Whose Business Is It Anyway? The Compelling Need for Privacy of Medical Records in the Workplace
The ever-increasing desire of industry to contain costs in the medical management arena, as well as to gather information about current employees and new hires, and the technological realities of the millennium are now creating new battle lines for workers over the privacy of their medical, genetic, and other personal records. Computers make it easier to store, collect, share and analyze all kinds of data. The attempt to formulate intervention in this arena has placed both federal and state governments as contenders in the management of the confrontation, which may ultimately affect the employment status of every worker in the nation.
THE FEDERAL PRIVACY COMMISSION
In 1977, to establish a national policy conserving personal privacy, the Federal Privacy Protection Commission was established. Under the chairmanship of Professor David F. Linowes, now Boeschenstein Professor of Political Economy and Public Policy Emeritus at the University of Illinois at Urbana/Champaign, the Commission recommended that businesses voluntarily adopt privacy safeguards in employment record-keeping practices. In a survey conducted by Professor Linowes almost 20 years later, it was reported that there was widespread use of confidential information by employers for employment-related decisions. Thirty-five percent of companies reported using medical records to make decisions about personnel. Additionally, while 93% of the companies obtained written permission from the individual when seeking information from a third party, only 32% of the corporations had a policy of informing the individual worker of the types of information sought, only 25% advised them of the techniques used to collect the data, and only 29% disclosed the sources. Furthermore, 70% of the corporations responding to the Professor’s survey had a policy concerning which records were routinely disclosed when inquiries were made by government agencies. Seventy percent of the companies collecting the data disclosed personal information to credit grantors, 47% disclosed it to landlords, and 19% provided the data to charitable institutions.
THE FEDERAL MANDATE
The federal government, driven by several factors, including the globalization of the U.S. economy and the Congressional mandate, has embarked on a path to achieve uniform healthcare data standards and healthcare information privacy. The European Community has already enacted privacy protection laws. In 1998, the European Union mandated that foreign firms desiring to do business with their European counterparts must also have privacy laws enacted.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), recognizing a need for limitations on the distribution and dissemination of medical records, mandated legislation for health records privacy by August 21, 1999. HIPAA also requires the Secretary of Health and Human Services (HHS) to issue regulations to protect the privacy of individually identifiable healthcare records transmitted in standard transactions. The federal regulations are required to be finalized by February 21, 2000. HIPAA also itemizes severe penalties for misusing a health identifier and for wrongfully obtaining or disclosing individually identifiable health information. The penalties, which increase by the type of offense, may be as much as $250,000.00 and ten years in prison.
The lucrative market for obtaining this information is rapidly expanding, and many vendors of this information exist. The American Insurance Services Group (AISG) in New York maintains INDEX, which is a national clearinghouse for bodily-injury claims with a database of over 50 million claims. INDEX services public and private self-insureds, third-party administrators, state workers’ compensation funds, and a number of health insurers. It has been reported that the National Insurance Crime Bureau (NICB) has already begun to construct an "all-claims" database to hold property and casualty insurance claims without enunciating appropriate privacy protection. The Medical Information Bureau (MIB) collects medical data concerning individuals.
Additionally, this entity collects credit history information, driving record information, criminal activity, and data concerning participation in hazardous sports. Companies belonging to MIB account for 99% of individual life insurance policies and 80% of all health and disability policies issued in the United States and Canada. In 1995, the Federal Trade Commission’s Bureau of Consumer Protection negotiated an agreement with MIB to voluntarily abide by the Fair Credit Reporting Act (FCRA) requirement that individuals be informed when a MIB report was utilized in any part of an insurer’s decision to deny coverage or to charge a higher rate. The insurance carrier, using the MIB’s report, must provide notice to the individual when an adverse decision is rendered in an application for insurance coverage. MIB will provide information to individuals, even if they have not been denied coverage, for an $8.00 retrieval fee. Individuals may write to P.O. Box 105, Essex Station, Boston, MA 02112, and enclose the appropriate request for disclosure form, which will require the signature of the individual requesting the records.
