HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAA Compliance Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

White Paper: Privacy Implications of HIPAA on
State Workers' Compensation Systems

International Association of Industrial Accident Boards and Commissions

September 11, 2001
[Reprinted with permission of the IAIABC, October 2005]

Introduction

This paper addresses privacy and confidentiality in the handling of individually identifiable health information collected and used in connection with the adjudication, payment, and regulatory compliance of claims filed under state workers' compensation systems. A major part of this paper is focused on the privacy rule recently published by the United States Department of Health and Human Services (HHS) as part of the implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Even so, the principles discussed here should be applicable for the most part to Canadian and other national contexts. The health care industry's administrative operations will be transformed by HIPAA administrative simplification standards. But, the same technological advances that make the immense administrative cost savings possible also have made breaches of privacy possible on an unprecedented scale.

  • As we will see, the HHS rule appears to exclude workers' compensation from many of its requirements. However, it would be remiss of the workers' compensation community—both private and public sectors-- not to recognize that the HHS rule has defined a new standard for privacy and confidentiality in health care systems. Finally, we show conflicting and ambiguous requirements, especially between HIPAA privacy regulations and state law, that will take years to resolve. Court action and further rule making and state lawmaking are likely.

Background

On December 28, 2000, HHS published the final regulations for privacy and security of medical records. The privacy rule was the result of years of effort. It was borne out of bi-partisan support for protection of medical privacy. The proposed rule (published November 1999) generated huge interest: more than 50,000 written comments. It is important to note that proponents of the broad application of privacy regulations cut across interest group lines. Medical provider groups, for instance, were supportive of broad and strict privacy guidelines, and resisted exclusions for workers' compensation or other uses. A recent survey of the Association of American Physicians and Surgeons found that 78% of their member-respondents reported withholding information from a patient’s record at the patient’s request due to privacy concerns, and further, 19% reported lying to protect a patient’s privacy. The American Medical Association was particularly pointed in its criticism of removing workers' compensation from the rights and protections afforded patients. They felt that the many exceptions to release and disclosure of medical records compromises patient confidence in the doctor-patient relationship.

Privacy, especially for medical records, has enormous public support.

Some evidence of this can be found in a series of national opinion polls by Louis Harris & Associates. These polls show the level of public concern about privacy growing from 64% in 1978 to 82% in 1995. In a Wall Street Journal poll on Sept. 16, 1999, Americans reported, “loss of personal privacy” as their number one or two concern for the coming century in greater numbers than for any other concern, including terrorism or world war. A very strong statement of the importance of this issue with the American public is shown by the fact that the Bush administration continued with the final adoption of the rule after reopening the rule for public comment during the month of March 2001.

Before going forward a few terms, as used in the HIPAA rule, ought to be clarified:

Privacy. This term is not defined in the act or rule. However, it is described in the preamble to the rule as a fundamental right. The preamble notes that a right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. The United States Supreme Court has upheld the constitutional protection of personal health information (Whalen v. Roe, 429 U.S. 589 (1977)). However, the individuals’ right to privacy in information about themselves is not absolute. It does not prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. In short, privacy rights speak directly to our individual and collective freedom.

Disclosure. This is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Individually Identifiable Health Information. This covers any information, including demographic information whether oral or recorded in any form or medium, that: 1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and identifies the individual or reasonably could be used to identify the individual.

Security. standards are to create safeguards that ensure the integrity and confidentiality of the information; protect against any reasonably anticipated threats or hazards to the security or integrity of the information and to unauthorized uses or disclosures of the information.

Record. This is any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by a covered entity.

Overview of HHS Rule

The HHS rule is a maze of exceptions and special conditions, so it is hard to make broad generalizations. However, for the sake of a high-level, intuitive understanding of the rule, we provide this non-technical overview. “Covered entities” under the regulation include virtually all hospitals, clinics, medical laboratories, nursing homes, and doctors’ offices. Also covered are health plans that pay for the medical services of the above providers’ groups. Finally, vendors and other third party "business associates" are also covered in certain capacities. Thus, a “clearinghouse” that receives a record or bill from a covered entity for purposes of translating it into a standard electronic format and delivering it to an insurer is also covered.

Covered entities must:

  • develop a formal implementation plan for complying with privacy;
  • offer detailed legal disclosures to all patients;
  • provide minimum necessary data to requesting parties;
  • maintain audit trails and compliance procedures;
  • offer patients the right of review and modification of their records.

The rule is quite detailed on patient rights and duties of covered entities. For instance, it prescribes specific language that must be included in disclosure notices. It details the process by which patients can see and petition to modify records.

