HIPAA, Work Comp & Common Sense

Saturday, February 15, 2003 | 0

When the Health Insurance Portability and Accountability Act, or HIPAA, became law, most of the public and professional attention was centered on the act's privacy provisions, perhaps because of the serious consequences for violation of those rules (penalties of up to 10 years in prison and $250,000 in fines for each violation of the Act).

But, while the seriousness of Congress' medical privacy statement cannot be discounted, HIPAA was intentionally authored to ensure that state workers' compensation systems would not be adversely affected by a restriction on personal health information (PHI). The Department of Health and Human Services (DHHS) issued its Final version of the HIPAA's Privacy Rule in October, 2002 and HIPAA covered entities (with some exceptions) need to be compliant with those Rules by April 14, 2003.

To ensure that workers' compensation providers and other entities are not adversely restricted in the disclosure of PHI, the Privacy Rule allows PHI to be disclosed to workers' compensation insurers, state administrators, and employers to the extent necessary to comply with laws relating to workers' compensation or similar programs established by state or other law.

The Rule's workers' compensation provisions also allow for the disclosure of PHI if the protected individual specifically authorizes it. The individual's authorization must contain certain elements as enumerated at 45 CFR 164.508 and include a notice to the individual of their right to revoke the authorization in writing; a notice that providers may condition treatment, payment, enrollment or eligibility for benefits on the receipt of authorization; and the authorization must be in plain, ordinary language.

All disclosures of PHI for workers' compensation purposes are subject to the Privacy Rule's "minimum necessary" standard. This standard limits permissible disclosures of PHI to the least amount necessary to communicate what is required in any given situation. For example, if a California employer requests claim information under Labor Code section 3762 (which itself has a medical information limitation clause) to provide alternative or modified work for the injured worker, medical information that may be relevant to a physician prescribing medication may not be necessary for disclosure.

A related "incidental uses and disclosures" standard in the Privacy Rule allows some disclosure of sensitive medical information when revealed only as a side-effect of other required healthcare communications. As in our example above, the reason for a certain medication may be prohibited, but the effects of a medication ("may cause drowsiness - do not operate heavy machinery or drive") would be necessary to protect the injured worker as well as ensure that the employer does not place the worker in a position of danger. There must be "reasonable safeguards" in place that ensure administrative, physical, and technical protections for the information flow at the covered entity.

Note, however, that what is a "reasonable safeguard" will vary from entity to entity, and the DHHS has said that the standard need not aim to protect PHI from every conceivable chance of disclosure. DHHS has advised that meeting the reasonable safeguards standard may be as easy as speaking quietly and avoiding patient names when discussing patient PHI in public spaces; locking filing cabinets and instituting password protections on computers; and posting reminders to entity personnel about keeping PHI confidential whenever possible.

Finally, the Final Rule requires the "de-identification" of PHI in many circumstances. Covered entities are otherwise permitted to disclose some health information that would otherwise be protected under HIPAA if the patient's name and other easily identifiable information are either removed or blocked from view. Note however that codes used to re-identify previously de-identified individuals are expressly exempted from the safe harbor provisions.