What You Need to Know About Employer HIPAA Violations
The seasoned Delaware workers’ compensation attorneys at Silverman, McDonald & Friedman understand the importance of maintaining your privacy. Contact us in Seaford, Newark, or Wilmington if your employer violated HIPAA laws regarding your claim.
One of the few sacred areas left in our lives is the protection of our personal health information. It has become such an important breach of privacy that the federal government had to step in to create rights under the Health Insurance Portability and Accountability Act (HIPAA). You have certain rights as to who can receive your sensitive health information, and what they’re permitted to do with it.
When you are hurt at work, you need to provide proof of that injury. This can involve may pieces of documentation, including authorizing the release of your medical records to your employer’s insurer. Even then, however, there are rules that need to be followed, and failing to do so can land your employer in hot water from a legal standpoint.
What are an employer’s HIPAA limitations?
Whether you had a chronic backache from a car accident that required cryogenic therapy six months ago, or you’ve needed daily diabetes injections your entire life, your entire medical history is no one’s business.
An employer is considered a protected entity when it comes to disseminating your personal health information, but this protection only extends to certain circumstances. Under the law, “Covered entities are required reasonably to limit the amount of protected health information disclosed under 45 CFR 164.512(l) to the minimum necessary to accomplish the workers’ compensation purpose.” Should your company use your medical information for any purpose beyond the scope of your workers’ compensation claim against them, there are consequences they may face under the law.
Under the Privacy Rule, these are the entities your employer is legally able to provide your health information to the following:
- Workers’ compensation insurers
- State administrators
- Any other person or entity involved in carrying out a workers’ compensation claim
Under the Code of Federal Regulations, information used by or disclosed to your employer must be limited to the medical provider’s findings regarding:
- Medical surveillance, which monitors workers for adverse health effects in the workplace to determine the effectiveness of the company’s injury prevention program.
- Work-related illness or injury, which is primarily what you would be concerned with in a workers’ comp case.
Furthermore, your covered health care provider must give you written notice that this information will be disclosed to your employer.
Should I sign a medical release for my employer?
While your employer does not need to obtain your permission, it does not mean that you can’t provide them with a HIPAA compliant authorization tailored to disclose only medical information relevant to your work injury. Discussing this with your personal injury attorney will give you the proper guidance for your particular case.
Providing written authorization may be better in some instances so that you ensure the information you have agreed to the release of actually relates to your claim. While these guidelines are established under HIPAA and state law, it never hurts to cover your bases in the event something goes awry requiring you to take further action.
What happens when an employer violates HIPAA?
Having your private medical history floating around to people who had no official reason for knowing that information can lead to embarrassment and damage to your reputation. Filing a complaint with the Office for Civil Rights (OCR) is one avenue you can take if you believe your HIPAA rights have been violated.
You have 180 days in which to file with OCR, which will then:
- Investigate to determine if your rights were violated by a covered entity
- Issue an investigation resolution letter
If a violation occurred, the protected entity must agree to a settlement and take corrective action, otherwise face a potentially substantial civil fine.
To learn whether you may have a private cause of action under state law due to your employer or another protected entity improperly using or releasing your private medical information, speak with a member of our workers’ compensation team. To schedule your free case evaluation in our Wilmington, Seaford, or Newark, DE office, please call Silverman, McDonald & Friedman at 302-888-2900, or reach out to us through our contact page to tell us your story.