Untangling HIPAA
Nearly 30 Years After Passage, the Act Still
Confounds OEHS Professionals
BY NEIL FELDSCHER
Working from Home but Missing Your Synergist? Update Your Address
If you’ve been working from home, please consider updating your address with AIHA. You can change your address by editing your profile through AIHA.org. To ensure uninterrupted delivery of The Synergist, designate your home address as “preferred” on your profile. Update your address now.
Editor’s note: The information and opinions in this article are the author’s and do not necessarily reflect those of AIHA, The Synergist, or the author’s employer, nor do they constitute legal advice. When confronted with the issues discussed in this article, readers should consult legal counsel.
While it is not uncommon for people to misinterpret (or mistakenly interpret) regulations, I am surprised at how often mistakes are made concerning the Health Insurance Portability and Accountability Act of 1996. HIPAA is probably one of the simplest rules that an OEHS professional deals with. Nonetheless, the confusion around HIPAA is extensive enough that AIHA teamed with the American College of Occupational and Environmental Medicine (ACOEM) in October 2022 to host a webinar about the subject.
While the act has several purposes, some of the most important are to improve the portability and continuity of health insurance, combat fraud, waste, and abuse, and provide administrative simplification. HIPAA required the Department of Health and Human Services (DHHS) to implement enabling regulations. These regulations became what we know as the privacy rule, security rule, enforcement rule, omnibus rule, and breach notification rule.
ADVERTISEMENT
CLOSE
This article is intended to clarify the interaction of HIPAA with OEHS, and therefore I will focus on the privacy rule. I’ll provide a brief overview of HIPAA; a full discussion of its provisions and enabling regulations is beyond the scope of this article. Nothing in this article should be considered legal advice. Readers who have questions about compliance should seek appropriate local legal counsel. Covered entities and business associates should retain all necessary legal counsel to ensure statutory and regulatory compliance.
THE PRIVACY RULE
Everyone should be familiar with the privacy rule, which is the basis of the HIPAA notification you receive every time you seek treatment or care from a doctor’s office or medical provider. The privacy rule is not only the core of what everyone thinks of as HIPAA; it is also what most of us in OEHS are referring to when we discuss HIPAA.
This rule established the standard for protecting an individual’s medical records and other individually identifiable health information. These two concepts, individual medical records and a group or collection of data where it is possible to individually identify a person, collectively form what we consider to be protected health information (PHI).
It is important to note that the scope of the privacy rule is specific to health plans, healthcare clearinghouses, and healthcare providers that transmit any health information in electronic form. Collectively, these are considered to be the “covered entities” of the rule. In addition to covered entities, the rule also defines “business associates” to include an individual or organization “that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information”; any person who offers PHI to another on behalf of a covered entity; or a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”
Looking at the definitions of covered entities and business associates, it should be clear that the HIPAA privacy rule does not apply to most OEHS professionals. That said, OEHS professionals may be covered by the privacy rule’s requirements if they work for a covered entity or business associate within a unit involving PHI.
As with most regulations, there are exceptions to the HIPAA rules. While I will not comprehensively cover these exceptions, I do want to mention those most common to OEHS:
Party waives HIPAA. Everyone has the right to share their PHI with whomever they choose. If it is your information, HIPAA does not apply to you, and you can share it as you see fit. You can also direct the covered entity or business associate to share or release the information to any party you choose. Medical practices sometimes ask patients to allow them to share their information with another party.
Public interest activities. The privacy rule identifies 12 national priority purposes where PHI can be shared without the individual’s permission; see 45 Code of Federal Regulations 164.512. The ones most likely to impact an OEHS professional include:
• where disclosure is required by another law • public health activities such as providing employers information about employees regarding work-related injuries or illnesses or workplace-related medical surveillance as needed by the employer to comply with OSHA, MSHA, or other similar laws • where there is a belief that the disclosure is necessary to prevent or lessen a serious and imminent threat • to comply with workers’ compensation laws or other programs providing benefits for work-related injuries or illnesses
After more than 20 years of enforcement, DHHS has received over 361,000 HIPAA complaints with only 145 cases resulting in a civil penalty.
ENFORCEMENT
An update published on the DHHS website indicated that, as of May 31, 2024, after more than 20 years of enforcement, the department has received over 361,000 HIPAA complaints with only 145 cases resulting in a civil penalty. Approximately 10 percent of the complaints required an investigation and changes in privacy practices by the covered entity or business associate. Approximately 20 percent of the complaints required no investigation, and the department provided technical assistance to aid in compliance. The remaining complaints were deemed to not present a HIPAA enforcement action. A review did not find any cases other than those aimed at either a covered entity or a business associate. The conclusion is that HIPAA actions are very infrequent and should not be a concern unless you are a covered entity or business associate.
