The following questions and answers address regulations called Standards For Privacy of Individually Identifiable Health Information (the privacy rule), issued by the federal Department of Health and Human Services to implement the Health Insurance Portability and Accountability Act (HIPAA). The effective date for the privacy rule is April 14, 2003. There are links at the end of this page to additional resources, including the actual regulations and guidance materials developed by the Department of Health and Human Services, Office of Civil Rights.
Disclaimer: This series of questions and answers relates only to the impact of the Health Insurance Portability and Accountability Act (HIPAA) regulations on the Minnesota workers' compensation system. This document is a reference tool only and should not be construed as offering or providing legal advice. While the Department of Labor and Industry has made a good-faith effort to provide accurate and useful information, it makes no representation and accepts no liability for any reliance on the completeness or accuracy of this information. This information is not intended to take the place of either the written law or regulations. Readers are encouraged to read the referenced HIPAA rules and the Minnesota workers' compensation statutes and rules because this document contains only a summary of the relevant provisions. A link to the HIPAA Privacy Rule and other resources is provided at the end of this document.
Frequently asked questions -- Health Insurance Portability and Accountability Act (HIPAA)

1. What is HIPAA and why is it relevant to workers' compensation?
2. Who must comply with the HIPAA privacy standards?
3. What is "protected health information" under HIPAA?
4. What limits does HIPAA place on disclosure of PHI by covered entities?
5. Under the HIPAA exceptions, what disclosures are permitted or required by Minnesota law without an injured worker's authorization?
6. When is an authorization required to disclose PHI for workers' compensation purposes?
7. When an authorization is required, what must it include?
8. What other HIPAA or Minnesota requirements might affect the workers' compensation system?

Verification of identity: A covered entity must verify the identity and authority of a person requesting protected health information if the identity or authority is not known to the covered entity. A covered entity may rely on a written request on appropriate government letterhead and a written statement (or oral statement if a written one is impracticable) of the public official's legal authority under which the information is requested. [45 CFR 164.514 (h)]

Minimum necessary disclosure: Unless a disclosure is required by law or authorized by the individual, a health care provider or other covered entity is required to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. A health care provider is permitted under HIPAA to reasonably rely on a public official's representations that the information requested is the minimum necessary for the intended purpose. [45 CFR 164.502 (b) and 164.514 (d)]

Documentation of release: When a provider releases health records without the injured worker's consent in the circumstances described in question five, the health care provider must document the release in the person's health record. [M.S. 144.335, sub. 3a(h)]