The rule carves out several uses of “personally identifiable health information” from all or part of the above requirements. For instance, research is excluded from disclosure and other privacy requirements under narrowly defined conditions. Court orders and law enforcement requests for records are broadly excluded. There is no broad single exclusion in the HHS rule explicitly removing workers’ compensation (WC) as a unique system of health care. Instead, WC is apparently excluded in three separate places, depending upon the type of entity involved with the record: 1) for health insurers, under the exemption in the “health plan” definition through the Public Health Service reference (see footnote 1); 2) for health care providers, under 164.512 (l), where patient consent is not required for disclosure to comply with laws relating to workers’ compensation; and 3) perhaps for most state WC agencies, as receiving information only from a “non-covered” entity (the WC health plan or the employer), or under the exemption that allows health plans that are required by state law to report information for the purpose of program monitoring and evaluation, or using the exceptions noted in 1) or 2) above for states that act as WC health plans or receive information directly from medical providers.

The most direct mention of WC in the regulation is in sec. 164.512(l). It states:

"§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required….

(l) Standard: disclosures for workers’ compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault."

However, as we shall discuss below, there are some ambiguities in the law that may require further administrative clarification and court rulings. Moreover, this language is permissive, and does not require covered entities to disclose protected information to workers' compensation administrators or payers.

Sec. 164.512(b)(1)(v) of the rule allows for covered entities (medical providers) to disclose medical information to employers without the worker’s consent or release to employers.

"An employer, about an individual who is a member of

the workforce of the employer, if:

(A) The covered entity is a covered health care provider who is a member of the workforce of such employer or who provides a health care to the individual at the request of the employer:

(1) To conduct an evaluation relating to medical surveillance of the workplace; or

(2) To evaluate whether the individual has a work-related illness or injury;

(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;

(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance;

(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:

(1) By giving a copy of the notice to the individual at the time the health care is provided; or

(2) If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided."

It is not clear whether this section 164.512 (b)(1)(v) will apply in WC, because the section appears to reference OSHA or “state law having similar purpose.” Nevertheless, “covered entity” health care providers will need to apply some HIPAA privacy protections to the normal communications they now routinely make to risk managers and workers' compensation managers at places of employment concerning individual workers’ health conditions. Of special interest to workers' compensation is the fact that although health care providers are allowed to use or disclose the personal health information according to state WC law, they are not exempt with regard to a worker’s right to receive notice of this communication with the employer, or the right to inspect, and attempt to correct or amend the record.

Non-Privacy Parts of HIPAA

“Administrative Simplification” is the heading for a major component of HIPAA rulemaking. It should be of keen interest to anyone in the day-to-day business of workers' compensation claims handling, regulatory compliance and payment processing. This rule "simplifies" medical treatment notices, records, or payment information by imposing standard electronic transactions on routine communications between provider, payer, and employer.

Workers' compensation insurers and payment administrators are intimately familiar with the processing challenges of medical claims. Medical costs constitute about half of all workers' compensation claim costs and medical only claims are more than 70 percent of all claims. Those handling workers' compensation medical information need a way to reduce their paperwork burdens, speed claims handling, and maintain regulatory compliance.

Security regulations, another separate element of the HIPAA rules, have not been finalized. New security requirements may be complex and expensive to implement for some covered entities. It will include measures to make sure that unauthorized parties do not have access to individual medical records and that the records are preserved from loss or damage. Again, workers' compensation insurers should be exempt from the security requirements in the rule but WC medical providers may be included. Workers' compensation carriers would be ill advised to neglect examining their internal processes in light of this rule. It sets a new and rigorous standard for protecting medical information that could be used in civil actions alleging breaches of duty to secure private medical records.

Making HIPAA Work for Workers’ Compensation

In one sense, workers’ compensation programs are in an enviable position. Carriers can enjoy the gain of receiving timely, paperless transactions while avoiding the pain of having to develop considerable system changes to comply with the privacy requirements of the law. How can workers’ compensation capture the gains but avoid pitfalls from HIPAA?

Electronic Transactions

To capture the considerable benefits of electronic transactions, workers' compensation payers need to learn to accept standard reports. At a technical level, this means receiving standard data fields and code sets. Providers will resist proprietary reports. The health industry's insistence on using its own codes and report formats is the motivating force behind HIPAA Administrative Simplification—one standard for all transactions.

If the standard data and codes are inadequate, the WC payer may need to make a special request for more information, e.g., office notes or diagnostics. The standard 835 Health Care Payment and Remittance Advice electronic transaction may not meet every insurer’s internal preferences. It may be time for WC carriers to conform their mainstream systems to the HIPAA transactions.

