HIPAA privacy reg mostly bypasses employee health
Electronic transactions are key to coverage
The Health Insurance Portability and Accountability Act (HIPAA), which became effective April 14, 2001, was created to give patients greater control over their personal health information. Health plans and health care providers who conduct certain financial and administrative transactions electronically must comply with its provisions by April 14, 2003.
In response to concerns about some aspects of the privacy rule, the Department of Health and Human Services (HHS) published some proposed modifications in March.
Deborah V. DiBenedetto, MBA, RN, COHN-S/CM, ABDA, an occupational health consultant based in Yonkers, NY, and president of the American Association of Occupational Health Nurses (AAOHN), analyzed the rule and shared her perspective with Hospital Employee Health on how the rule will impact employee health professionals. DiBenedetto will be leading HIPAA workshops sponsored by AAOHN.
Question: Does HIPAA specifically mention employee health and employers’ access to health information? Does it bolster safeguards to prevent unauthorized viewing of employee health records by supervisors and others?
Answer: HIPAA does not regulate employers, only health care plans, clearinghouses, and health care providers who transmit any health information in any electronic form in connection with transactions and those who receive, maintain, or disclose individual identifiable health information in any form or medium.
This includes oral, written, and electronic communications. It does provide safeguards for employees in that their personal health information (PHI) only can be released with their authorization. However, HIPAA’s preamble states that HHS has no problem, per se, with self-insured employers requiring, as a condition of employment, a signed authorization from the applicant/employee allowing the release of protected PHI for specific, stated purposes. For example, the authorization might include release of information for return-to-work planning, case management, health promotion activities, and referral to an outside provider.
The PHI must not be used for the purpose of hiring, promotion, etc. The PHI must not be misused or disclosed inappropriately.
Question: Are occupational health physicians and nurse practitioners defined as providers under HIPAA? Do they need to create new privacy notices for all employees to sign?
Answer: HIPAA does not regulate employers — although employers who are self-insured and sponsor group health plans are required to comply with HIPAA. Occupational health providers who work directly for these employers are health care providers, but they generally do not perform any of the covered transactions. Therefore, they are not health care providers under HIPAA’s definition of covered entities.
HIPAA transactions include:
- health claims or equivalent encounter data;
- enrollment/disenrollment;
- eligibility for a health plan;
- health claim payment and remittance advice;
- health plan premium payments;
- health claim status;
- referral certification and authorization;
- coordination of benefits.
In-house professionals are probably not covered under HIPAA unless they perform one of the covered transactions.
Workers’ comp excluded from HIPAA
Now, under the original rule, an additional covered transaction included "first reports of injury" (FROI). Workers’ compensation is excluded from HIPAA, but the FROI is generally issued prior to the claim being established by the workers’ compensation carrier.
HHS has stated that it will not be making further rulemaking on FROI as a covered transaction under HIPAA. State laws may have requirements in place that are more stringent than HIPAA, which must be reviewed for impact on the delivery of occupational health services and other health information. OSHA also regulates privacy of and access to occupational health records.
Question: Is there a distinction between records related to a specific occupational injury and those related to other employee complaints that may or may not be work-related, such as stress-related symptoms, headaches, or high blood pressure?
Answer: At this time, occupational records (workers’ compensation, OSHA-mandated surveillance, Department of Transportation fitness, and public health records such as communicable diseases) are not impacted by HIPAA.
Occupational health records maintained by employee health services/occupational health services also are excluded, unless there is a HIPAA-covered transaction involved in the care. For example, if billing for these services is made to commercial plans, employer-sponsored health care plans, Medicaid, etc., the records are covered.
Question: Will HIPAA place new limits on how much information employee health practitioners can share internally about individual cases or congregated data?
Answer: We always have used consents and releases for sharing relevant health care information as necessary. HIPAA-covered transactions at this time require an initial consent for treatment, payment, and operations (TPO).
There is a notice of proposed rulemaking that would change this to require only information being given to the patient about the covered entity’s privacy policies.
An authorization would still be required for additional disclosures outside of TPO.