
Tracker Summer 2003

REGULATORY UPDATE
Reporting Challenges Under HIPAA

by Steven C. Schumann, MD

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes, for the first time, a set of national standards for the protection of certain health information. The Privacy Rule, which went into effect April 14, 2003, addresses the use and disclosure of individual health information, called "protected health information," by organizations subject to the Privacy Rule, i.e., "covered entities." Occupational health providers must balance the regulations of HIPAA with the other regulations under which they operate.

The primary intent of the Privacy Rule is to assure that individual health information is adequately protected, while not impairing the use and exchange of medical information needed to deliver care and conduct business. [1, 2]

Healthcare providers that transmit health information in connection with certain transactions are subject to the Privacy Rule, regardless of the size of practice. Workers’ compensation is technically exempt from HIPAA. However, any time a workers’ compensation case is denied coverage, the case becomes private-pay and the clinic is suddenly under the requirements of HIPAA. Therefore, it behooves any occupational health clinic to assume that HIPAA applies to all cases and conduct business accordingly.

HIPAA establishes rules on privacy of health information

Protected Health Information (PHI) includes all individually identifiable health information whether in written, electronic, oral, or other form. Demographic data related to physical or mental health at any time in the course of care is also considered PHI.

The Privacy Rule recognizes that under some circumstances disclosure of selected information may be permitted or required. It further specifies this disclosure will always be with the patient’s permission or as the Rule permits or requires. In these circumstances, provide the minimum necessary information (see definition below).

Patient permission is categorized as consent or authorization. Consent is written permission from individuals for information disclosure, and is optional under the Privacy Rule. Use of a consent form and the process for obtaining consent are at the discretion of the covered entity. [3]

Authorization is more specific and includes information regarding the PHI to be disclosed, individual(s) both disclosing and receiving the information, expiration date of the authorization, and a statement of a patient’s right for revocation of the authorization. You must have either Authorization or Consent unless the disclosure is specifically permitted by the Privacy Rule.

Minimum necessary [4] is a key component of the Privacy Rule. The covered entity and its employees must assure that information used, disclosed, and requested is no more than required to perform the anticipated activity. The U.S. Department of Health and Human Services has provided answers to frequently asked questions regarding minimum necessary. [5]

While the Privacy Rule mandates patient authorization for the sharing of Protected Health Information, there are several circumstances under which authorization is not required. Treatment, payment, and healthcare operations are all in this category.

  • Treatment refers to delivery of healthcare consultation and services by several providers or a third party.

  • Payment includes activities required for reimbursement for healthcare services provided, including discussions with case managers representing the insurer.

  • Healthcare operations include the panoply of administrative, financial, legal, and quality improvement activities necessary to manage healthcare as a business.


The Challenges

The question frequently arises regarding the impact HIPAA has on the DOT program. The HIPAA preamble states that there is no conflict between the HIPAA rule and DOT drug and alcohol testing procedures. Such mandated testing is exempt from the disclosure requirements due to the provision in the regulations (§164.512) that states: "A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law."

Furthermore, the DOT has issued a Q&A on HIPAA that states "Use or disclosure of the DOT drug and alcohol testing information without a consent or authorization from the employee is required by the Omnibus Transportation Employees Testing Act of 1991, 49 CFR Part 40, and DOT agency drug and alcohol testing regulations, unless otherwise stipulated by 49 CFR Part 40." [6]

Similarly, the Privacy Rule allows for disclosure related to public health activities. [7] Such activities generally involve reporting disease or injury, reporting births and deaths, as well as managing public surveillance. Of particular interest to occupational health providers, public health activities also include workplace medical surveillance. [8] Surveillance refers to injury/illness management or monitoring that is mandated by the Occupational Safety and Health Act (OSHA), the Mine Safety and Health Administration (MSHA), or applicable state laws. The Public Health Provision permits covered healthcare providers to disclose, in very limited circumstances, an individual’s protected health information to the employer without prior authorization. [9]

  • The healthcare service must be requested by the employer.

  • The healthcare service must relate to surveillance mandated by federal or state law or an evaluation to determine if a job-related injury or illness has occurred.

  • The employer must have a duty under OSHA or MSHA or similar state law to keep records or act on such information.

Examples of medical surveillance programs and associated federal or state law reporting mandates include respiratory protection, hearing protection, blood borne pathogen prevention and exposure, pesticide exposure, lead exposure, HIV/AIDS, and sexually transmitted diseases. These services fall within the purview of the typical occupational healthcare clinic, as do performance of pre-placement and periodic examinations, return-to-work and fitness-for-duty evaluations, DOT exams, drug tests, and similar services.

