The Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule" or the "standards") represent the most comprehensive federal regulations protecting the confidentiality of health information to date.
Although the standards may be modified somewhat before the rule is finalized, the revisions largely will iron out identified "glitches" in the rule without changing the real substance or timing of the regulations. That said, the time has come for occupational safety and health professionals to develop a basic familiarity with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule so they can assess the impact of the regulations on their occupational health programs.
The Privacy Rule is the second of three sets of regulations required under the Administrative Simplification provisions of HIPAA. (1) Those provisions are intended to increase and standardize the electronic transmission of data throughout the health care system. The first set of HIPAA regulations--the Standards for Electronic Transactions--establishes uniform coding conventions and record formats across all payer types for many electronic transactions central to the processing of health care claims and health plan enrollment. Once it is promulgated as a final rule, the third set of HIPAA regulations will implement the Security and Electronic Signature Standards. These standards will set minimum requirements for protecting the physical integrity, accessibility and confidentiality of data maintained or transmitted electronically.
Uses and Disclosures by Covered Entities
Despite the e-commerce focus of the other two HIPAA regulations, the Privacy Rule governs the use and disclosure of individually identifiable health information transmitted or maintained in any form or medium--paper or electronic--but only by individuals and organizations defined as "covered entities" under the rule. Those covered entities include (1) individual or group health plans such as Medicare, Medicaid and most employer-sponsored health benefit plans; (2) businesses called health care clearinghouses that translate nonstandard transactions into HIPAA-standard formats or vice versa; and (3) those health care providers, either individuals or organizations, that transmit individually identifiable health information electronically in connection with HIPAA-standard transactions. Employers per se are not covered entities, but any part of a company that engages in the functions that define a covered entity will have to comply with applicable HIPAA rules and be firewalled off from the rest of the business.
Except in certain specifically defined situations where public policy considerations dictate more liberal rules, the Privacy Rule requires a covered entity to get an individual's written permission to use or to disclose any health information about the person that contains data that identify or could reasonably be used to identify the subject of the information. Occupational health nurses and physicians often have broad access to employee health information because they conduct wellness initiatives, provide case management services to workers who have suffered on-the-job injuries, operate fitness-for-duty programs and furnish hands-on treatment in onsite clinics.
Regardless, few occupational health professionals employed at worksites and few onsite employee clinics will be covered entities when the Privacy Rule takes effect, because they do not bill payers electronically for their services or engage in any of the other electronic transactions defined to date under the Electronic Transactions Rule. Although this situation could change, because HIPAA contemplates standardization of the transactions used to file first reports of injury, it is unlikely that the Department of Health and Human Services will finalize such a rule any time soon because of stiff opposition from the property and casualty insurers lobby. …