The Department of Health and Human Services (HHS) released its final modifications to health privacy regulations. The rule compliance dates for privacy standards are as follows:
April 14, 2003: Companies with $5 million or more in gross receipts of medical care costs.
April 14, 2004: Companies with less than $5 million in gross receipts of medical care costs.
Companies with fewer than 50 employees: Exempt from HIPAA.
Here are excerpts and links from the Office of Civil Rights (OCR) website:
8/9/02 - HHS Final Changes to Privacy Rule That Protect Privacy, Access to Care. HHS Secretary Tommy G. Thompson issued final changes to HHS' health privacy regulations to ensure strong privacy protections while correcting unintended consequences that threatened patients' access to quality health care.
Final Modifications to the Privacy Rule, Federal Register, August 14, 2002
Summary of the Law and Regulation
Department: Health and Human Services (HHS)
Agency: Office for Civil Rights (OCR)
45 CFR Parts 160 and 164
Standards for Privacy of Individually Identifiable Health Information
Action: Final rule.
Dates: Final rule effective October 15, 2002
Rule compliance date is April 14, 2003 (April 14, 2004, for small health plans)
SUMMARY: HHS modifies certain standards in the Rule entitled "Standards for Privacy of Individually Identifiable Health Information" ("Privacy Rule"). The Privacy Rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Workers Compensation - No Impact
As of February 2013, the U.S. Department of Health and Human Services website explains:
"The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers, except to the extent they may otherwise be covered entities. However, these entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. Generally, this health information is obtained from health care providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. Due to the significant variability among such laws, the Privacy Rule permits disclosures of health information for workers’ compensation purposes in a number of different ways."
Also, since workers compensation insurance is not a "health plan," it is excluded from the HIPAA privacy regulation. HHS clarifies in the preamble that the minimum necessary standard is not intended to impede disclosures necessary for workers' compensation programs. HHS will actively monitor to ensure that worker's compensation programs are not unduly affected by the Rule. Below are excerpts from the OCR website that document the exclusion.
Excerpt from the "Frequently Asked Questions About the HIPAA Privacy Rule" document dated 10/2/02.
Are the following types of insurance covered under HIPAA: long/short term disability; workers compensation; automobile liability that includes coverage for medical payments?
Response: No, the listed types of policies are not health plans. The HIPAA administrative simplification regulations specifically exclude from the definition of a "health plan" any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 C.F.R. § 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
Coverage only for accident, or disability income insurance, or any combination thereof.
Coverage issued as a supplement to liability insurance.
Liability insurance, including general liability insurance and automobile liability insurance.
Workers' compensation or similar insurance.
Automobile medical payment insurance.
Coverage for on-site medical clinics
Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
With regard to disclosures, the Privacy Rule permits a covered entity to rely on the judgment of certain parties requesting the
disclosure as to the minimum amount of information that is needed. For example, a covered entity is permitted reasonably to rely on
representations from a public official, such as a State workers' compensation official, that the information requested is the minimum
necessary for the intended purpose.
Excerpts from pages 53198 & 53199 of the regulation [Federal Register: August 14, 2002 (Volume 67, Number 157)]
Response: The Privacy Rule is not intended to disrupt existing workers' compensation systems as established by State law. In particular, the Rule is not intended to impede the flow of health information that is needed by employers, workers' compensation carriers, or State officials in order to process or adjudicate claims and/or coordinate care under the workers' compensation system. To this end, the Privacy Rule at Sec. 164.512(l) explicitly permits a covered entity to disclose protected health information as authorized by, and to the extent necessary to comply with, workers' compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses without regard to fault. The minimum necessary standard permits covered entities to disclose any protected health information under Sec. 164.512(l) that is reasonably necessary for workers' compensation purposes and is intended to operate so as to permit information to be shared for such purposes to the full extent permitted by State or other law.
Additionally, where a State or other law requires a disclosure of protected health information for workers' compensation purposes, such
disclosure is permitted under Sec. 164.512(a). A covered entity also is permitted to disclose protected health information to a workers'
compensation insurer where the insurer has obtained the individual's authorization pursuant to Sec. 164.508 for the release of such
information. The minimum necessary provisions do not apply to disclosures required by law or made pursuant to authorizations. See
Sec. 164.502(b), as modified herein.
Further, the Department notes that a covered entity is permitted to disclose information to any person or entity as necessary to obtain
payment for health care services. The minimum necessary provisions apply to such disclosures but permit the covered entity to disclose the amount and types of information that are necessary to obtain payment.
The Department also notes that because the disclosures described above are permitted by the Privacy Rule, there is no potential for
conflict with State workers' compensation laws, and, thus, no possibility of preemption of such laws by the Privacy Rule.
The Department's review of certain States workers' compensation laws demonstrates that many of these laws address the issue of the
scope of information that is available to carriers and employers. The Privacy Rule's minimum necessary standard will not create an obstacle
to the type and
amount of information that currently is provided to employers, workers' compensation carriers, and State administrative agencies under these State laws.
... The Department understands concerns about the potential chilling effect of the Privacy Rule on the workers' compensation system.
Therefore, as the Privacy Rule is implemented, the Department will actively monitor the effects of the Rule on this industry to assure
that the Privacy Rule does not have any unintended negative effects that disturb the existing workers' compensation systems. If the
Department finds that, despite the above clarification of intent, the Privacy Rule is being misused and misapplied to interfere with the
smooth operation of the workers' compensation systems, it will consider proposing modifications to the Rule to clarify the application of the
minimum necessary standard to disclosures for workers' compensation purposes.
In 1996, Congress recognized the need for national patient privacy standards and, as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), set a three-year deadline for it to enact such protections. HIPAA also required that, if Congress did not meet this deadline, HHS was to adopt health information privacy protections via regulation based upon certain specific parameters included in HIPAA. Congress did not enact health privacy legislation.
HHS proposed federal privacy standards in 1999 and, after public comments on them, published final standards in December 2000. President Clinton issued the regulations on Wednesday, Dec. 20, 2000.
HHS had to make these final changes (8/9/02) to address the serious unintended consequences of the rule that would have interfered with patients' access to quality care. For example, patients would have been required to visit a pharmacy in person to sign paperwork before a pharmacist could review protected health information in order fill their prescriptions. Similar barriers would have arisen when a patient is referred to a specialist and in other situations.
"We took great care to make sure we weren't creating greater hardships or more health care bureaucracy for patients as they seek to get prompt and effective care," Secretary Thompson said. "The prior regulation, while well-intentioned, would have forced sick or injured patients to run all around town getting signatures before they could get care or medicine. This regulation gives patients the power to protect their privacy and still get efficient health care."
In general, the regulations give people the right to find out who's looking in their records and for what purpose, what's in their records, how to get them, and how to correct errors. No other federal law protects a person's medical privacy.