HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



Disclosure question

Email This Post Print This Post

An employer is also a healthcare provider and provides services to its workforce members through an employee clinic. If one member of the employer’s workforce is evaluated in the clinic and the doctors discover a non-work-related illness such as tuberculosis, may the clinic disclose the individual’s protected health information to the employer without the authorization of the patient?

Jorge Laguna
Chief Privacy and Security Officer
Puerto Rico Medical Services Administration

Categories : HIPAA Q&A


  1. Frank Ruelas says:


    I don’t see how this would be an allowable disclosure to the employer without the patient’s authorization.


    You may want to check with your local public health authority as often it is required that when a health care entity identifies a patient with TB, the public health authority is to be notified which does not require patient authorization.


  2. Kim says:

    No, once they are treated by you their records are to be treated the same as any other patient. If you would not release information regarding a normal patient, the same applies for a employee-patient.

  3. Myrna says:

    No. The employee is now a patient. His/her rights are not waived just because the physician is also the employer. The employer/physician relationship is difficult. It is often hard to switch hats when rendering services to an employee, especially when the diagnosis may effect the physician’s practice and bottom line. I believe that in the best interest of both parties, the employee not seek medical care from his/her employer if the service is available elsewhere.

  4. Helen P. murphy. says:

    No. You must get the permission of the employee first, But this diagnosis must be reported to the Department Of Public Health even without the permission of the employee. It is a mandatory reportable disease


    NO. The employee does not loose his confidential right and HIPAA protection because he is now a patient. The Public Health department could be notified as required by most state laws. There is no provision in HIPAA rules that grants an employer to look into the the health information of her employees for non-treatment matters. Informing the the employer of this employee’s health issues in this case has nothing to do with the treatment of the employee.

  6. Catherine Harrington says:

    I believe that TB is considered a pubic health risk. The information about the employee/patient should be released to the Dept of Public Health( no consent or authorization required). It would be the responsibility of the Dept of Health to notify the employer about the possible health risk to other employees.

  7. Frank Ruelas says:

    It is good to hear some of the responses that stay the course of disclosures with patient consent. It seems too often I run into situations where people stray from their well written and implemented policies primarily because the patient involved happens to also be an employee or coworker that people have some level of emotional attachment such as a friend.

    Hang in there!


  8. Stephanie says:

    I agree with all of the above as long as the clinic is providing services that are billed to the employee’s insurance. However, if the purpose of the clinic is to provide work related health care services (annual physical assessment, TB testing, occupational exposure evaluations) and the employer is paying for the services then it is acceptable for the employer to receive such disclosures. As previously stated most states also have disclosure requirements for public health concerns.

  9. I am a public health administrator. If the diagnosis is a diagnosis that is mandated to be reported to your local/state health department (such as TB), then the clinician must report the disease to the health department (NOT to the employer) and the health department will contact the appropriate parties that need to be notified. If it is not something that is required to be reported to the health department, then authorization is required.

  10. Frank Ruelas says:


    I like your postings….it reminds me that if there are enough “ifs” you can just about go from any point A to any other point.

    Nice job pointing out this particular what if….


Leave a Reply