Be alert but not afraid of new privacy rules

HIPAA won’t be a radical change for EHPs

By Sandra Adams, PhD, RN, COHN-S/CM
Adams Consulting
Mesa, AZ

Barbara Lucas, RN, COHN-S, CPC

(Adams and Lucas are consultants who offer training on the new privacy regulations to occupational health nurses. The information they present in this article is for educational purposes only. It does not constitute legal or professional advice. For specific concerns about regulatory compliance, they recommend that you consult an attorney or other professional.)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created anxiety among employee health professionals (EHPs). It shouldn’t. Privacy and confidentiality are issues that have long been respected in occupational health.

While EHPs must learn the technical aspects of the privacy rule, they already are carrying out the spirit of the law.

HIPAA’s Privacy Rule went into effect April 14, 2003, requiring most health care providers and organizations to implement new policies and procedures to ensure the protection of an individual’s protected health information (PHI).

The complexity of HIPAA is especially challenging for employee health professionals, who must figure out when they are covered by the act and when they are not. The nurse in a hospital employee health unit can potentially function under two separate "covered entities" while also functioning in a "noncovered entity" capacity. Here are some examples:

  1. The hospital is a covered entity under HIPAA as a health care provider. So when the employee health nurse performs functions for the hospital that involve a patient’s PHI, such as assisting with quality assurance functions or monitoring nosocomial infections, the nurse is acting as a member of the hospital covered entity. If you are dealing with medical information from a hospital patient, you must follow HIPAA rules for protecting PHI.
  2. If the hospital has a medical health plan for its employees that is covered under HIPAA and the nurse is involved in reviewing medical claims or assisting with complaint resolution involving PHI, the nurse would be acting as a member of the health plan’s covered entity.
  3. Workers’ compensation and disability plans are not covered under HIPAA. However, the nurse will be involved in creating, receiving, and using individual medical information in the course of managing these cases. In this instance, the nurse is functioning in a noncovered entity capacity. For example, information gathered in a pre-employment physical or in the evaluation of a needlestick injury would not be covered by HIPAA. But the EHP would need a signed HIPAA-compliant authorization form from the employee to receive pertinent information from a primary care physician related to that occupational health issue.
  4. If an employee health nurse provides care that is not related to employment, such as blood pressure screening or health services related to a respiratory ailment, the employee might be considered a patient. State privacy laws would apply for the protection of this confidential medical information.

So how do we make sense of when HIPAA applies and when it doesn’t?

Fortunately, for most nurses in this field, we already are protecting confidential health information in a manner that meets most of the HIPAA regulations. We protect PHI and share it only with those who are entitled to use or disclose the PHI. We protect employee health records in the same manner.

Here are a few tips on areas that might need clarification, or where you might wish to update or create policies and procedures:

• Make sure your authorization forms (formerly known as the medical release of information form) comply with HIPAA.

The act provides specific guidance on what must be in an authorization form that allows health care professionals to disclose an individual’s PHI.

By using a HIPAA-compliant form, you obtain certain protections for your organization regarding the re-disclosure of the PHI you released and, when requesting PHI on your employees, you avoid a denial of the request or a delay in obtaining the PHI due to a noncompliant form.

• Organize your employee health records to separate employment-related records and personal health records.

For example, post-offer applicant physical exams and drug tests are not subject to HIPAA because they are employment-related records. You could use a simple divider in the chart to keep these records separate from other records created for an employee’s personal health problem, such as nursing treatment of an upper respiratory infection.

• Establish guidelines for verifying a requester’s identity and right to receive information prior to releasing it.

This is a good practice regardless of HIPAA. Consider comparing the signature on an authorization form with the individual’s signature that you already have on file.

If they don’t match, call the individual and confirm that you have a valid authorization form that you can act upon or allow the individual to revoke the form.

For phone requests, ask the callers very specific questions that an average person would not know about the individual to verify that the callers are who they say they are. For example, if a wife calls requesting information about her husband, ask for his employee number and their anniversary date.

By documenting the answers to these questions, you verify that you made a valid effort to ensure appropriate release of the PHI.

• Under HIPAA, the individual has a right to request that amendments be made to his or her records if there is inaccurate or incomplete information.

When functioning under a covered entity, you must have procedures to handle these requests. You may want to use the same procedures, even though not required, for noncovered functions as well. In most cases, when information is incorrect, we already are making the changes.

Remember that even though workers’ compensation, disability, Family and Medical Leave Act, and Americans with Disabilities Act cases are not covered under HIPAA’s Privacy Rule, each of these has its own very specific privacy protections, in some cases more stringent than HIPAA, and these must be followed. Whenever your state’s privacy regulations are more stringent than HIPAA, those must be followed as well.

Lastly, have patience. There will be a period of confusion and misunderstanding, especially in releasing information to employee health and occupational health nurses. Become familiar with the HIPAA regulations and how they impact your work situation. Develop appropriate procedures as needed. Enjoy the opportunity to further educate those you interact with when they experience confusion or misinterpretation of what they can or cannot share with you.

[Editor’s note: Adams and Lucas provide information on how HIPAA applies to employee health through seminars organized by the American Association of Occupational Health Nurses. For more information, call (770) 455-7757 or visit the web site More information on HIPAA also is available at and at]