I am the HIPAA Program Manager for a large healthcare system with 300 beds and 70+ clinics, with 6+ years experience with both the Privacy & the Security Rules.
Your employer CAN obtain information about your injury IF you filed for worker's compensation benefits. Worker's comp is one of the specific disclosures within the HIPAA Privacy Rules that allows providers to disclose information without your authorization. Of course, the request must be legitimate, but your employer would obviously be able to prove legitimacy in a worker's comp case.
If you DID file a worker's comp claim, and your provider discloses information about your case, it must be (1) the minimum necessary to answer the questions raised and (2) your provider must log the disclosure (this process is called disclosure accounting). You have the right to request a copy of the disclosure accounting log that pertains to you. If your provider declines to provide you with the log pertaining to you, then you have a legitimate HIPAA Privacy complaint that you can file with your provider's Privacy Officer (they are required to have one), or you can file directly with HHS (see hhs.gov/ocr/hipaa). Heads-up that filing a complaint with HHS may take as long as a year before they investigate -- they're notoriously underfunded in this respect.
Once the information is provided to your employer, then they can impose whatever restrictions they want based on their company policy.
If you did NOT file a worker's comp claim, then you need to look at the authorization you signed when you first went to that provider. All authorizations for disclosures must meet strict requirements, and there are a number of elements they must contain. Check with your provider and look at what you signed. A blanket type consent that many providers still use is not usually compliant with the HIPAA Privacy Rules, but I'd have to know what it actually says before I could help you with that.
So, it's hard to say without knowing more about the situation whether your provider could legitimately give copies of your health record relating to this specific case. Just depends on whether it's workers comp, or what kind of authorization you signed with your provider.
Please note that your provider does NOT need your authorization in order to disclose your health information for purposes of Treatment (i.e. to another provider who is treating you, to nurses, med techs, etc.), Payment (disclosures to your insurance company, etc.), or internal operations.
You also have a right to your provider's Notice of Privacy Practices -- it spells out your rights, though most are written pretty badly. If you don't have one of these, or don't remember getting one, you have the right to get another copy. If your provider refuses to give you one, or only allows you to "look" at one, again they are out of compliance with the HIPAA Privacy Rules and you have a legitimate complaint.
You also have the right to a copy of your medical records. Your provider can ask you to pay a "reasonable" copying charge, but they have to provide a copy of the records to you within 30 days of your WRITTEN request.
Good luck on this -- let me know if I can help you further. Lane Hatcher