Congressional attention was directed towards privacy rights following the ill-fated 1987 Supreme Court confirmation hearings for Robert Bork. At that time, a newspaper reporter obtained the video rental record for Bork’s family in an attempt to uncover evidence of viewing movies of questionable morality to discredit Bork’s nomination. Congress, at that time, quickly passed the Video Privacy Protection Act of 1988 (18 USC §2710). Ironically, Bork’s nomination was rejected largely because he failed to support the right to privacy.
THE STATES JOCKEY FOR POSITION
To avoid Federal preemption in the area of medical privacy, State agencies have been attempting to develop a Model Act. The members of the National Association of Insurance Commissioners (NAIC) adopted the Health Information Privacy Model Act on September 14, 1998. The NAIC hopes to present the Model Act to the legislators of all fifty states to avoid Federal enactment of medical privacy legislation. NAIC President and North Dakota Commissioner Glenn Pomeroy stated, "We have sought to write standards that will not cripple the flow of useful information, will not impose prohibitive costs on insurance carriers, and that will not prove difficult to implement in a world that is rapidly changing from paper to electronic records." Pomeroy also indicated the need for the information obtained by insurance companies to be used only for "legitimate purposes."
The NAIC proposal is a rather limited attempt to solve the wholesale violation of the privacy of the American worker. It requires insurance carriers to develop and implement written policies, standards, and procedures for managing health information. The Model Act attempts to guard against the unauthorized collection and disclosure of protected health information by the insurance industry. It makes insurance carriers responsible for making their health information policies, standards, and procedures available to the Commissioner of Insurance of each state for review. It provides the right to access protected information by an individual no later than 20 working days after receiving a request for medical information from that individual. Insurance companies would be limited to obtaining, using, or disclosing protected information through the use of a valid authorization that is no older than 12 months. The NAIC proposal permits the disclosure of protected health information to federal, state, or local governmental authorities as required by law. A disclosure may be made by the insurance company for scientific, medical, and public policy research, but the carrier is required to keep a log of the disclosure within a prescribed period.
Certain sections of the NAIC Model Act restrict the liability of the insurance carrier, including the provision that the carrier is not responsible for the acts of its agents or third parties that it contracts with in obtaining medical data. Additionally, the Act does not address civil liability against the carrier by an individual but rather leaves that option available to the individual States to consider when enacting their version of the Model Act. Sanctions enumerated in the NAIC uniform proposal include a civil penalty of not more than $10,000.00 for each violation and not over $50,000.00 in fines for multiple violations. A civil penalty could be assessed by the court in the amount of $250,000.00 if it is found that the Act violations occurred with sufficient frequency to constitute a general business practice. Criminal penalties are enumerated in the NAIC proposal as follows: $50,000.00 in fines and imprisonment for not more than one year, or both. Additional higher penalties are proposed in the Act for offenses committed under false pretenses or intending to sell, transfer or use the protected health information for malicious purposes.
Even though the insurance industry has effectively included several proposals in the NAIC draft, Bruce Wood, Assistant General Counsel of the American Insurance Association (AIA), continues to be critical of the Model Act. Wood is fearful that "the ability of a workers’ compensation carrier to exchange protected health information without authorization might be interpreted too narrowly." The industry is also fearful that the carrier’s claims investigation files may be disclosable and may hinder the carrier’s ultimate defense of a claim as a result of what it interprets as an overly broad definition of "health information."
On both State and Federal levels, Labor continues to assert that workers should not be required to surrender their rights to privacy, respect, and dignity in connection with their personal medical information as a condition of employment. James N. Ellenberger, Assistant Director, AFL-CIO, Department of Occupational Safety and Health, commented that the NAIC proposal did not provide adequate recourse to those "workers who lose their jobs or are otherwise discriminated against due to disclosure or misuse of personal health information." Ellenberger points out that the victimized worker "would have no protection and no recourse under the present version of the Model Act." The AFL-CIO is concerned that workers’ compensation insurance carriers may be treated differently under the NAIC Act and that these companies would be permitted to disseminate private health information where other insurance carriers would be prohibited from doing so.