This is not to say that certain supplemental information may not be requested. Increasingly, that supplemental information will be supplied electronically.

The first step is to understand the applicability of the law. Workers' compensation payers are not covered entities under the law. However, the spirit and letter of the law present important unknowns for WC payers.

Consumer Right to Withhold Information

Suppose a patient, upon reviewing the required disclosure by his/her provider, exercises the right to not release medical information without a signed release. Each provider is free to react to such resistance by withholding (non-emergency) services. Many providers might demand other proof of financial responsibility if the patient sets up an obstacle to payment from insurers. It is likely that a patient's refusal to authorize release of his/her medical records for WC purposes (or any routine payment recovery from other insurers) would jeopardize the future relationship with that provider.

Suppose, though, that the provider treats a worker with an apparently covered claim. Learning of the claim through the employer's first report of injury, the carrier asks the provider for a medical report. Further suppose the provider finds in their mandatory HIPAA files a “do not disclose” order. Notwithstanding state law that may authorize disclosure without a release, the provider is caught in a clash of laws. The provider may take the position that HIPAA privacy takes precedence over state WC law. By doing this, the workers’ indemnity benefits may be halted and providers will probably not receive payment for services rendered.

While the provider is within their rights to withhold services, the employer may then be placed in an untenable position. The right to medical treatment provided by the employer is established by statute in virtually all jurisdictions. Denial of that right by employer, by imposition of disclosure requirements upon the provider as a condition for payment, could be considered conduct subject to sanction as a violation of the medical treatment requirement. If the worker has filed a “do not disclose” order, the employer must pay the provider without review of records, deny the claim and shift the burden of production of justifying records onto the worker in expensive formal litigation while risking sanction for unjustified delay of medical treatment, or change to another provider that will be less troubled by the “clash of laws”. The latter choice will often be restricted by existing restrictions upon the choice of providers under state WC laws.

In this context, the inconsistency between HIPAA regulations and the Federal Rules of Evidence may create additional issues. In 1975 Congress approved a rule regarding evidentiary privilege that substantially modified prior law. The new rule adopted by reference common law provisions regarding privileges without specific recognition of protected relationships. The common law, as reflected in the evidence rules of many states and of the prior Federal Rules, recognized a privilege for communications between doctor and patient, but waived the privilege when a claim was made in which the medical condition of the patient was placed in issue. Since the provider can be forced to disclose medical history and treatment during litigation, workers may face the dilemma of choosing between prompt medical treatment by relinquishment of their HIPAA rights and assertion of medical privacy rights, resulting in litigation of their workers’ compensation claim. Colorado has case law from a 1991 Appeals Court where a WC claimant who refused to provide copies of any medical records was denied all WC benefits. The litigation there or in similarly situated states may focus on nuances of which medical records must be released. In Wisconsin, 102.13(2)(a)says all doctor-patient privileges are waived.  So, the employer could deny the claim and increase litigation.  An increase in the percentage of litigated cases, and the increase in economic and societal costs attributable to litigation and delay of treatment is a predicable result of this confusion.

Preemption of State Law

HIPAA’s General Requirements in Subpart B state:

"§ 160.203 General rule and exceptions.

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law."

State privacy laws are diverse and changing. Nearly all states have passed some sort of privacy law motivated by either internal state pressures to tighten privacy rights, or the privacy provisions of Gramm-Leach-Bliley. The National Association of Insurance Commissioners has proposed a model privacy bill that many states have adapted.

Workers’ compensation statutes often do not have their own specific privacy protections. Many state privacy protections for WC are less rigorous or demanding third parties using the records than would be the case for general health information. For example, in many cases WC law is vague or silent on releases of medical records to payers, employers, or other third parties. Absent a specific policy enunciating privacy protections, it is at least arguable that HIPAA generally applies. Granted, there is a general exclusion of disclosure requirements under sec. 164.512, but the strong language in the state preemption clause may trump vague state privacy, notice, and release laws.

It is unclear how the law will be sorted out in court. The United States has been in a continued series of court tests on the ERISA preemption of state law on employer benefit plans. In this same manner, HIPAA will likely unleash a string of court rulings to define terms and reconcile conflicts in privacy standards. Further, the impact of HIPAA will vary from state to state, depending on the state’s WC privacy laws and rules. This will make it particularly difficult for providers who deal with workers from more than one state. If privacy is a problem for WC medical providers, it will be a problem for WC insurers and employers, whether listed as “covered entities” or not.

