October is the time for ghosts, ghouls, and goblins. To the uninformed, the Health Insurance Portability and Accountability Act (HIPAA) may be just as harrowing as those Halloween harbingers. If you've attempted to obtain employee medical information from a health care provider, the provider may have required that you provide an authorization signed by the employee as a precondition to any disclosure. In this article, we'll try to demystify and reduce the fear factor of those requirements. We'll summarize the provisions of the HIPAA privacy rule concerning disclosures to employers, which should help you understand why providers are hesitant to disclose requested information to you.
HIPAA prohibits “covered entities,” including most health care providers, from disclosing protected health information without a written authorization from the patient unless a specific provision within the regulation permits such disclosure. “Protected health information” is information that there is a reasonable basis to believe can be used to identify an individual and relates to the past, present, or future physical or mental condition of the individual, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.
Work-related medical surveillance and work-related injury
The HIPAA privacy rule permits a health care provider to disclose information to an employer concerning an employee without the employee's authorization in very limited circumstances. Specifically, a provider may disclose information concerning workplace medical surveillance and work-related illness or injuries only if the following conditions are met.
First, the health care provided to the individual must be at the request of the individual’s employer or provided in the capacity of a member of the employer’s workforce.
Second, the disclosure must be limited to information relating to work-related medical surveillance or a work-related injury.
Third, the employer must need such information to comply with reporting obligations required by law. For example, employers in Kansas are required by the workers' compensation law to report work-related injuries. Thus, a provider may release to an injured employee's employer information necessary for it to complete such a report without the employee's authorization.
Fourth, the provider must furnish to the employee a written notice that the provider will disclose information to the employer concerning the work-related injury or workplace medical surveillance. The notice must be given to the employee at the time health care is provided either by written notice or, if the services are provided on the work site, by posting a notice in a prominent location.
The HIPAA privacy rule also permits a provider to disclose information to workers' comp insurers, state administrators, employers, and other persons involved in the workers' comp system without authorization if such disclosure is permitted under the state workers' comp law or the Black Lung Benefits Act, the Federal Employees' Compensation Act, the Longshore and Harbor Workers' Compensation Act, and the Energy Employees' Occupational Illness Compensation Program.
The Kansas statutes and regulations establishing the state workers' comp program require providers who examine and treat injured employees at the employer's request to furnish copies of reports to the employer. Because those disclosures are required by state law, a provider is permitted under the HIPAA privacy rule to disclose such information without obtaining the employee's authorization.
With one exception discussed below, all other disclosures of medical information by a health care provider to an employer about an employee must be authorized by the employee even if the employer is paying for the health care services, such as a preemployment physical or drug test. For example, a provider cannot send documentation directly to an employer to support an employee's request for leave under the Family and Medical Leave Act unless the provider previously has obtained written authorization from the employee.
The HIPAA privacy rule doesn't prevent employers from requiring employees to sign a written authorization for the disclosure of certain information as a condition of employment. For example, an employer, as part of its drug-testing program, may require its employees to sign authorizations permitting the clinical lab that performs the test to release the information to the employer. Nor does the rule prevent the employer from requiring an employee to obtain reports from the provider and deliver the documents to the employer.
The regulation includes very specific requirements for a written authorization. If a provider discloses information under an authorization that doesn't meet all the requirements, the provider faces potential liability for an improper disclosure under the HIPAA privacy rule. Providers therefore will scrutinize each signed authorization you provide and may even require you to have your employee complete the provider's own authorization form.
DOT drug and alcohol testing program
When the HIPAA privacy rule came into effect, there was significant confusion concerning whether the U.S. Department of Transportation's (DOT) drug and alcohol testing program was subject to the privacy rule. The DOT clarified that the privacy rule doesn't require employers and service agents in the drug and alcohol testing program to obtain written employee authorization to disclose drug and alcohol testing information required by federal regulations. According to the agency, “DOT-required drug and alcohol testing information differs significantly from health information covered by [the HIPAA privacy rule]. The DOT program is concerned only with employees' compliance with DOT safety regulations, and not with preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care or the past, present, or future physical or mental health or condition of an individual.”
The rules concerning DOT testing can be summarized as follows:
- Employers don't need employee authorizations to conduct DOT tests.
- Collectors don't need employee authorizations to perform DOT urine collections, distribute federal drug testing custody and control forms, or send specimens to laboratories.
- Screening test technicians and breath alcohol technicians don't need employee authorizations to perform DOT saliva or breath alcohol tests (as appropriate) or to report test results to employers.
- Laboratories don't need employee authorizations to perform DOT drug and validity testing or to report test results to medical review officers (MROs).
- MROs don't need employee authorizations to verify drug test results, discuss alternative medical explanations with prescribing physicians and issuing pharmacists, report results to employers, confer with substance abuse professionals (SAPs) and evaluating physicians, or report other medical information.
- SAPs don't need employee authorizations to conduct evaluations, confer with employers, confer with MROs, confer with appropriate education and treatment providers, or provide reports to employers.
- Consortia/third-party administrators don't need employee authorizations to bill employers for service agent functions that they perform for employers or contract on behalf of employers.
- Evaluating physicians don't need employee authorizations to report evaluation information and results to MROs or to employers, as appropriate.
Don't be haunted by HIPAA. Although its requirements can be cumbersome and confusing, if you take the time to learn the law and get the help needed to comply, you will see a well-meaning scheme to protect privacy in health care. It's kind of like lifting up the scary mask of the goblin on your doorstep and seeing a smiling grade-schooler underneath. But with HIPAA, as with Halloween, if you fail to provide the treats, you may find yourself subject to tricks.