The Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule" or the "standards") represent the most comprehensive federal regulations protecting the confidentiality of health information to date.
Although the standards may be modified somewhat before the rule is finalized, the revisions largely will iron out identified "glitches" in the rule without changing the real substance or timing of the regulations. That said, the time has come for occupational safety and health professionals to develop a basic familiarity with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule so they can assess the impact of the regulations on their occupational health programs.
The Privacy Rule is the second of three sets of regulations required under the Administrative Simplification provisions of HIPAA.1 Those provisions are intended to increase and standardize the electronic transmission of data throughout the health care system. The first set of HIPAA regulations - the Standards for Electronic Transactions - establishes uniform coding conventions and record formats across all payer types for many electronic transactions central to the processing of health care claims and health plan enrollment. Once it is promulgated as a final rule, the third set of HIPAA regulations will implement the Security and Electronic Signature Standards. These standards will set minimum requirements for protecting the physical integrity, accessibility and confidentiality of data maintained or transmitted electronically.
Uses and Disclosuresby Covered Entities
Despite the e-commerce focus of the other two HIPAA regulations, the Privacy Rule governs the use and disclosure of individually identifiable health information transmitted or maintained in any form or medium - paper or electronic - but only by individuals and organizations defined as "covered entities" under the rule. Those covered entities include (1) individual or group health plans such as Medicare, Medicaid and most employer-sponsored health benefit plans; (2) businesses called health care clearinghouses that translate nonstandard transactions into HIPAA-standard formats or vice versa; and (3) those health care providers, either individuals or organizations, that transmit individually identifiable health information electronically in connection with HIPAA-standard transactions. Employers per se are not covered entities, but any part of a company that engages in the functions that define a covered entity will have to comply with applicable HIPAA rules and be firewalled off from the rest of the business.
Except in certain specifically defined situations where public policy considerations dictate more liberal rules, the Privacy Rule requires a covered entity to get an individual's written permission to use or to disclose any health information about the person that contains data that identify or could reasonably be used to identify the subject of the information. Occupational health nurses and physicians often have broad access to employee health information because they conduct wellness initiatives, provide case management services to workers who have suffered on-the-job injuries, operate fitness-for-duty programs and furnish hands-on treatment in onsite clinics.
Regardless, few occupational health professionals employed at worksites and few onsite employee clinics will be covered entities when the Privacy Rule takes effect, because they do not bill payers electronically for their services or engage in any of the other electronic transactions defined to date under the Electronics Transactions Rule. Although this situation could change, because HIPAA contemplates standardization of the transactions used to file first reports of injury, it is unlikely that the Department of Health and Human Services will finalize such a rule any time soon because of stiff opposition from the property and casualty insurers lobby.
Community-based occupational health providers who work in private practice as well as under contract to employers are less likely to escape the reach of the Privacy Rule. If these providers use the HIPAA standard transactions to bill patient services electronically, they will be covered entities responsible for complying with the Privacy Rule in their practices.
Workers' Compensation Plans
Workers' compensation plans are not considered health plans under the Privacy Rule definitions. As a result, they are not covered entities subject to the standards. Thus, "comp" carriers will be able to continue sharing employee health information with the employers they insure to the extent permitted by applicable state workers' compensation laws, even after the Privacy Rule goes into effect. Because employers per se are not covered entities either, the standards will not restrict their use of employee health information obtained through their comp carrier as long as the carrier does not attempt to communicate the information to the employer indirectly through a health care provider who is a covered entity.
One of the public policy exceptions in the Privacy Rule permits, but does not require, all covered entities to disclose, without obtaining an authorization from the injured employee, "protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault." When the governing workers' compensation laws do not define the scope of health information that covered entities may share with workers' compensation carriers and/or employers without authorization, covered entities are expected to determine what information is needed through discussions with the carrier. The covered entity should limit the release of information to the minimum amount necessary to permit claims adjudication.
Because of the discretionary nature of the exception permitting the release of protected health information without employee permission for workers' compensation purposes and the variability in state workers' compensation laws, employers and carriers should remain prepared to accommodate demands from community providers for authorizations for medical records releases from employees who have suffered on-the-job injuries. Disclosures made pursuant to HIPAA-compliant authorizations2 must be limited to the data specified in the authorization regardless of whether a broader release would be permissible under the public policy exception.
Medical Surveillanceand OSHA/MSHA Reporting
Another public policy exception permits, but again does not require, health care providers subject to the Privacy Rule to release employee health information to an employer without obtaining an authorization, if certain conditions are met. Specifically, the provider must be employed by the company or working at the company's request. Also, the information disclosed must be relevant to and used by the employer for an evaluation relating to medical surveillance of the workplace, to determine whether the employee has a work-related illness or injury, or to comply with OSHA or MSHA recordkeeping requirements. Finally, the employee must have advance notice about what information will be released to the employer and why. Unless the health care provider sees the employee at a worksite clinic where a prominently placed sign explains what health information will be collected and how it will be used, the provider must satisfy the notice requirement by giving the employee a written explanation at the time care is furnished.
