220 likes | 228 Views
Learn about the requirements of HIPAA, ADA, FMLA, and Workers’ Compensation laws to avoid legal problems related to employees’ private health information.
E N D
Des Moines Office 2700 Grand Avenue, Suite 111 Des Moines, Iowa 50312-5213 Phone: 515-244-0111 Fax: 515-244-8935 Quad Cities Office Northwest Bank Tower 100 E. Kimberly Road, Suite 704 Davenport, Iowa 52806-5944 Phone: 563-445-2264 Fax: 563-445-2267 Adel Office 1009 Main Street Adel, Iowa 50003-1454 Phone: 515-993-4545 Fax: 515-993-5214 What You Need to Know about HIPAA, ADA, FMLA and Workers’ Compensation Medical Information Brent Hinders Hugh Cain
Scenario • Bob, an elected official, is sued for disability discrimination by a municipal employee. • Bob wants to assert as a defense that he was unaware the Plaintiff-employee was disabled. • Bob had previously demanded the City’s managers give him access to the employee’s workers’ compensation medical information. • Bob’s review of these records likely costs him this defense. • How could Bob have avoided this? What other problems might attend Bob possessing an employee’s medical records? • Knowledge of the requirements of and interactions between HIPAA, ADA, FMLA, and Workers’ Compensation laws can help avoid legal problems as they relate to employees’ private health information.
Health Insurance Portability and Accountability Act (HIPAA) - The Basics • HIPAA, enacted in 1996, contains privacy rules designed to protect protected health information. • HIPAA also requires “covered entities” to implement safeguards for protecting protected health information including risk analysis, training, evaluation, and access authorization. • “Covered entity” means: • (1) A health plan. • (2) A health care clearinghouse. • (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by [45 C.F.R. part 160]. • Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. • See 45 C.F.R. § 160.103
Health Insurance Portability and Accountability Act (HIPAA) -The Basics • Generally employers are not “covered entities.” • Although HIPAA generally doesn’t apply to employers directly, it may affect employers in the process of obtaining employee health information because HIPAA applies to the health provider from whom the employer seeks the information. • Except for disclosures for treatment activities, disclosures of protected health information should be to the minimum extent necessary.
Liability for Violating HIPPA • Courts have held there is no private cause of action for violating HIPAA. Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010); Gaul v. Hughes Pharm. Servs., 2005 U.S.Dist. LEXIS 42151, *9—11. • This means that a person cannot sue another person, employer, or organization for damages incident to a HIPAA violation. • However, there are civil penalties and even criminal sanctions for HIPAA violations.
HIPAA and Workers’ Comp. • 45 C.F.R. § 164.512(l)—workers’ compensation • A covered entity may disclose PHI as necessary to comply with workers' compensation law or similar programs created by law that provide benefits for work-related injuries or illness without regard to fault.
HIPAA and FMLA, ADA • There are no specific exceptions for FMLA or ADA in HIPAA concerning disclosures • Accordingly the authorization requirements of 45 C.F.R. § 164.508 apply: • Broadly, a covered entity can’t disclose PHI without valid authorization. “When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.” 45 C.F.R. § 164.508(a).
Workers’ Compensation Records as “Medical Records” • According to the Equal Employment Opportunity Commission, workers’ compensation records are medical records.
Iowa Workers’ Compensation Law • Iowa Code § 85.27(2): • “Any employee, employer or insurance carrier making or defending a claim for benefits agrees to the release of all information to which the employee, employer, or carrier has access concerning the employee’s physical or mental condition relative to the claim and further waives any privilege for the release of the information. The information shall be made available to any party or the party’s representative upon request. Any institution or person releasing the information to a party or the party’s representative shall not be liable criminally or for civil damages by reason of the release of the information.”
