The rules regarding ownership and sharing of medical records
The rules regarding ownership and sharing of medical records for situations such as pre-employment screenings, fitness assessments, and others are often among the most complex scenarios occupational health providers face. During times like these, it can be difficult to maintain a balance between all of the different entities that an occupational health provider serves.
As noted by the American Health Information Management Association, occupational health providers face the challenge of serving multiple clients:
- Employer
- Employee/patient
- Employer’s insurance carrier, self-insured administrator, or workers’ compensation carrier
- Employee’s health care provider
The provider may need to continuously adjust to understand their responsibility for each role performed, depending on the client they are serving at the time.
Remaining in compliance with regulations outlined by the Health Insurance Portability and Accountability Act (HIPAA) is tricky given the fact different entities served by occupational health professionals are privy to different aspects of sensitive patient data. It’s important to be absolutely clear on what your organization can share with whom. A past NAOHP town hall session brought to light several key questions shared by occupational health professionals from all over the country. We’ve compiled them for you here, along with suggestions as to what your organization should do if you encounter them. Take a look.
What Permission Is Required? In order to provide clients (the employer) with their requested employee medical and fitness results, the employee must sign a consent before the exam, allowing occupational health providers to share that information with the employer. Depending on the content of the release form and how it is worded, information shared with employers can go much deeper than a simple “passed” or “did not pass” testing expectations and may or may not include the full details of the examination. Some occupational health firms use additional release forms to make a point of informing the employee more thoroughly.
How HIPAA Applies There has, historically, been some confusion in occupational medicine about how HIPAA rules apply when dealing with worker’s comp cases. The short answer is the rules still apply very closely. Occupational health providers are only allowed to provide medical information to employers as it pertains to that specific injury, not a complete medical history of the patient.
How Do We Orient Our Clients to Pre-Employment Issues? The health provider reviews the compliance needs of the employer and makes recommendations for exam components to meet regulations. A formalized orientation package should be prepared for all employer clients detailing the need for information at the workplace to meet all regulatory compliant issues from OSHA, DOT, DOPH, and other regulatory governing bodies overseeing the place of employment for safety and health compliance.
What Screenings Can We Share with the Client? Generally, only items included in the written authorization required by the regulatory agencies are allowed to be shared with employers, for example things like hearing screening, respiratory screening, immunizations, substance abuse testing, and lab work required for HAZARD screenings. It all depends on what the employee agreed to in the record of consent. If they agreed that their entire medical history can be sent to their employer, then it can be sent. Once again, it’s important the employee is fully informed about what they’re signing.
What Can We Provide the Employee Candidate? The candidate employee can have their results. The employer can’t refuse the request, even though they paid for the exam.
Who Owns Medical Records? OSHA describes two specific entities in medical record ownership, which depend on where the testing was conducted. If the testing was done in a clinic operated by an occupational health provider, then the records belong to that provider and are still subject to HIPAA. Copies are provided to the employer only with authorization. If testing was done in an employee health clinic at an employer’s site, the employer maintains copies in their human resource departments as part of an employee health record. In this scenario, the employer owns the record and is subject to OSHA and other state regulations governing employee health records.
What’s an Occupational Medical Record? OSHA defines an “occupational medical record” as an occupation-related, chronological, cumulative record, regardless of the form or process by which it is maintained (i.e., paper document, microfiche, microfilm, or automatic data processing media). The occupational medical record includes information about health status documented on an employee, including personal and occupational health histories as well as the opinions and written evaluations generated in the course of diagnosis, employment-related treatment, and examination by healthcare professionals and technicians. The definition includes employee exposure records, occupational illness, and accident or injury records.
Who Gets the DOT Physical Exam Form and Who Has the Rights to It? According to FMCSA the employer has a right to the medical certificate MCSA 5876. The actual exam form (the “long form”) MCSA 5875 is not automatically the employer’s right to have. The employee would have signed an authorization releasing this information to their employers. In other cases, federal entities such as the FBI, the Postal Service, and others have access to the full record of pre-employment testing results for their applicants – much more than a simple “pass or fail.”
Workplace Surveillance A health care provider, who provides a health care service to an individual at the request of the individual’s employer or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s protected health information to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries to the extent the employer needs information to comply with OSHA, the Mine Safety and Health Administration (MSHA), or the requirements of state laws. Information disclosed must be limited to the provider’s findings regarding medical surveillance or work-related illness or injury. The covered health care provider must provide the individual with written notice the information will be disclosed to the employer or the notice may be posted at the worksite if that is where the service is provided.
OSHA Requirements OSHA’s regulation, “Access to Employee Exposure and Medical Records,” requires retention of occupational medical records for 30 years after termination of a worker for the purpose of providing access to the records for employees and their representatives. Employee medical and exposure records must be retained. Employees must be given access to these records at no cost by the employer within 15 days of the request. For more information, see OSHA publication Access to Medical and Exposure Records.