An authoritative summary of where HIPAA applies

If an aromatic employee claims a medical reason for the problem, don't worry about HIPAA, but do pay close attention to the ADA.

In my last post, "Dealing with a smelly co-worker," (9/15/2008) I made reference to HIPAA (Health Information Portability and Accountability Act). The context: Some medical conditions can cause severe body odor. I advised that should the odiferous employee inform his manager that this was the cause of the situation, HIPAA mandated keeping this information private.

Among the responses was what follows, from Lane R. Hatcher, who deals with HIPAA professionally, was kind enough to set me straight. His comments follow, edited for length and to stitch together the information he provided in a conversational thread. - Bob


Perhaps the person who raised the question regarding the co-worker with an odor problem in fact works for a healthcare provider's office, in which case HIPAA might apply if the individual was also a patient there.

If this is not the case, then HIPAA would not apply to the situation. HIPAA Privacy Rules apply only to healthcare providers, health plans, and clearinghouses.

Employer-sponsored health plans are just that -- employer sponsored.
That sponsorship does not make the employer itself (i.e., the entire
organization) a HIPAA-covered entity, and the same goes for government and other organizations that sponsor health plans.

In the scenario you presented, let's say that this is just your run-of-the-mill small business, and health insurance is provided; employer and employees pay a monthly premium to, say, Aetna. Does HIPAA apply at the workplace?

No. The workplace is not a provider of healthcare, isn't a group plan or a clearinghouse. Employees can yak all they want about the individual's body odor -- this is a case for management to put the kibosh on gossip, not for regulation.

Even ADA (Americans with Disabilities Act) info in the employee's file does not cause HIPAA rules to kick in, and ADA is the area of regulation most likely to apply to a situation in which an employee asserts medical reasons for a deficiency in workplace performance.

How about a small company that has the money to self-fund a health plan?

The entire company is not a HIPAA covered entity. Only those individuals responsible for the daily administration of the health plan are covered under HIPAA (which could be, but is not necessarily, HR staff). So, only those who are administering the health plan would be responsible under HIPAA to not disclose information they gained about the individual as a result of any demand for payment that was received from the employee's healthcare provider.

I think it's better not to mention HIPAA except in the context of a de facto covered entity. Otherwise, people get all stirred up. Those organizations that are covered entities and need to worry about HIPAA, pretty much know who they are.

- Lane Hatcher