HIPAA and the union's right to information
From the Massachusetts Nurse Newsletter
September 2005 Edition
By Joe Twarog
Associate Director, Labor Education & Training
The term HIPAA is heard and used frequently in health care settings. But it is also a term that is frequently misused, either intentionally or otherwise, especially when the union is concerned. This article will briefly review HIPAA only as it refers to the MNA as a union and its right to bargaining unit information.
The Health Insurance Portability and Accountability Act, commonly known as “HIPAA,” was passed by Congress in 1996. The privacy rule became effective in April 2001 with full compliance for healthcare providers occurring in April 2003. The act has two primary goals:
- To improve portability and continuity in health insurance coverage and efficiency in healthcare delivery by standardizing electronic data interchange
- To protect the confidentiality and security of health care data by setting and enforcing standards
The establishment of these new rules was entrusted to the Department of Health and Human Services. There are two parts to HIPAA reflecting these goals. The first deals with regulations that allow employees to retain their health insurance coverage if they lose or change jobs. The second part, the privacy rule, deals with the security and confidentiality of health care related data. One of the original ideas behind the act was to compel the healthcare industry to computerize its paper records as a way to save money. This of course led to a legitimate concern over the privacy of those computerized records.
The act is complex and has had numerous modifications and rule clarifications. For instance, new regulations recently took effect dealing with group plan coverage. Also, the Department of Justice has recently ruled on accountability and criminal liability for violations of HIPAA.
One objective of HIPAA is to protect patients’ privacy rights as far as their medical and health records are concerned. The act’s “privacy rule” governs how “covered entities” (health plans, insurers, HMOs, health care providers) may use and disclose protected health information. The privacy rule states that covered entities must adopt reasonable safeguards to protect their patients’ medical information.
However, the Department of Health and Human Services has repeatedly stated that the privacy rule does not apply to employers and employment records when they are acting in their role as employers, and when the medical information was obtained for employment purposes such as evaluating employee issues under the Americans with Disabilities Act, the Family and Medical Leave Act, Workers' Compensation, etc. Even though the vast majority of RNs work as employees of a “covered entity” (a hospital) under the act, employment records are excluded under the privacy rule. This means that if the union requests employment information from the employer about bargaining unit employees, the employer is required to provide the information consistent with the National Labor Relations Act or the Massachusetts labor law, Chapter 150 (e).
Some employers have cited HIPAA, either mistakenly or intentionally, as the reason for refusing to provide the union with requested information. This is not a valid reason and such refusal might constitute grounds for an unfair labor practice charge against the employer.
The National Labor Relations Board has recently ruled in a number of cases that the employer was in violation of the National Labor Relations Act for failure to provide such information as the union requested. A 2004 NLRB general counsel report states: “We (the NLRB) decided that the promulgation of the HIPAA regulations did not terminate an employer’s obligation to bargain over an accommodation of its confidentiality interest in health information concerning unit employees.” The NLRB further stated that “portions of the OSHA-required injury reports may not have even been HIPAA covered” because the employee records were held by the employer acting as an employer. In such cases “the employee would have no reasonable expectation of privacy in those portions of the injury reports.”
The government has set up a HIPAA hotline, 866.282.0659, where questions may be answered.