HIPAA and PHI Disclosures for Workers’ Compensation Claims

by | Last updated on Feb 5, 2024 | Published on May 26, 2021 | HIPAA

In a workers’ compensation case, when determining the claimant’s eligibility, you need proper substantial evidence. To avoid any complications during the medical record review for workers compensation insurance, injured workers will be requested to disclose protected health information (PHI) to their lawyers and other covered entities, as recommended by federal laws including the Health Insurance Portability and Accountability Act or HIPAA Privacy Rule. PHI includes all individually identifiable health data such as demographic details, medical histories, test results, insurance details and other health records that are used to identify a patient or provide medical treatment or healthcare coverage. Attorneys utilizing medical record review services from a medical review company need to ensure that their service provider is HIPAA compliant and has excellent security measures to safeguard PHI.

MOS Medical Record Reviews provides HIPAA-compliant, secure medical record review for attorneys.

Ask us for a Free Trial!

How HIPAA Governs PHI Disclosures for Workers’ Compensation

  • How the Medical Records Can Be Disclosed: The medical records must be disclosed with great caution. These can be disclosed only with the claimant’s express written permission. The records cannot be sent through unencrypted email or a public fax system. The claimant should sign a medical release of information form, and this form should be filled out properly with no blank spaces. A separate release form has to be signed for each medical provider. The requests should be made only for those records related to the specific work-related injury.
  • Where the Medical Records Can Be Stored: The records being highly sensitive, must be stored in a secure location where only authorized users can access them. The documents can be stored as physical or digital files, but the employer/workers’ comp provider must limit access strictly. Importantly, they should have specific policies for disclosure of medical records and PHI.
  • Who Are Authorized to Access the Medical Records? Medical record access must be strictly limited to those entities that are listed on the release form. Typically, employers should have a designated person to handle confidential medical records.
  • How the Medical Records Can Be Used: HIPAA mandates that the medical records are disclosed only for establishing and supporting the particular workers’ compensation claim.
  • Restraints on Medical Record Disclosure: The workers’ compensation claims administrator can only submit requests that relate to the particular claim. They cannot request the claimant’s full medical file or medical history. As mentioned earlier, the information disclosed can only go to the entities or persons listed on the medical record release form.

Covered Entities and How HIPAA Governs the Way They Release PHI

According to the U.S. Department of Health & Human Services, a covered entity will include a health care provider (Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies), a health plan (Health insurance companies, HMOs, Company health plans and Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs) and a health care clearinghouse (entities that process nonstandard health information they receive from another entity into a standard or vice versa).

Attorneys, especially those who handle PHI from “covered entities” need to be knowledgeable about the importance of HIPAA compliance for law firms. Law firms and attorneys that possess or process PHI on behalf of their clients are subject to HIPAA. These include personal injury, insurance defense, medical malpractice and elder law attorneys and their firms.

Covered entities often require access to an injured worker’s health information to process or adjudicate claims, or to coordinate care under workers’ compensation systems. To manage the workers’ compensation claims, HIPAA Privacy Rule allows workers’ compensation insurers and other entities to obtain the necessary medical information. Depending on the state laws, disclosure of some medical information does not need a medical release/authorization, while others require permission. Most state laws allow subpoenas to obtain full medical records when needed.

According to the HIPAA Privacy Rule, covered entities –

  • may disclose PHI to workers’ compensation insurers, State administrators, employers, and other persons or entities involved in workers’ compensation systems without the individual’s authorization
  • may disclose PHI to workers’ compensation insurers and others involved in workers’ compensation systems, where the individual has provided authorization for the release of the information to the entity
    • authorization is required for psychotherapy notes and to use the information for marketing purposes
    • authorization will not be considered as valid, if the document submitted has any defects such as – the expiration date has passed or the expiration event is known by the covered entity to have occurred, authorization has not been filled out completely or any material information in the authorization is known by the covered entity to be false
  • must limit the amount of PHI disclosed to the minimum necessary
    • to accomplish the workers’ compensation purpose
    • for payment purposes
    • to obtain payment for health care provided to an injured or ill worker
    • when requested by a State workers’ compensation or other public official
  • are not required to make a minimum necessary determination when disclosing protected health information as required by State or other law, or pursuant to the individual’s authorization.

When processing workers’ compensation claims, insurance companies may require an objective medical peer review to make an informed and proper decision. Workers’ compensation attorneys handling related lawsuits also need a comprehensive review of the medical records to ensure that the work-related injury or illness is well-documented in a claimant’s medical records.

MOS Medical Record Reviews provides comprehensive and secure review of medical records for workers’ compensation insurance.

Talk to our Solutions Manager today!

CALL 1-800-670-2809

Given the importance of HIPAA compliance and PHI disclosures for covered entities, legal entities that require access to PHI including personal injury lawyers, law firms that assist a covered entity such as a health plan, and malpractice firms that represent covered entities such as physicians, must ensure the security of any confidential healthcare data they handle. It is vital that all entities handling PHI understand the subtleties of HIPAA and have a proper compliance plan in place to ensure data security.

Discover our medical record review solutions and partner with us for your next case.

Related Posts

How Can A Medical Record Review Company Be HIPAA-Compliant?

How Can A Medical Record Review Company Be HIPAA-Compliant?

Providers of medical records services that assist attorneys in personal injury, workers’ compensation, medical malpractice and other cases are required to maintain HIPAA compliance. This means that they have to be extra cautious about safeguarding the security and...

How Lawyers Can Remain HIPAA-Compliant Business Associates

How Lawyers Can Remain HIPAA-Compliant Business Associates

HIPAA (Health Insurance Portability and Accountability Act) that came into effect in the year 1996 requires that individuals’ health information remain confidential and secure. The Act’s privacy and security rules govern how PHI or protected health information of...

HIPAA Compliance and COVID-19 – OCR Guidance

HIPAA Compliance and COVID-19 – OCR Guidance

As the COVID-19 pandemic advances rapidly, the U.S. is taking extreme measures to mitigate the health impact of the virus. Whether you run a hospital, law firm or a medical review company, all your employees must be aware of the HIPAA Privacy Rules. The HIPAA Privacy...