Privacy regs could be bitter pill for occupational health providers to swallow
Goal to protect medical info, but effect is unknown
New privacy regulations enacted by the federal government may mean that occupational health providers have to change some of the ways they handle confidential information. The new rule threatens to cause problems for the way occupational health providers have traditionally operated, yet the rule may not go far enough in solving some ethical dilemmas about patient information.
Released recently as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the privacy rule applies to virtually all health care providers, including occupational health. It is intended to give consumers more control over and access to their health information; set boundaries on the use and release of health records; safeguard that information; establish accountability for inappropriate use and release; and balance privacy protections with public safety.
The Clinton administration finalized the rule just before leaving office, changing the proposed rule by strengthening several key protections. Those changes include:
- extending protections to personal medical records in all forms including paper records and oral communications;
- providing for written consent for routine use and disclosure of health records;
- protecting against unauthorized use of medical records for employment purposes;
- ensuring that health care providers have all the information necessary to appropriately treat their patients.
Occupational health professionals may have a lot of work to do to comply with HIPAA, says Jack Rovner, partner and co-chair of the Chicago Health Law Practice Group for Michael Best & Friedrich. Before the end of the two-year implementation window, occupational health providers will need to examine and evaluate their patient data privacy, electronic data security, and transmission policies, procedures, and practices, as well as their electronic health information exchange capabilities and protocols. They may need to review and audit every operation and every business relationship that may involve use, disclosure, or electronic transmission or storage of individually identifiable health information.
"The good news for occupational health providers is that some of the last-minute changes will make it easier to implement the rules than the version we saw before," Rovner says.
Penalties can be severe
The final version of the rule includes a major change that occupational health providers will welcome. In the proposed version of the rule, providers could make available only the "minimum necessary" information about a patient even when the patient gave consent for the information transfer. Particularly in a field like occupational health, that provision raised all sorts of questions about how physicians would communicate with each other, with some analysts suggesting that the primary physician would have to be cryptic when talking with a specialist for fear of revealing too much patient information. No one in the health care industry liked that possibility, and it apparently won’t come to pass.
Now the rule states that the "minimum necessary" provision does not apply to physician-to-physician consultations. "That’s a major change and a good one," Rovner says.
But the "minimum necessary" provision still applies to a great many situations. "The ‘minimum necessary’ provision says that employees should only see information they need to do their job. You can’t just hand over the medical record and let them find what they need," he says. "That’s going to require some major analysis of what everyone’s job functions are and how you can control information so [staff] get what they need to do their jobs but nothing else. Claims processing doesn’t need to see the same information that the nursing staff does."
The rule also includes provisions that should appeal specifically to occupational health providers. In the part of the rule explaining what a provider can and cannot disclose without specific authorization from the patient, the rule notes an exception for situations in which the provider is hired by the employer to provide health care to the employer’s workers. Furthermore, the provider specifically is allowed to state whether the injury is work-related. No special consent or authorization is needed for that information.
The results of drug tests and workers’ compensation cases fall under that provision, Rovner says, because the employee must acknowledge that the employer hired the provider. Other exceptions state that the provider can report information resulting from a medical evaluation or surveillance of the workplace to the employer, but it may be necessary to alert the patient to such work.
"You also could go to the workplace and do a medical evaluation of the employees’ records or the employees themselves and then give a report to the employer," he says. "The only thing is that you would have to give written notice to the patient — meaning the employee — that you’re doing the evaluation and the results will be given to the employer. You could give that notice to the patient during the evaluation, or you could post a notice prominently when doing an on-site evaluation."
That is a new requirement, Rovner says. However, that sort of notice is necessary only when you are using protected health information from the employee records, for instance. It is not needed if you are just on site observing the workplace to understand the working conditions.
"The touchstone of the entire rule is whether you’re working with protected health information," he says. "If you review records maintained by the employer as part of the hiring process, that is not protected because the employer is not a covered entity. But if the employer hires or contracts with an occupational medicine physician, any information maintained there is covered and requires protection, plus notice of review before anyone else looks at it."
Despite the complexity of the rule, some occupational health providers say it does not address all of the potential privacy problems in their field. The Atlanta-based American Association of Occupational Health Nurses (AAOHN) and the American College of Occupational and Environmental Medicine (ACOEM) in Arlington Heights, IL, released a joint statement calling the privacy regulations "a major step toward protecting personal health and medical information."
