPAA.
  4. If a new employer offers a wellness program that involves health assessments or biometric screenings, HIPAA rules may govern how this health information is collected, used, and protected, particularly if the program is part of a group health plan.

See also: HIPAA and workplace wellness programs

 

FAQs

What is RBAC?

Role-Based Access Control (RBAC) is a method of restricting network access based on the roles of individual users within an organization.

 

What is PHI?

Protected health information (PHI) refers to any information in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service, such as diagnosis or treatment.

 

Which law applies in an employment situation?

In employment situations involving health information, HIPAA applies, regulating how medical information about employees can be shared and used by employers.