The Health Insurance Portability and Accountability Act (more commonly known as “HIPAA”) celebrated its twenty-fifth birthday on Aug. 21, 2022 and, like any 26-year-old, it’s just starting to get good.
HIPAA was originally intended to protect and relay health information for employees who were between jobs and therefore health insurance plans.
It was, however, subsequent legislation – the Privacy and Security Rules – that were actually intended to give consumers the protections that many associate with HIPAA to preserve their medical privacy.
The Privacy Rules took effect on April 14, 2003, protecting information “held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual,” protecting patients from the use of their medical information for marketing, research, and fundraising and the right to withhold information about their healthcare from insurance providers where their treatment was privately-funded. The Security Rules were enacted two years later which outline the means by which private medical information may be maintained and communicated.
According to the United States Department of Health and Human Services, however, HIPAA does not apply to workers’ compensation or employers. So where does that leave injured workers with respect to their medical privacy?
Characteristically, the California Legislature charged to the rescue with the Confidentiality of Medical Information Act (CMIA), enacted as Civil Code §§56-56.16. This act limits the disclosure of “medical information,” narrowly defined as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” (Cal. Civil Code §56.05(j).)
The key qualifying phrase though of “individually identifiable information” is only the first of many exceptions to the disclosure of actual medical records of a patient with or without his permission.
Indeed, the protection of the CMIA only applies to records that contain accompanying information which can reasonably identify the patient. In turn, that suggests that a person’s medical records can be put to any use so long as they are sufficiently redacted. Additionally, Cal. Civil Code §56.10 dictates that a provider may not disclose medical information without a patient’s permission but proceeds to outline more than twenty exceptions, including litigation contexts.
Specific to the workers’ compensation arena are subsections (c)(2) and (c)(8) which outline what information can be provided to the employer. Subsection (c)(2) allows information to be disclosed to an employer responsible for payment of medical care to the extent necessary to allow responsibility for payment to be determined and payment to be made.
Consider, then – for an employer who provides a health plan with no deductible or co-pay, is there any medical privacy for an employee who uses that health plan?
Subsection (c)(8) is most pertinent, allowing disclosure to an employer of employment-related health care services provided at the employer’s expense so long as that information is relevant to a claim to which the employer and employee are parties and the employee has placed at issue his “medical history, mental or physical condition, or treatment,” limited to being disclosed in that setting only.
An employer may also be provided medical information describing an employee’s functional limitations, i.e. work restrictions. Again, however, this begs the question – in an injury, such as a psychiatric claim where anything may become relevant, does this reveal to the actual employer the employee’s entire medical history as recounted, say, by a psychiatric PQME? Labor Code §3762(c) gives some additional protection in this context, permitting third-party administrators to only disclose medical information needed to modify an injured worker’s duties and that medical information which is limited to the diagnosis of the condition for which compensation is claimed and treatment is provided.
Contemplate the implications of these privacies regarding the Cal-OSHA standards that delineated separate regulations and treatment of people based on medical status – whether they are vaccinated or not against COVID-19. (This version of the standards that delineated differing rules based on a employee’s vaccination status expired on May 5, 2022. The current version of those Cal-OSHA standards now frequently uses the words “regardless of vaccination status.”)
We know that HIPAA is not applicable. Is an employer’s request for vaccination status or test results from an employee who does not have a COVID-19 workers’ compensation claim directly then a violation of the CMIA?
The answer seems to be “no,” as the CMIA protections prevent the disclosure of medical information by a healthcare provider. While an employer clearly could not solicit an employee’s medical information from his private physician or pharmacist (unless the employer pays for that care entirely?), there is no prohibition in the CMIA of an employer requesting medical information from an employee himself.
No… that would more likely fall under the purview of the Americans with Disabilities Act if employee medical information, whether self-reported or not, is collected solely to discern which set of rules applies to an employee. The California Legislature most recently amended the CMIA effective July 1, 2022 with Assembly Bill 1184 to prohibit the disclosure of medical information regarding certain “sensitive services” to anyone other than the individual without the individual’s consent, including minors, but it was “crickets” as to COVID-19 privacies.
In the wake of Cal-OSHA’s early 2022 policies on the prevention of COVID-19, some employers did express reservations as to their ability to request an employee’s medical status in light of the CMIA and would issue authorizations for their employees to sign, entitling them to COVID-19 test results and vaccination information; however, such forms appear to have been careful to blare out to the reader that the signed disclosure was “voluntary.”
The form is conspicuously lacking an option for the employee to opt out of the disclosure or in describing alternatives for an employee who does not wish to waive CMIA protections.
As of May 5, 2022, Cal-OSHA apparently no longer sees COVID-19 as enough of a threat to maintain its prior guidelines of requesting medical information from employees to categorize them as “fully-vaccinated” or other – or it is not confident in the effectiveness of those procedures.
Whatever the case, Cal-OSHA has quietly backed off of this position with little fanfare, leaving employers to decide what they will now consider “normal” and their options for protecting their workplaces and other employees without the protection of relying on Cal-OSHA guidance.
Whether Cal-OSHA ultimately decided that requesting COVID-19 information such as test results and vaccination status ran afoul of state and federal legislation remains to be seen, but perhaps the courts will have the final word.
Kimberly R. Wagner is a partner and the Managing Attorney of the Bradford & Barthel Ventura office. She is also a workers’ compensation specialist. Ms. Wagner can be reached at kwagner@bradfordbarthel.com or (805) 677-4808.
Viewing this website does not form an attorney/client relationship between you and Bradford & Barthel, LLP or any of its attorneys. This website is for informational purposes only and does not contain legal advice. Please do not act or refrain from acting based on anything you read on this site. This document is not a substitute for legal advice and may not address every factual scenario. If you have a legal question, we encourage you to contact your favorite Bradford & Barthel, LLP attorney to discuss the legal issues applicable to your unique case. No website is entirely secure, so please be cautious with information provided through the contact form or email. Do not assume confidentiality exists in anything you send through this website or email, until an attorney/client relationship is formed.