THE INTERSECTION OF HIPAA AND INDUSTRIAL HYGIENE
OEHS professionals work in a field that can require access to information that is, or may be classified as, PHI. Whether we are investigating incidents, managing workers’ compensation claims, completing OSHA logs, determining fitness for duty, assigning respiratory protection, or performing other similar responsibilities, the immediate perception is that we are often needing, requesting, or obtaining PHI. But as described in the exceptions to HIPAA, the privacy rule considers the needs not only of government entities such as OSHA or departments of health but also of OEHS professionals who need access to certain PHI. This is especially important for issues such as managing injuries and illnesses, investigating and processing workers’ compensation claims, and completing OSHA logs.
In 2004, OSHA received a letter from the AFL-CIO that asked whether the privacy rule required employers to remove employees’ names from OSHA logs before allowing access to the log. The question concerned whether the log could be viewed as sharing PHI since it includes not only the name but the basic nature of a work-related injury or illness. As OSHA noted in its reply, the HIPAA exception for disclosures as required by law applies in this instance because the OSHA recordkeeping rule requires that certain personnel have access to a complete log, including employee names. More recently, in a reply to a question submitted by the Virginia Ship Repair Association, OSHA emphasized that HIPAA “specifically permits a covered entity to disclose PHI in order to comply with obligations under” the OSHA recordkeeping requirements.
Less clear than the exception for OSHA recordkeeping requirements is the need for fitness-for-duty information. Some may believe that HIPAA would not apply in this instance since the employer is retaining the healthcare provider for the fitness-for-duty examination. However, the privacy rule does not include an exception that would fit this scenario. Some avenues for addressing this issue include conditioning employment upon passing the exam, creating a need for an employee to agree to release their results, or having the healthcare provider condition the exam on HIPAA release authorization. Perhaps the easiest approach is to establish with the healthcare provider that it will not provide PHI and will merely indicate pass or fail based on the work requirements you established.
THE PRIVACY RULE AS A STANDARD OF CARE
While we can conclude that the typical OEHS professional is not a covered entity or a business associate and therefore HIPAA does not directly apply, we also need to acknowledge that OEHS professionals are very likely to obtain PHI from healthcare providers. The general population may not be aware of what does and does not constitute PHI but nevertheless expects that private information will be protected, not shared. This expectation is what leads to claims of “you violated HIPAA” even when HIPAA does not apply to us, or, once an attorney gets involved, a claim such as invasion of privacy if the individual suffered damages due to the release of their PHI.
So, what does this mean for us?
HIPAA is the law and the required level of conduct by covered entities and business associates. Those outside HIPAA’s scope, though, must recognize that HIPAA has established what, it will be argued, is a societal norm or an expected standard of care. While the HIPAA requirements cannot be enforced by law against us, our breach of those requirements will be used in legal actions to show our lack of care or perhaps even negligence in protecting PHI.
We need to obtain specific information to properly perform as OEHS professionals. While we should not be concerned with HIPAA violation claims, we should recognize that we do need to meet the expected standard of care in doing our best to protect and limit the sharing of PHI that we obtain in the course of our jobs. Some key takeaways to aid in achieving this goal include:
Don’t obtain, retain, or maintain PHI that you do not actually need. There is plenty of PHI that you will need; obtaining or retaining extra just provides additional opportunities for accidental disclosure.
Limit your internal discussions and disclosures of PHI to the minimum necessary. It is unavoidable that some personnel will need the information. But you should limit these conversations and the sharing of information to the extent possible and clearly mark electronic communications to limit forwarding or sharing.
Implement administrative, technical, and physical safeguards as outlined by HIPAA. These include:
• Administrative protections such as the training of employees on how to identify PHI and how to talk about and handle it so as not to share or identify individuals. This can include not holding public discussions and not including names or any identifiable information when talking about situations.• Technical protections such as ensuring the use of strong passwords, cybersecurity controls and measures, and maintenance of a secure area for PHI storage with strong access rights protection.• Physical protection of records, such as limiting access to and securely locking the spaces, rooms, or cabinets where records are maintained. This protection would include shredding records when they are no longer needed or required to be maintained.
NEIL FELDSCHER, CIH, CSP, Esq., FAIHA, is director of environment, health, and safety for the New York City Department of Environmental Protection.
Send feedback to The Synergist.
Vahit Ozalp/Getty Images
RESOURCES
Department of Health and Human Services: “Enforcement Highlights.”
GovInfo: Public Law 104-191-Health Insurance Portability and Accountability Act of 1996 (August 1996).
OSHA: Standard Interpretation: Letter to Bill Kojola (August 2004).
OSHA: Standard Interpretation: Letter to Tom Binner and Dawn Kriz (January 2018).