Frequently asked questions --
Health Insurance Portability and Accountability Act (HIPAA)

The following questions and answers address regulations called Standards For Privacy of Individually Identifiable Health Information (the privacy rule), issued by the federal Department of Health and Human Services to implement the Health Insurance Portability and Accountability Act (HIPAA). The effective date for the privacy rule is April 14, 2003. There are links at the end of this page to additional resources, including the actual regulations and guidance materials developed by the Department of Health and Human Services, Office of Civil Rights.

Disclaimer: This series of questions and answers relates only to the impact of the Health Insurance Portability and Accountability Act (HIPAA) regulations on the Minnesota workers' compensation system. This document is a reference tool only and should not be construed as offering or providing legal advice. While the Department of Labor and Industry has made a good-faith effort to provide accurate and useful information, it makes no representation and accepts no liability for any reliance on the completeness or accuracy of this information. This information is not intended to take the place of either the written law or regulations. Readers are encouraged to read the referenced HIPAA rules and the Minnesota workers' compensation statutes and rules because this document contains only a summary of the relevant provisions. A link to the HIPAA Privacy Rule and other resources is provided at the end of this document.

Frequently asked questions -- Health Insurance Portability and Accountability Act (HIPAA)

1. What is HIPAA and why is it relevant to workers' compensation?

2. Who must comply with the HIPAA privacy standards?
The standards apply to "covered entities." [45 CFR 160.103] Covered entities include:

health care providers that transmit any "protected health information" in an electronic form;

health care clearinghouses (entities that process personal health information received from another entity to or from the standard format required for electronic transactions);

health plans (a plan that pays for the cost of health care, but excluding an entity that pays for workers' compensation benefits); and

business partners of any of the above entities.

The Workers' Compensation Division of the Minnesota Department of Labor and Industry (DLI) and workers' compensation payers are not HIPAA "covered entities" (unless a payer meets the definition of a covered entity for claims other than workers' compensation) and, therefore, are not subject to most of the HIPAA privacy standards. (But see questions six, seven and eight for situations where HIPAA does affect DLI and workers' compensation payers.)

However, it is important to remember that other laws continue to govern disclosure of private health information by the Department of Labor and Industry and Minnesota workers' compensation payers. These other laws include the Minnesota workers' compensation law, the Fair Information Reporting Act (Minnesota Statutes Ch. 72A.49 to 72A.505), the Minnesota Health Records Act (M.S. 144.291 to 144.298) [1], the Minnesota Data Practices Act (M.S. Ch. 13 applicable to government entities) and federal laws such as the Americans with Disabilities Act.

3. What is "protected health information" under HIPAA?

4. What limits does HIPAA place on disclosure of PHI by covered entities?

5. Under the HIPAA exceptions, what disclosures are permitted or required by Minnesota law without an injured workers' authorization?

6. When is an authorization required to disclose PHI for workers' compensation purposes?

7. When an authorization is required, what must it include?

8. What other HIPAA or Minnesota requirements might affect the workers' compensation system?

Frequently asked questions -- Health Insurance Portability and Accountability Act (HIPAA)
1.	What is HIPAA and why is it relevant to workers' compensation?
2.	Who must comply with the HIPAA privacy standards? The standards apply to "covered entities." [45 CFR 160.103] Covered entities include: health care providers that transmit any "protected health information" in an electronic form; health care clearinghouses (entities that process personal health information received from another entity to or from the standard format required for electronic transactions); health plans (a plan that pays for the cost of health care, but excluding an entity that pays for workers' compensation benefits); and business partners of any of the above entities. The Workers' Compensation Division of the Minnesota Department of Labor and Industry (DLI) and workers' compensation payers are not HIPAA "covered entities" (unless a payer meets the definition of a covered entity for claims other than workers' compensation) and, therefore, are not subject to most of the HIPAA privacy standards. (But see questions six, seven and eight for situations where HIPAA does affect DLI and workers' compensation payers.) However, it is important to remember that other laws continue to govern disclosure of private health information by the Department of Labor and Industry and Minnesota workers' compensation payers. These other laws include the Minnesota workers' compensation law, the Fair Information Reporting Act (Minnesota Statutes Ch. 72A.49 to 72A.505), the Minnesota Health Records Act (M.S. 144.291 to 144.298) [1], the Minnesota Data Practices Act (M.S. Ch. 13 applicable to government entities) and federal laws such as the Americans with Disabilities Act.
3.	What is "protected health information" under HIPAA?
4.	What limits does HIPAA place on disclosure of PHI by covered entities?
5.	Under the HIPAA exceptions, what disclosures are permitted or required by Minnesota law without an injured workers' authorization?
6.	When is an authorization required to disclose PHI for workers' compensation purposes?
7.	When an authorization is required, what must it include?
8.	What other HIPAA or Minnesota requirements might affect the workers' compensation system?