SUBJECT: Clarification on the HIPAA Privacy Rule and Disclosures to the Texas Workers' Compensation Commission, effective May 6, 2003
The Texas Workers' Compensation Commission (the Commission) provides clarification on the applicability of the HIPAA Privacy Rule to disclosures of protected health information (PHI) required by workers' compensation system participants. The HIPAA Privacy Rule does not apply to entities that are workers' compensation insurers, workers' compensation administrative agencies or employers when disclosing health information as required by state law for workers' compensation system purposes.
The Texas Workers' Compensation Act and Commission Rules require system participants disclose to the Commission an injured worker's PHI necessary to process or adjudicate claims or to coordinate care under the workers' compensation system. Generally, this health information is submitted by health care providers who treat the injured workers and who may otherwise be covered by the HIPAA Privacy Rule. The Privacy Rule recognizes the legitimate need for insurers and other entities involved in the workers' compensation system to have access to an injured worker's PHI as authorized by state or other law. 45 C.F.R. 164.512(a) and 164.502(b).
The new Privacy Rules should not change or hinder PHI disclosures to the Commission or other system participants as required by the Texas Workers' Compensation Act or Commission rules.
How the Privacy Rule Works.
Generally, the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) do not apply to entities that are workers' compensation insurers, workers' compensation administrative agencies or employers, except to the extent that they may otherwise be "covered entities." 42 U.S.C. 300gg-91 (c)(1). System participants making PHI disclosures to the Texas Workers' Compensation Commission or other workers' compensation participants as required by the Texas Workers' Compensation Act and Commission rules are, therefore, exempt from the HIPAA Privacy Rules with regard to those disclosures.
Disclosures without Authorization. The Privacy Rule permits covered entities to disclose PHI to workers' compensation insurers, State administrators, employers or other persons or entities involved in the workers' compensation system without the individual's authorization:
As authorized and to the extent necessary to comply with laws relating to workers' compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. 45 C.F.R. 164.512(l).
To the extent disclosure is required by State or other law. The disclosure must comply with and be limited to what the law requires. 45 C.F.R. 164.512(a).
For purposes of obtaining payment for any health care provided to an injured or ill worker. 45 C.F.R. 164.502(a)(1)(ii).
Disclosures with Authorization. The Privacy Rule permits covered entities to disclose other PHI (in addition to or different than PHI the entities are required by law or Commission rules to disclose) to workers' compensation insurers, State administrators, employers or other persons or entities involved in the workers' compensation system when the individual has provided authorization for the release of the information to that entity. The authorization must contain the elements and meet the requirements of 45 C.F.R. 164.508.
Only the Minimum Necessary Required. Generally, the Privacy Rule requires covered entities to reasonably limit the amount of PHI disclosed under 45 C.F.R. 164.512(l) to the minimum necessary to accomplish the workers' compensation purpose. When disclosing PHI as required by Texas workers' compensation or other law, or pursuant to an individual's authorization, however, covered entities are not required to make a minimum necessary determination 45 C.F.R. 164.502(b).
Privacy Rules Under the Texas Workers' Compensation Act. Though the Commission is not required to comply with the HIPAA privacy provisions, the Commission is committed to protecting each injured worker's medical privacy. The Texas Workers' Compensation Act and Commission rules require the Commission to keep confidential an injured worker's claim file information, including information that could be used to identify an injured worker, with certain exceptions. See TEXAS LABOR CODE 402.083 - 402.092.
Privacy Notice Requirements.
HIPAA regulations require covered entities to publish a privacy notice informing patients of the covered entity's policies regarding the release of PHI. The Commission recommends system participants include in their privacy notice that Texas state law requires, and federal law allows, use and disclosure of PHI to the Commission, workers' compensation insurers, employers, or other entities involved in the administration of workers' compensation benefits without an individual's authorization.
Business Associate Contracts.
HIPAA requires covered entities to obtain Business Associate contracts with "business associates," as defined by 45 C.F.R. 160.103. The Commission and system participants, however, are not required to enter into business associate contracts for the disclosure of PHI required by the Texas Workers' Compensation Act and Commission administrative rules because HIPAA exempts such disclosures from the Privacy Rules.
This Advisory is not intended as legal advice. If you have concerns or questions about HIPAA compliance, please consult an independent legal representative.
Signed on this 6th day of May, 2003
Richard F. Reynolds, Executive Director
Medical Professional Associations
Forms Notification List
Public Information List
RELATED DOCUMENT: HIPAA and Texas Workers' Compensation - Frequently Asked Questions