Even under the best of circumstances—excellent staff, streamlined workflows, the latest technology— Release of Information (ROI) is a precarious process. Specific rules apply to different categories of requests. One area of complexity and confusion is the disclosure of Protected Health Information (PHI) for workers’ compensation purposes. While the ROI process for workers’ comp requests is similar to the process for “regular” requests, the type of information allowable for disclosure is different unless the request is accompanied by a patient authorization.
According to HHS guidelines, “The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent they may otherwise be covered entities.” However, the rule recognizes the legitimate need of these entities involved in workers’ compensation cases to access PHI according to state or other laws. Due to variability among such laws, the Privacy Rule permits disclosures of PHI for workers’ compensation purposes in different ways.
Disclosures without individual/client authorization. In most cases, an employer or insurance carrier is permitted to request and receive information pertaining to the injury—on behalf of the company or on behalf of the client—without an authorization. So employers, insurance companies or their attorneys can obtain information on behalf of the insurance company or on behalf of the client. Typically an attorney would get an authorization from the client. However, the employer, the payer or an attorney representing the payer can generally request those records without individual authorization.
Disclosures with individual authorization. The Privacy Rule permits covered entities to disclose PHI to workers’ compensation insurers and others involved in workers’ compensation systems if the individual (patient/client) has provided an authorization for the Release of Information to the entity. The authorization must meet specific Privacy Rule requirements.
When considering a workers’ comp claim, we can only disclose PHI pertaining to the event that initiated that particular claim. For example, suppose a patient had five admissions in 2017, and was injured January 2018. The employer may want to determine if the patient had preexisting injuries or conditions where the most recent injury occurred. If the January 2018 injury was secondary to a problem that already existed with this patient, the requester generally cannot obtain prior information without a HIPAA valid authorization.
The main point is that rules and regulations pertaining to workers’ compensation claims differ depending on the type of request for information and the type of requester.
About Don Hardwick
As Vice President of Client Relations and Account Management, Hardwick oversees all client relations initiatives including implementation and account management. Prior to joining MRO, he was CEO and President of Record Enterprises Inc., a Health Information Management (HIM) company that provided hospitals with an outsourcing program for patient release of information, medical coding and medical/confidential record storage. Previously, he was CEO and president of MedRecs Law Inc., a record acquisition company. Additionally, he was a manager in the healthcare consulting division of Ernst & Young and worked as the Director of HIM at Saint Margaret Hospital in Montgomery, AL and Southampton Memorial Hospital in Franklin, VA. Hardwick is a past President of the Virginia Health Information Management Association (VHIMA) and the recipient of East Carolina’s Allied Health Sciences Distinguished Alumni Award. He holds a B.S. in Health Information Management.
If you’d like to receive future HIM posts in your inbox, you can subscribe to future HIM Scene posts here.