Tighten Internal Rules

The disclosure of medical information to third parties typically used in the WC system certainly raises the specter of potential abuse that inspired the HIPAA regulations. “It’s bad enough,” privacy advocates might argue, “that the workers' compensation claims adjusters need not have releases to obtain medical records from medical providers. It’s even worse that they are free to re-release the records to third parties.” One could argue that the HIPAA exception for release to third parties only applies to matters necessary to administer state workers' compensation benefits. However, some commentators have said that once the record legitimately “escapes” the control of the covered entity, HIPAA loses all relevance on further disclosures to third parties. The rationale for excusing WC is principally that the system has distinct business needs that HIPAA regulations will impede. This rationale is most correct for the speedy delivery of indemnity payments. However, how does the speedy determination of compensability of a claim or payment of indemnity justify excusing workers' compensation payers from the following patient’s rights and protections in HIPAA:

  1. The right to see a claim record and challenge the accuracy of medical information;
  2. The right to know that your medical information will be shared with parties outside the WC carrier;
  3. The right to have only minimum necessary data requested and used;
  4. The right to security of medical records.

Items 1 and 2 are probably viewed as annoying and burdensome by many doctors, hospitals, clinics, and health insurers. However, leaders in the health industry have recognized a sea change in public opinion on medical privacy and have accepted the new requirements as a business necessity. The unique status of WC payers to open records requirements is a notable exception to the general practice in medicine.

Regarding item 3), Sec. 164.514(d) says that even if disclosure of protected information is permitted, it must be limited to the “minimum necessary” information to accomplish the purpose of the release.

This minimum necessary requirement is more nuanced. Workers’ compensation carriers should know that they are not alone in their need for extensive medical information to determine proper payment of a claim. Health insurers, like WC payers, have from time to time asked for broad medical records requests to determine if a claim is payable under a policy. For example, a health carrier engaged in post claim underwriting is looking for misrepresentation on the application that might be the basis for rescinding coverage. They might ask for all medical records to look for a history of a pre-existing condition that was not disclosed on the application. This business need is not much different than the needs of a WC claims adjuster looking into medical history for the causation of injury.

The minimum necessary standard within the rule has created much confusion. In the preamble to the rule, the intention of the rule is described as providing that any disclosure of information that is routinely allowed, such as disclosure for payment purposes, requires providers to create policies and procedures to identify what constitutes “minimum necessary” information, and then to uniformly apply those procedures to those disclosures. For non-routine disclosures, providers are required to develop criteria by which they will make individual assessments in determining the minimum necessary information to disclose. However, the preamble also clarifies that disclosures that are required by law and are allowed without patient consent are exempt from the minimum necessary requirement. Instead, these disclosures are expected to be fully defined by the law that is requiring the disclosure. Sec. 164.512(l) says that covered providers may disclose PHI as necessary to and authorized for discharging state workers' compensation law. However, providers will be sensitive to provide minimum amounts of information since that is so clearly the overriding intent of the rule.

Where do these clarifications leave workers’ compensation with regard to disclosure of information to employers? This minimum necessary requirement presumably is either satisfied or unnecessary in the release of information to employers if the OSHA data requirements are followed (see Sec. 164.512 (b)(1)(v) above). However, this release to an employer may be in conjunction with a WC claim or a more general request regarding first aid. It might be argued that because the disclosure is required by WC law, the minimum necessary standard does not apply. But, state WC information requirements are not so clearly delineated nor so uniformly followed as the OSHA data requirements. Absent any clear state law governing specific disclosure and release of medical information for workers' compensation claims, one might speculate that the permitted releases to workers' compensation payers might also fall under this minimum necessary standard. At the very least, providers would expect to be able to develop procedures and policies that they can apply to routine WC disclosure requests in order to be able to justify their disclosures. But what guidance would providers currently have to create appropriate policies in divulging medical information in WC?

Related to this is the question of in-house clinics or medical facilities to handle occupational injuries. Here the exclusion for WC is much less obvious, but the same exemption in the Public Health Service Act that makes WC payers non-covered entities appears to exclude these “on-site medical clinics.” First, many encounters may not be clearly related to work and not be judged to be work-related. Second, many encounters will not result in a workers' compensation claim. A large number of employers simply pay the medical bills of injured workers either directly or through their group health insurance.

