Part of the Health Insurance Portability and Accountability Act (“HIPAA”) addresses patient privacy. Certain procedures must be followed when sensitive health information is transferred, received, handled, or shared. These standards are disclosed in the HIPAA Privacy Rule. But does the Privacy Rule apply to Longshore claims? No, it does not.
The regulation that excludes Longshore claims from the HIPAA Privacy Rule is 45 C.F.R. 164.512. Subsection “l,” entitled “Standard: Disclosures for workers’ compensation,” states: “A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provides benefits for work-related injuries or illness without regard to fault.”
Not the clearest regulation, is it? Luckily, the U.S. Department of Health & Human Services (“HHS”) provides more information:
The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent they may otherwise be covered entities. However, these entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. Generally, this health information is obtained from health care providers who treat these individuals and who may bee covered by the Privacy Rule. The Privacy Rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. Due to the significant variability among such laws, the Privacy Rule permits disclosures of health information for workers’ compensation purposes in a number of different ways.
To be sure, a signed medical authorization is the easiest way to obtain medical records. But, technically, the authorization is not required. HHS explains:
Disclosures Without Individual Authorization. The Privacy Rule permits covered entities to disclose protected health information to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization:
As authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. This includes programs established by the Black Lung Benefits Act, the Federal Employees’ Compensation Act, the Longshore and Harbor Workers’ Compensation Act, and the Energy Employees’ Occupational Illness Compensation Program Act. See 45 CFR 164.512(l).
Considering the foregoing, employers and carriers can access relevant medical information about the injured worker as a result of the injured worker filing a workers’ compensation claim. HHS has specifically recognized that medical providers may disclose protected health information without a patient authorization as a part of the patient’s Longshore and Harbor Workers’ Compensation Act (or Defense Base Act) claim. Further, HHS recognizes that employers and carriers have a legitimate need for the injured worker’s medical records.
Now employers and carriers just need medical providers to recognize that this regulation exists…