Mike Rucka, Chairman of the Workplace Injury Litigation Group (www.wilg.org), a national organization of attorneys representing injured workers, supported the efforts of organized labor to protect workers’ rights. "Most significantly, we have been working with the AFL-CIO on the issue of privacy protection. This area is probably critical to the ability of our clients not to have their medical records placed in perpetuity in the files of all insurance carriers and employers." Scott Meiklejohn, President of WILG, has further stated: "The need for medical privacy legislation is clear. Especially in the area of workers’ compensation, the abuse of the re-release of the records is unacceptable. Legitimate uses of medical information should be preserved; however, those who use it to chill the reporting of claims or to punish those who do must not be allowed to continue. These records cannot be used as a sword against those seeking legitimate benefits."
THE UNIQUE HEALTH IDENTIFIER
At the Federal level, the National Committee on Vital Health Statistics (NCVHS) has been holding hearings and accepting recommendations and proposals at the direction of the Secretary of Health and Human Services (HHS) to establish a unique health identifier (UHID) for individuals which places even more urgency on the need to establish adequate privacy protection.
To achieve uniform health data standards and to maintain health information privacy, which can be supported by an efficient electronic exchange of information, the NCVHS has been attempting to establish guidelines for an identifying system for individuals, employers, health plans, and health care providers for use in a generalized health care system. Due to the increased mobility of patients, as well as the aging population, additional pressures have been created for the integration and maintenance of health records that include vast quantities of information at multiple locations. To assure continuity of care, accurate record-keeping, and effective follow-up in preventive care, a proposal is being drafted to establish a UHID system. To maintain confidentiality and privacy, a computer-friendly algorithm or a biometric identifier, i.e. retina or other biological identification, has been suggested. A question exists as to whether or not a link should be established to already existing Social Security numbers which could be used for potential reference for credit and financial data, employment information, consumer behavior data and a wide range of other non-medical reasons. Those wishing to link the data to already existing Social Security numbers cite the effectiveness of injury prevention and environmental workplace exposure records which would provide clinical and public health research efforts with essential data.
STATES BEGIN TO HEDGE THEIR BETS
In a frenzy of activity designed to meet the upcoming challenges of the regulation of medical records, the individual States have taken action to expand and restrict the dissemination of medical information so that they will be in the best position should Federal legislation allow some State regulation. Several states, including New York (c.545, L.1998), have enacted restrictions on the disclosure of workers’ compensation records. A bill was introduced in the State of California (SB 1430), which would prohibit the release of "individually identifiable information" in the files of the individual’s workers’ compensation claim.
While genetic testing has become an important and beneficial tool in the treatment and prevention of disease, the potential for discrimination in the workplace for both the worker and his or her family has become enormous. The ability to predict disease raises an entire spectrum of realistic concerns, from job security to insurability. The release or linkage of this material to peripheral databases will place an enormous amount of sensitive and private information into the public domain if not regulated. A handful of States have enacted separate laws to regulate information obtained from genetic screening or testing.
The actions of the State of New Jersey reflect the problems encountered by the States in attempting to deal with these serious issues. The result is a chaotic, non-comprehensive, and inadequate approach. Outwardly New Jersey presents a cosmetic appearance of protectiveness, but realistically it is not moving in that direction as it is taking additional steps to expand the unrestricted dissemination of medical records. The State of New Jersey already has a statute that prohibits the dissemination of workers’ compensation records to non-parties, but it does not limit or restrict the use or dissemination of records obtained by an employer or insurance company in the investigation of a claim. N.J.S.A. 34:15-128. Since some employers are self-insured, information can flow freely from the claims unit to other departments.
On the surface, New Jersey has recently further restricted dissemination of archived information by requiring the petitioner to sign an authorization for the release of medical information, but it also offers an alternative means for parties to obtain this same information, namely the judicial process, by way of subpoena. On the other hand, New Jersey is imposing a mandatory requirement for submitting Social Security numbers for "recordkeeping purposes and cross-matches" to the Social Security Administration, Workforce New Jersey, Temporary Disability Insurance, and others (30 N.J.R. 3588, Oct. 5, 1998). While New Jersey is now redacting Social Security numbers from some of the documents being released, it has conversely requested additional medical information, without the restriction of disclosure or dissemination, that can be made part of the public record in total disability claims. A rule change has been proposed to require injured workers to submit copies of all "treating physician reports" and excerpts from hospital records, as well as information concerning retirement, disability, and Veterans Administration benefits when applying for State Second Injury Fund benefits. The alleged intent of these submissions would be to verify pre-existing medical conditions to apportion workers’ compensation disability benefits between the State Second Injury Fund and the last insurance carrier on the risk at the time of the accident (30 N.J.R. 3154) (Sept. 8, 1998).
