Alan A. Ayers, MBA, MAcc is Chief Executive Officer of Velocity Urgent Care and is Practice Management Editor of The Journal of Urgent Care Medicine.
Urgent message: While a workers’ compensation carrier may want to see a patient’s entire medical record, claiming that such is compliant with HIPAA as the “minimum necessary information to get paid,” urgent care providers should reasonably limit the health information released to the “minimum necessary to accomplish the workers’ compensation purpose.”
Introduction
The HIPAA Privacy Rule dictates how a covered healthcare provider, such as an urgent care center, shares an employee’s protected health information with an employer. The Rule sets parameters on the use and release of health records, and establishes appropriate safeguards that healthcare providers and others must satisfy to protect the privacy of health information.1
While many assume that the law provides a blanket protection, HIPAA’s Privacy Rule does not protect employment records, even if the information in those records is health-related.2 In fact, the Department of Health and Human Services states that in most cases, the Privacy Rule doesn’t apply to the actions of an employer.2 The HHS states that if you work for a health plan or a covered healthcare provider, HIPAA’s Privacy Rule doesn’t apply to your employment records. However, the rule does protect your medical or health plan records if you’re a patient of the provider or a member of the health plan (as it would for any other employer).3
But what happens when the worlds of healthcare and employment collide, as in the area of workers’ compensation? The question as it applies in the urgent care setting is, how much of a patient’s medical history can (and should) be shared with an employer?
Here, we discuss this issue at length, with focus on the responsibilities of urgent care centers, which are frequently used by employers, workers’ compensation insurance carriers, and third-party administrators to treat the work-related injuries of employees.
Workers’ Compensation
As a general rule, an employer can request that an employee provide a doctor’s note or other health information if they require the information for sick leave, workers’ compensation, wellness programs, or health insurance.2 But if the employer requests information about the employee directly from the healthcare provider, the provider cannot give the employer the information without employee authorization unless other laws require them to do so.2
However, in workers’ compensation, it’s important to note that the HIPAA Privacy Rule doesn’t apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent they may otherwise be covered entities.3 These entities require access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. This health information is typically obtained from healthcare providers who treat these individuals and who may be covered by the Privacy Rule, such as urgent care facilities.
With that in mind, the HIPAA Privacy Rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by law.3 The question remains, to what extent can personal health information (PHI) be disclosed?
Disclosures with and without individual authorization
The HIPAA Privacy Rule allows covered entities to disclose protected health information to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization in specific circumstances:
- As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.4
- To the extent the disclosure is required by law, and the disclosure must comply with and be limited to what the law requires.4
- For purposes of obtaining payment for any healthcare provided to the injured or ill worker.4
Covered entities may disclose PHI to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has given his or her authorization for the release of the information to the entity.3
Minimum necessary
Urgent care operators should understand that all covered entities are required by law to reasonably limit the amount of protected health information disclosed under 45 CFR § 164.512(l) to the minimum necessary to accomplish the workers’ compensation purpose.3 This means that an employee’s PHI may be shared for such purposes to the full extent authorized by law—but that covered entities must reasonably to limit the amount of PHI disclosed for payment purposes to the minimum necessary.5 However, the Privacy Rule’s requirements for minimum necessary are designed to be “sufficiently flexible to accommodate the various circumstances of any covered entity.”5
The Department of Health and Human Services states that covered entities are permitted to disclose the amount and types of protected health information that are necessary to obtain payment for healthcare provided to an injured or ill worker. Further, it’s important to note that where a covered entity such as an urgent care center routinely makes disclosures for workers’ compensation purposes under federal regulation or for payment purposes, it may develop standard protocols as part of its minimum necessary policies and procedures that address the type and amount of protected health information to be disclosed for such purposes.4
In addition, the HHS explains that where PHI is requested by a state workers’ compensation or other public official, an urgent care center or other covered entity is permitted to reasonably rely on the official’s representations that the information requested is the minimum necessary for the intended purpose.6 Covered entities aren’t required to make a minimum necessary determination when disclosing protected health information as required by state or other law, or pursuant to the individual’s authorization.7
Business Scenario
In a hypothetical case, Dr. White is treating employee John Smith, who is complaining of wrist pain. Smith shares that he had surgery on his wrist 3 years ago after a non─work-related accident.
Dr. White acknowledges that our providers can and should be providing more details about how the injury occurred and further personal medical history related to Smith’s injury. In fact, the workers’ compensation carrier is seeking all of the patient’s history—including psychological, sexual, drugs, everything. Dr. White is of the mindset that information not pertaining to the incident at hand would not be shared. However, the workers’ compensation carrier states that our competitors share the patient’s full medical history.
The key point here is that the law provides that covered entities are required to reasonably limit the amount of protected health information disclosed to the minimum necessary to accomplish the workers’ compensation purpose. Dr. White appears to be correct in that medical information not germane to Smith’s injury (eg, psychological treatment, sexual history, and medications) should not be disclosed. Disclosure of that PHI would be in violation of the HIPAA Privacy Rule. Also, the competition is in violation of HIPAA’s Privacy Rule.
Takeaway
Urgent care center owners should be certain that safeguards, procedures, and training are in place to ensure that when complying with workers’ compensation claims that disclosure of PHI is reasonably limited to the minimum necessary to accomplish the workers’ compensation purpose.
The penalties for HIPAA noncompliance with the Privacy Rule can range from $100 to $50,000 per violation.8 The maximum penalty of an identical provision is $1.5 million per year of violations. In addition, a person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to 1-year imprisonment.8
References
- HHS.gov. Health Information Privacy. What does the HIPAA Privacy Rule do? Available at: https://www.hhs.gov/hipaa/for-individuals/faq/187/what-does-the-hipaa-privacy-rule-do/index.html?language=es. Accessed July 21, 2018.
- HHS.gov. Health Information Privacy. Employers and health information in the workplace. Available at: https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html. Accessed July 21, 2018.
- HHS.gov. Health Information Privacy. Disclosures for Workers’ Compensation purposes. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-workers-compensation/index.html. Accessed July 21, 2018.
- 45 CFR § 164.512.
- CFR § 164.502(a)(1)(ii).
- HHS.gov. Health Information Privacy. Minimum necessary requirement. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html. Accessed July 21, 2018.
- 45 CFR § 164.514(d)(3)(iii)(A).
- HHS.gov. Health Information Privacy. Summary of the HIPAA Privacy Rule. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed July 21, 2018.