In addition to HIPAA’s Privacy Rule, other federal restrictions, e.g., the Americans with Disabilities Act, as well as state laws, preclude sharing health information, particularly with employers, that may adversely affect the employee’s job. The intent of Congress is to assure a "floor" for privacy guarantee, thus providing a minimum level of protection. However, this base is not permitted to override any state or local laws that are more stringent. Federal regulations "…shall not supersede a contrary provision of state law, if the state law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specification imposed under the regulation." Thomas Jefry and Davis Wright Tremaine LLP offer this quote and an excellent discussion of potential conflict of federal and state law in their article at www.DWT.com. [10]

Avoiding Risk

What should occupational health providers do to limit risk? Remember that employees are culpable as well as the facility. Develop operational policies that clearly state all employees must obtain employee/patient authorization for disclosure of any PHI and that the PHI disclosed must be the minimum necessary.

Keep in mind these guidelines regarding disclosure of PHI in these specific occupational health-related activities:

  • Injury and illness care: Employers have a duty under OSHA, MSHA, and state laws to provide medical care for job-related injuries and illnesses. Covered providers are permitted to disclose PHI to the extent required, but no more, to permit the employee to work safely. Authorization to disclose such information should be obtained. Employees do not have the right to restrict information being disclosed for workers’ compensation purposes. [11]

  • Respiratory Protection: The Respiratory Protection Standard 29 CFR 1910.134 mandates a medical questionnaire and, depending upon questionnaire answers, medical examination. The standard "…requires the employer to establish and retain written information regarding medical evaluations, fit testing, and the respirator program. This information will facilitate employee involvement in the respirator program, assist the employer in auditing the adequacy of the program, and provide a record for compliance determinations by OSHA."

  • Hearing Protection: The Occupational Noise Exposure Standard 29 CFR 1910.95 as well as Mine Safety and Health Administration provide for audiometric testing under certain workplace conditions. The testing results must be provided to both the employee and employer.

  • Blood Borne Pathogens: The Blood Borne Pathogens Standard 29 CFR 1910.1030 requires a preventive as well as post-exposure program for employees potentially exposed to body fluids. The employer shall obtain and provide the employee with a copy of the evaluating healthcare professional’s written opinion within 15 days of the completion of the evaluation.


The healthcare professional’s written opinion for hepatitis B vaccination shall be limited to whether hepatitis B vaccination is indicated for an employee, and whether such vaccination has been administered.

The healthcare professional’s written opinion for post-exposure evaluation and follow-up shall be limited to informing the employee of the results and advising him or her about any further evaluation or treatment that might be necessary for medical conditions potentially resulting from the exposure. All other findings or diagnoses shall remain confidential and shall not be included in the written report.

The employer shall ensure that employee medical records required by section (h) of the Blood Borne Pathogens Standard 29 CFR 1910.1030 are kept confidential and not disclosed without the employee’s express written consent except as required by law. The employer shall maintain the records required by section (h) for at least the duration of employment plus 30 years in accordance with 29 CFR 1910.1020.

  • Lead Exposure: Lead [12] and other hazardous materials [13] have standards which include testing, examination, and reporting. Refer to the applicable standards for more information.

  • Pre-placement and periodic examinations: Return-to-work and fitness-for-duty examinations and employer-paid drug testing are generally not performed for purposes required by OSHA, MSHA, or state law. To the extent that they are, the health information may be disclosed to the employer without authorization. As stated earlier, DOT-mandated physicals and drug and alcohol testing are exempt from the HIPAA Privacy Rule. In all other situations, covered entities may not disclose health information without patient/employee authorization.

  • Providers should review their state laws as they relate to privacy to determine if they are more stringent than federal law.

Suggestions in Assessing Your Clinic’s Practices

Here are key points for assessing your own clinic’s adherence to the HIPAA Privacy Rule:

  • Provide all patients with a notice of privacy that explains your facility’s policy.

  • Obtain written authorization from employees/patients whenever you intend to disclose PHI to an employer, payer, or other entity.

  • Under all circumstances, disclose only the minimum necessary to meet the bona fide need for information.

  • When employee/patient consent is not obtained, ensure that PHI disclosure meets the requirements of the Privacy Rule: specifically, is the contemplated disclosure one of the valid exceptions, such as DOT-mandated drug testing?

  • Investigate whether your state law preempts the Privacy Rule and applies a higher standard. If it does, abide by your state law.

  • Train employees to lock or log off computer workstations when away from their desks.

  • Maintain auditory privacy of PHI.

  • Make sure patient files are not visible to unauthorized persons.

