HIPAA: When does your boss get to see your exam results?

Contrary to common belief, it's not automatic

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams or employment physicals. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. 

In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization.

An employee who receives an unfavorable test or exam result may attempt to block disclosure by revoking their authorization. Although patients are generally entitled to revoke their authorization by submitting a written revocation, HIPAA contains an exception that limits revocation if and to the extent that the provider has taken action in reliance on the authorization. That exception should apply when the provider has conditioned and provided the test or exam in reliance on the patient’s authorization.

There are very limited exceptions to the authorization requirement. As in other situations, a provider may disclose protected health information to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or if the disclosure is otherwise required by law.

HIPAA contains a specific exception that allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. Finally, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers' compensation laws.

The bottom line: if you are a physician or other provider who conducts employment physicals, tests, or exams, be sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing test or exam results to the employer.


Kim Stanger is a partner in Holland & Hart's Boise office. Clients in the healthcare industry trust him to provide sophisticated and nuanced counsel on everything from simple healthcare transactions to more complicated regulatory matters.

Pia Dean is a partner in Holland & Hart's Denver office. Health care law, in all its many aspects, is her passion. Her desire to better serve her clients and understand health care laws and regulations in depth led her in 2010 to return to school to begin obtaining her masters of law (LL.M.) in health law.

Bill Mercer is a partner in Holland & Hart's Billings office. He represents clients before government agencies in environmental matters as well as litigation related to the development of natural resources and health care fraud and overpayments.
