CONFIDENTIALITY OF EMPLOYEE MEDICAL INFORMATION IN HOSPITALS AND HEALTH CARE FACILITIES
Employee health departments in health care facilities are often urged (or required) to utilize the hospital's
human-resources (HR) or hospital-management (HM) software (such as Meditech®, Lawson®, PeopleSoft®, Cerner®, Kronos® or Epic®) to document and track
information such as immunizations, serology results, and other medical-surveillance data elements. Additionally, some
hospital laboratories store test results directly into systems such as Meditech® and Epic®, in a manner which enables hospital employees
with access to those databases to view the results of medical tests performed on their co-workers.
We respectfully suggest you discuss the following issues with your HR and legal departments:
- Is confidential medical information (such as immunizations and medical test results) stored in the hospital's HR / HM database?
- If so, is that information viewable by hospital employees other than the professional staff of the Employee Health department?
- If so, has each Employee signed an authorization to allow each of those individuals to view those records?
(NOTE: The fact that a hospital administrator may have
signed a "confidentiality agreement" or agreed to abide by a "confidentiality policy" is irrelevant;
the HIPAA Privacy Rule
requires the authorization of the tested individual before medical information obtained by the Employee Health staff is made
available to anyone except in the specific circumstances defined in the Privacy Rule.)
- In the absence of such
a signed consent, it is a violation of the HIPAA Privacy Rule for licensed Employee Health professionals to store employee medical information in a manner
which enables it to be viewed by any other employees of the facility. Remember that HIPAA does not place any restrictions on the
employer's ability to view confidential medical information; it is the legal obligation of the licensed health professional who
obtains the information to ensure that it is not made available to the individual's employer or co-workers without the individual's
specific consent.
This issue of confidentiality is not new. OSHA replied to a hospital inquiry in 2002 regarding the storage of medical screening information following a bloodborne pathogen
exposure, by issuing an interpretation which read in part:
A healthcare professional must conduct appropriate medical evaluation and follow-up after an exposure incident
(e.g., a needlestick)(29 CFR 1910.1030(f)(3)). Further, the healthcare professional must provide a written opinion limited to documentation that:
(a) the employee has been informed of the results of the post-exposure evaluation, and (b) the employee has been told about any medical conditions
resulting from the exposure. All other findings or diagnoses must remain confidential and must not be included in the written (or electronic) report
submitted to the employer. Employee blood tests must not be included in the employer's report (29 CFR 1910.1030(f)(5)(iii)).
Since your facility chooses to use its own employee health service to conduct diagnostic analyses of employee and source blood for hepatitis B virus
(HBV), human immunodeficiency virus (HIV), and other bloodborne pathogens, these records must remain confidential (i.e., free of personal identifiers) since
employees in the facility have access to them. You mentioned in your letter that the name of the exposed employee remains on the lab tests that are
housed in your computerized database. In that situation, some type of randomized numbering system or other coding system must be used to prevent any
inappropriate access to this information.
Failure to keep an employee's post-exposure medical records confidential would be a violation of the standard. Please refer to paragraphs (f)(3), (4),
(5), and (h)(1)(i) for specific requirements under 29 CFR 1910.1030, and the requirements for general employee medical records under 29 CFR 1910.1020.
We also recommend that you determine whether your facility's HR or HM software can:
- document sharps injuries and maintain a Sharps Injury Log, including documentation of screening tests and immunizations for
the Employee (and the source, if known) in a HIPAA-compliant manner;
- preserve confidentiality of medical tests performed on Employees;
- document immunizations and infection-control surveillance records, and generate compliance reports;
- document and track work restrictions following an occupational injury;
- document and track respirator clearances and fit testing records, and generate compliance reports;
- create subgroups of Employees with specific surveillance requirements (e.g., groups of individuals who have been exposed to a specific infectious hazard);
- document and track surveillance of individuals (volunteers, students, staff physicians, contractors, etc.) who are not employees
(although some facilities do create personnel records for such individuals, this is not a common practice);
- support case management activities; and
- create customized clinical protocols for specific types of evaluations.
We invite you to contact MediTrax if you wish to discuss our ability to provide
HIPAA-compliant recordkeeping and reporting, or to discuss any of these issues further.
Copyright © 2002-2020 Occupational Health Systems, Inc. All Rights Reserved.