HIPAA, the Health Insurance Portability Accountability Act, became U.S. law way back in 1996. In my view, that was a game-changer for all workers' compensation claims handlers and risk managers.
The goal of HIPAA was to ensure that records of medical care and billing were provided only to those who needed to see the records and bills on a “need to know” basis. HIPAA was intended by the initial drafters to allow electronic transmission of medical records and bills with safeguards for privacy.
HIPAA came about from the need to create standards for the management of electronic medical records/bills within the health care industry. Its purpose is to allow the safe transfer of medical information from one health insurance company to the next, and from one health care provider to another.
It is very odd to confirm that medical records and billing are still not fully computerized. The WC industry on both sides still struggles for months, and sometimes years, to get paper medical records when everything should be done on a high-speed, need-to-know basis.
The HIPAA privacy rule plateaued in 1999, and required safeguarding of patient information against unauthorized access and disclosure. Since 2003, the HIPAA security rule was published, and subsequently the HIPAA enforcement rule and breach notification rule were enacted in an effort to keep up with technology and meet the demand of patient privacy.
In the workers’ compensation arena this means obtaining and securing medical information within the HIPAA rules.
How are HIPAA and work comp linked?
Workers’ comp’s highest claim cost, on a per-claim basis, is almost always medical care. The cost of surgery and prescription medications continues to soar. Medical costs and processing will continue to be a major and growing factor in all U.S. comp claims handling.
The flow of records and bills from the medical providers to the WC insurers needs to start on the date of loss and continue until claim closure. All sides to a work injury/exposure need to cooperate and coordinate if that is to occur. If there are delays or dysfunction in medical record transmission, injured workers suffer and go to lawyers, and WC commissions and boards, to complain and complain more.
Key to timely and efficient processing of medical bills are records confirming that the treatment is reasonable, necessary and related. HIPAA’s privacy rule allows workers’ compensation insurers, third-party administrators and employers to obtain necessary medical information to manage workers’ comp claims. The privacy rule for workers’ compensation was designed to provide necessary information needed to manage a claim.
State laws, in litigated claims, allow for issuance of subpoenas to obtain full medical records and bills as needed.
Merge a HIPAA Release Into Your Incident Reporting Protocols
My law partner, John Campbell, and I drafted and promulgated one of the best HIPAA-compliant releases anyone could ever use in a work comp claim. Our HIPAA release is widely used across the country by readers like you. If you get our form, we recommend that you consult with local counsel if you have claims outside Illinois, Indiana, Wisconsin, Iowa and Michigan, as we can’t provide legal advice in the other 45 states.
That said, if you want a complimentary copy of our HIPAA-compliant release, send us a request.
The best way to implement a HIPAA-compliant release is to take your incident-reporting form and add the HIPAA release language to it. In this fashion, you will get the worker’s report of the incident to relay to your carrier/third-party administrator, and you will have a signed HIPAA release facilitating the smooth flow of records and bills for rapid processing.
Please note that the injured worker or his attorney can later withdraw consent to access the medical records and bills under HIPAA. Federal law allows it. If withdrawal of a HIPAA consent happens at any time, what you then need to understand is in the paragraphs below.
What Is the Workers’ Comp 'Exception' to HIPAA?
The HIPAA privacy rule does not apply to entities that are either workers’ compensation insurers/TPAs, workers’ compensation administrative agencies or employers. These entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems.
Generally, this health information is obtained from health care providers who treat these individuals and who may be covered by the privacy rule. The privacy rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information, as authorized by state or other law.
Due to the significant variability among such laws, the privacy rule permits disclosure of health information for workers’ compensation purposes in a number of different ways. If you don’t have a signed HIPAA release in your work comp claim file, or the injured worker or attorney withdraw consent, you and your claims handling then fall into this odd “workers’ comp exception” to HIPAA where you might be able to get records and bills by confirming you need them for a work comp claim.
In such a setting, subpoenas may be issued to get records and bills. On the other hand, if you don’t have valid consent, you may not be able to review records and bills, as the medical providers may balk at providing needed information.
You also have to consider that the person who makes the game-changing decision to want an injury or illness to be work-related is the worker. If he doesn't want a clear work injury to be a work comp claim, the “protection” to you from the WC exception to HIPAA becomes a challenge.
If the worker doesn’t want you to know he has a serious disease or other medical condition and decides not to put forward a work comp claim, you can’t and shouldn’t seek medical records without a signed HIPAA release. For that reason, I don’t recommend that clients rely on the WC exception. Get a signed HIPAA release as part of the initial investigation of all incidents and keep it in your file.
Our advice to all of our KCB&A readers is to work hard and follow HIPAA or the exception to get what you need to manage a claim from a medical perspective. Seek cooperation for all injured workers early and often with a goal of helping them to full or best possible recovery. Make it clear to the injured worker and his attorney where appropriate that you are always being audited and can’t pay medical bills blindly — you need to have supporting records, or the medical bills will and have to sit.
Future medical authorizations/approvals are also going to sit until you have needed documentation. Make your claim needs clearly known to all sides.
HIPAA rules are constantly being amended, but each governs who, what and when someone can receive medical information on an injured worker's claim for benefits. Please remember that HIPAA also mandates destruction/shredding of WC claim files at the end of handling a claim by any work comp vendor, including lawyers on both sides.
Eugene Keefe is a founding partner of Keefe, Campbell, Biery and Associates, a Chicago-based workers' compensation defense firm. This column was reprinted, with permission, from the firm's client newsletter.
Jan 24-27, 2019
Please join us for the California Applicants’ Attorneys Association’s 2019 Winter Convention i …
Jan 27-29, 2019
Leaders from plans, networks, administrators and care management organizations in both commercial/ …
Jan 30-31, 2019
PIWC is teaming up with Jim Moriarty once again to bring you this opportunity to attend his 2 Day …