Company | Support | Contact Us
Privacy | Transactions and Code Sets | Security | Identifiers
HIPAA Navigator | HIPAA SLP | Manuals
Approach | Assessment | Implementation | Training | Evaluation | Maintenance
For Providers | For Health Plans | FAQ | Free Downloads
For Providers | For Health Plans | For Attorneys | For Security Professionals
subglobal7 link | subglobal7 link | subglobal7 link | subglobal7 link | subglobal7 link | subglobal7 link | subglobal7 link
subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link | subglobal8 link

Standards for Privacy of Individually Identifiable Health Information

DISCLOSURES FOR WORKERS’ COMPENSATION PURPOSES
[45 CFR 164.512(l)]

Background

The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent they may otherwise be covered entities. However, these entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. Generally, this health information is obtained from health care providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. Due to the significant variability among such laws, the Privacy Rule permits disclosures of health information for workers’ compensation purposes in a number of different ways.

How the Rule Works

Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:

  • As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. This includes programs established by the Black Lung Benefits Act, the Federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act. See 45 CFR 164.512(l).
  • To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
  • For purposes of obtaining payment for any health care provided to the injured or ill worker.

See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

Disclosures With Individual Authorization. In addition, covered entities may disclose protected health information to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has provided his or her authorization for the release of the information to the entity. The authorization must contain the elements and otherwise meet the requirements specified at 45 CFR 164.508.

Minimum Necessary. Covered entities are required reasonably to limit the amount of protected health information disclosed under 45 CFR 164.512(l) to the minimum necessary to accomplish the workers’ compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law.

In addition, covered entities are required reasonably to limit the amount of protected health information disclosed for payment purposes to the minimum necessary. Covered entities are permitted to disclose the amount and types of protected health information that are necessary to obtain payment for health care provided to an injured or ill worker.

Where a covered entity routinely makes disclosures for workers’ compensation purposes under 45 CFR 164.512(l) or for payment purposes, the covered entity may develop standard protocols as part of its minimum necessary policies and procedures that address the type and amount of protected health information to be disclosed for such purposes.

Where protected health information is requested by a State workers’ compensation or other public official, covered entities are permitted to reasonably rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).

Covered entities are not required to make a minimum necessary determination when disclosing protected health information as required by State or other law, or pursuant to the individual’s authorization. See 45 CFR 164.502(b).

The Department will actively monitor the effects of the Privacy Rule, and in particular, the minimum necessary standard, on the workers’ compensation systems and consider proposing modifications, where appropriate, to ensure that the Rule does not have any unintended negative effects that disturb these systems.

Refer to the fact sheet and frequently asked questions on this web site about the minimum necessary standard, or to 45 CFR 164.502(b) and 164.514(d), for more information.


--------------------------------------------------------------------------------

DISCLOSURES FOR WORKERS’ COMPENSATION PURPOSES

Frequently Asked Questions

Q: Won’t the HIPAA Privacy Rule’s minimum necessary standard impede the ability of workers’ compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under the State workers’ compensation system?

A: No. The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers’ compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).

For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.

The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual’s authorization.

Q: Does an individual have a right under the HIPAA Privacy Rule to restrict the protected health information his or her health care provider discloses for workers’ compensation purposes?

A: Individuals do not have a right under the Privacy Rule at 45 CFR 164.522(a) to request that a covered entity restrict a disclosure of protected health information about them for workers’ compensation purposes when that disclosure is required by law or authorized by, and necessary to comply with, a workers’ compensation or similar law. See 45 CFR 164.522(a) and 164.512(a) and (l).

Q: Does the HIPAA Privacy Rule permit a health care provider to disclose an injured or ill worker’s protected health information without his or her authorization when requested for purposes of adjudicating the individual’s workers’ compensation claim?

A: Covered entities are permitted to disclose protected health information for such purposes as authorized by, and to the extent necessary to comply with, workers’ compensation law. See 45 CFR 164.512(l). In addition, the Privacy Rule generally permits covered entities to disclose protected health information in the course of any judicial or administrative proceeding in response to a court order, subpoena, or other lawful process. See 45 CFR
164.512(e).

Q: I am a health care provider and my State law says I have to provide a workers’ compensation insurer, upon request, with an injured workers’ records that relate to treatment or hospitalization for which compensation is being sought. Am I permitted to disclose the information required by my State law?

A: Yes. The HIPAA Privacy Rule permits a covered entity to disclose protected health information as necessary to comply with State law. No minimum necessary determination is required. See 45 CFR 164.512(a) and 164.502(b).

Q: My State law says I may disclose records, relating to the treatment I provided to an injured worker, to a workers’ compensation insurer for purposes of determining the amount of or entitlement to payment under the workers’ compensation system. Am I allowed to share this information under the HIPAA Privacy Rule?

A: Yes. A covered entity is permitted to disclose an individual’s protected health information as necessary to comply with and to the full extent authorized by workers’ compensation law. See 45 CFR 164.512(l).

Q: My State law says I may provide information regarding an injured workers’ previous condition, which is not directly related to the claim for compensation, to an employer or insurer if I obtain the workers’ written release. Am I permitted to make this disclosure under the HIPAA Privacy Rule?

A: A covered entity may disclose protected health information where the individual’s written authorization has been obtained, consistent with the Privacy Rule’s requirements at 45 CFR 164.508. Thus, a covered entity would be permitted to make the above disclosure if the individual signed such an authorization.

 

Go to TOP

NOTICE OF PRIVACY PRACTICES

Privacy Policy | Legal Notice | ©2001-2008 HIPAAssociates, Inc.