It would appear that the wholesale acquisition of medical records without restrictions on dissemination may be construed as a violation of privacy and may be calculated as an activity to harass and jeopardize the petitioner and his or her family. Essential need should be demonstrated by the party that is requesting this medical information, and restrictions should be placed upon its use and dissemination. Court supervision should be imposed through the utilization of Protective Orders to guard against unintended use according to the Rules of the Division of Workers’ Compensation in a manner consistent with the social remedial intent of the legislation.
CONGRESS ATTEMPTS TO ACT
While a uniform federal law appears to be the best approach to achieving a valid level of privacy protection, our legislators have yet to focus on a single route to achieve this goal. The basis of this right to privacy is well-founded in the United States Constitution. Justice Douglas wrote "…that specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance" and that they give rise to the "right of privacy." Griswold v. Connecticut, 85 S.Ct. 1678 (1965).
In Congress, two major pieces of legislation have been proposed. The Medical Records Privacy Act of 1997 (S.1368) is a comprehensive and carefully crafted bill that would ensure privacy protection while allowing the idealistic goals of a uniform program to be achieved. It was introduced on November 4, 1997, by Senator Patrick Leahy (D-Vt) and Senator Edward Kennedy (D-Mass). Senator Leahy stated, "Americans strongly believe that their personal, private medical records should be kept private. The time-honored ethics of the medical profession also reflect this principle. The physicians’ Oath of Hippocrates requires that medical information be maintained ‘as sacred as secrets.’" While the information age offers endless possibilities, Senator Leahy believes that unless we are vigilant, the new technology can overrun our privacy rights. The Leahy/Kennedy proposal requires safeguards to ensure the privacy of medical information and requires that individuals have prompt access to their records and also have the opportunity to amend them. It establishes a specific program on how healthcare providers must notify individuals of their rights and establishes rules to ensure individual consent. It limits the disclosure of information and allows for the segregation of particularly sensitive portions of the medical records, including psychotherapist's notes, and retains State law when those restrictions are mandated. Furthermore, it permits civil actions by individuals who have been knowingly or negligently violated under the terms of the Act.
A more pro-industry proposal was offered by Senator James Jeffords (R-Vt) on April 2, 1998. The Jeffords proposal, The Health Care Personal Information Non-Disclosure Act of 1998 (S.1921), makes it mandatory for the participants of healthcare plans to provide authorization for the release of their records to their insurance company. If the individual fails to execute the disclosure authorization, termination may result. It also allows healthcare providers to deny individuals access to their records if the disclosure would cause "substantial mental harm." Finally, the Jeffords proposal fails to segregate psycho-therapist’s notes from exempted records.
The violation of privacy is a contagious disease. From a single incident, it can spread in epidemic proportion throughout the veins of the entire spectrum of the electronic network. Medical record privacy, once violated in the workplace, will proliferate with an Orwellian fervor throughout every aspect of a worker’s life. The time is now to legislate a cure for this disease.
By Jon L. Gelman, Attorney at Law, of Wayne, NJ. He is the author of NJ Workers’ Compensation Law (Thomson-Reuters) and co-author of the national treatise Modern Workers’ Compensation Law (Thomson-Reuters). For over five decades, the Law Offices of Jon L Gelman (1.973.696.7900) have represented injured workers and their families who have suffered occupational accidents and illnesses.
Recommended Citation: Gelman, Jon L., "Whose Business Is It Anyway? The Compelling Need for Privacy of Medical Records in the Workplace," 150 N.J.L.J. 592 (November 16, 1998) https://tinyurl.com/4cr827zy
© 1998-2023 Jon L Gelman. All rights reserved.
This article is reprinted with permission from the Fall 2001 issue of the Workers First Watch. © 2001