HR Alert

HIPAA Permits Certain Disclosures for Workers' Compensation Purposes

Various Disclosures Permitted without Individual Authorization

Employers are reminded that the federal Health Insurance Portability and Accountability Act (HIPAA) permits disclosures of an individual's health information for workers' compensation purposes. Most notably, HIPAA permits covered entities--including health care providers and their business associates--to disclose the health information of an individual to workers' compensation insurers, employers, state administrators, and other persons or entities involved in workers' compensation systems, without the authorization of the individual.

Permitted Disclosures without Authorization

Disclosures without the authorization of the individual are permitted in the following circumstances:

  • As authorized by, and to the extent necessary to comply with, laws relating to workers' compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.
  • To the extent the disclosure is required by state or other law. The disclosure must comply with and be limited to what the law requires.
  • For purposes of obtaining payment for any health care provided to the injured or ill worker.

In addition, covered entities may disclose so-called protected health information (PHI)--all individually identifiable health information held or transmitted by covered entities or their business associates, in any form or media, whether electronic, paper, or oral--to workers' compensation insurers and others involved in workers' compensation systems, where the individual has provided his or her authorization for the release of the information to the entity. The authorization must be valid and otherwise meet HIPAA requirements.

Disclosure Limited to Amount of 'Minimum Necessary' PHI

Covered entities are required reasonably to limit the amount of PHI disclosed to the minimum necessary to accomplish the workers' compensation purpose. Under this requirement, PHI may be shared for such purposes to the full extent authorized by State or other law. In addition, covered entities are required reasonably to limit the amount of PHI disclosed for payment purposes to the minimum necessary.


In general, HIPAA protects all PHI from unauthorized disclosure. HIPAA applies to covered entities, which includes health care providers (e.g., doctors and dentists) and their business associates.

Login to HRSPI Client Portal
Forgotten PasswordForgot Password
Executive Search Executive Search

Harrassment Prevention

HRSPI offers comprehensive, interactive, AB1825-Compliant training. Programs include introduction to recent anti-bullying legislation.

Latest News

News Archives

Latest Blog

Blog Archives