When HIPAA, temp agencies, and recordkeeping cross paths, who wins?
By: Travis Rhoden
Publication: Workplace Safety Advisor
Date Posted: 05/18/2018
Most employers utilize temp workers at some point. And, while you hope it doesn’t happen, there is the possibility that the worker will suffer a work-related injury. If, as the host employer, you supervise the daily activities of that worker, then any injuries meeting OSHA’s recording criteria would go on your log.
But often the temp worker doesn’t come back to your facility while injured (or after recovery).
How, then, are you supposed to know whether the case is recordable? And, if so, how many days have been missed or restricted?
In an ideal world, your temp agency contact will provide you the information you need for accurate recordkeeping. But, there are occasions when the temp agency will claim they are prohibited by HIPAA (the Health Insurance Portability and Accountability Act) from providing information about an employee’s medical status.
What do you do?
Under OSHA’s recordkeeping regulation, the employer that provides day-to-day supervision must make reasonable efforts to acquire the necessary information to satisfy their Part 1904 recording responsibilities. However, in situations where the controlling employer is not able to obtain medical information from the employer of a leased or temporary employee, the controlling employer should record injuries or illnesses based on the information that is available. (It is OSHA’s expectation that employers will share information about work-related injuries and illnesses.)
HIPAA allows for disclosure for OSHA recordkeeping
The HIPAA privacy rule, issued by the U.S. Department of Health and Human Services (HHS), 45 CFR 160 and 164, provides extensive safeguards and procedures for assuring the confidentiality of individually identifiable health information. As required by HIPAA, the provisions of the privacy rule only apply to “covered entities.” The term “covered entity” includes health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. See, 45 CFR 160.103. As a result, the requirements of the HIPAA privacy rule would only apply to a temporary staffing agency if it meets the definition of a “covered entity.”
The fundamental requirement of the HIPAA privacy rule is that covered entities may not use or disclose protected health information (PHI) without the written authorization of the person who is the subject of the information. However, the privacy rule includes several exceptions for disclosing PHI without individual authorization. See, 45 CFR 164.512, Uses and disclosures for which an authorization or opportunity to agree or object is not required. The exception at Section 164.512(b) provides that a covered entity may use or disclose PHI for public health activities. Most importantly, Section 164.512(b)(1)(v)(C) specifically permits a covered entity to use or disclose PHI in order to comply with obligations under OSHA’s Part 1904.
Accordingly, in situations where a temporary staffing agency meets the definition of a covered entity, Section 164.512(b)(1)(v)(C) would permit them to disclose PHI to the controlling employer for purposes of compliance with Part 1904.
If they still won’t release the records? Refer them to the OSHA Letter of Interpretation, 01/12/2018 - Recording Injuries and Illnesses of Temporary Workers versus HIPAA Requirements.