Recent FMLA Changes Affect Healthcare Providers
On November 17, 2008, the United States Department of Labor issued its final rule, 73 Fed. Reg. 67,934, entailing substantial and significant changes to the Federal Family and Medical Leave Act (FMLA) and giving new interpretation to parts of the 1993 employment statute. The new regulations, to be promulgated in 29 C.F.R. Part 825, were set to take effect on January 16, 2009.
Among the changes, several are particularly significant to the healthcare arena. Employers who require medical certification as a prerequisite for an employee to take leave must notify that employee of the requirement within five days of receiving the employee’s request. See 29 C.F.R. § 825.305(b). The Department of Labor has included two new forms in an attempt to streamline the medical certification process. The first form is used when the employee is requesting medical leave for his or her own serious medical condition, and the second is used when the employee is requesting leave to care for the serious medical condition of a family member. The forms are available at 29 C.F.R. §§ 825.305 and 825.306.
If the medical certification form contains incomplete or missing information, the employer may require the employee to produce the additional information, and the employee must do so within seven calendar days of receiving the request. See 29 C.F.R. § 825.305(c).
Most noteworthy among the new regulations, the employer is allowed to contact the employee’s healthcare provider directly to seek clarification and confirmation of the medical information provided by the employee, provided that the HIPAA privacy standards (45 C.F.R. § 164.500 et seq.) are met. 29 C.F.R. § 825.307(a) specifically states that “the requirements of the … HIPAA … Privacy Rule … which governs the privacy of individually-identifiable health information created or held by HIPAA covered entities, must be satisfied when individually-identifiable health information of an employee is shared with an employer by a HIPAA-covered healthcare provider.” Generally, that will mean that the provider must first obtain the employee’s permission, in the form of an authorization, before the medical records can be shared with the employer who requests them. See 45 C.F.R. § 164.508. However, the regulations are unclear as to whether a “specific” authorization is required or if a “blanket” release can be used for all of an individual employee’s FMLA requests.
If the employee refuses to grant permission for the release of his or her medical information for certification or clarification purposes, then the employer may deny the request for leave. See 29 C.F.R. § 825.307(a).
The employer’s communication with the healthcare provider must be through a human resource officer, management personnel, a leave administrator, or another healthcare provider of their choice. See 29 C.F.R. § 825.307(a). However, in no case may the direct supervisor of the leave-seeking employee be the point of contact with the employee’s healthcare provider. Id. In addition, the only information the employer may seek is that which directly pertains to the medical information provided by the employee for leave purposes. Id.
The new FMLA regulations also raise an interesting question with respect to ill family members whose condition necessitates the employee’s taking leave. In order for the employer to certify the leave-requester’s medical information, he or she must obtain authorization for the release of the family member’s medical information. This may cause issues for the employee who must care for the sick family member if the family member does not wish to disclose his or her health information to the unrelated third-party employer. In the case of seriously ill family members who are minors, the employee—acting as the personal representative (see 45 C.F.R. § 164.504(g))—may authorize the disclosure of the child’s healthcare information to the employer.
As a final note, what happens when the employer is also a HIPAA covered entity? First, the same rules apply to accessing the employee’s healthcare information, even if the information is in the employing healthcare provider’s records. It will still be necessary to get an authorization in order to access the provider’s own clinical information. Second, once the information is received by the provider’s human resources department as an employment record, it is no longer subject to the HIPAA privacy standards. The definition of protected health information in 45 C.F.R. § 160.103 specifically excepts “employment records held by a covered entity in its role as employer.”
It is recommended that hospitals and other healthcare providers be aware of the new rules that allow employers to directly contact them about patient information with the proper authorization. The employer’s representative must be a human resource officer, a leave administrator, a member of management, or another healthcare provider, but may never be the patient’s direct supervisor, and the disclosing provider will therefore be required to verify that fact. In addition, providers should carefully scrutinize authorizations, especially those of a general nature, to ensure that they adequately cover the requested information. Finally, providers should consider adopting a policy for handling these requests.
Gregory D. Frost is a partner at Breazeale, Sachse & Wilson, LLP in Baton Rouge.
Christopher K. Odinet was a third-year law student at Paul M. Hebert Law Center at Louisiana State University at the time this article was written.