One of the most important aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is its privacy protection. The law gave the U.S. Department of Health and Human Services the responsibility of adopting rules to help patients and other health care consumers keep as much of their personal information private as possible. The HIPAA privacy rule applies to "covered entities", and even though employers are generally not covered entities, they are definitely affected by the rules applying to entities that are covered. The HIPAA privacy rule Web site from HHS (https://www.hhs.gov/hipaa/index.html/) has much guidance on the rule, including a very lengthy Q & A section that attempts to cover the privacy rule from the standpoint of covered entities, employers, health care consumers, health care providers, and other interested parties.
This article presents basic information about the HIPAA privacy rule in question and answer format and is specifically focused on the most important things that employers need to know about how the privacy rule will affect them.
What is the primary purpose of the HIPAA privacy rule?
The rule protects from unauthorized disclosure any personally-identifiable health information (protected health information, or PHI) that pertains to a consumer of health care services.
What is considered "personally-identifiable health information"?
Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; under 45 C.F.R. § 160.103, it generally includes the following, whether in electronic, paper, or oral format:
What is a covered entity?
The privacy rule applies to health plans, health care clearinghouses, and health care providers. It applies to employers only to the extent that they somehow operate in one or more of those capacities. The same standards apply to covered entities in both the public and private sectors.
How might an employer be a covered entity?
Normally, an employer will only deal with covered entities, not actually be one. However, if an employer has any kind of health clinic operations available to employees, or provides a self-insured health plan for employees, or acts as the intermediary between its employees and health care providers, it will find itself handling the kind of PHI that is protected by the HIPAA privacy rule.
What must covered entities do to protect consumers of health care?
Covered entities must adopt written PHI privacy procedures; designate a privacy officer; require their business associates to sign agreements respecting the confidentiality of PHI; train all of their employees in privacy rule requirements; give patients written notice of the covered entities' privacy practices and access to their medical records; a chance to request modifications to the records; a chance to request restrictions on the use or disclosure of their information; a chance to request an accounting of any use to which the PHI has been put; and a chance to request alternative methods of communicating information. They must also establish a process for patients to use in filing complaints and for dealing with complaints. Finally, they must take any measures necessary to see that PHI is not used for making employment or benefits decisions, marketing, or fundraising.
What do the written privacy procedures include?
A covered entity's written privacy procedures must include safeguards for administration of PHI, physical security of such information, and electronic and other types of technical security. The procedures should include the designation of a privacy officer and an explanation of the complaint and resolution process.
When is patient authorization necessary?
Under 45 C.F.R. § 164.506(c), patient authorization is not necessary if a disclosure is made for purposes of treatment, securing payment, or in accordance with the operations of a health care provider. If PHI is to be disclosed for any other purpose, the patient's written authorization is mandatory.
When disclosing PHI, what must a covered entity do?
Whether the PHI must be authorized or does not need to be authorized, the covered entity must always release only as much information is necessary to address the need of the entity requesting the information (what the regulation refers to as the "minimum necessary" information to satisfy the inquiry).
What penalties apply to violations of privacy rule requirements?
There are civil penalties of $100 per violation, but the penalties can be "stacked" if there are multiple violations with respect to a single individual. The maximum civil penalties are $25,000 per year, per person, per standard. Thus, if two standards were violated with respect to one person, the potential penalties could mount to as much as $50,000. Criminal penalties (up to a $250,000 fine and ten years in prison) may be imposed for "knowingly and improperly" disclosing information or obtaining information under "false pretenses", with higher penalties reserved for violations designed for financial gain or "malicious harm". In addition, of course, state laws may impose additional penalties for the same offenses, and most states would also allow common-law suits for torts such as invasion of privacy and infliction of emotional distress, among other causes of action. In November, 2004, a federal district court sentenced a former employee of a Seattle, Washington cancer clinic to 16 months in prison under the criminal penalty provisions of HIPAA after he admitted he used a patient's birthdate and SSN information to fraudulently obtain four credit cards in the patient's name and charge over $9,000 in goods.
Are there any exceptions to the privacy rule?
It is possible to disclose PHI without authorization if there is a compelling need for disclosure, such as when the information is needed for public health situations, court and agency proceedings (such as workers' compensation claim proceedings - see below), agency requirements (such as OSHA 300 logs - see OSHA Standards Interpretation Letter, August 2, 2004, https://www.osha.gov/laws-regs/standardinterpretations/2004-08-02), law enforcement, emergencies, identification of deceased people, and national security-related situations (see 45 CFR § 164.512(a, e, and l)).
OSHA Logs and HIPAA
In an OSHA Standards Interpretation letter dated August 2, 2004, OSHA held that the HIPAA privacy rule does not require employers to remove names of injured employees from the OSHA 300 log. This is due to the exception under HIPAA for records that are required by law. Since the OSHA 300 log is a required record, employers have no choice but to include all necessary information on it, including the employees' name and injury information. See the OSHA letter at the following address:
Workers' Compensation and HIPAA
There is no problem with employers, workers' compensation insurance carriers, physicians, and other participants in the workers' compensation system sharing protected health information with each other in connection with workers' compensation claims and appeals. HIPAA specifically allows three exemptions for workers' compensation-related matters:
What about state laws?
The HIPAA privacy rule establishes a national minimum standard. If a state law provides greater privacy protections, the state law must be observed. As it happens, the equivalent Texas state law (Texas Health and Safety Code, Chapter 181 - online at https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm), applies to more types of entities, requires consent for treatment, and otherwise provides similar protections. Since the Texas law defines "covered entity" as anyone who has any role at all in the production, gathering, storing, processing, or transmittal of PHI, as well as anyone who comes into possession of such information, some have argued that any employer who finds out or stores information relating to the medical condition of employees is covered under the law. However, the same state law provides that employers are not covered entities except with respect to reidentification of protected health information and use of PHI for marketing purposes (Texas Health & Safety Code, Section 181.051(3)). Nevertheless, Texas employers and their employees should be careful in how they deal with medical privacy issues in their workplaces. The regulations adopted by the Texas Department of Insurance for medical information privacy provide some guidance (28 T.A.C. Part 1, Chapter 22, Subchapter B). The exceptions for covered entities are found in TDI rule 28 T.A.C. § 22.57. However, since there have been no court decisions issued yet under that 2001 law or the regulations, employers should seek the guidance of qualified legal counsel if they have an unusual medical information privacy issue.
Under Texas Labor Code §§ 402.082 - 402.092, information relating to workers' compensation claims is confidential and may be released only under very restricted circumstances, and unauthorized disclosure of such information may result in criminal penalties, as provided in § 402.091. There is an exception in § 402.092(b)(4) for disclosures to government agencies for legal compliance purposes, including responses to unemployment claims.
The general wisdom applies here: when in doubt, keep the information as private and confidential as possible, and ask for the affected employee's written authorization to release it (to obtain a HIPAA-compliant waiver from employees, engage private legal counsel experienced in HIPAA issues - this is no area for a non-specialist).
For a sample employee policy dealing with the confidentiality of health-related information, click here.
Return to Businesses & Employers
Return to TWC Home