Without reviewing the preamble to the rule, there seems to be a conflict, or clash, of HIPAA requirements with state law regarding the minimum necessary requirement, and the disclosures required by law section.. Most providers will not be looking for this distinction, nor will they be comfortable disclosing more, rather than less, information to any “non-covered entity” until they are certain that their own responsibility and liability has been appropriately handled. Especially, it seems likely that providers will resist the very common WC carrier request for 'all medical records you have on this patient.' In the past, providers have questioned the propriety and need to send years of treatment records. The preamble’s discussion of this issue clarifies that absent a provider’s documented justification of the disclosure of the entire medical record, the provider will be in presumptive violation of the rule if they do disclose an entire medical record. The rule itself is discouraging this kind of disclosure, and WC law currently is likely not to seem clear enough to justify it in the eyes of providers. Even more controversial is the propriety of sending full psychological records and office notes, given that these require special authorizations under the rule.

With HIPAA in mind, many providers might be looking for specific authorization in state workers' compensation law to justify broad records requests. The exclusion for workers' compensation uses the term “as necessary to comply with state law.” If the state workers' compensation law is silent or vague, HIPAA covered entities might reasonably resist records requests that they construe to be overly broad.

The complexity of the rule all but assures confusion by providers on what they can and cannot communicate with employers, and on what disclosures they must give to the patient. This is especially true in case of cross-border treatment, i.e., providers that give treatment to patients from several states. Provider groups are troubled by this standard and are expending considerable legal resources to establish legally defensible rules on release of “minimally necessary” records.

Educate Medical Providers

Coordinating WC claims with many medical providers will be a problem. Clinics everywhere will be in a pressurized environment to get them into compliance. It would behoove WC payers to assist covered entities to understand the legal entitlements of WC payers and factor these rights into the implementation strategies. For instance:

  1. In developing their disclosure statements to patients, providers should probably state that information would be released to WC payers in accordance with state law, even if that law does not require a signed release.
  2. Enumerate and describe the entitlements given by law for workers' compensation in each state that the provider does business in.
  3. Identify the routine kinds of disclosures that are needed in workers’ compensation, and provide the specific information that will be required with each type of disclosure.

This education process might best come from more "association to association" contacts instead of just focusing on individual providers.  Healthy collaboration between insurance trade associations, WC administrators, and the leading medical provider associations is the best way to reach out to providers with a consistent, credible, and clear message on privacy rules. Such educational and networking efforts are already underway in states like Colorado and Wisconsin.

Voluntary Compliance with HIPAA

Finally, consider voluntary compliance with HIPAA privacy and security standards as a safeguard against real or perceived abuses of medical records. Privacy lawsuits are a serious risk to any business handling medical records. Voluntary compliance may be a defense against suit against a carrier for civil damages in claims of abuse.

With respect to electronic transactions under the administrative simplification part of the HIPAA regulations, it makes clear business sense for WC payers to support and comply with the HIPAA standard transactions. Even if the claims transaction might not be optimal for WC, providers will be integrating their business systems for all transactions—first report of injury, payment, explanation of benefits, confirmation of coverage, and claims status. As time goes on, providers will resist proprietary, carrier-specific systems for claims. Also, WC payers have a very clear interest in promoting uniformity in transactions. Right now, they are extremely frustrated by the proliferation of state EDI standards and implementation trading partner agreements with the states. More uniform medical transactions are exactly what carriers have already sought for proof of coverage, first reports of injury and subsequent reports of injury.

Finally, the sharp contrast between workers' compensation and other insurance is clearly a target for future lawmaking. The Secretary’s comments at the end of the rule summary state:

While the regulation announced today significantly strengthens protections for patients' confidentiality, Secretary Shalala said Congress still needs to act in areas not covered by existing federal law. Under current law, the final regulation does not directly regulate many entities, including life insurers and worker's compensation programs - thus allowing unlimited use and reuse of information by such entities. [emphasis added] –HHS News, Dec. 20, 2000.

Further, in the preamble to the rule, this opinion is presented:

We recognize that there are significant privacy issues raised by how individually identifiable health information is used and disclosed in workers’ compensation systems, and believe that states or the federal government should enact standards that address those concerns.

  • As discussed below, it seems likely that individual state privacy laws will be debated and altered in the years ahead. Voluntary compliance may blunt the need for further lawmaking. Sec. 160.202 defines state law to include state regulations or rules, so action taken by state agencies in their rule making capacity may also be a method by which some of the confusion or vagueness regarding disclosure of health information in WC may be addressed. Absent broad industry compliance, any abuse, perceived or real, will stimulate lawmakers to “close the gap” on workers' compensation.

Political pressure has been growing in recent years to federalize workers’ compensation. Some of the same interest groups that vocally supported HIPAA have argued that the variance between states in their workers’ compensation laws is undesirable. Since a federal solution to the perceived inadequacies of state privacy laws concerning workers’ compensation will certainly be proposed, it is reasonable to anticipate that the larger issue of federalization of workers’ compensation laws will be discussed in this context.

