Confidentiality and Information Privacy 101

We have received a few questions recently regarding HIPAA in the workplace and how safety professionals receive and handle confidential information. This is a confusing topic for many and yet an essential one to understand, not only because of regulatory requirements, but also to ensure professional ethical conduct.

First and foremost, we advise establishing a corporate policy and procedures on receiving, handling, and maintaining confidential employee information. If there is a corporate policy, we encourage safety, wellness, and occupational health departments to develop their own policy modeled after corporate’s. The policies should include employee notification of what information is collected/needed, how it is used, who has access, and how the employee can obtain copies.

Below is an overview of information related to HIPAA and the covered entities as well as confidentiality and privacy.

HIPAA in a Nutshell

Briefly, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 established federal standards protecting sensitive health information from disclosure without a patient’s consent. It was not finalized until August 2002. The US Department of Health and Human Services issued the HIPAA Privacy Rule to implement HIPAA requirements.

A major goal of the Privacy Rule is to assure that individual health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. 

Any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA is a “covered entity.”

Covered entities include for example:

  • Healthcare providers
  • Health Plans (including employer sponsored plans)
  • Business associates: A non-member of a covered entity’s workforce using individually identifiable health information to perform functions for a covered entity. These functions, activities, or services include:
    • Claims processing
    • Data analysis
    • Utilization review
    • Billing

There are instances that permit use and disclosure of personal health information without an individual’s authorization, for example:

  • Workers’ compensation
  • Public Health
  • By Law

Despite the exemptions, we do recommend that Workers’ Compensation claims and Injury Reports be handled confidentially and that employees be notified of how the documents are handled. 

Only covered entities are required to train their employees on HIPAA requirements and internal procedures; new employees must be trained within a reasonable time period after joining.

OSHA is not a “covered entity” under HIPAA and is not bound by the use and disclosure requirements included in the privacy regulation. Most workplaces are also not considered “covered entities” except related to insurance administration. However, OSHA complies with applicable laws and regulations protecting privacy, such as the Privacy Act, 5 U.S.C. § 552a, and businesses should as well.

Even though OSHA is not a covered entity, OSHA addresses confidentiality in several standards that require medical evaluations. Examples include the Bloodborne Pathogens Standard (when an exposure incident occurs), respirator medical clearance, and several medical surveillance standards such as those for hexavalent chromium and crystalline silica.

Protected Health Information

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

Individually identifiable health information is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual, or for which there is reason to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Here are a few examples where health data is not classified as PHI: 

  • Employee and education records: Any records regarding employee health, including known allergies, blood type, or disabilities, are not considered PHI.
  • Wearable devices: Data collected by wearable devices, including heart rate monitors or smartwatches, is not PHI.

However, again we believe it is prudent to handle such information as confidential and private. Information that Safety, Wellness, and Occupational Health should treat as private and confidential includes, for example:

  • Hepatitis B Vaccine or other workplace required vaccination records
  • Handling Respirator Medical Clearance documents
  • Biometric Screening results including blood pressure checks during Safety and Health Day
  • Information learned by the Medical Emergency Response Team
  • Injury Reports and physician follow-up treatment summaries
  • Occupational Health Records
  • ADA and FMLA records

OSHA’s Access to Employee Exposure and Medical Records Standard, 29 CFR 1910.1020, requires that the employee, or the employee’s designated representative with the employee’s written consent, have access to relevant exposure and medical records, according to the following guidelines: records must be provided without cost to the employee or representative, if possible within 15 working days of the initial request, and the employer must make provisions for copying of records (U.S. Department of Labor, 2011).

Even workplace ‘gossip’ can be a HIPAA or Privacy violation if it takes place in a covered entity’s or business associate’s workplace, if it concerns an individual whose individually identifiable health information is protected by the HIPAA Privacy Rule, and if the workplace gossip identifies the individual. Think about employees chatting in the breakroom about an incident or about someone’s blood pressure readings, etc.

Dimensions uses employee notification and release-of-information forms for activities such as respirator medical questionnaires, wellness activities, Workers’ Compensation case management, injury investigation, and Medical Emergency Response Team training.

It is important to consider how confidential information is handled and maintained including how employees are informed. We are happy to discuss options and help develop a privacy policy, including employee notification based on your needs. 
