DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Issues involving HIPAA and workers' compensation usually fall into one of two buckets.
1. Is a workers' compensation entity bound by the HIPAA Privacy Rule?
2. May a covered entity disclose PHI to a workers' compensation entity without prior written patient authorization?
Are Workers’ Compensation Entities Bound by the HIPAA Privacy Rule?
The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent these entities may otherwise be covered entities. This means that if an entity that is a workers’ compensation insurer, workers’ compensation administrative agency, or employer (collectively, “workers’ compensation entities”) does not provide healthcare or act as a health plan or healthcare clearinghouse, the entity is not regulated by the HIPAA Privacy Rule.
Workers’ compensation carriers are considered by HIPAA to provide “excepted benefits,” and as such, are not considered to be “health plans,” as HIPAA defines the term “health plan.” Put another way, for a workers’ compensation carrier to be considered a health plan, it must, in addition to its workers’ compensation operations, perform those activities that a health plan performs. That is, it must also act as an individual or group plan that provides, or pays the cost of, medical care under a policy of medical insurance.
May a Covered Entity Disclose PHI to a Workers’ Compensation Entity Without Prior Written Patient Authorization?
Workers’ compensation entities need access to the health information of individuals who are injured on the job, or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. Generally, workers’ compensation entities obtain this health information from the providers that treat these individuals. These providers, if they engage in Administrative Simplification Standard Transactions, are “covered entities” under HIPAA.
The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, workers’ compensation state agencies, employers, and other persons or entities involved in workers’ compensation systems, without prior written patient authorization:
As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.
This includes programs established by the Black Lung Benefits Act, the Federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act. See 45 CFR 164.512(l).
To the extent the disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
For purposes of obtaining payment for any healthcare provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.
In addition, covered entities may disclose protected health information to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has provided his or her authorization for the release of the information to the entity. The authorization must contain the elements of and otherwise meet the requirements of a valid authorization specified at 45 CFR 164.508.
Does the HIPAA Minimum Necessary Standard Apply to Workers’ Compensation Disclosures?
As noted above, a covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
Covered entities are required reasonably to limit the amount of protected health information disclosed for workers’ compensation purposes, to the minimum necessary to accomplish the workers’ compensation purpose. Under this requirement, protected health information may be shared for treatment purposes to the full extent authorized by State or other law. In addition, covered entities are required reasonably to limit the amount of protected health information disclosed for payment purposes to the minimum necessary.
Covered entities are permitted to disclose the amount and types of protected health information that are necessary to obtain payment for health care provided to an injured or ill worker. Where a covered entity routinely makes disclosures for workers’ compensation purposes under 45 CFR 164.512(l) or for payment purposes, the covered entity may develop standard protocols as part of its minimum necessary policies and procedures that address the type and amount of protected health information to be disclosed for such purposes.
Where protected health information is requested by a State workers’ compensation or other public official, covered entities are permitted to reasonably rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article