The Family and Medical Leave Act ("FMLA") entitles
eligible employees of covered employers to take unpaid,
job-protected leave for certain family and medical reasons. These
medical reasons include the "serious health condition" of
an employee's spouse, child, or parent, or the "serious
health condition" of the employee that prevents him/her from
performing the essential functions of their job.
In order to assess whether a covered individual has a "serious
health condition", an employer can require sufficient medical
information to support an employee's request for FML. However,
the Health Insurance Portability and Accountability Act
("HIPAA") generally restricts a healthcare provider from
divulging protected health information ("PHI") of their
patients to third parties, including employers. This article
provides tips for maneuvering through the potential conflicts
between these two statutes.
The Department of Labor ("DOL") prescribes FMLA
certification forms to verify the existence of a "serious
health condition". To be sufficient, a medical certification
should state the following: the date the condition commenced; the
probable duration of the condition; appropriate medical facts
regarding the condition; a statement that the employee is needed to
care for a covered family member or a statement that the employee
is unable to perform the essential functions of his or her
position; dates and duration of any planned treatment; a statement
of the medical necessity for intermittent leave or leave on a
reduced schedule; and expected duration of such leave.
The employee can either personally deliver the completed FMLA
certification form to his/her employer, or have his/her healthcare
provider send the completed form directly to the employer. Either
way, at the time the employee is given the FMLA certification
forms, the employer should require the employee to complete a
HIPAA-compliant authorization for the employee's healthcare
provider to release the employee's PHI to the employer. The
authorization must specify a number of elements, including a
description of the PHI to be disclosed; the person authorized to
make the disclosure; the person to whom the healthcare provider may
make the disclosure; an expiration date; and in some cases, the
purpose for which the information may be used or disclosed.
HIPAA privacy rules require a healthcare provider to treat a
"personal representative" the same as the individual,
with respect to the use and disclosure of the individual's PHI.
A personal representative is a person legally authorized to make
healthcare decisions on an individual's behalf or to act for a
deceased individual or the estate. In most cases parents are the
personal representative for their minor children.
If an employee is unable or unwilling to return the completed FMLA
certification, HIPAA prohibits a healthcare provider from sending
the completed FMLA certification directly to the employer if the
certification contains patient PHI. An exception to this general
rule is disclosure pursuant to the above-referenced authorization
executed by the individual who is the subject of the PHI.
On occasion, an employer may determine that the FMLA certification
is incomplete or provides insufficient information to assess
whether there exists a "serious health condition". In such
instance, the FMLA requires the employer to give the employee
written notice as to what sections are incomplete and allow the
employee seven days to obtain the missing information. If the
employee refuses to cooperate, the employer may decline the
FML.
Alternatively, after the aforementioned seven-day period, the
employer may directly contact the healthcare provider to either
clarify or authenticate the information in the FMLA certification.
However, the DOL has specified that communications between
employers and the employee's healthcare provider to clarify
FMLA certifications must also comply with HIPAA privacy rules.
Compliance with these privacy rules may entail the employer sending
the healthcare provider the aforementioned authorization to release
PHI as a precursor to discussing the FMLA certification.
Furthermore, the employer's representative who contacts the
employee's healthcare provider must either be a healthcare
practitioner, an HR professional, a leave administrator or a
management official. In no case may the employer's
representative be the employee's direct supervisor.
An employer may request FMLA recertification every thirty days
unless the medical certification indicates that the minimum
duration of the medical condition will exceed this period. In all
cases, an employer may request recertification every six months,
even where the certification states a longer period. Since an
initial grant of FML may require recertification, an employer
should set an expiration date on its employee's authorization
to release PHI that allows it to be reused to authorize the release
of medical information for purposes of recertifying this
leave.
While HIPAA's privacy rules may restrict an employer's
ability to confirm a serious health condition under the FMLA, such
restrictions can easily be avoided by an employer receiving a
HIPAA-compliant authorization to release PHI from its employees at
the front-end of an FMLA request.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.