Prior to 1996 and the Health Insurance Portability Accountability Act, medical records were in paper form. With the realization that like every other business medical providers would go digital HIPAA was enacted. Since then in 2003 the HIPAA Security Rule was published and subsequently the HIPAA Enforcement Rule and Breach Notification Rule all in an effort to keep up with technology and meet the demand of patient privacy. In the workers’ compensation arena this means obtaining and securing medical information within the HIPAA rules.
HIPAA-Health Insurance Portability and Accountability Act of 1996.
HIPAA first came about from the need to create standards for the management of electronic medical records within the health care industry. Its purpose is to allow the safe transfer of medical information from one health insurance company to the next, and from one health care provider to another. The HIPAA Privacy Rule was finalized in 1999, and it requires safeguarding of patient information against unauthorized access and disclosure.
How are HIPAA and Workers’ Compensation linked?
HIPAA’s Privacy Rule allows workers’ compensation insurers, third-party administrators and some employers to obtain the necessary medical information to manage their workers’ compensation claims. Disclosure of medical information can vary from state to state, and in some instances you do not need a medical release/authorization whereas in others you do. The Privacy Rule for Workers’ Compensation is designed to provide the minimal necessary information needed to manage a claim. State laws allow for subpoenas to obtain full medical records when needed.
Workers’ compensation carriers and administrators typically send authorization release forms to injured employees upon the receipt and set up of a workers’ compensation claim just to ensure they are in full compliance with HIPAA and state laws.
There are States that require closer review:
California has the Confidentially of Medical Information Act (CMIA) which protects confidentiality of medical information limiting where the release of medical information is permissible. This Act requires any recipients of the medical information, insurers, administrators or employers to have a new authorization in order to pass on that information to another party. As an employer in California, it is permissible to obtain a work restriction from the insurer or administrator, but the physical report is to be kept separate and not shared with a supervisor. It is permissible to tell the worker’s supervisor what the restrictions are, if needed, to make reasonable accommodations but not to share the actual medical document.
Any medical records or reports and any information about an injured worker on medical bills are confidential. Medical providers are required to give medical records or documentation, needed to determine compensability to the insurance carrier. Additional records can be obtained by the injured worker or representative, the employer or insurer, for a fee.
Illinois has one of the most stringent state privacy laws but for the purposes of workers’ compensation, a consent to release information is required and the self-insured employer, carrier or claims administrator has the right to the medical records in order to pay benefits.
Indiana’s privacy law does require written consent from the patient to obtain health care information; and a copy of those records obtained must be provided to the patient upon request.
If an employee files a workers’ compensation claim, the employee is required to sign a waiver and consent related to the injury being claimed so medical records can be obtained.
In Texas the only parties to a workers’ compensation claim are the insurance carrier and the employee—not the employer. The employer does have the right to request the claim file, attend proceedings, contest compensability or the right to receive return to work coordination services as necessary.
The Wisconsin Workers Compensation Act (WCA) contains an automatic waiver of any patient-physician privilege (including chiropractor, psychologist, dentist or podiatrist) once a workers compensation claim is filed in respect to any condition or complaint that is reasonably related to that condition or claim.
With advances in genetic testing, a federal anti-discrimination statute took effect in 2009, The Genetic Information Nondiscrimination Act of 2008 (GINA). Genetic information is defined as information regarding a disease or disorder in family members, individual genetic testing or genetic testing of individual family members. It states an employer may never use this information to decide employability or any aspect of employment and prohibits harassment of an employee. It also prohibits employers from intentionally obtaining information. However, family medical history can be obtained as part of the certification process for FMLA.
In a workers’ compensation claim, if an insurer or employer is requesting medical information, the Act strongly recommends the following disclaimer on any medical authorization or release form:
The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of individuals or their family members. To comply with this law, we are asking you not to provide any genetic information when responding to this request for medical information. “Genetic information” that should not be disclosed pursuant to GINA includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, genetic information of a fetus carried by an individual or an individual’s family member, and genetic information of an embryo lawfully held by an individual or family member receiving assistive reproductive services. 29 C.F.R. §1635.8 (b)(1)(i)(B)
As you can see, there are a host of state laws. HIPAA rules are constantly being amended, but each governs who, what and when someone can receive medical information on an injured workers’ claim for benefits. For employers it is recommended you limit the information you receive to avoid violation of the HIPAA Privacy Rule and state laws.