Background - News & Events (Landing) 2016
Publications

On-Site Health Clinics: The Privacy Risks of Providing Care

Fall/Winter 2006

Co-Authors: Tim Means and Benjamin T. Butler.

Many companies in mining and other industries seek to minimize health costs and improve efficiencies by utilizing on-site health clinics for their employees. While an on-site health clinic can provide important benefits, it can also create legal obligations under federal health information privacy laws. If you have an on-site health clinic, you should analyze your situation and determine whether implementation of appropriate compliance measures is necessary to minimize the risk of legal exposure.

In 1996, Congress passed the Health Insurance Portability and Accountability Act ("HIPAA"), a law designed in part to standardize certain health care transactions. On the heels of HIPAA, the U.S. Department of Health and Human Services ("HHS") implemented in 2003 a comprehensive regime of health information privacy regulations and, in 2005, health information security regulations. See 45 C.F.R. parts 160 and 164 (subparts A and E) ("Privacy Rule"), and 45 C.F.R. parts 160 and 164 (subparts A and C) ("Security Rule").

The Privacy Rule is intended to accomplish three health information privacy objectives. First, it generally restricts the use and disclosure of "protected health information" ("PHI"), without an individual's written authorization, to circumstances involving treatment, payment, and processing of a claim, and other defined "health care operations." Second, it generally imposes a number of administrative duties, including drafting of policies and procedures, training of employees, and designation of a Privacy Official. Finally, it creates certain rights for individuals, such as the right to access their records, the right to request an amendment of those records, and the right to obtain an accounting of certain circumstances in which the records were previously disclosed. Individuals also have the right to receive notice of privacy practices, the right to request restrictions on the use or disclosure of their PHI, and the right to file a complaint if they believe the privacy of their PHI has been breached. The Security Rule complements the Privacy Rule by requiring implementation of certain technical, physical, and administrative safeguards to protect the use, disclosure, receipt, and storage of electronic PHI.

At first glance, HIPAA would seem far removed from the mining industry. By definition, the statute and underlying regulations apply only to three types of entities: (1) health plans; (2) health care clearinghouses; and (3) "health care providers" who "transmit health information in connection with a transaction covered by this subchapter" – i.e., a transaction for which a HIPAA standard has been adopted. 45 C.F.R. § 160.102. If an entity does not fall within one of these three categories of "covered entities," as they are known, then HIPAA and the Privacy and Security Rules do not apply to the entity. For example, as HHS has stated in the Federal Register, "[e]mployers as such are not covered entities under HIPAA and we generally do not have authority over their actions."

Where a company has an on-site health clinic, however, the clinic can fall under the broad HIPAA definition of "health care provider." If an on-site clinic "furnishes, bills, or is paid for health care in the normal course of business," it likely meets the HIPAA definition. See 45 C.F.R. § 160.103. However, even if the on-site clinic meets the definition of "health care provider," it is not considered a "covered entity" under HIPAA unless it engages in certain electronic transactions for which HHS has adopted uniform standards (e.g., electronic filing of health care claims with a health insurer). See 45 C.F.R. §§ 160.102, 162.1101-162.1801.

If an on-site health clinic that is a health care provider engages in one or more of the designated HIPAA electronic transactions, HIPAA applies and the company must implement the compliance measures designed to account for the above-described requirements or face potential civil monetary penalties.

Even where a company determines that its on-site health clinic is not subject to HIPAA, it is important to keep in mind that the statute generally establishes a "federal floor" of health information privacy. This means that applicable state laws with "more stringent" privacy protections are not preempted and may apply to an on-site clinic operation. With the significant amount of privacy-related legislation being implemented at the state level over the past several years, companies must determine whether state-level compliance obligations exist. Few areas are as likely to raise an employee's ire as concerns that the privacy of his or her health information has been breached. Companies that fail to ensure compliance with HIPAA and related laws may open the door for unwanted litigation and government inquiry.

Mine site health clinics can also raise Mine Safety and Health Act issues regarding access to miners' health information – access by the mine operator and access by MSHA. Issues of "reportability" of miners' health or safety situations under Part 50's reporting scheme for occupational injuries and illnesses may, in fact, turn on medical information in the hands of the mine's health clinic. HIPAA can also bear on these access issues, and thereby help or hamper the operator's reportability decisionmaking. Mine operators should consider whether HIPAA impairs their access to information needed for Part 50 compliance decisionmaking, and whether there are measures they can take to actually facilitate such access.

Thomas (Tim) C. Means
Retired Partner – Washington, D.C.
Email: tmeans@crowellretiredpartners.com