The new federal regulations will help address major areas of individuals’ concerns regarding privacy of health information held by employers, the groups say.
Both occupational health groups note, however, that the protection of specific health information used by employers — such as information collected by occupational health professionals for wellness programs and for management of occupational injuries and routine consultations at work — may not be covered by the privacy rules. Both AAOHN and ACOEM made recommendations for changes during the comment period prior to the new regulations being issued, saying the routine activities of occupational health professionals challenge their ethical obligations to not disclose protected information. They also acknowledged that there is the potential for improper use of employee medical information for decision making about nonhealth-related employee personnel issues, such as hiring, firing, and promotional opportunities.
"AAOHN and ACOEM believe that some of their initial concerns have been addressed in the final rules, yet are concerned that all health information at the work environment is not included under the protections," the groups state.
Larri Short, JD, privacy rights expert and attorney at the Washington, DC-based law firm Arent Fox, says the new privacy rules are a step in the right direction, but occupational health professionals should not rest easy and assume that their ethical quandaries regarding employees’ medical information are addressed.
"This new rule represents a significant first step toward health privacy, but it does not do enough to eliminate employees’ risk of health information disclosures to their employers. Simply put, employers are not always subject to the rule," Short says. "As a result, they will continue to have relatively free access to personal health information obtained through fitness-to-work examinations, occupational safety and health initiatives, and workers’ compensation programs."
Deborah DiBenedetto, MBA, RN, COHN-S, ABDA, president of AAOHN, agrees, saying occupational health professionals still will be faced with dilemmas when employers want access to information that may not be protected. "Employers do have legitimate needs to have access to certain health information for managing workers’ compensation or other benefits, accommodating a disabled employee, or assessing an employee’s physical capability to complete assigned tasks," she says. "However, this does not mean that an employer should have access to unrelated information — such as an employee’s diagnosis or entire medical file."
DiBenedetto says legislation is needed to authorize the development of privacy rules that will draw the privacy lines appropriately for information collected and used in the work environment.
Robert Goldberg, MD, FACOEM, director of the ergonomics program and assistant clinical professor at the University of California, San Francisco, agrees that more work is needed. "Protecting confidentiality and privacy is imperative to preserving patient trust. Personal medical information obtained as a result of employment should be extended the same confidentiality protections as that collected for payment purposes," he says.
Until such rules are established, ACOEM and AAOHN recommend that occupational health professionals hold the line in protecting medical information from overeager employers.
Exchange of information within system OK
Other changes in the final rule allow integrated health care organizations to share information as if they were a single entity, even if they are actually several facilities. That change recognizes the "real world of how health care is delivered," and could prove especially important in occupational medicine, Rovner says. In a hybrid organization with both health care and nonhealth care members, the rule allows the information to be shared between the health care entities but not with other branches.
Also, protected health care information cannot be provided to any human resources department within the organization. The only exception is a situation, such as workers’ compensation treatment, in which an outside employer has purchased the health care and the patient has consented to such a release.
Probably the greatest impact, however, will be felt on the financial side of the health care operation. The rule makes it clear that accounts receivable employees, for instance, must not have access to protected patient information. It is not sufficient to ensure that they do not disclose or otherwise misuse the information; systems may have to be revamped to ensure they do not even have access to that information.
There is a strong incentive for complying with the HIPAA regulations. Rovner says HIPAA gives the U.S. Department of Health and Human Services (HHS) the power to impose civil monetary penalties of $100 for each knowing failure to meet one of the HIPAA standards, up to a maximum annual fine of $25,000 for multiple violations of the same standard. As the cap applies only per standard, the exposure can be far greater should a health care organization be out of compliance with multiple standards. For example, violations of 100 different standards 250 or more times each in any year would bring an exposure of $2.5 million for that year.
For knowingly obtaining or disclosing patient data in violation of HHS regulations, the penalties are $50,000 and one year in prison. If the infraction involves false pretenses, the penalties increase to $100,000 and five years in prison; if it involves commercial or personal gain or malicious harm, the penalties are $250,000 and 10 years in prison. This criminal exposure is both personal and corporate. There’s also potential substantial liability under state negligence or other tort principles premised on noncompliance with HIPAA standards.
Some providers expressed concern that the rule places an unreasonable burden on them to obtain consent from patients before disclosing medical information in almost any way. The requirement was strengthened from the original proposal so that now the patient must give written consent for just about any type of information release. Providers will have to retain the consent forms for a minimum of six years.