The Privacy and Security of Non-Traditional Occupational Health Services

By Rose Dunn, MBA, RHIA, CPA, FACHE, FAHIMA, and Godwin Odia, PhD, RHIA, NHA

The AHIMA Practice Brief The Privacy and Security of Occupational Health Records focuses on the privacy- and security-related responsibilities of a healthcare provider that offers occupational health services for other employers in its community.1 While many healthcare providers have diversified their offerings and now offer occupational health services (OHS), this article supplements that practice brief and focuses on those entities that are not healthcare providers in the traditional sense of the term.

Independent Occupational Health Service Entities

Non-healthcare provider-owned or operated occupational health services are independent. They may be free-standing, employer owned, or part of a regional or national services network. They focus solely on occupational health assessment and treatment services. In essence, they compete directly with hospitals and physician provider groups that have established occupational health services.

Similar to hospital and physician group-based OHS, these organizations may be contracted by employers to provide assessments and treatment for the employees of their businesses. The occupational health service may employ medical personnel and may, if indicated, refer employees to other healthcare providers for serious conditions or conditions that cannot be effectively treated by the occupational health service.

Defining the Occupational Health Record

The definition of the Occupational Health Record (OHR) remains the same regardless of the ownership or structure of the OHS. The Occupational Safety and Health Administration (OSHA) defines an “occupational medical record” as an occupation-related, chronological, cumulative record, regardless of the form or process by which it is maintained (i.e., paper document, microfiche, microfilm, or automatic data processing media). The occupational medical record includes information about health status documented on an employee, including personal and occupational health histories as well as the opinions and written evaluations generated in the course of diagnosis, employment-related treatment, and examination by healthcare professionals and technicians. The definition includes employee exposure records, occupational illness, and accident or injury records.2 OHR will be used throughout this article to encompass both an occupational health record and occupational medical record.

Governing Regulations for Occupational Health Services

The Occupational Safety and Health Administration (OSHA) serves as the primary governing authority of occupational health services, including those that are not owned by a hospital or physician group. Charged with assuring safe and healthy working conditions for employees, OSHA has established standards for not only safe and healthy working conditions but also the monitoring of compliance with those standards. Encompassed within these standards are the responsibilities of those OHS that assess and/or treat workers.

OSHA standards cover most employees in all 50 states, US territories, and Washington, DC directly through federal OSHA plans or indirectly through OSHA-approved state plans. There are currently 22 states and jurisdictions operating complete state plans, covering both private and public sector employees:

  • Alaska
  • Arizona
  • California
  • Hawaii
  • Indiana
  • Iowa
  • Kentucky
  • Maryland
  • Michigan
  • Minnesota
  • Nevada
  • New Mexico
  • North Carolina
  • Oregon
  • Puerto Rico
  • South Carolina
  • Tennessee
  • Utah
  • Vermont
  • Virginia
  • Washington
  • Wyoming

Employers and OHS providers in state-approved OSHA plans must conform to the state occupational safety standards, which must meet or exceed the federal standards. States also have the option of setting certain standards not covered by federal OSHA. It is important that employers and independent occupational health providers operating in these states use the applicable standards for record keeping, which may or may not mirror the federal OSHA standards.

Access and Disclosure of OHR Content from a Non-Healthcare Provider (Operated OHS)

OSHA rules, not HIPAA regulations, govern the access and release of information relating to OHRs maintained by employers and/or their contracted occupational health service providers.

OSHA may access an employee’s health records, including HIV results, without the consent of the employee.3

Employees or former employees and their representatives have the right to access an OHR maintained by an employer or former employer. A personal representative may be designated in writing by an employee or former employee.4 When the OHRs are maintained not by the employer but by the OHS, a representative from the Region 7 OSHA office shared that employees have the right to access their records in accordance with the procedures of the OHS, which should not unreasonably restrict access.

For disclosures to individuals other than an employee or employee’s designated personal representative, a written authorization is required for release of information from the OHR. The content of the authorization is similar to the content required of an authorization to release information under HIPAA. The authorization must include:

  • The name and signature of the employee authorizing the release of medical information
  • The date of the written authorization
  • The name of the individual or organization that is authorized to release the medical information
  • The name of the designated representative (individual or organization) that is authorized to receive the released information
  • A general description of the medical information that is authorized to be released
  • A general description of the purpose for the release of the medical information
  • A date or condition upon which the written authorization will expire (if less than one year)

Similar to traditional release of information and HIPAA practices, a valid written authorization does not authorize the release of health information not in existence on the date of the written authorization, unless the release of future information is expressly authorized, and does not operate for more than one year from the date of the written authorization.

A written authorization may be revoked in writing prospectively at any time.

Under HIPAA, if the OHS provider maintaining the OHR is also a covered entity then a consolidated release of information form meeting both HIPAA and OSHA standards may be used for release of information purposes.

Impact of HIPAA on OSHA Regulations

While the HIPAA privacy regulations at 45 CFR 160 and 164 prohibit covered entities from using and disclosing personally identifiable information without authorization, in order to ensure the confidentiality of health information of all patients, they specifically carve out an exemption for disclosures of personally identifiable health information by covered entities to public health authorities and health oversight authorities. The preamble cited OSHA as an example of both a public health authority and a health oversight authority. Therefore, releases of information required under OSHA and its affiliated organization, the Mine Safety and Health Administration (MSHA), are unaffected by HIPAA privacy regulations.