Workers’ Compensation • Is an elected official “a party” or “party’s representative”? • Generally an elected official is a member of the “governing body,” but that is likely different from either being “a party” or “a party’s representative”
Americans with Disabilities Act • Medical information is confidential under ADA. 42 U.S.C. § 12112(d) • If the ADA applies to medical records of an employee, the records must be maintained in accordance with 29 CFR § 1630.14(C): • This information “shall be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record” with certain exceptions . . . .
Americans with Disabilities Act • Exceptions: • “(1) Supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;” • “(2)First aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; and” • “(3) Government officials investigating compliance with this part shall be provided relevant information on request.” 29 C.F.R. § 825.500(g)(1)—(3). • “Employers or other covered entities may submit information to state workers’ compensation offices or second injury funds in accordance with state workers’ compensation laws.” 29 C.F.R. App. 1630.14(b)
Family Medical Leave Act • All local governments are “employers” under FMLA, 29 U.S.C. § 2911(4) • FMLA confidentiality applies to medical records “created for purposes of FMLA.” • Such records include medical certifications or re-certifications, and include medical histories of employees and their family members. • These records must be maintained separately and confidentially from the employee’s personnel file and should be locked in a separate cabinet or password protected. • Only persons who genuinely need to know should have access to the records. • See 29 C.F. R. § 825.500(g)
Family Medical Leave Act • If the Genetic Information Nondiscrimination Act of 2008 (GINA)is applicable, records and documents created for purposes of FMLA containing family medical history or genetic information as defined in GINA shall be maintained in accordance with the confidentiality requirements of Title II of GINA (See 29 CFR 1635.9), which permit such information to be disclosed consistent with the requirements of FMLA.” • See 29 C.F.R. § 825.500(g)
Common Law Privacy • Medical information is confidential under Iowa common law • Iowa Courts have recognized a common law right to privacy. • Bremmerv. Journal-Tribune Publishing Co., 247 Iowa 817, 76 N.W.2d 762 (1956). • The Court adopted the test laid out in the Restatement (Second) of Torts § 652. Winegard v. Larsen, 260 N.W.2d 816 (Iowa 1977). • “(1) One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.
Common Law Privacy • Unreasonable publicity given to the other’s private life • “One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that • (a) would be highly offensive to a reasonable person, and • (b) is not of legitimate concern to the public.” • This rule was invoked in Howard v. Des Moines Register & Tribune Co., 283 N.W.2d 289 (Iowa 1979), concerning information disclosed about a woman’s involuntary sterilization . . .
Common Law Privacy—Howard v. Des Moines Register • Howard sought to recover from the Defendants because they disclosed in a news story that she had been involuntarily sterilized while she was a resident in a county home. • The Iowa Supreme Court found, however, the disclosure was not an invasion of her privacy because the information had previously been disclosed in a public record: • A former nurse of the home had written about Howard’s sterilization in a complaint she sent about the home to the Governor as an example of mistreatment of patients in the home; the court found this writing was a public record. • Because the record “was neither complied for diagnostic or treatment purposes by hospital or medical personnel nor maintained as [a] record[] of a hospital or physician,” they were not exempt. • The Court also found the disclosure served a legitimate public concern and was therefore newsworthy.
OSHA – Injury ReportingBasic Record Keeping Document is Log 300 • Name • Job title • Date of injury • Location • Brief description of the Injury • Classify the Case – Outcome and Seriousness (Death, Days off work, restrictions, other). • Identify injury – Only one: Skin disorder, Respiratory, Poisoning, Hearing Loss, All Others. • Keep 5 years • Keep medical records for duration of employment plus 30 years.
OSHA Log 300 • Do not report First Aid injuries ■ Band aid, non-prescription medication, minor events • Post summary February 1 to April 30 • Keep Log for five years. • Do NOT enter employee’s name in the Log if the employee voluntarily requests it or if it deals with an intimate injury, sexual assault, mental illness, or blood borne pathogen infection.
OSHA – Injury Reporting • 8 hours to report fatality (fatality within 30 days of injury) • 24 hours to report amputations, inpatient hospitalizations, loss of eye. • Telephone: 877-242-6742 • Required Poster has telephone number