State WC Privacy Laws

States vary tremendously on how explicitly and extensively they treat medical privacy rights in their respective workers' compensation systems. Some states require written authorizations for medical records, similar to any other use of records. At the other extreme, some states hold that the act of filing a workers' compensation claim creates an automatic waiver of any privacy protections requiring disclosures and releases.

Moreover, the scope of inquiry by the workers' compensation claims adjuster varies widely. In states with the narrowest scope of authority, the adjuster is entitled to information from the practitioner treating the immediate encounter after an injury or incident. In jurisdictions with the broadest scope of inquiry, the demands for information can be as broad as the adjuster feels they need to investigate the claim. This might include years of prior treatment records to look for preexisting conditions. It may also include psychological or psychiatric treatment records to look for contributing factors to the incident or condition. Notice and signed acknowledgements vary widely in law and practice.

Insurers who are sensitive to the legal and public relations aspects of privacy go beyond what the law requires in disclosure and notice. Some insurers/payers ask for medical records from the primary physician and at the same time notify the patient. Some ask for informed consent before seeking secondary records.

In response to the public concerns over medical privacy, many states are reexamining their laws on sharing and disclosing individually identifiable financial and medical information. We believe that the gap between workers' compensation and other medical privacy rights is glaring and will provoke further tightening of laws and regulations. Therefore, we lay out below some of the critical issues that are special to workers' compensation that should justify special treatment in state privacy regulations.

Special Characteristics of Workers’ Compensation

The workers' compensation system has special needs that make it far different than general health uses of medical information. It also has special risks of abuse to the patient-worker. We first discuss the process needs of workers' compensation. Following this we will review some concerns about risks of abuse that may be greater in workers' compensation than general health care. This discussion should highlight the special characteristics of workers' compensation that require careful consideration before the application of new privacy requirements. Certainly, the uniform application of all HIPAA regulations would have dramatic and unwelcome impacts on the timeliness of payments, disputed claims, and administrative costs for carriers and state agencies.

Prompt Indemnity Payment. First is the issue of timeliness. For legal and self-interested reasons, carriers need to begin investigating claims and making indemnity payments as soon as possible. Most states have laws mandating prompt payment of indemnity benefits to injured workers. A typical state standard might be to pay first indemnity checks within 14 days of the date of receipt of a claim, or the date of injury. This places great pressure on WC payers. Many employers are very late in reporting claims to WC payers, which makes the standard especially difficult to comply with.

WC insurers have long known that prompt investigation of a claim is associated with less loss payout. Knowing that a provider has been seen about what appears to be a work injury is vital to an adjuster. With this information, they can manage care, payment of medical bills, and compliance with state law. The potential for benefit and medical provider fraud and abuse is reduced. Finally, many system administrators believe there is less litigation and attorney involvement if the WC payer promptly communicates with the injured worker to explain benefits, payment schedules, and answer questions.

Special consideration might therefore be given to workers' compensation claims adjusters to obtain diagnosis and treatment records from the practitioner(s) that treated the condition that gave rise to the immediate claim for WC benefits. This would include emergency and non-emergency treatment. It may include routine office visits in which the occupational origin of an injury or disease was first diagnosed. The protection of disclosure for the provider clearly needs to extend to claims, which are apparently WC, even though that connection is in dispute or not yet admitted by the payer. In these circumstances, however, the providers should be certain that the injured worker wants to file the claim as WC, as opposed to the provider simply assuming that any injury diagnosed by the provider as work-related should be billed to the WC payer and not to the group health insurer.

Special or Detailed Background Investigations. For the vast majority of claims simple reports by the treating physician are all that are required to pay and close a claim. Over 70 percent of WC claims are “medical only” and involve no lost time. In these cases, if a properly presented bill for services is consistent with the date and nature of the injury, the insurer or administrator pays the claim promptly without detailed investigations.

In a fraction of the cases more detailed medical and other facts must be gathered to justify payment, or continued payment. The adjuster needs to determine if the medical services support a valid workers' compensation claim. Thus, the adjuster will want to look at the history statement in the provider notes to see if there was: 1) a pre-existing condition that was responsible for the injury, or 2) other activity more likely the cause of the injury (e.g., sporting activity). These cases may involve more extensive records requests. In some cases, there may be questions as to the reasonableness or necessity of the medical treatment being provided. For example, if a worker is diabetic, treatments may need to be longer or different than if the worker were not. Even though the diabetes itself is not work-related, it plays a role in justifying the treatment of the work-related injury. These types of issues may require extensive disclosures of the background medical condition of the worker, in order to justify the current treatment.

