December 1, 2008
Do you have to provide them to MSHA?
by Donna Vetrano Pryor
The Mine Safety and Health Administration (MSHA) has recently been demanding health-related information regarding employees from mine operators citing 45 C.F.R. § 164.514(d), the HIPAA Privacy Rules. Do operators need to provide this information? The answer may depend on which state you are in.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Among other things, this law mandates that the Department of Health and Human Services (HHS) adopt a series of standards to shift the health care industry toward electronic transactions. The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Regulations) govern how covered entities (certain health care providers, health plans, and health care clearinghouses) may use certain individually identifiable health information, known as protected health information (PHI).
The HIPAA Privacy Regulations apply only to (1) health care providers engaged in certain electronic transactions (covered health care providers); (2) health care clearinghouses; and (3) health plans [42 U.S.C. § 1320d-1]. An organization can also be a “hybrid entity” and covered by HIPAA if it has a health care component that uses or discloses protected health information electronically. An example of a hybrid entity would be corporations that are not in the health care industry, but that operate on-site health clinics that conduct the HIPAA standard transactions electronically.
Put bluntly, if your mine or company does not operate a clinic and is not covered by HIPAA, you may have to turn over medical records, unless there is a state prohibition on releasing such information. Hence, in order to determine whether HIPAA regulations apply to your company, you first must determine if you are a covered entity under HIPAA regulations and thus, cannot refuse to provide medical documents under HIPAA privacy rules. For example, if your business has a health clinic on site, but does not submit claims or engage in other standard HIPAA transactions using the HIPAA-adopted code sets, your business may not be covered by HIPAA because you are not engaged in the type of electronic transactions that subject you to the regulations, even though you are a health care provider. Thus, because you are not subject to the HIPAA regulations, you do not have to comply with the privacy-related restrictions on the use and/or disclosure of PHI. But beware, the inquiry doesn’t end there. Many states have laws which provide that health care providers may not disclose a patient’s medical record without the patient’s written authorization, unless otherwise required by law. Some states even provide that a patient whose records have been improperly disclosed has a right to bring a civil action to recover damages. Thus, specific attention should be given to turning over medical records of an employee in any given situation, including the demands of MSHA.
In some cases, a business may not be able to disclose patient information under state law unless one of the statutory exceptions, such as the disclosure, is required by law, applies, or the patient provides an authorization. To this, an MSHA representative might argue that giving them employee medical records is “required by law.” However, while Section 103(a) of the Mine Act requires an operator to disclose information that enables MSHA to conduct an investigation in an expeditious manner, case law appears to dictate that the Mine Act does not authorize a wholesale search of all files in a mine office.
30 U.S.C. § 813(a) (section 103(a) of the Mine Act) provides, in relevant part:
Authorized representatives of the Secretary or the Secretary of Health, Education, and Welfare shall make frequent inspections and investigations in coal or other mines each year for the purpose of (1) obtaining, utilizing, and disseminating information relating to health and safety conditions, the causes of accidents, and the causes of diseases and physical impairments originating in such mines…
Additionally, Section 103(h) of the Mine Act states, in part:
In addition to such records as are specifically required by this Act, every operator of a coal or other mine shall establish and maintain such records, make such reports, and provide such information, as the Secretary or the Secretary of Health, Education, and Welfare may reasonably require from time to time to enable him to perform his functions under this Act.
These sections of the Act were considered in Sewell Coal Co. v. Secretary of Labor, 1 FMSHRC 864 (July 1979). In Sewell, the Secretary argued it had a right to review employee personnel files to verify the mine operator’s accident, illness, and injury reporting under Part 50. In that case, the administrative law judge found that “the Mine Safety and Health Act does not authorize wholesale, warrantless, nonconsensual searches of files and records in a mine office.” Id. at 872.
However, in Secretary of Labor v. BHP Copper, Inc., the Federal Mine Safety and Health Review Commission found that BHP’s refusal to disclose an employee’s address and telephone number during an accident investigation violated Section 103(a) of the Mine Act [21 FMSHRC 758 (July 1999)]. While the Commission stated generally that it agreed that “section 103(a) can be reasonably interpreted to require a mine operator to disclose information…that enables MSHA to conduct an accident investigation in an expeditious manner,” the application of this decision is fairly limited, since it also stated that its holding was “fact-specific” and that it was not addressing disclosure of other information not at issue in the case [Id. at 765 and 768]. Depending on the circumstances surrounding the MSHA investigation and given the potential repercussions of violating state law, an operator would be well served to check state law for applicable restrictions, and may wish to obtain a patient’s written authorization before disclosing medical records to MSHA. Should the employee refuse to sign, and state law prohibits release without patient authorization, MSHA may ultimately have to look elsewhere for the information – or simply abandon its request.
If you are not subject to the HIPAA regulations, you may have to turn over requested health care records to MSHA. But, state laws may still prohibit disclosure of medical records without the patient’s written authorization.
Donna Vetrano Pryor is an associate in the Denver office of Patton Boggs LLP. She assists a diverse range of clients in complex commercial litigation matters in state and federal courts, as well as during alternative dispute resolutions. Vetrano Pryor may be reached via phone at 303-894-6145 or via e-mail at firstname.lastname@example.org.