By JOSHUA CLIFTON, a Chicago-based writer who covers workers' comp and disability issues
Buried within the massive stimulus package signed into law by President Barack Obama in February 2009 was a new set of rules to bolster privacy protections for medical information. While the Health Information Technology for Economic and Clinical Health (HITECH) Act has given health insurers, hospitals and physicians plenty of headaches, the workers' compensation community has made little noise about the changes. That's because, despite the expansion of Health Insurance Portability and Accountability Act (HIPAA) obligations under the HITECH Act, these rules don't apply in workers' comp situations.
"The reason being is that, when you have a workers' comp claim, it is about a medical condition or injury, and it is impossible to arbitrate or litigate without speaking about private information," said Rania Sedhom, principal at Buck Consultants in New York City and chairperson of the firm's Employment Law Consulting Group.
That being said, Sedhom added that it doesn't mean that providers should be taking out billboard ads heralding an individual's medical information.
"They still have to act responsibly," she said.
BREACH NOTIFICATION RULES
Employers, however, must still work with "covered entities" when dealing with workers' comp claims. That's where the HITECH Act's new breach notification provisions come into play.
"Let's assume that one of the individuals involved in the workers' comp claim did not provide only the necessary medical information," Sedhom said. "For example, we inadvertently told your insurance provider that you had diabetes, even though the workers' comp claim was for a knee injury. That would trigger the breach notification rules in the HITECH Act."
If this occurs, individuals would need to be notified within 60 days that a breach occurred. This includes a brief description of what happened, what was disclosed in the breach, the steps an employer is taking to protect against potential harm and a description of what the employer is doing to make sure that it doesn't happen in the future. In cases where an entity had 500 or more breaches of protected health information, "prominent media outlets" and the secretary of the U.S. Department of Health and Human Services must be notified.
Although larger insurers will likely have several divisions and proverbial "walls" built to prevent improper information sharing from occurring, Sedhom said, smaller shops that don't have enough people in the process are more likely to have a problem.
"It is important that workers' comp companies and employers take the time to separate regular medical information from information associated with workers' comp claims," she said. "You should also separate various claims, because individuals may have several workers' comp claims on record."
THE POTENTIAL PENALTIES
Although breaches of medical information have resulted in significant fines under HIPAA, Sedhom said, it is still too early to know what the impact will be under the HITECH Act, which went into effect last September.
Enforcement of business associate provisions was scheduled to be implemented in February, but has been delayed.
"We are expecting guidance in the second or third quarter of 2011, and I'm assuming we are in good faith compliance right now," she said.
Still, employers and insurers shouldn't sleep on it. In January, Connecticut Attorney General Richard Blumenthal fired the first shot under the HITECH Act by filing a lawsuit against Health Net of Connecticut Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of enrollees and to promptly notify consumers endangered by the security breach.
While it marked the first litigation under the act, Sedhom said it surely won't be the last, and employers need to take the risks of violating medical privacy laws seriously.
Robinsue Frohboese, principal deputy director of the HHS's Office for Civil Rights, said the protections under the HITECH Act will be a cornerstone for maintaining consumer trust as "we move forward with meaningful use of electronic health records and electronic exchange of health information."
To ensure strong protection of medical information and compliance with the HITECH Act, Sedhom suggested firms:
-- Limit disclosed information. Workers' comp insurers and administrators should look to the act for guidance.
"One thing that it states is that you have to reasonably limit the amount of protected information you disclose," she said. "That is the most important exercise. In workers' comp, you must be asking how much tangential information I need to provide."
-- Streamline your data collection practices. "You should be working with your information technology professionals to ensure that this information is being indexed properly. Talk to them about this so that they can design a filing system in which the incoming medical information can be directed into the right bucket, so to speak," Sedhom said.
-- Know your vendors. "Make sure that if you are going to hire a new vendor, they fully understand the implications of the HITECH Act," Sedhom said. "How are they going to separate workers' comp information from regular medical information? How do they share their data and who has access to it? Don't be afraid to approach these subjects. These are the questions you should be asking."
-- Focus on training. With requirements covering Equal Employment Opportunity Commission issues, whistleblower protections and other areas, sometimes the avalanche of training information can be diluted. However, Sedhom explained, it is very important to pay close attention to the training provided to individuals who will be touching this information.
March 25, 2010
Copyright © 2010 LRP Publications