HIPAA and the letter excusing a return to the workplace

With the pandemic drawing to a close in May, many employers are requiring their workers to return to the physical workplace. Patients that are afraid that their medical situation makes that return too risky at this time are requesting a letter from the doctor preventing that return.  If the doctor believes this to be valid, they generate the letter. This is causing concerns about the risk to the patient’s privacy as well as how to handle requests from the employers for more details. Some practical ideas will help you navigate between caring for your patient and complying with HIPAA regulations.

What kind of authorization is need for the doctor to give this information to the patient’s employer?

If you treat this like you do an absentee notice to schools or employers, no authorization is required. Give the letter to the patient and have them deliver it to their employer. Then, you are not the one releasing the information, and the responsibility is on the patient. If you must send the letter directly to the employer, a standard authorization clearing detailing the information to be released will be needed.

What should you do when an employer contacts the office to verify the letter?

Have them fax you a copy of what they received. You can verify the doctor generated the letter and that it has not been altered. That is all. Do not give that information prior to receiving a copy of the letter. Do not even acknowledge that the employee is a patient until you receive the letter.  Accept this copy only by fax, US Mail, or encrypted email. (This works for truancy officers from a school, too.)

What should you do when an employer contacts the office to request more details?

Inform the employer that this request must be directed to their employee who must request and authorize a release of this information from the doctor. Otherwise, this information can only be obtained by a valid subpoena.

Should you get a disclaimer signed that details that your patient could be terminated by pursuing this course of action?

This is not your responsibility. This issue should be handled by the patient with their employer. If your lawyer advises this disclaimer, do not include the disclaimer on your authorization form. The HIPAA regulations are clear that an authorization document cannot include anything but another authorization. A disclaimer will invalidate the authorization form. The purpose of this distinction is to make it clear to the patient what they are signing.

Thinking this process through beforehand and following these steps can lower your risk of inadvertently causing a breach of information while still accommodating your patient’s needs. Remember to always give out the minimum information when fulfilling any documentation.