Readers, you've submitted several questions this month. Now it's ourturn to track down the answers. Take a look at what some of your colleagues have inquired about and how HIPAA experts have responded. With Workers'Comp Disclosures, View State Law Question: "Workers' compensation disclosures are not listed as being exempt from the accounting requirement. I'm confused because our primary relationship with workers' comp is as a payor, which would cause the disclosure to fall under treatment, payment and health care operations. Could you please clarify a) if workers'comp disclosures do need to be accounted for and b) if so, give examples of workers'comp-related disclosures that would trigger this accounting requirement?" Answer: There are potentially two different answers to this question, informs Kristen Rosati, an attorney in the Phoenix office of Coppersmith Gordon Schermer Owens & Nelson. "If you're paying workers'comp claims - if that's all you do - you're not even a HIPAA covered entity, because workers'comp insurance programs are excluded from the definition of a health plan," she says, adding that workers' comp insurance companies are not HIPAA health plans. Also, because of the diversity of state laws, make sure you're aware of how your state's law may affect workers' comp issues like this, advises Barry Herrin, anattorney with Smith Moore in Atlanta. Herrin says if an employee makes a claim for benefits in Georgia, then they've waived their constitutional right to privacy. "Georgia has a state constitutional right to privacy; it's the strongest anywhere in the country that I know of." He says if you file a claim for benefits in the Peach State, you waive your right to privacy with regard to all of your medical records, not just those related to the claim. "So in that case it's a consensual release. You've authorized the treating professional to release that information to the employer, and you don't have to account for consensual releases in the accounting [under HIPAA]." Photographs = PHI Identifiers Question: For demonstration purposes in a sales context, if a picture or video of a patient were used with no identifying information, would this violate HIPAA? Answer: "Well, someone's photo is an identifier," explains Rosati. She says the Department of Health and Human Services lists photos as identifiers, "and therefore any photos where you can tell an individual's identity are treated as protected health information." That means any disclosure of that photo has to be viewed under HIPAA, but the legality of that disclosure depends on how you're using the information, she notes. Editor's Note: To see what the OCR says about the privacy rule as it relates to marketing, go to www.hhs.gov/ocr/hipaa/guidelines/marketing.pdf. Let HIPAA's Research Rules Guide You Question: "My company is currently being asked to sign a business associate contract. We are a pharmaceutical company that would like to retrieve tissue from deceased individuals for research purposes. My understanding of the definition of a BA is that as a BA, one must provide certain activities for or to the covered entity. If we are using these tissue samples for our own purposes, am I right in saying my company is not a BA? Further, does my company fall under the research exception to disclosing PHI?" Answer: Rosati reminds readers to review the guidance issued by the HHS' Office for Civil Rights in December 2002 which explains that you do not require a business associate agreement when you're disclosing protected health information to a researcher. However, whether the provider is allowed to disclose PHI to the pharmaceutical company for these research purposes has to be evaluated under the HIPAA research rules, "because presumably you're probably not just harvesting the tissue, you're also getting information on who this patient is and any health information about the deceased patient that would be relevant to the research." And in order for a provider to disclose that information to the pharmaceutical company, they either need to get the authorization of the patient's personal representative or they need to get the institutional review board to waive patient authorization for the project, Rosati offers.
However, if you're a provider and you're disclosing health information under workers'comp - if you do it like you're permitted to do without patient authorization - then you do need to track that data if the patient ever asks for it. "But if you get the patient's authorization to disclose the information, then you do not need to include it or track it for accounting, because the disclosures that are made pursuant to somebody's authorization don't need to be accounted for," Rosati advises.
Herrin says there may be a state that stipulates, "All the records have to be released pursuant to a subpoena issued by the state board of worker's compensation." If that's the case, then it's a non-consensual release and that would have to be documented. But in Georgia, he notes that when a patient makes a claim for worker's comp and signs that statement, they've waived their rights and they agree that the provider can send the copy to the employer. "That's an authorization, so you don't have to document authorized releases," he explains.
There are a lot of issues that need to be evaluated to determine whether that disclosure would count as a violation, but what you do need to know is that disclosure of a photo is a disclosure of protected health information, Rosati asserts. If you're making a disclosure for marketing purposes, you have to follow the HIPAA marketing rules. There's a definition of what marketing is, so take a look at whether the communication that you're making with the photo even constitutes marketing, and if it does, there are a couple of exceptions where you don't need authorization to do the marketing. This is a pretty complicated issue, and Rosati advises entities to take a closer look both at the definition of marketing and also the exemptions from authorization for the marketing rule.