Footnotes

1 http://www.hhs.gov/news/facts/privacy.html

2 http://www.hhs.gov/ocr/privacysummary.pdf

3 http://answers.hhs.gov

4 http://www.hhs.gov/ocr/hipaa/guidelines/minimumnecessary.rtf

5 http://answers.hhs.gov

6 http://www.dot.gov/ost/dapc/main/QandAHIPAA05031.htm

7 http://www.hhs.gov/ocr/hipaa/guidelines/publichealth.rtf

8 http://www.access.gpo.gov/nara/cfr/cfrhtml_00/Title_45/45cfr164_00.html

9 http://answers.hhs.gov

10 http://www.dwt.com/practc/hc_ecom/images/HIPAAmanual.pdf (go to page 13)

11 http://answers.hhs.gov

12 http://www.osha.gov/SLTC/lead/index.html

13 http://www.osha.gov/SLTC/hazardcommunications/index.html


Articles in the Tracker may be printed and/or photocopied for personal use. To reprint an article in print or on-line media, include the following in the reproduced copy: "This article originally appeared in the Occupational Health Tracker, Vol.6, No.2. Reprinted with permission of Occupational Health Research, www.systoc.com."


Recent Questions from Readers about HIPAA

Question 1: "While reading your article in the Tracker I noticed that you stated that DOT physicals are exempt. Do you believe that the entire PE may be released to the employer? In reading the reg, the last page states that the employer is to receive a copy of the certificate only. The physical form contains private health information. I have not been giving the employer the complete physical since HIPAA. If you could clarify this I would appreciate it." 

Jim, All Cities Occupational Medicine

Answer 1: "Good question. Although information gathered in the course of DOT examination may be considered exempt, disclosure of that information to employers is permissible only to the extent that there is a requirement under Federal or State law, and then only the 'minimum necessary' is disclosed. 

"In general, I believe that under normal circumstances this precludes disclosure of the DOT medical form and the provider is advised to send only a copy of the driver's card (certificate) to the employer." – Steve Schumann, MD


Question 2: "In your article on HIPAA, you indicate that authorization is NOT required for an examiner to release the results of a Department of Transportation Medical Examination to the carrier. The examiner is required to release the information to the carrier as to whether the driver meets the FMCSA medical standards, but is not required to provide the complete medical examination. While not required, it is also not prohibited. The expectation is that if it is provided, it is consistent with state and federal regulations. No authorization is required to release the certificate, which does not contain medical information. Authorization IS required to provide the complete long form. This response had been obtained by the American College of Occupational and Environmental Medicine and is discussed in detail in the Summer issue of CDME Review.

"Furthermore, for OSHA medical surveillance examinations (as with commercial driver medical examinations), the healthcare provider is required to provide the employer with a statement of whether the individual is at risk, whether restrictions are necessary, and whether personal protective equipment should be used. The OSHA standards requiring medical surveillance do not require providing the complete medical evaluation to the employer."

Natalie P. Hartenbaum, MD, MPH
Chief Medical Officer OccuMedix, Inc.

Answer 2: "Thank you for your recent letter. I have reviewed it with Dr. Schumann. He agrees with your statement. All that is required by the Department of Transportation is the medical clearance form. As you have explained, if a clinic is to release the entire physical form, then it must have a specific release of information signed." – Maureen Summers, RN, MBA, CHE, Tracker Editor


Question 3: "While reading your recent letters regarding DOT Physicals and what should be released to the employer I did not see mention of the common problem we have encountered. Although we see that the form states to release the certificate only, many employers tell us that our state (WI) DOT auditors/inspectors ask for copies of the complete medical exam form when reviewing the company required paperwork. We have advised companies to keep medical information in the employee medical file per OSHA regulations. Someone should advise state employees of the federal regulations so that the medical providers do not get 'caught in the middle'."

Kathy Weeks, Occupational Health Coordinator
St. Croix Regional Medical Center

Answer 3: "I have reviewed the requirements of the Wisconsin Department of Transportation's commercial driver's license medical requirements on the webpage www.dot.wisconsin.gov/drivers/drivers/apply/types/cdl-medical.htm. This information clearly states that 'Acceptable proof of examination for the Wisconsin Division of Motor Vehicles (DMV) is a Medical Examiner's Certificate BDS199 completed by a medical examiner.' Later it continues: 'A medical examiner will need to complete a FMCSA Medical Examination Report for Commercial Driver Fitness Determination form.' The article further states: 'You will need to carry this report in the commercial vehicle.' In this case the driver needs to have a copy of his own medical report to carry with him in the vehicle. If the driver chooses to give a copy of his medical record to the employer, it would be his choice. The employer's proof is the medical certificate. The website has an address for you to refer further questions." – Maureen Summers, RN, MBA, CHE, Tracker Editor



About the author:
STEVEN C. SCHUMANN is Senior Vice President and Medical Director of Occupational Health Research. He is the former President and CEO of The Stolas Group, and previously served in HealthSouth’s Occupational Health Program as national Medical Director. Dr. Schumann has extensive clinical experience in the start-up and management of successful occupational medical clinics including Occupational Health Associates, a practice that he founded. You may reach Dr. Schumann via e-mail.
