Hello & welcome to Just Answer. I am a licensed attorney. Please be fair with me and click the ACCEPT button if I answered your question. Thanks :-)
Two laws affect your privacy rights in the workplace in regard to your health information, The Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Non-Discrimination Act (GINA).
The HIPAA privacy rule does not prevent your employer from asking you for information about your health if your employer needs the information to administer sick leave, workers' compensation, wellness programs, or health insurance. However, your health care provider cannot disclose this information in response to requests from your employer without your authorization. Covered health care providers must have your authorization to disclose this information to your employer, unless other laws require them to disclose it.
Group health plans are covered by HIPAA. The HIPAA Privacy Rule applies as long as the plan has 50 or more participants. If you are a member of a group health plan, your employer pays a premium to the health plan organization to cover your health care costs. In return for the premium paid, the health care plan assumes the risk of paying for health care expenses covered by the plan. The HIPAA Privacy Rule applies to the plan itself, but not your employer.
Self-insured plans are health plans often offered by large employers as an employee benefit. Under self-insured health plans, the employer itself assumes the risk of health care costs and has the responsibility for paying health care claims out of the company's operating funds. Claims may be processed by company personnel or contracted out to other companies that process and maintain the records.
If your employer is self employed, HIPAA says your employer can get what is called "summary" information to use to obtain premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like that of a covered entity (a medical facility). HIPAA attempts to limit the use of medical information for employment purposes.
Under the HIPAA Privacy Rule, an employer that is also the insurer of health benefits is in a category called a "hybrid" entity. That means the portion of the company's operations that deal with processing health claims is a covered entity. Like any other covered entity, a "hybrid" function must (1) give notice of written privacy procedures, (2) place restrictions on the use of health information, and (3) appoint a privacy officer and train staff.
Under a 2008 law, the Genetic Information Nondiscrimination Act (GINA), an employer may not request, require, or purchase genetic information about you. If, like many people, you have health insurance through your employer's group health or self-insured plan, GINA also prohibits your insurer from requesting, requiring, or purchasing genetic information. Further, the insurer cannot use genetic information to adjust your premiums or the premiums of your group plan. For more on GINA and what employers and insurers can and cannot do, see the website for the organization Council for Responsible Genetics at: http://www.councilforresponsiblegenetics.org/geneticprivacy/index.html
For your convenience, I am providing a couple of other helpful links to resources that provide more detailed information about your privacy rights and to organizations that are available to answer any questions you have related to the privacy of your health records.