Confidentiality Obligations: HIPAA & Beyond

All healthcare employers have confidentiality obligations to their patients or clients and employees. Healthcare employers that are subject to HIPAA must be aware of their confidentiality obligations to patients or clients and have policies and safeguards in place to protect confidential health information. Even non-medical companion agencies, which are not directly covered by HIPAA, are subject to HIPAA if they are business associates of covered HIPAA entities. Whether or not a healthcare employer is subject to HIPAA, they must be aware of Connecticut’s confidentiality laws governing highly sensitive medical information, which are more restrictive than HIPAA. Finally, employees have certain privacy rights in the workplace as it relates to their medical, private and personnel information, which must be balanced against an employer’s right to know and govern the workplace.

HIPAA Covered Entities Must Protect the Privacy and Security of Confidential Health Information

Individuals, organizations and agencies that are “covered entities” under HIPAA must comply with specific requirements to protect the privacy and security of personal health information, and must provide their patients or clients with notice of their rights with respect to their health information. HIPAA covered entities are health plans, health care clearinghouses and health care providers who transmit health information in electronic form. These requirements include use of HIPAA-compliant authorizations when necessary, and the implementation of safeguards to protect personal health information from unauthorized use or disclosure, including encryption and the use of password protection on computers and phones containing personal health information.

Business Associates Are Also Subject to HIPAA - If the covered entity uses a business associate (e.g., an outside electronic medical records vendor) to carry out its health care operations or functions, the covered entity must have a written agreement with the business associate that describes what the business associate is being asked to do and requires the business associate to protect the privacy and security of protected health information in its possession. Non-medical healthcare employers could be business associates of covered entities (e.g., companion agency that is a subsidiary of a skilled home care agency that are both caring for the same patient) and, as such, can be held directly liable under HIPAA for non-compliance with certain HIPAA rules.

Connecticut’s More Restrictive Confidentiality Obligations - All oral and written communications and records relating to a client’s substance abuse, mental health, HIV or AIDS status, or genetic testing are considered highly sensitive communications under Connecticut law. In general, any disclosure of this highly sensitive information requires a special authorization (above and beyond what is required by HIPAA) signed by the patient or client prior to disclosure. Even if you do not provide medical services to clients or patients, you may be in possession of highly sensitive medical information regarding the clients or patients you serve, and you must take steps to safeguard it against unauthorized disclosure.

Employee Privacy Rights in the Workplace

Personnel and Medical Information - In general, information contained in employee personnel and medical files may not be disclosed by an employer without the written consent of the employee, except in very limited circumstances. Moreover, employees have the right to access their personnel files on an expedited basis, as well as a right to notification of any discipline and termination documents that are placed in their personnel files. Employers that fail to comply with the requirements of Connecticut’s personnel file law may face fines of up to $1,000 per violation.

Social Media in the Workplace - Although employers may prohibit employees from using social media to post pictures or make identifying comments about consumers, clients or patients under the employer’s care, employers may not restrict all employee speech on social media about the terms and conditions of employment without violating Connecticut law, and possibly federal law (e.g., right of employee to complain about her manager being “difficult and unfair” on the employee’s public Facebook page). Employers should have narrowly tailored social media policies to protect the legitimate privacy interests of patients, consumers and clients, as well as each employee, without impairing an employee’s free speech right. This is not an easy balance.

The representations made in this article are the analysis of the law offices of Letizia, Ambrose & Falls, P.C., who are responsible for its content. This information and analysis are provided gratuitously and for information purposes only. You are encouraged to consult with the appropriate legal counsel prior to relying on this information or analysis.

If you have questions regarding your confidentiality obligations, please contact John M. Letizia at or (203) 787-7000.