In such cases, the principles of disclosure and informed consent might be applied. The claimant must be notified that failure to release records may result in a delay or denial of payment for medical and indemnity payments, depending on current state law.

Treatment of Mental Illness. Psychiatric and psychological medical records and office notes get special protections in HIPAA. Likewise, in workers' compensation it may be wise to require written release of records for disclosing these records to a claims adjuster, and certainly this should be required before release to the employer by the adjuster. Also, as in HIPAA, a doctor’s mental health related office notes should be withheld from disclosure to the patient, at the discretion of the treating provider.  

Disclosure. Under HIPAA a patient is entitled to a full disclosure of uses to which their records might be put. In the formal disclosure, there is no requirement to tell the patient that their records may be shared with employers, insurers, or claims adjusters for the purpose of complying with workers' compensation law or claims practices. Disclosing the fact that a claim of occupational origin of the injury or disease will lead to records demands and transfer to claims adjusters does not seem to prejudice fair and efficient claims handling. The limits of records requests without written release might also be described.

  • Finally, the fact that these records might be shared by the workers' compensation payer with third parties that are assisting in the claims investigation, including employers, should also be known to the patient. This last disclosure is where state law is the only regulating factor. Once the medical provider, who is a “covered entity,” releases the records to the WC insurer, who is not a “covered entity”, the limit of HIPAA in WC is reached. Because the WC insurer is not covered by HIPAA, they may release the records to whomever state law allows.

Security. HIPAA mandates a list of security measures to make certain that medical records are properly safeguarded and handled. These include:

  • A formal written security plan;
  • Designation of a security officer to monitor compliance with the security plan;
  • Training for staff on security rules and procedures;
  • Audit trails for records handling.

It is difficult to see how these responsibilities for “covered entities” under HIPAA would jeopardize the fair and efficient handling of workers' compensation claims. Surveys of medical providers suggest that significant improvements in their security systems will be necessary. These requirements will include any providers who treat ‘regular’ patients in addition to WC. Of course, once installed, these security improvements will include their WC patients as well. We have no systematic evidence on how close the workers' compensation carriers and third party administrators conform to the HHS regulations. An informal survey of the largest carriers suggests that the internal security of their information systems is quite strong. However, the specific responsibilities of the HHS regulation are not followed to the letter. For example, each carrier has a security procedure that covers access to datasets by authorized parties, but the plans do not reference or acknowledge HIPAA.

Paper records, most of which also end up being covered under HIPAA because at some point they are maintained or transmitted electronically, need to have the same security procedures. Here, formal procedures and policies exist, but they are more relaxed in terms of documentation. Logs are not typically kept on who took out a record. Formal privacy and security training is not given to staff. A security officer is not always easy to identify.

Public entities that receive electronic and paper medical information seem even more vulnerable to abuse and criticism. The confidentiality of medical information is clearly understood by public agencies. Staff members know that records must be treated carefully. However, seldom is there a formal security plan for paper records that meets HIPAA rules. For instance, any staff member known to a records clerk could typically obtain a workers' compensation claim file containing medical records. Details of a claimant’s health and medical condition are openly discussed.

Workers' compensation, by its nature, uses medical data in a more public way than general health systems. Adjusters want facts to ensure the claim of injury is supportable with medical evidence. For health claims, the adjuster need only find evidence that the treatment was covered under the policy and that the maximum dollar amount of the policy has not been reached. For workers' compensation, the adjuster also wants to review the treatment to make certain it was relevant to the injury, reasonable medically, and appropriately paid. However, the WC adjuster additionally scrutinizes medical records at four stages of the claim:

1. was the origin of the injury occupational and are there defenses against full payment

2. when will the patient be able to return to work and under what conditions

3. when will maximum medical improvement be reached

4. what degree of permanent disability will result from the injury.

Altogether, these legal and medical demands require a considerable amount of attention by the workers' compensation adjuster to medical records.

Moreover, claims personnel within public agencies often review the details of injury and treatment in the normal course of their duties. Thus, a jurisdiction staff member may audit the doctor’s estimate of permanent injury using the medical facts around a disputed claim. Other jurisdictions provide for independent medical exams in disputed situations, where very complete medical reports are written that are intended for semi-public, legal, adjudicative purposes, not for treatment purposes.

