Health care providers can feel pulled in different directions trying to balance the requirements of state laws to disclose patient information with the privacy protections of HIPAA. For example, state workers’ compensation schemes, such as that in Pennsylvania, deal with employees injured in the course of their work and therefore necessarily involve some level of coordination among the employer, the workers’ compensation insurer, the relevant regulatory agency and the health care provider. But what must a provider do to coordinate with those parties while maintaining HIPAA compliance?
The Pennsylvania workers’ compensation statute and its regulations require health care providers who treat an employee injured on the job to submit periodic medical reports to the employer or, if the employer has a workers’ compensation insurer, to that insurer. Specifically, a provider who treats an injured employee must file periodic reports including, as applicable, history, diagnosis, treatment, prognosis, and physical findings. “Periodic,” in this context, means that the reports are to be filed within 10 days after treatment begins and at least monthly thereafter. Crucially, the provider is not entitled to payment by the insurer for such treatment until a report has been filed in the required format.
How do these disclosures comport with HIPAA’s privacy protections? Fortunately, HIPAA has a subsection that deals directly with workers’ compensation schemes, which provides that a “covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.” 45 C.F.R. § 164.512(l). Importantly, the disclosures permitted by this subsection do not require written authorization from the relevant individual, nor do they require that the individual be given the right to agree or object to the disclosure.
As a final matter, it is worth briefly noting the employer’s obligations within the workers’ compensation scheme (particularly for those health care providers who are employers). In PA, an employer shall report all injuries sustained by employees while on the job to the employer’s workers’ compensation insurer (if the employer is self-insured, then the report goes to the person in charge of that program). In addition, the employer must report those injuries to the PA Department of Labor and Industry, copying the employer’s insurer. The Department notices must be submitted within 48 hours if the injury resulted in death and within 7 days if not (with an exception for certain minor injuries).
In addition, employers must keep a record of each employee injury with a description of the injury, a statement of any time during which the injured person was unable to work because of the injury, and a description of the manner in which the injury occurred. These records are subject to inspection by government agencies.
Navigating legal obligations to disclose patient information in the context of HIPAA’s privacy protections can often be confusing. What is more, the general explanation provided above is subject to conditions, exceptions, and qualifications that may apply in certain circumstances. It is therefore critical that health care providers work with their attorneys to meet disclosure obligations in a HIPAA-compliant way.