HIPAA and PHI Disclosures for Workers’ Compensation Claims

May 26, 2021 | HIPAA

In a workers’ compensation case, determining the claimant’s eligibility requires proper evidence. To avoid complications during the medical record review process, injured workers are asked to disclose their medical records and other protected health information (PHI) to their lawyers and other covered entities, as recommended by federal laws including the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. PHI includes all individually identifiable health data, such as demographic details, medical histories, test results, insurance details and other health records, that are used to identify a patient or provide medical treatment or healthcare coverage.


According to the U.S. Department of Health & Human Services, covered entities include health care providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies), health plans (health insurance companies, HMOs, company health plans and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs) and health care clearinghouses (entities that process nonstandard health information they receive from another entity into a standard format, or vice versa).

Covered entities often require access to an injured worker’s health information to process or adjudicate claims, or to coordinate care under workers’ compensation systems. To manage workers’ compensation claims, the HIPAA Privacy Rule allows workers’ compensation insurers and other entities to obtain the necessary medical information. Depending on state law, disclosure of some medical information does not need a medical release/authorization, while other disclosures require permission. Most state laws allow subpoenas to obtain full medical records when needed.

According to the HIPAA Privacy Rule, covered entities:

  • may disclose PHI to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems without the individual’s authorization
  • may disclose PHI to workers’ compensation insurers and others involved in workers’ compensation systems, where the individual has provided authorization for the release of the information to the entity
    • authorization is required for psychotherapy notes and to use the information for marketing purposes
    • an authorization is not valid if the document submitted has any defect, such as: the expiration date has passed or the expiration event is known by the covered entity to have occurred; the authorization has not been filled out completely; or any material information in the authorization is known by the covered entity to be false
  • must limit the amount of PHI disclosed to the minimum necessary
    • to accomplish the workers’ compensation purpose
    • for payment purposes
    • to obtain payment for health care provided to an injured or ill worker
    • when requested by a State workers’ compensation or other public official
  • are not required to make a minimum necessary determination when disclosing protected health information as required by State or other law, or pursuant to the individual’s authorization.

When processing workers’ compensation claims, insurance companies may require an objective medical peer review to make an informed and proper decision. Workers’ compensation attorneys handling related lawsuits also need a comprehensive review of the medical records to ensure that the work-related injury or illness is well-documented in a claimant’s medical records.
