The Health Insurance Portability and Accountability Act, better known as HIPAA, protects the privacy and security of patient health information. A common question from human resource managers has been what is the impact of HIPAA on an employer’s ability to collect employee health information for purposes of workers compensation, Family and Medical Leave Act (FMLA), and Americans with Disabilities Act (ADA) purposes?
While it is generally true that HIPAA does not apply to employers simply because they collect employee health information, HIPAA will affect employers in the process of obtaining this information because HIPAA usually applies to the health care entity from which the employer is seeking the information.
Under HIPAA, covered entities (most health care providers, health plans, and health care clearinghouses) may disclose protected patient health information only as permitted. Essentially, if HIPAA doesn’t say that a covered entity can disclose the information, they can’t.
Generally speaking, a covered entity has broad authority to disclose protected patient health care information for treatment purposes. From there on, the limitations on disclosure begin to stack up. With the exception of disclosures for treatment activities, most other disclosures are subject to the “minimum necessary” limitation embodied in HIPAA – the protected health information disclosed should be the minimum necessary to accomplish the purpose of the disclosure. (Which may explain why as an employer, you are not satisfied with the FMLA or ADA paperwork).
Covered entities may disclose protected health information in cases where the law requires such disclosures, but only to the extent that such disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law.
In the case of workers compensation, HIPAA Section 164.512(l) provides that a covered entity may disclose protected health information “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work related injuries.” As such, any disclosure would be subject to state law regarding workers compensation. There is no specific exception in HIPAA regarding disclosures for FMLA and ADA purposes. Therefore, covered entities usually require a valid patient authorization, pursuant to section 164.508, prior to disclosing employee protected health information to an employer for purposes of FMLA and ADA.
Virginia state law limits an employer’s re-disclosure of patient health information received. Virginia Code §32.1-127.1:03 provides that “no person to whom health records are disclosed shall redisclose or otherwise reveal the health records of an individual, beyond the purpose for which such disclosure was made, without first obtaining the individual’s specific authorization to such redisclosure.” Other provisions of state and federal law also may limit/prohibit redisclosure.
Some employers that are not covered entities, however, are directly subject to HIPAA for other reasons. Legislation which passed in 2009 as part of the American Reinvestment and Recovery Act, expanded HIPAA privacy and security requirements to a wide range of businesses. Now, HIPAA applies directly to businesses that receive, create, maintain, and/or transmit protected patient health information so that they can perform certain services on behalf of covered entities. These businesses are defined as “business associates” of covered entities under HIPAA. Business associates may be found non-compliant and subject to significant sanctions if they are not conforming to applicable provisions of the HIPAA Privacy and Security Rules.
Examples of business that now may be directly responsible for HIPAA compliance include data analysis, storage, and transmission services, legal and accounting services, billing and benefit management services, actuarial and claims processing services, and a whole host of other businesses that perform activities which require them to have access to patient health information in order to provide services for or on behalf of heath industry entities. Among other things HIPAA compliance means that these businesses will have to engage in physical, technical, and administrative activities to ensure the protection of patient health information from unauthorized access, use, or disclosure and that they will also have to comply with certain notification requirements in the event of a breach of patient health record security. Penalties for non-compliance can be substantial.
The Final Rule implementing changes to HIPAA as a result of this 2009 legislation was issued in January, 2013, with a compliance deadline of September 23, 2013.