HIPAA - the Health Insurance Portability and Accountability Act  

HIPAA - the Health Insurance Portability and Accountability Act - is intended to protect individually identifiable health information, yet not hinder access to quality health care. Organizations expected to comply with HIPAA's mandates are referred to as "covered entities" - health plans, health care clearinghouses, and those other health care providers who conduct certain financial and administrative transactions electronically. Compliance was required for all covered entities by April 14, 2003.

While recent "final changes" to this legislation did rescind the blanket requirement that providers obtain a signed consent form from clients for personal health information disclosures related to "routine health care delivery" (treatment, payment, health care operations), certain communications involving such information still require client signatures (e.g., for marketing purposes).

Relative to records generated for compliance with OSHA & MSHA's noise standards, nothing in the Act prohibits an employer from requiring an employee as a condition of employment to provide authorization for release of hearing data necessary for the employer to fulfill its obligations under those standards. Nor is a covered health care provider restrained from providing an employer with information needed by the employer to comply with OSHA & MSHA recordkeeping obligations or determinations of whether an illness or injury is work-related. Covered entities are, however, expected under HIPAA (1) to provide the employee with a written notice stating that the OSHA/MSHA-required test data will be furnished to the employer (or, alternatively, the entity may see that a notification to that effect is posted at the worksite IF the testing is performed there), and (2) to communicate only relevant/needed information. Covered entities are not prohibited from routinely obtaining a consent for disclosing health information and, in that regard, may continue any such HIPAA-compliant consent policies already in place within their business practice.

Whether an individual or organization functioning as a health care provider qualifies as a covered entity is, obviously, a critical question - but not a question that can be generically answered by CAOHC merely identifying a type or range of professional services that qualify. Instead, each practitioner or organization must assess the applicability of the law relative to how they conduct administrative and financial transactions within their individual practice. Therefore, you will want to take advantage of CAOHC's link to the Rule (and HIPAA’s user-friendly decision trees) to further investigate whether you qualify as a covered entity. Please be aware that the Act recognizes states as having the authority to maintain or institute laws which supersede HIPAA if the state laws meet one of four exceptions (e.g., if state mandates are more stringent). Thus it is always important to also check into your state's health information privacy legislation.