Carolyn Buppert, NP, JD


July 11, 2012


A reader asks: Is it against HIPAA regulations for a supervisor to tell other employees about an employee's medical condition, such as diabetes, substance abuse problems, or cancer, without permission?

Response from Carolyn Buppert, NP, JD
Attorney, Law Office of Carolyn Buppert P.C., Bethesda, Maryland

How Was the Information Obtained?

Whether a supervisor's sharing of your private medical information violates HIPAA (the Health Insurance Portability and Accountability Act of 1996) depends on how the supervisor obtained that information. If the supervisor accessed your medical records, then HIPAA would apply. If the supervisor knows about your medical conditions because you gave her that information or because you have discussed your health issues in the workplace, then HIPAA probably does not apply.

What HIPAA Covers

HIPAA requires "covered entities" (a person or organization that furnishes, bills, or is paid for healthcare in the normal course of business) to implement safeguards to ensure that an individual's health information is used only for purposes related to treatment, payment, or healthcare operations, and that only the minimum amount of information necessary is disclosed. "Safeguards" include organizational policies that prohibit healthcare workers from accessing the records of individuals who are not their patients, prohibit a staff member from disclosing information about a patient to individuals who don't need to know, and require password protection of the organization's medical records. When healthcare workers access an individual's record, they may use or disclose that individual's health information only for purposes related to treatment, payment, or healthcare operations, and may use only the minimum amount of information necessary to perform the work.

HIPAA covers all medical records and other individually identifiable health information used or disclosed by a covered entity (a hospital, facility, practice, or clinician) in any form, whether electronic, paper, or oral. Disclosures can be made only to individuals who need to know the information to treat the patient, obtain payment, or conduct the practice's operations.

The HIPAA definition of healthcare operations includes[1]:

  • Conducting quality assessment and improvement activities and population-based activities related to improving health or reducing healthcare costs;

  • Reviewing the competence or qualification of healthcare professionals; evaluating practitioner, provider, and health plan performance; and conducting training programs and accreditation, certification and licensing, or credentialing activities;

  • Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits;

  • Conducting or arranging for medical review, legal services, and auditing functions;

  • Business planning and development; and

  • Business management and general administrative activities of the entity.
