The following questions and answers address regulations called Standards For Privacy of Individually Identifiable Health Information (the privacy rule), issued by the federal Department of Health and Human Services to implement the Health Insurance Portability and Accountability Act (HIPAA). The effective date for the privacy rule is April 14, 2003. There are links at the end of this page to additional resources, including the actual regulations and guidance materials developed by the Department of Health and Human Services, Office of Civil Rights.
This series of questions and answers relates only to the impact of the Health Insurance Portability and Accountability Act (HIPAA) regulations on the Minnesota workers' compensation system. This document is a reference tool only and should not be construed as offering or providing legal advice. While the Department of Labor and Industry has made a good-faith effort to provide accurate and useful information, it makes no representation and accepts no liability for any reliance on the completeness or accuracy of this information. This information is not intended to take the place of either the written law or regulations. Readers are encouraged to read the referenced HIPAA rules and the Minnesota workers' compensation statutes and rules because this document contains only a summary of the relevant provisions. A link to the HIPAA Privacy Rule and other resources is provided at the end of this document.
HIPAA is an acronym that stands for a federal law, enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA). One of the goals of HIPAA was to simplify the health care administrative process by standardizing electronic transactions in the health care industry. Another goal was to provide a comprehensive national standard for the privacy and security of personal health information.
The HIPAA Privacy Rule is important because "covered" health care providers, including those that treat employees with workers' compensation injuries, are required to comply with its requirements. The privacy rule recognizes the legitimate need of employers, insurers and other entities involved in workers' compensation to have access to protected health information (PHI) as authorized by state or other law, but there are still indirect effects on the workers' compensation system.
The standards apply to "covered entities." [45 CFR 160.103] Covered entities include:
health care providers that transmit any "protected health information" in an electronic form;
health care clearinghouses (entities that process personal health information received from another entity to or from the standard format required for electronic transactions);
health plans (a plan that pays for the cost of health care, but excluding an entity that pays for workers' compensation benefits); and
business partners of any of the above entities.
The Workers' Compensation Division of the Minnesota Department of Labor and Industry (DLI) and workers' compensation payers are not HIPAA "covered entities" (unless a payer meets the definition of a covered entity for claims other than workers' compensation) and, therefore, are not subject to most of the HIPAA privacy standards. (But see questions six, seven and eight for situations where HIPAA does affect DLI and workers' compensation payers.)
However, it is important to remember that other laws continue to govern disclosure of private health information by the Department of Labor and Industry and Minnesota workers' compensation payers. These other laws include the Minnesota workers' compensation law, the Fair Information Reporting Act (Minnesota Statutes Ch. 72A.49 to 72A.505), the Minnesota Health Records Act (M.S. 144.291 to 144.298), the Minnesota Data Practices Act (M.S. Ch. 13 applicable to government entities) and federal laws such as the Americans with Disabilities Act.
Protected health information (PHI) means individually identifiable health information maintained or transmitted in any form, whether electronically, on paper or orally. However, PHI excludes individually identifiable health information in employment records kept by a covered entity in its role as an employer (such as OSHA 300 logs or First Report of Injury forms completed by an employer for reporting purposes). [45 CFR 164.501]
The general rule under HIPAA is that a health care provider or other covered entity may not use or disclose protected health information to anyone except as permitted or required by the rules. The rules permit disclosures: to the individual who is the subject of the data; for the treatment, payment or health care operations specified in the rules; pursuant to a valid authorization from the individual whose records are being disclosed; or when the HIPAA rules provide an exception that allows the use or disclosure without employee authorization. [45 CFR 164.502] Under the exceptions most relevant to workers' compensation, patient authorization is not required if the use or disclosure is:
required by law [45 CFR 164.512(a)];
for judicial and administrative proceedings [45 CFR 164.512(e)]; and
for workers' compensation [45 CFR 164.512 (l)]: "A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault."
Each of the above exceptions applies only if the criteria set forth in the referenced HIPAA rules are satisfied and only to the extent that Minnesota (or other federal) law also permits or requires the disclosure without authorization.
