HIPAA Privacy Rule Exceptions and L&I
Authorizations are not needed when patients are covered by workers' compensation
HIPAA exempts workers’ compensation programs from the Act’s Privacy Rule authorization requirement (45 CFR § 164.512(l)).
This means you can disclose a patient’s personal health information to L&I or a self-insurer without obtaining authorizations from your patient as is generally required by HIPAA.
HIPAA also allows you to disclose a patient’s personal health information to an employer regarding work-related illnesses or injuries without the patient’s authorization (45 CFR § 164512(b)(v)(B)).
Health Insurance Portability & Accountability Act (HIPAA) allows exceptions to the HIPAA Privacy Rule when providers are treating patients covered by the:
- L&I’s workers compensation program.
- Crime Victims’ Compensation (CVC) program.
- As well as when providers are conducting examinations required by the Washington Industrial Safety and Health Act (WISHA).
The information on this webpage explains how these exceptions to the HIPAA Privacy Rule apply when providers are taking care of patients through these programs.
Links to further information about these rules is provided at the end of this page.
HIPAA's "minimum necessary" standard does not apply to workers' compensation or crime victims' compensation claims
HIPAA's minimum necessary standard does not apply to any disclosure you are required to make by state law (45 CFR § 164.502(b)(2)(v)).
This means when L&I or a self-insurer requests the personal health information of a patient being treated under a workers' compensation or crime victims' compensation claim, you must send everything requested.
This includes requests or personal health information that may appear unrelated to your patient's claim. This is because L&I or self-insurer may cover treatment for a condition that is unrelated to an injury when the condition is regarding your patient's recovery.
L&I or the self-insurer may also request what appears to be unrelated medical information in order to review your patient’s medical history when the patient contends a new condition is related to or has been aggravated by a work-related injury.
Releasing personal health information to vocational counselors, nurses and others assisting L&I or self-insurer
When a worker signs a "Report of Industrial Injury or Occupational Disease" form* or files an application to reopen a claim with L&I, he or she authorizes treating providers to release the worker's personal health information (PHI) as needed for them to receive benefits.
These benefits may include vocational rehabilitation, nurse case management, utilization review, independent medical exams, foreign language translation, and pre-authorized services such as pain clinics.
Providers must release the worker's personal health information to professionals who have an active L&I provider number and perform services for a worker with an industrial insurance claim. No additional worker authorization is required.
*For self-insurers, the "Physician's Initial Report" form or the "Self-insurer Accident Report" (SIF-2) form.
Your privacy notice should address disclosure to L&I
If you are subject to HIPAA, HIPAA requires that you develop a privacy notice for your patients (CFR 45 § 164.520). The notice must advise your patients of your legal duties under HIPAA, as well as how you may use and disclose their personal health information. We recommend that you include in your privacy notice that:
- You are required by Washington State law to disclose personal health information to L&I or a self-insured employer when they are treated under a workers' compensation claim.
- You can disclose personal health information to an employer without an authorization from your patient if that information is about a workplace injury or illness, light duty work, workplace medical surveillance, or a return-to-work examination.
- You are required by Washington State law to disclose personal health information to L&I if they are treated under a crime victims' compensation claim.
- Your patients can’t compel you to restrict disclosures of their personal health information to L&I or self-insurer because it is required by law (45 CFR § 164.512,164.522(a)(1)(v)).
Read L&I's privacy notice (F101-055-000).
External HIPAA links
- Centers for Medicare and Medicaid Services – Directory of CMS's HIPAA-related business activities.
- Office of Civil Rights – Resources for understanding and asking questions about HIPAA.
- Workgroup for Electronic Data Interchange (WEDI) – WEDI focuses on electronic commerce within healthcare.
- The American Medical Association (AMA)– The AMA's HIPAA page.