HIPAA Blog

[ Monday, January 03, 2005 ]

 

HIPAA and law enforcement: Another newspaper story about HIPAA and law enforcement, this time in Oregon. See if you can spot what's wrong with it.

Jeff [9:29 AM]

Comments:
I think that's my first comment. Ever. I tried to set the blog up for comments several times, but it never seemed to take. I guess it finally did. Thanks, Leon.

But I would note that it's a little more complicated than that. First, there's the issue of "authorized by and to the extent necessary to comply with" language. What exactly is encompassed by that language isn't entirely clear. Secondly, the regulatory text simply states that a covered entity may disclose the information for those purposes; the covered entity is not otherwise exempt from HIPAA just because it's doing workers' comp work, and the fact that a particular patient is a workers' comp patient doesn't otherwise relieve the covered entity of maintaining the privacy and confidentiality of the patient's PHI. Rather, if the provider wants to make a disclosure that is "authorized by" state workers' comp laws and is "necessary to comply with" state workers' comp laws, the provider may make the disclosure. But the provider is not required to do so, and need not make the disclosure simply because the employer asks for it. The best advice depends on your state's laws, but if the state law requires the disclosure (for example, a disclosure to the state workers' comp commission), go ahead and do it, but if you have any questions, get the patient's authorization first. Of course, you can tell the patient that the only way his employer is going to pay for it is if the disclosure is made, and the employee will be expected to make payment himself if he won't authorize; that should be sufficient to get the authorization you otherwise need.
 