HIPAA workers compensation

The HIPAA Privacy Rule dictates how a healthcare provider may share protected information, or PHI in the workers compensation context. PHI disclosures to the employer and the workers compensation board must be HIPAA compliant. HIPAA workers compensation requirements are discussed below.

What is Workers Compensation?

Many employers are required, under state law, to purchase and maintain a workers compensation insurance policy (or to self-insure). When an employee sustains an injury or illness arising out of and in the scope of his or her employment, the employee may file a claim for benefits under that policy.

State workers compensation laws are a specific kind of “no-fault” law. That is, an employee who sustains an injury or illness is generally entitled to benefits even if the employee’s injuries were brought about by his or her own negligence. Whether an employee is or is not entitled to benefits is generally not determined by whose “fault” the injury was.

To demonstrate entitlement to benefits and reimbursement for healthcare provider treatment costs, employees are required, through their providers, to submit medical information to their employers, and to the state workers’ compensation board. 

What Must a Covered Entity Do for HIPAA Workers Compensation Disclosure Requirements?

The HIPAA Privacy Rule allows covered entities to disclose protected health information to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization, when:

  • The PHI disclosure is authorized by, and is necessary to comply with:
    • State workers compensation laws; or
    • Similar “no-fault” programs established by law that provide benefits for job-related injuries or illness.
    • The PHI disclosure is required for purposes of obtaining payment for healthcare provided to the injured or ill worker.

In both instances, the “minimum necessary standard” applies. The PHI disclosure, under the HIPAA Privacy Rule, must be reasonably limited to the minimum information necessary to accomplish the HIPAA workers compensation purpose. This means that the medical information that is disclosed must be relevant to the specific injury. Medical information having no relationship to the injury or to payment should not be disclosed.

What is HIPAA Compliant Reasonable Reliance?

When PHI is requested by a state workers’ compensation or other public official, the covered entity may reasonably rely on the state official’s representation that the requested PHI is the minimum necessary for the specific workers’ compensation purpose.  In such circumstances, the covered entity is not required to make a minimum necessary determination when disclosing protected health information as required by state law. The provider will generally be deemed HIPAA compliant under such circumstances.

HIPAA and OSHA Together

Automate HIPAA and OSHA using simplified software.