HIPAA is not always applicable to occ-health
Know what’s protected
[In the January issue, Occupational Health Management presented some of the privacy issues that can arise when dealing with employee health records. OHM editorial advisory board member Deborah V. DiBenedetto, MBA, BSN, COHN-S/CM, ABDA, FAAOHN, past president of the American Association of Occupational Health Nurses and a nationally recognized consultant on occupational health issues, provides more information on the relationship between the Health Insurance Portability and Accountability Act (HIPAA), employee health records, and the occupational health nurse.]
HIPAA’s privacy requirements, which went into effect in their current form in late 2002, can present challenges to the occ-health professional, because while HIPAA does not regulate employers or employment-related health or occupational health records, it does regulate the employer’s health benefit plan, according to DiBenedetto, a Michigan consultant.
"While workers’ compensation, occupational injury or illness evaluation, and employment-related medical records are exempt from HIPAA, there continues to be great concern about managing occupational health and related injury, since many physicians are refusing to release medical information, stating that HIPAA does not allow the release of protected health information [PHI]," she explains. "There are numerous reports of occupational health nurses and case managers who say they just cannot get the necessary medical information from doctors in their community, and they are spending inordinate amounts of time trying to navigate this issue."
HIPAA authorization important
DiBenedetto points out that a key tool for the occupational health professional who deals in employees’ PHI is a HIPAA-compliant authorization, which allows the exchange of medical information between an employee, his or her medical provider, and the occupational health professional. (See form.)
According to DiBenedetto, employers are entitled to know employees’ fitness for duty, their need for accommodation or restricted work, and what those restrictions are. The Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA) require that medical information be kept separate from an employee’s personnel file. Medical information also is to be kept confidential, and not used for other employment reasons or actions.
DiBenedetto explains that the ADA does allow medical information to be shared in three specific situations: Supervisors may be informed regarding necessary restrictions on the work or duties of an employee and necessary accommodations; first aid and safety personnel may be informed (when appropriate) if the employee’s physical or medical condition might require emergency treatment; and government officials investigating compliance with FMLA (or other pertinent law) shall be provided relevant information upon request.
HIPAA primarily impacts health care plans, health care clearinghouses, any health care provider who transmits any health information in electronic form (computer-to-computer transmission) in connection with a standard transaction as defined by HIPAA, and plan sponsors such as self-insured employers. The HIPAA standards apply to all individually identifiable health information — electronic or otherwise — for covered entities. DiBenedetto says occupational health professionals should remember that HIPAA does not protect their conversations with employers, supervisors, or anyone else unless the occ-health service is conducting HIPAA transactions. Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care.
The patient/individual may stipulate restrictions on uses and disclosures on the authorization form they sign. HIPAA requires providers and health plans to explain how employees’ PHI will be used, shared, and maintained. While the health plans may own the physical medical or health record, the individual owns his or her own PHI contained in the records — records maintained or transmitted in any format — paper, electronic, or any other media.
PHI and the occ-health professional
The treatment of employment-related medical records was addressed by HHS in the Aug. 14, 2003, Federal Register at 67 FR 53,192 (www.gpoaccess.gov/fr/index.html). HIPAA does not apply to medical records maintained by employers in the employment capacity. HIPAA does not apply to return-to-work notes; medical information provided to substantiate requests for employee benefits such as short-term disability, long-term disability, FMLA requirements, job accommodation requests, or medical information for compliance with ADA.
However, in the case of FMLA and ADA compliance, those laws mandate that medical information received by an employer for FMLA and ADA requests must be kept confidential, maintained separate and apart from employment or personnel files. Some employers have the occupational health service maintain ADA and FMLA medical information; otherwise, these records must be maintained in separate files, apart from the human resource record.
Third-party occupational health providers must determine if they meet the definition of a covered entity and should modify their policies and procedures to comply with HIPAA as appropriate. However, if a provider does not conduct HIPAA standard transactions, he or she will generally not be under HIPAA’s compliance umbrella.
Many occupational health professionals may also administer employer-based programs in which they handle, request, or exchange PHI in the course of their work activities. If the occupational health professional is part of the employer’s health plan or benefits staff, his or her activities will be regulated by HIPAA, and therefore must be firewalled off from the employer side so that the PHI is not disclosed to the employer without an employee authorization allowing the use of this information for nonplan purposes.
For more information, contact: