It feels like a dilemma: I need to use my health insurance to get help with my drinking or drug problems, but I’m worried that my employer will find out that I have a problem. I’m worried my employer will fire me, or otherwise penalize me for seeking help, if they find out. 

Making a decision to change your life – to get sober – is hard enough without fear of losing your job or being stigmatized at work. Getting to the point where you’re willing to make that change takes plenty of courage and the last thing you need is additional stress. The good news is that your employer will not find out about it from your healthcare professionals nor from your insurance company. Why not? HIPAA.

HIPAA is short for the Health Insurance Portability and Accountability Act. It is a law passed by Congress in 1996 that, among other things, protects a person’s privacy in all things healthcare. HIPAA says no one’s “personally-identifiable health information”, or PHI, may be disclosed without that person’s permission. Permission can be granted through a Release of Information, which is a legal document permitting healthcare professionals to share your information, but only with your consent.

Of course, to effectively treat many healthcare problems, information must be shared within a healthcare system. But it is a violation of federal law for the healthcare system, or anyone you give permission to see your PHI, to share it with any other person or entity without your permission. In other words, your doctors cannot share the information with your employer, even if your employer asks for it. Your doctor can’t even confirm that you are a patient, or that you were a patient, or might become a patient in the future. The law is very strict.

What about health insurers? Can they share your healthcare information with employers? In a word, no. In a few more words, the healthcare industry, for the purposes of analysis and research, often uses healthcare information that has been “de-identified”. If that sounds sketchy, it’s not. The HIPAA Privacy Rule (45 C.F.R. §164.502(d)) requires healthcare companies to follow a specific process for de-identifying PHI. If you want to read about it, a subsection of HIPAA lays out the process here: 45 C.F.R. §164.514(a)-(b). Let’s be honest, you probably don’t want to read about it. In sum, de-identifying your information must remove everything that can be traced back to you. Of course, your name and address must be removed, but in addition, to be adequately de-identified, all of the following must be removed:

  • Dates, except year
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g., retinal scan, fingerprints)
  • Any unique identifying number or code

Geographic data means not just your actual address, but even your zip code. They can use only the first three digits. It’s pretty comprehensive.

Employers do receive reports from their health plans using de-identified information so that they can make better economic and coverage decisions. But, again, by federal law, these reports cannot include any information that identifies anything about you personally. 

Okay, let’s get really paranoid: what if your employer sees that someone in the company received treatment for a substance use disorder and, let’s say because your company is small, your employer guesses it was you? Even in this horror film scenario (it won’t happen!), you’re still protected. Yes, the Family and Medical Leave Act (FMLA), another federal law, protects the jobs of employees who seek treatment for “serious health conditions”. Treatment for substance problems is considered a serious health condition.

The FMLA is more complicated than HIPAA. HIPAA is like a steel bank vault with alarms and guards. FMLA has some qualification rules, but nonetheless it is strong protection if you need it.

One last thing to consider: getting help with drinking and drug problems online allows you to keep working while you get help. At Lionrock, clients attend their therapy sessions by secure video conference, getting help from the privacy of their homes. Lionrock’s HIPAA-compliant systems keep health records private, and our Joint Commission-accredited programs provide “best practices” care. Call us at 800.258.6550 to learn more.