According to HIPAA’s preamble, OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that healthcare providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA or those of similar state laws by permitting a healthcare provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA.5

More information about OSHA’s release and access policies can be obtained by reading 29 CFR 1910.1020. The purpose of this section of the Code of Federal Regulations applying to OSHA is to provide employees and their designated representatives a right to access relevant exposure and medical records, and to provide representatives of the Assistant Secretary a right of access to these records in order to fulfill responsibilities under the Occupational Safety and Health Act.6

US Department of Transportation Testing Records

The US Department of Transportation (DoT)’s Office of Drug and Alcohol Policy and Compliance advises the Secretary of Transportation on national and international drug testing and control issues. The agency is responsible for rules related to the drug and alcohol testing of safety-sensitive transportation employees in aviation, trucking, railroads, mass transit, pipelines, and other transportation industries. The Office publishes regulations and provides official interpretations on drug and alcohol testing, including how to conduct tests (including but not limited to drug and alcohol, urine, and laboratory testing) and the evaluation and treatment procedures necessary for employees returning to duty after testing violations.7 Under the DoT regulation, employers may use the services of others to provide employment-related services, but the employer is still responsible for ensuring that the agent providing the OHS services complies with all regulations of the department, including record keeping for:

  1. Alcohol tests with a result of 0.04 or higher alcohol concentration
  2. Verified positive drug tests
  3. Refusals to be tested (including verified adulterated or substituted drug test results)
  4. Other violations of DoT agency drug and alcohol testing regulations
  5. With respect to any employee who violated a DoT drug and alcohol regulation, documentation of the employee’s successful completion of DoT return-to-duty requirements (including follow-up tests)

Release and Access to DoT Results

Generally, Sec. 40.321 of the regulations prohibits release of individual drug or alcohol test results to third parties without the employee’s specific written consent. Section 40.331 creates certain exceptions to this general requirement. Of particular importance is Sec. 40.331(e), which provides that parties “must provide drug or alcohol test records concerning the employee” to a “state or local safety agency with regulatory authority over you or the employee.” An Interim Final Rule was issued in 2008 and later became the Omnibus Transportation Employee Testing Act of 1991, which permits employers of commercial motor vehicles to comply with state reporting requirements without violating 49 CFR 40.321.8 The federal reporting requirements eliminated a conflict that would have precluded parties from complying with certain state laws.9

Finding the specific language governing an individual’s access to their own results requires sifting through a myriad of regulatory language. For example, according to 49 CFR 199, which applies to pipeline operators and requirements to test their employees for substance use, the results for individuals are accessible by that individual. “An employee is entitled, upon written request, to obtain copies of any records pertaining to the employee’s use of alcohol, including any records pertaining to his or her alcohol tests. The operator shall promptly provide the records requested by the employee. Access to an employee’s records shall not be contingent upon payment for records other than those specifically requested.”10

Following a direct inquiry regarding the right of transportation industry employees to access their test results, DoT public affairs representative Bill Mosely said:

“Yes, an employee can obtain copies of his or her DoT-regulated drug and/or alcohol tests. Within 10 days of receiving a written request from the employee, the Medical Review Officer (MRO) must provide the employee with copies of the drug and/or alcohol tests and any records pertaining to the employee’s use of alcohol and/or drugs. Also, within 10 days of a written request from the employee, made through the MRO, the laboratory must provide records related to the results of the employee’s drug test. In both situations, the MRO and the laboratory may charge no more than the cost of the preparation and reproduction for copies of these records.”

Determining Which Regulations Apply

The first step in determining which regulations apply is to determine the sponsorship of the OHS—is it owned or operated by a HIPAA covered entity (i.e., hospital, physician practice)? Is it owned or operated by another entity not governed by HIPAA regulations? Regardless of ownership, the primary regulation will lie with either OSHA (see 29 CFR 1910.1020) or the DoT (see 49 CFR Part 40). OSHA compliance is not exempted because a health facility or HIPAA covered entity owns the OHS or maintains an OHR. HIPAA regulation makes it very clear that OSHA covered records and other health records are not permitted to be co-mingled. Where electronic health records (EHRs) play a role, the necessary administrative and security safeguards must be in place to keep the two types of records separate.


  1. AHIMA. “The Privacy and Security of Occupational Health Records.” Journal of AHIMA 84, no.4 (April 2013): 52-56.
  2. Ibid.
  3. United States Department of Labor. Occupational Safety and Health Administration Regulations (Standards – 29 CFR). 29 CFR 1910.1020(e)(3). Accessed 2013.
  4. Ibid.
  5. Department of Health and Human Services. “Standards for Privacy of Individually Identifiable Health Information.” Federal Register. Vol. 65, No. 250. 45 CFR Parts 160 and 164. December 28, 2000.
  6. United States Department of Labor. Occupational Safety and Health Administration Regulations (Standards – 29 CFR) – Table of Contents.
  7. Department of Transportation. “Procedures for Transportation Workplace Drug and Alcohol Testing Programs.” September 2011.
  8. Department of Transportation and Related Agencies Appropriations Act. Public Law 102-143. 102nd Congress. October 28, 1991.
  9. Department of Transportation. “Procedures for Transportation Workplace Drug and Alcohol Testing Programs.” Federal Register. Volume 75, No. 37. February 25, 2010.
  10. Department of Transportation. “Procedures for Transportation Workplace Drug and Alcohol Testing Programs.” 49 CFR 199. Accessed 2013.

Rose Dunn is chief operating officer at First Class Solutions. Godwin Odia is senior health insurance specialist with the Centers for Medicare and Medicaid Services.

Article citation:
Dunn, Rose T; Odia, Godwin. "The Privacy and Security of Non-Traditional Occupational Health Services" Journal of AHIMA 84, no.11 (November 2013): expanded web version.