Returning the injured worker to the job is a major goal of compensation systems. To accomplish this, open and direct communication among medical providers, adjusters and employers is a must. So, the employer must know details about functional limitations and prognosis. These details may be embarrassing or sensitive to the worker. Moreover, this potentially sensitive information may have to be shared with supervisors and others in the organization with a need to participate in the return to work process. In the vast majority of return to work situations this functional limitation information is benign and mundane, e.g., no lifting over 30 pounds for two weeks or no grasping with the left hand until stitches are removed. However, diagnoses or related medical information far beyond the basic “need-to-know” level of work restrictions is provided to employers, e.g., psychological or sexual problems being treated as a result of the injury.

Identifying the appropriate disclosure is particularly problematic for employers who wish to seriously explore their benefit plan’s handling of disabilities among their workforce. These employers may, by careful examination of the health of their employees, be able to improve both their own company’s injury rates and the provision of general medical services for their employees. However, this kind of intensive analysis does not appear to be allowed under HIPAA.

In addition, workers' compensation is more adversarial than most health claims. The vast majority of workers' compensation claims go through the system with computer validity checks and only cursory review by adjusters. Yet, disputed cases can become acrimonious and adversarial. When a case goes to a hearing, the facts about an injury can become quite public. Nothing is off limits: incontinence, clinical depression, and sexual dysfunction. The parties to the dispute, including the employer, scrutinize all the details of the injury. Moreover, if the case is appealed, orders issued at the appeals level are public record and fully published for their precedent-setting importance.

Conclusion

HIPAA provides sweeping and elaborate new rights to patients to control the use of their medical information. It also creates strong privacy and security safeguards. These rights and safeguards are not extended to certain uses of medical records, including workers' compensation.

Given the strength of public opinion behind privacy and the fact that medical providers are demanding consistent application of strong privacy rules, it makes sense for workers' compensation policy makers and administrators to review state privacy rules for handling workers' compensation claims. Clearly, prompt payment of indemnity benefits requires some leeway in obtaining some medical records of recent, immediate treatment. Other records and record handling practices might be made to conform more closely to the new societal norms set by HIPAA.

Comments should be directed to:

Gregory Krohm
Executive Director
International Association of Industrial Accident Boards and Commissions
608-277-1479
email: gkrohm@iaiabc.org
Web site postings of HIPAA White Paper: www.iaiabc.org

This is a collective project of the IAIABC Committees. The principle authors, to whom comments should be directed are: Greg Krohm, gkrohm@iaiabc.org and Marty McReynolds, marty.mcreynolds@state.co.us. Bob Aurbach and Richard Smith deserve credit for their helpful comments and additions to this draft, though no responsibility for remaining errors.

Health plan (insurer for purposes of the HHS regulations) excludes any policy, plan or program that provides or pays for "excepted benefits" (as listed in Public Health Service Act section 2791(c)(1), 42 USC section 300GG-91(C)(1) (See HIPAA regulations at section 160.103).

Elsewhere it states excepted benefits are "benefits under one or more (or any combination thereof) of a) coverage only for accident or disability income insurance, b) coverage issued as supplement to liability insurance, c) liability insurance, including general liability and automotive liability insurance, d) worker's compensation or similar insurance, e) automobile medical payment insurance, f) credit-only insurance, g) coverage for on-site medical clinics, h) other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.

The notice need not include WC, since 164.512 (l) says without “consent, authorization or opportunity to agree or object.” Most notices will include WC, we believe, especially since it is part of the OSHA portion. Also, if the disclosure is NOT part of the notice, then the provider has to be able to account for every individual disclosure, whereas if it is included in the notice, then each individual disclosure does not have to be accounted for. So providers will try to get everything they possibly can into the notice, so they don’t have to account for any more than minimum number of disclosures.

The American National Standards Institute X12N Committee developed this standard. It includes the ability both to make payments using elect ronic funds transfers (EFT) and to send remittance information (such as reductions to their billed charges) directly to medical providers.

In some jurisdictions, the practice of channeling treatment of work related injuries to group health providers is regarded as a fraudulent attempt to artificially reduce experience modification factors utilized in the calculation of workers’ compensation insurance premiums. That issue will not be addressed here.

This is not to say that bill adjusters must not be vigilant to watch for providers that might be “gaming” the payment system with code shifting or unbundling of services. Expert computer systems used by payers attempt to detect these irregularities, but skillful gaming of the standard claims forms can still get through the system if the adjustor does not obtain additional documentation of services provided. The distortion or manipulation of the description of treatments is a problem for general health insurers and workers' compensation payers.

Case law in some jurisdictions has recognized that a pre-existing condition may contribute to the total disability experienced by a worker as a result of their injury, requiring compensation for the entire disability of the worker, including that caused by the pre-existing condition. In such cases, state law may mandate the need for more detailed medical records.

Go to TOP