Last updated on May 13th, 2019 at 02:23 pm
So, you’ve heard about the Health Insurance Portability and Accountability Act (HIPAA). You think that’s an issue for health plans and health care providers, not human resources, right?
Well, not exactly. Although there are no legal requirements placed directly upon HR departments by the HIPAA Privacy Rule, it likely will affect the day-to-day operations of those departments.
It is therefore time — with the generally applicable April 14, 2003, deadline for compliance with HIPAA’s final rules now looming on the horizon — for every HR department to have a basic understanding of what those rules require.
HIPAA was actually enacted in 1996 to address the portability of employee health insurance. The law also required the U.S. Department of Health and Human Services (HHS) to adopt national standards for the electronic transmission of health care transactions and for the security and privacy of patient personal health information (PHI).
PHI includes the type of individually identifiable medical information HR departments frequently use when addressing Family and Medical Leave Act (FMLA) and Americans with Disabilities Act (ADA) issues.
The HIPAA provision addressing PHI is known as the HIPAA Privacy Rule, which allows PHI to be released only in certain specific circumstances.
The good news for HR departments is that the only entities directly regulated by the HIPAA Privacy Rule are health plans, health care providers, and health care clearinghouses (together known as "covered entities") – and not HR departments.
In fact, the final August 14, 2002, HIPAA Privacy Rule specifically exempts "employment records," which the rule does not define, from the definition of PHI. Quite simply, the HIPAA Privacy Rule does not directly restrict the actions of HR departments.
The bad news is that the rule will indirectly restrict the operation of HR departments. When an unregulated HR department needs PHI to process an employee’s FMLA request, the employee’s regulated physician — who is covered by HIPAA — may not give that information to the HR department until the employee has provided appropriate written "authorization" required under HIPAA.
Employers with on-site clinics should be aware that those clinics will be treated as "covered entities" subject to HIPAA if they engage in: electronic transmission of health information in connection with health care payment and remittance advice; coordination of benefits; health care claims status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments, referral, certification and authorization; first report of injuries; health claims attachments; and other transactions which HHS might specify.
Employers whose clinics are considered "covered entities" will need to make sure that they disclose information to the HR department only in compliance with the HIPAA Privacy Rule.
There is a rather simple solution for employers who need access to PHI. To facilitate the release of such information from regulated health care providers to the HR department, an employer should ensure that each of its employees has completed the appropriate "authorization" under HIPAA before a physician or other covered entity is even asked to release PHI.
Medical information requests accompanied by such an authorization allow health care providers to release the information sought. By obtaining an authorization from each employee up front, an employer can save invaluable time in procuring medical information.
This should allow the employer to more efficiently and productively use such information to address issues raised under the FMLA or the ADA.
An authorization must meet the standards prescribed by the HIPAA Privacy Rule. For an "authorization" to be valid under the HIPAA Privacy Rule, the following must be in writing:
— A specific and meaningful description of the information;
— The name or other specific identification of the person(s) (or class of persons) authorized to make the disclosure or use the disclosed information;
— The name or other specific identification of the person(s) (or class of persons) to whom the covered entity may make the requested disclosure;
— An expiration date or event that relates to the individual or to the use or disclosure purpose;
— A statement of the individual’s right to revoke the authorization in writing (as well as procedures for doing so and exceptions to this right);
— A statement that any PHI used or disclosed based on the authorization may be subject to redisclosure by the recipient and may no longer be protected at that point by the HIPAA Privacy Rule;
— A statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization (and the implications of that);
— The individual’s dated signature; and
— If an individual’s personal representative signs the authorization, a description of that representative’s authority to act on the individual’s behalf.
Ralph Topinka is chairman of the Health Law Practice Group at Quarles & Brady law firm in Milwaukee. Thomas Shorter is an associate practicing in health law, labor and employment law and school law for Quarles & Brady.
Jan. 10, 2003 Small Business Times, Milwaukee