Synopsis: Understanding Medical Privacy Rights in U.S. Workers’ Comp Claims. Thoughts and comments by Gene Keefe, J.D.
Editor’s comment: HIPAA or the Health Insurance Portability Accountability Act first became U.S. law way back in 1996. In my view, that was a game-changer for all WC claims handlers and risk managers. The goal of HIPAA was to insure records of medical care and billing were only provided to those who needed to see the records and bills on a “need to know” basis.
HIPAA was intended by the initial drafters to allow electronic transmission of medical records and bills with safeguards for privacy. HIPAA first came about from the need to create standards for the management of electronic medical records/bills within the health care industry. Its purpose is to allow the safe transfer of medical information from one health insurance company to the next, and from one health care provider to another. It is very odd to confirm medical records and billing are still not fully computerized—the WC industry on both sides still struggles for months and sometimes years to get paper medical records when everything should be done on a high-speed, need-to-know basis.
The HIPAA Privacy Rule plateaued in 1999, and required safeguarding of patient information against unauthorized access and disclosure. Since 2003, the HIPAA Security Rule was published and subsequently the HIPAA Enforcement Rule and Breach Notification Rule were enacted in an effort to keep up with technology and meet the demand of patient privacy. In the workers’ compensation arena this means obtaining and securing medical information within the HIPAA rules, as I outlined below.
How are HIPAA and Work Comp Linked?
Workers’ comp’s highest claim cost, on a per-claim basis, is almost always medical care. The cost of surgery and prescription medications continues to soar. Medical costs and processing will continue to be a major and growing factor in all U.S. WC claims handling.
The flow of records and bills from the medical providers to the WC insurers needs to start on the date of loss and continue until claim closure. All sides to a work injury/exposure need to cooperate and coordinate if that is to occur. If there are delays or dysfunction in medical record transmission, injured workers suffer and go to lawyers and the WC Commissions and Boards to complain and complain more. Key to timely and efficient processing of medical bills are records confirming the treatment is reasonable, necessary and related.
HIPAA’s Privacy Rule allows workers’ compensation insurers, third-party administrators and employers to obtain necessary medical information to manage workers’ comp claims. The Privacy Rule for Workers’ Compensation was designed to provide necessary information needed to manage a claim. State laws, in litigated claims, allow for issuance of subpoenas to obtain full medical records and bills as needed.
Merge a HIPAA Release Into Your Incident Reporting Protocols
My law partner, John Campbell and I drafted and promulgated one of the best HIPAA-compliant releases anyone could ever use in a work comp claim. Our HIPAA release is widely used across the country by readers like you. If you get our form, we do recommend you consult with local counsel if you have claims outside IL, IN, WI, IA and MI, as we can’t provide legal advice in the other 45 states. That said, if you want a complimentary copy of our HIPAA-compliant release, send a reply.
The best way to implement a HIPAA-compliant release is to take your incident-reporting form and add the HIPAA release language to it. In this fashion, you will get the worker’s report of the incident to relay to your carrier/TPA and you will have a signed HIPAA release facilitating the smooth flow of records and bills for rapid processing.
Please note the injured worker or their attorney can later withdraw their consent to access to medical records and bills under HIPAA. Federal law allows it. If withdrawal of a HIPAA consent happens at any time, what you then need to understand is in the paragraphs below.
What is the Workers’ Comp “Exception” to HIPAA?
The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers/TPAs, workers’ compensation administrative agencies or employers. These entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. Generally, this health information is obtained from health care providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. Due to the significant variability among such laws, the Privacy Rule permits disclosures of health information for workers’ compensation purposes in a number of different ways.
· Don’t have a signed HIPAA release in your work comp claim file or
· The injured worker or their attorney withdraw the HIPAA consent
you and your claims handling then fall into this odd “workers’ comp exception” to HIPAA where you might be able to get records and bills by confirming you need them for a work comp claim. In such a setting, subpoenas may be issued to get needed records and bills.
On the other hand, if you don’t have a valid consent, you may not be able to review records and bills, as the medical providers may balk at providing needed information. You also have to consider the person who makes the game-changing decision to want an injury or illness to be work-related is the worker—if they don’t want a clear work injury to be a work comp claim, the “protection” to you from the WC exception to HIPAA becomes a challenge. If the worker doesn’t want you to know they have a serious disease or other medical condition and decides not to put forward a work comp claim, you can’t and shouldn’t seek medical records without a signed HIPAA release. For that reason, I don’t recommend clients rely on the WC exception—get a signed HIPAA release as part of the initial investigation of all incidents and keep it in your file.
Our advice to all of our KCB&A readers is to work hard, follow HIPAA or the “exception” to get what you need to manage a claim from a medical perspective. Seek cooperation for all injured workers early and often with a goal of helping them to full or “best possible” recovery. Make it clear to the injured worker and their attorneys where appropriate to let them know you are always being audited and you can’t pay medical bills “in-the-blind,” you need to have supporting records or the medical bills will and have to sit. Future medical authorizations/approvals are also going to sit until you have needed documentation. Make your claim needs clearly known to all sides.
HIPAA rules are constantly being amended, but each governs who, what and when someone can receive medical information on an injured workers’ claim for benefits. Please remember HIPAA also mandates destruction/shredding of WC claim files at the end of handling a claim by any work comp vendor, including lawyers on both sides.
If you have questions or concerns about HIPAA and medical privacy in work comp, please send a reply. We appreciate your thoughts and comments. Please post them on our award winning blog.
Synopsis: Indiana’s New Statutory Worker’s Compensation Changes, Additional Regulations and Penalties for Employers and Insurers. This is a “Must Read.” Comment by Kevin Boyle of Keefe Campbell Biery & Associates, LLC.
Editor’s comment: Two important worker’s compensation bills were signed into law last week by Indiana’s Governor that you need to know about.
First, Indiana Senate Bill 290:
§ Requires Employers to pay benefits within 30 days of an Award being issued and imposes civil penalties against Employers that do not pay benefits with due: $50 for the first offense, $150 for the second, and $300 for the third offense
§ Changes the penalty against Employers that fail to provide notice of work comp coverage to $100 per day, instead of $50 per employee.
§ Allows Employers that have mobile or remote employees to convey notices and information about workers’ compensation coverage to those workers in an electronic format or in the same manner as Employer conveys other employment-related information.
§ Provides that a permanently, totally disabled worker must reapply to the second injury fund for a wage-replacement benefit every three years instead of every 150 weeks.
§ Requires the reporting of workplace injuries needing medical attention beyond first aid instead of injuries causing an absence from work for more than one day.
§ Specifies that reporting requirements for workplace injuries are intended to be consistent with the recording requirements set out in the U.S. Occupational Safety and Health Administration's regulations.
These changes will be effective July 1, 2018.
Second, Indiana Senate Bill 369:
§ Adopts a drug formulary to restrict opioid prescriptions and abuse. Indiana is adopting the MCG Health’s Official Disability Guidelines which uses a preauthorization process where doctors cannot prescribe “not recommended” medications unless the insurer first approves. It is not yet clear how that process will be implemented by the Indiana Worker’s Compensation Board, especially since insurer utilization reviews are generally disfavored to dispute medical provider recommendations.
These changes will be effective July 1, 2018. However, SB 369 also provides that there will be a ban on reimbursing prohibited drugs effective January 1, 2019, but injured workers taking those meds before July 2018 may continue to do so until January 2020.
Stay tuned for more. If you have questions/concerns about Indiana workers’ comp, general liability, MVA or employment law issues, please contact: firstname.lastname@example.org