How does HIPAA affect workers' compensation programs?

It is increasingly recognized that most patients have a strong interest in the privacy of their own medical information. This recognition is due in no small part to a law known as the Health Insurance Portability and Accountability Act, or HIPAA.

HIPAA began life as the legislative incarnation of a relatively straightforward idea. That idea was that workers who lose their jobs should be able to carry their largely employer-funded health insurance with them when they become unemployed or change jobs. From that humble beginning HIPAA has grown into something of an avatar of cultural change, touching on such seemingly disparate 21st century issues as personal privacy rights, data security, and genetic information. Another key issue it addresses is worker compensation.

Most prominent among HIPAA's roles is its function in protecting privacy. Along these lines, the word "HIPAA" has come to serve as shorthand for a recently finalized mandate from the Department of Health and Human Services (DHHS) on protecting the privacy of personal health information (known as "PHI"). After a tortured political history spanning two presidential administrations, Congressional turnover, and partisan politicing that has touched on such sensitive issues as gay rights and abortion, DHHS at last issued its final version of the HIPAA's Privacy Rule in October, 2002. HIPAA covered entities (with some exceptions) need to be compliant with the new Final Rule by April 14, 2003, and violators will face possible penalties of up to 10 years in prison and $250,000 in fines for each violation of the Act.

Several aspects of the Privacy Rule have been tailored to meet unique concerns of worker compensation entities. Specifically, the Privacy Rule allows for the disclosure of PHI to workers' compensation insurers, state administrators, and employers to the extent necessary to comply with laws relating to workers' compensation or similar programs established by state or other law. The Rule's workers' compensation provisions also allow for the disclosure of PHI essentially whenever the person whose PHI is sought specifically authorizes it - though in these situations, the individual's authorization must contain certain elements (enumerated at 45 CFR 164.508). These elements include statements that place the individual on notice of their right to revoke the authorization in writing; statements informing the individual of the provider's possible ability under the law to condition treatment, payment, enrollment, or eligibility for benefits on the receipt of authorization; and the authorization must be written in plain, ordinary language.

It should also be noted that all disclosures of PHI for workers compensation purposes are subject to the Privacy Rule's "minimum necessary" standard. This standard aims to limit allowable disclosures of PHI to the smallest amount of disclosure needed to communicate whatever information is required in any given situation. A related "incidental uses and disclosures" standard in the Privacy Rule allows some disclosure of sensitive medical information when that information is revealed only as a side-effect of other required healthcare communications, so long as "reasonable safeguards" are in place. Such safeguards should be comprehensive-encompassing administrative, physical, and technical protections for the information flow at the covered entity. However, DHHS has said that what constitutes a "reasonable safeguard" will vary from entity to entity, and that the standard need not aim to protect PHI from every conceivable chance of disclosure. According to the agency, meeting the reasonable safeguards standard may be as easy as speaking quitely and avoiding patient names when discussing patient PHI in public spaces; locking filing cabinents and instituting password protections on computers; and posting reminders to entity personnel about keeping PHI confidential whenever possible.

Another part of the Final Rule requires the "de-identification" of PHI in many circumstances. Under the Rule's de-identification provisions, covered entities are allowed to disclose some health information that would otherwise be private and protected if the entities strip out the patient's name and other easily identifiable information about him or her prior to disclosing that information. Under the Final Rule, codes that can be used to re-identify previously de-identified individuals and their health information are expressly exempted from the safe harbor provisions.

Readers interested in more detailed official guidance on how HIPAA intereacts with workers compensation law should access the policy explanation put out by DHHS's Office of Civil Rights, the government agency responsible for HIPAA enforcement, at http://www.dhhs.gov/ocr/hipaa/guidelines/workerscompensation.pdf.