When HIPAA, temp agencies, and recordkeeping cross paths, who wins?

By: Travis Rhoden

Publication: Workplace Safety Regulatory Alert

Date Posted: 02/04/2022

Most employers utilize temp workers at some point. And, while you hope it doesn’t happen, there is the possibility that the worker will suffer a work-related injury. If, as the host employer, you supervise the daily activities of that worker, then any injuries meeting OSHA’s recording criteria would go on your log.

Simple enough, but often what happens if the temp worker doesn’t come back to your facility during the injury (or after recovery). How, then, are you supposed to know whether the case is recordable? And, if so, how many days have been missed or restricted?

In an ideal world, your temp agency contact will provide you the information you need for accurate recordkeeping. But, there are occasions when the temp agency will claim they are prohibited by HIPAA (the Health Insurance Portability and Accountability Act) from providing information about an employee’s medical status.

What do you do? Under OSHA’s recordkeeping regulation, the employer that provides day-to-day supervision must make reasonable efforts to acquire the necessary information to satisfy their Part 1904 recording responsibilities. However, in situations where the controlling employer is not able to obtain medical information from the employer of a leased or temporary employee, the controlling employer should record injuries or illnesses based on the information that is available. (It is OSHA’s expectation that employers will share information about work-related injuries and illnesses.)

HIPAA allows for disclosure for OSHA recordkeeping

HIPAA, Temp workers, and OSHA RecordkeepingThe HIPAA privacy rule, issued by the U.S. Department of Health and Human Services (HHS), 45 CFR 160 and 164, provides extensive safeguards and procedures for assuring the confidentiality of individually identifiable health information.

As required by HIPAA, the provisions of the privacy rule only apply to “covered entities.” The term “covered entity” includes health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically. As a result, the requirements of the HIPAA privacy rule would only apply to a temporary staffing agency if it meets the definition of a “covered entity.”

The fundamental requirement of the HIPAA privacy rule is that covered entities may not use or disclose protected health information (PHI) without the written authorization of the person who is the subject of the information. However, the privacy rule includes several exceptions for disclosing PHI without individual authorization. One exception provides that a covered entity may use or disclose PHI for public health activities. Most importantly, it specifically permits a covered entity to use or disclose PHI in order to comply with obligations under OSHA’s Part 1904 Injury and Illness Recordkeeping Rules.

Accordingly, in situations where a temporary staffing agency meets the definition of a covered entity, the HIPAA exception would permit them to disclose PHI to the controlling employer for purposes of compliance with Part 1904.

If they still won’t release the records? Refer them to the OSHA Letter of Interpretation, 01/12/2018 — Recording Injuries and Illnesses of Temporary Workers versus HIPAA Requirements. (Note: The letter was recently re-posted by OSHA after a lengthy legal review.)