It is important for employers to recognize that this provision of the Privacy Rule applies only to health care providers and not to all types of covered entities. Employers may not tap databases available to them because of their sponsorship of an employee health benefit plan subject to the standards without an employee authorization. In addition, employers should expect many contract health care providers working in their offices to forego use of the exception and to insist upon an authorization from the employee before they turn over any protected health information. Although such demands for authorizations may be viewed as an administrative burden, the preamble to the Privacy Rule makes it clear that employers have a right to force their employees to sign such authorizations by making doing so a condition of employment.
In general, the Privacy Rule does not let covered entities condition treatment or health plan enrollment and coverage on an individual authorizing the use or disclosure of protected health information for purposes other than treatment, payment or health care operations. A covered entity, however, may condition the provision of health care to an individual on his or her authorizing disclosure of the information gathered to a third party when the sole purpose for performing an assessment, which is considered treatment under the Privacy Rule, and creating the protected health information is to benefit that party.
As a result, health care providers who are covered entities under the Privacy Rule may continue to condition the performance of drug tests or fitness-for-duty examinations conducted after an employer has made a job offer or before an employer allows an employee to return to work after an extended illness or injury on obtaining the employee's authorization to disclose the results of the test or exam to the employer. Employers also may continue to require applicants and employees to subject themselves to such examinations and to authorize the release of examination findings so long as they do not request or use protected health information in violation of other applicable laws such as the Americans with Disabilities Act of 1990 ("ADA") or other anti-discrimination laws.
Occupational Health and Safety Databases
Employers who use or plan to use health data gathered through their employee health benefit plan for occupational health and safety purposes will face substantial hurdles under the Privacy Rule. Employer-sponsored health benefit plans covering 50 or more employees or managed by third-party administrators are covered entities under the Privacy Rule. If the health plan is fully insured or self-insured but operated entirely by a third-party administrator, the rule limits an employer's access to plan participants' health information without authorization to summary health data (information that summarizes claims history, claims expenses or types of claims experience, with personal identifiers removed). The rule also specifies that the information may be used only to rebid, redesign or terminate the plan.
The standards impose more restrictions on employers who choose to be more involved in the operation of self-insured plans. When employers handle ongoing plan tasks such as claims adjudication or they take on responsibility for the resolution of certain high-level, expensive plan decisions such as appeals of coverage denials, the Privacy Rule imposes more restrictions.
In addition to requiring the employer to explain its role in the summary plan documents that must be made available to employees under the Employment Retirement Income Security Act, the standards stipulate that the employer must build firewalls around those members of its staff involved in plan operations. This is intended to ensure that employee health data is not used for employment-related actions, such as hiring, firing or promotion, or for decision-making in connection with other employee benefit plans, such as life insurance or long-term disability coverage.
In addition, the health plan also must comply with all other requirements of the Privacy Rule. In contrast to the situation with health care providers subject to the standards, those requirements do not permit health plans to release information for medical surveillance or OSHA/MSHA recordkeeping purposes without obtaining an employee authorization.
Twenty-Four-Hour Coverage Plans
"Twenty-four-hour coverage plans," whether insured or self-insured, will present special challenges under the Privacy Rule. Because they are hybrid entities, having a health care component that is subject to the standards and a workers' compensation component that is not, protected health information will no longer be allowed to flow freely between the two components of a 24-hour coverage plan once the Privacy Rule takes effect. Rather, firewalls will have to be implemented to ensure that data gathered through the health plan component is not released to the workers' compensation component except to the extent authorized by and to the extent necessary to comply with the state workers' compensation law.
Conclusion
The public has indicated a continual worry about employers' use of employee health information. The Privacy Rule will do little to address this concern. The standards' limited definition of covered entity means that employer access to occupational safety and health records created or maintained in the workplace by occupational safety and health professionals is not significantly restricted. Similarly, the Privacy Rule will have limited impact on the interaction between workers' comp carriers and the health professionals who treat employees injured on the job.
Employers should be prepared, however, for community-based health care professionals, who are covered entities, to request employee authorizations before disclosing health information. Finally, employers should be aware that the Privacy Rule makes no changes in an employer's obligations under the ADA.
About the authors: Larri Short and Eileen Kahaner are attorneys with Arent Fox Kintner Plotkin & Kahn, PLLC, in Washington. Short represents a professional association for occupational safety and health professionals and, because of that representation, has long been an active participant in the federal debate over medical records privacy. Short and Kahaner also counsel clients in HIPAA compliance matters. They can be reached at (202) 857-6000.