A health care provider may disclose PHI without employee authorization to the employee, the employer or the workers' compensation payer who are parties to a Minnesota workers' compensation claim under M.S. Ch. 176, or to the Department of Labor and Industry, in the following circumstances:
Health care providers must provide existing written medical data related to a current claim for workers' compensation, under the Minnesota workers' compensation law, within seven days of a request from the employer, insurer, employee or DLI. [M.S. 176.138(a)]
Health care providers must provide reports of injuries and supplementary reports to DLI as required under M.S. 176.231.
Health care providers are permitted to release in writing, by telephone discussion or otherwise, medical data related to a current claim for Minnesota workers' compensation to the employee, employer or insurer who are parties to the claim, or to the Department of Labor and Industry, without prior approval of any party to the claim. [M.S. 176.138 (a)]
Health care providers must complete and submit the information on a Health Care Provider Report form and a Report of Work Ability form within 10 days of a request from the employer, insurer, employee or DLI. [M.S. 176.231 and Minn. Rules part 5221.0410]
Health care providers must respond within 10 calendar-days to a request by the employee, employer or insurer regarding whether the physical requirements of a proposed job are within the employee’s restrictions. [M.S. 176.231 and Minn. Rules, part 5221.0420]
Health care providers, except hospitals, must supply payers, along with the bill, an "appropriate record that adequately documents the service and substantiates the nature and necessity of the service or charge. Hospitals must submit an appropriate record upon request by the payer." [M.S. 176.135 and Minn. Rules, part 5221.0700]
Note: The above provisions apply only to claims governed by the Minnesota workers' compensation law. They do not apply to or authorize release of medical records for claims under any other state or federal workers' compensation laws. Read Release of workers' compensation medical records under Minnesota and federal workers' compensation programs (PDF) for more information about release of records under other laws.
An authorization to disclose PHI is required in the following circumstances.
Medical data that is not directly related to a current injury or disability under the Minnesota workers' compensation law shall not be released without prior authorization of the employee. [M.S. 176.138 (b)
Workers' compensation medical data may not be released without employee authorization to anyone other than the Department of Labor and Industry or a party to a current claim for compensation under the Minnesota workers' compensation law (the employee, employer or insurer). [M.S. 176.138 (a)
A qualified rehabilitation consultant (QRC) must obtain written authorization from an employee before communicating with a health care provider about the employee. [Minn. Rules, part 5220.1802, subd. 5] Notwithstanding the workers' compensation exception to the HIPAA requirements, psychotherapy notes may not be disclosed without authorization unless required by law or otherwise authorized by the HIPAA rules. [45 CFR 164.508]
The authorization must contain all the elements and otherwise meet the requirements specified in the HIPAA rules. [45 CFR 164.508] The following is a summary of the elements and statements that are required to be included in an authorization under the HIPAA rules:
the information to be used or disclosed;
the names of the person(s) authorized to disclose, receive and use the information;
the purpose of the use or disclosure;
an expiration date or event;
the dated signature of the individual;
statements concerning the right to revoke the authorization in writing; the ability or inability to condition treatment, payment or eligibility for benefits on the authorization; and the potential for re-disclosure of the data.
The authorization must be in plain language. Additional requirements apply for compound authorizations. Authorizations must not only comply with the above HIPAA requirements, but also must comply with applicable requirements and time frames in the Minnesota Health Records Act and M.S. 72A.501.
Verification of identity: A covered entity must verify the identity and authority of a person requesting protected health information if the identity or authority is not known to the covered entity. A covered entity may rely on a written request on appropriate government letterhead and a written statement (or oral statement if a written one is impracticable) of the public official's legal authority under which the information is requested. [45 CFR 164.514 (h)]
Minimum necessary disclosure: Unless a disclosure is required by law or authorized by the individual, a health care provider or other covered entity is required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. A health care provider is permitted under HIPAA to reasonably rely on a public official's representations that the information requested is the minimum necessary for the intended purpose. [45 CFR 164.502 (b) and 164.514 (d)]
Documentation of release: When a provider releases health records without the injured worker's consent in the circumstances described in question five, the health care provider must document the release in the person's health record. [M.S. 144.335, sub. 3a(h)]