Confidentiality of Medical Records and Worker Health Information in the Occupational Health Setting

Introduction

Occupational health nurses (OHNs) have access to a great deal of worker health information, both personal and work- related. They must clearly understand the variety of records in occupational health and the relevant legal, ethical and professional requirements to protect worker health information from inappropriate disclosure. Workers must be confident that their personal health information will be appropriately protected by the OHN. Despite numerous statutes that protect health information, many of these laws may not apply to occupational health settings, and ethical conflicts may arise if OHNs are asked to provide worker health information without the worker’s knowledge or consent. It is essential for OHNs to have a basic understanding of the pertinent local, state, and federal legal and regulatory requirements relevant to their industry and practice setting. In cases where requirements are not clearly understood or specific cases warrant further understanding, the OHN should consult the company’s legal and/or risk advisors.

Rationale

The OHN has access to medical records and worker health information and may gather personal health information in the course of their interaction with workers. It is important that the worker have assurance from the OHN that their personal health information will be appropriately protected; this may impact what the worker is willing to disclose during an evaluation or assessment and may affect decisions regarding their ability to safely perform the job.

The type of records OHNs may deal with include medical records such as documentation of routine preventive care, acute illness care, and care of chronic diseases. Worker health information may include work-related records, work- related illnesses and injuries/workers compensation, medical and employment questionnaires, job descriptions, medical surveillance examinations, exposure evaluations, biologic and other screenings, etc. It is important that the OHN recognize which records include personal health information so that they may avoid unnecessary or inappropriate disclosure.

There are several federal and state statutes that affect maintenance and disclosure of worker health information. Below is a brief summary of pertinent federal legislation:

Occupational Safety and Health Administration

The Occupational Safety and Health Administration (OSHA) assures safe and healthy working conditions by establishing laws that prohibit employers from retaliating or discriminating against workers for reporting an injury or illness (U.S. Department of Labor, 2018). There are specific recordkeeping laws requiring retention and availability of Access to Employee Exposure and Medical Records Standard 29CFR1910.1020 requires that the employee or employee’s designated representative have access to r e l e v a n t m e d i c a l records, with the employee’s written consent, according to the following guidelines: Records must be provided without cost to the employee or representative, if possible within 15 working days of the initial request, and the employer must make provisions for copying of records ( U. S. Department of Labor, 2011 ).

An employee must give specific written consent before a designated representative may look at or copy the employee’s record. A recognized or certified collective bargaining agent is automatically considered a designated representative for purposes of access to worker exposure records and analyses prepared using exposure or health data.

OSHA has also addressed confidentiality in several standards that require medical evaluations. For example, the Bloodborne Pathogen Standard requires a post-exposure confidential medical evaluation with limited information to be given to the employer (i.e., employee has been informed of the results of the evaluation, and told about any medical conditions resulting from the exposure which require further evaluation or treatment). All other findings or diagnoses obtained during the evaluation must remain confidential and must not be included in the written report

(U. S. Department of Labor, 2018 ).

Some more recent OSHA standards with medical surveillance requirements (e.g., hexavalent chromium and crystalline silica) explicitly require that the examining healthcare provider not reveal to the employer specific findings or diagnoses unrelated to occupational exposure. The respirable crystalline silica standard (1926.1153) requires limiting release of information to the employer to: the date of the examination, a statement that the examination has met the requirements of the standard, and, any recommended limitations on the employee’s use of respirators (U. S. Department of Labor, 2018 ).

Americans with Disabilities Act and Amendment Act

The Americans with Disabilities Act (ADA) and Amendment Act (ADAAA) protect individuals with disabilities from employment discrimination (U.S. Department of Justice, 2009). The law limits an employer’s right to collect and use health-related information in regards to job applicants and workers. Although the ADA does not require an occupational health professional to be the custodian of worker health information, it does mandate that health data be kept separate from personnel files and be treated with confidentiality regardless of whether the data reveals a disability. Specific exceptions are as follows:

It is important to note that these mandates regarding confidentiality also apply to medical information relevant to an applicant’s or employee’s occupational injury or workers’ compensation claims (U.S. Equal Employment Opportunity Commission (USEEOC), 2000).

The Health Insurance Portability and Accountability Act

The passage of the 1996 Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, has validated the nurse’s obligation to maintain confidentiality of health information. The primary intent of the HIPAA Privacy Rule is to protect individuals’ privacy by giving them rights regarding their health information and setting rules and limits on who can look at and receive the information (U.S. Department of Health and Human Services [USDHHS], 2017). This applies to all forms of protected health information (PHI), whether electronic, written, or oral. The HIPAA Security Rule is a Federal law that requires security for health information in electronic form (USDHHS).

HIPAA restricts access to health information only if the healthcare provider generating or maintaining the information is a covered entity under the rule. Business associates of covered entities must also follow HIPAA regulations. Organizations that do not have to follow the Privacy and Security Rules include: life insurers, employers, workers compensation carriers, most schools and school districts, many state agencies such as child protective service agencies, most law enforcement agencies, and many municipal offices (USDHHS, 2017, 2003). According to HIPAA, employers are required to comply with laws relating to workers’ compensation as well as requirements of state and federal laws and regulations, thus, may be required to disclose occupational medical records. OHN’s should be mindful of confidentiality when recording patient information in occupational medical records and should keep personal health information separate from exposure records (U.S. Department of Labor, 2018). While OHN’s should ethically maintain confidentiality of PHI, occupational health providers are generally not covered entities under HIPAA and w orker health records held in occupational health departments are excluded in the definition of PH I (Litchfield, 2009).

While HIPAA may not apply to medical information within occupational health departments, various state privacy laws may regulate this information and these laws may be more stringent than HIPAA. OHNs must be familiar with privacy requirements within their state laws (e.g., Workers’ Compensation, Nurse Practice Act) (Strasser & Knoblauch, 2014).

Recommendations

For many OHNs, legislation and regulatory agencies may not provide all the answers related to appropriate sharing of health related information (e.g., what can be disclosed to a supervisor and/or to Human Resources). OHNs should be proactive in development of comprehensive policies and procedures to manage and protect worker’s health information. Protocols and procedures may vary based on the practice situation. The policy should consider the ethical duties pertinent to the OHN as well as the legislative and regulatory requirements. It should be developed in collaboration with relevant representatives from the company (i.e., HR, management, legal/risk), and management support should be secured. Finally, the policies and procedures should be communicated to and acknowledged by all personnel.

The policy should cover (Strasser, 2004):

It is essential for OHNs to have a good understanding of the legal and regulatory requirements at the local, state and federal level where they practice, as well as their ethical and professional duty when implementing and amending such policies. The American Association of Occupational Health Nurses (AAOHN) has tools to support the OHN in navigating this process. They include: AAOHN Standards of Practice (AAOHN, 2012) and the AAOHN Code of Ethics (AAOHN, 2016). OSHA has additional resources on their Clinicians webpage including information on ethics and confidentiality in occupational health, regulatory and clinical issues (with links to OSHA’s Office of Occupational Medicine and Nursing [OOMN]). The OOMN provides OSHA with the recordkeeping and occupational health management expertise of board- certified occupational medicine physicians and OHNs (U.S. Department of Labor, 2018). Additionally, for specific situations that may arise, the OHN may consider consulting an expert OHN consultant or their company’s legal/risk advisors.