[ Monday, January 03, 2005 ]


HIPAA and law enforcement: Another newspaper story about HIPAA and law enforcement, this time in Oregon. See if you can spot what's wrong with it.

Jeff [9:29 AM]

Due to numerous questions concerning the obtaining of medical records and the privacy regulations of HIPAA that went into effect on April 14, 2003, I want to point out that HIPAA provides an exception for workers compensation. Standard Disclosure for Workers Compensation. A covered entity may disclose protected by health information as authorized by and to the extent necessary to comply with the laws related to workers compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses without regard to fault.

Workers Compensation Law
I think that's my first comment. Ever. I tried to set the blog up for comments several times, but it never seemed to take. I guess it finally did. Thanks, Leon.

But I would note that it's a little more complicated than that. First, there's the issue of "authorized by and to the extent necessary to comply with" language. What exactly is encompassed by that language isn't entirely clear. Secondly, the regulatory text simply states that a covered entity may disclose the information for those purposes; the covered entity is not otherwise exempt from HIPAA just because it's doing workers' comp work, and the fact that a particular patient is a workers' comp patient doesn't otherwise relieve the covered entity of maintaining the privacy and confidentiality of the patient's PHI. Rather, if the provider wants to make a disclosure that is "authorized by" state workers' comp laws and is "necessary to comply with" state workers' comp laws, the provider may make the disclosure. But the provider is not required to do so, and need not make the disclosure simply because the employer asks for it. The best advice depends on your state's laws, but if the state law requires the disclosure (for example, a disclosure to the state workers' comp commission), go ahead and do it, but if you have any questions, get the patient's authorization first. Of course, you can tell the patient that the only way his employer is going to pay for it is if the disclosure is made, and the employee will be expected to make payment himself if he won't authorize; that should be sufficient to get the authorization you otherwise need.
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template