Health Insurance Portability and Accountability Act (HIPAA)


Federal regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) went into effect April 14, 2003. One of the goals of HIPAA and the related regulations is to protect the privacy of health records used and disclosed by covered entities. Covered entities include health care providers who conduct certain financial and administrative transactions electronically, health care clearinghouses, and health plans.

Workers’ Compensation Exception

The HIPAA Privacy Rule is important because covered health care providers, including those that treat employees with workers’ compensation injuries, are required to comply with its requirements. The Privacy Rule recognizes the legitimate need of insurers and other entities involved in workers’ compensation systems to have access to individuals’ health information as authorized by state or other law.

Under HIPAA regulations, protected health information may be disclosed:

  • As authorized by and to the extent necessary to comply with the laws relating to workers’ compensation or similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. See 45 CFR 164.512(l).
  • To the extent the disclosure is required by state or other law. The disclosure must comply with and be limited to what the law requires. See 45 CFR 164.512(a).
  • For purposes of obtaining payment for any health care provided to the injured or ill worker. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

Nebraska law relating to the release of medical and hospital information in workers’ compensation cases states as follows: “All medical and hospital information relevant to the particular injury shall, on demand, be made available to the employer, the employee, the workers’ compensation insurer, and the compensation court. The party requesting such medical and hospital information shall pay the cost thereof. No such relevant information developed in connection with treatment or examination for which compensation is sought shall be considered a privileged communication for purposes of a workers’ compensation claim. When a physician or other provider of medical services willfully fails to make any report required of him or her under this section, the compensation court may order the forfeiture of his or her right to all or part of payment due for services rendered in connection with the particular case.” See Neb.Rev.Stat. §48-120(4).

The federal Office of Civil Rights (OCR), which administers the HIPAA Privacy Rule, has issued guidance on the interpretation of the Rule for workers’ compensation records. See the “Disclosures for Workers’ Compensation Purposes” section of its website.

The OCR website also includes a link to Frequently Asked Questions, where information regarding the HIPAA Privacy Rule may be found.

In addition, as part of a collaborative effort of health care organizations, a model HIPAA authorization form has been developed. This form is provided courtesy of the Nebraska Strategic National Implementation Process (Nebraska SNIP), a HIPAA implementation work group. The model authorization form is available at (PDF: 0.5 KB). More information about this organization can be found at

Other Links

For additional general information, including definitions of terms used in HIPAA, see the following links:

  • The website for the Office of Civil Rights, which is responsible for enforcement of the HIPAA Privacy Rule.
  • The website for the Workgroup for Electronic Data Interchange (WEDI). WEDI is a standard-setting organization for electronic medical reports and was an advisory group for HHS as it developed the HIPAA regulations.