October 23, 2015
A. HIPAA PURPOSE AND SCOPE
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted by the Department of Health and Human Services to provide national standards for electronic healthcare transactions and federal privacy protection for individually identified health information (45 CFR Parts 160 and 164). The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. The Privacy Rule
is balanced so that it permits the disclosure of health information needed for patient care and for other important purposes. The security rule specifies a series of administrative physical and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity and availability of electronic protected health information. A summary of the rule can be found at:
http://www.hhs.gov/ocr/privacy/HIPAA/understanding/coveredentities/workerscomp.html.
Individuals, organizations, and agencies that meet the definition of a “covered entity” under HIPAA must comply with the rules and requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a “covered entity” engages a business associate to help carry out its healthcare activities and functions, the covered entity must have a written business associate contractor or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the rules, requirements to protect that privacy and security of the protected health information. Business associates are directly liable for compliance with certain provisions of the HIPAA rules.
A “covered entity” means a health plan, health care clearing house, or health care provider. A covered entity may not use or disclose protected health information except as permitted or required by this rule. Thus every type of disclosure is prohibited except those listed
in the rule. A covered entity is permitted to use or disclose protected health information to the individual; for treatment, payment, or healthcare operations. Pursuant to and in compliance with an authorization, and in some other listed exceptions, a covered entity is required to disclose an individual’s protected health information to that individual when requested. (45 CFR 164.502,506, 608).
A “covered entity” must make reasonable efforts to limit the disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Exceptions to the minimum necessary rule include disclosures to or
requests by healthcare providers for treatment, uses or disclosure made to individuals, or uses or disclosure made pursuant to an authorization, and uses and disclosures required by law (45 CFR 164.502).
Workers’ compensation programs are a “health plan”, which is excluded under HIPAA through Workers’ Compensation programs are not required to abide by the rules to do the things listed. Basically, the rule says that it applies to “health plans” and then excludes from health plans “any policy, plan or program to the extent that it provides, or pays for the cost of benefits, that are excepted from coverage under the Public Health Services Act.” That Act excepts benefits under “Workers’ Compensation or similar insurance”.
Although Workers’ Compensation programs are not “covered entities”, medical providers are likely to require an authorization before disclosing health information. The authorization must meet all of the requirements of the HIPAA rule that would include description of the
information sought, purpose or use, identification of the person requesting the information, identification of the person or class of persons to whom the information will be provided, an expiration date for the disclosure and the signature of the individual.
HIPAA also provides that a “covered entity” may disclose protected health information as authorized by and to the extent necessary to comply with the laws relating to Workers’ Compensation or other similar programs established by law that provide benefits for work
related injuries or illness without regard to fault. (45 CFR 164.512). Most Workers’ Compensation programs follow the procedures required by the HIPAA regulations. Insurance companies and third party administrators often face decisions about how much information
should be passed on to the employers the “minimum necessary standard” would apply. The rule providing information to patients and colleagues for information needed for treatment and care a covered entity may not use or disclose protected health information except as permitted by the rules. An authorization may be revoked. Authorization cannot be expired and must be filled out completely.
The Privacy Rule is not intended to impede the flow of information to those who need it to process or adjudicate claims or coordinate care, or for injured or ill workers under Workers’ Compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit use and disclosure of as well as requests for protected health information, the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for Workers’ Compensation purposes under 45 CFR 164.512 the “minimum necessary” standard permits covered entities to disclose information to the full extent authorized by state or other law in addition where protected health information is required by a state workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the officials’ representation that the information requested is the
minimum necessary for the intended purpose. Covered entities may disclose the type and amount of information necessary to receive payment for any healthcare provided to an injured worker. A covered entity is permitted to disclose an individuals protected health information as is necessary to comply with and to the full extent authorized by Workers’ Compensation law.
The HIPAA administrative simplification regulations specifically exclude from the definition of a “health plan” any policy plan or program to the extent that it provides, or pays for the cost of excepted benefits, which are listed in Section 2791 of the Public Health Services Act,
42 USC, 300 GG-91(c)(1). As described in the statute, exempted benefits are one or more of the following: Coverage for accident, disability income insurance, or a combination thereof, coverage for supplement to liability insurance, liability insurance workers’ compensation or similar insurance, automobile medical payment insurance, credit only insurance, coverage for onsite medical clinics, other similar insurance coverage specified in regulations under which benefits for medical are secondary to or incidental to other insurance benefits.