Third-party employment evaluations, such as independent medical evaluations that address issues relevant to fitness for duty or disability, workers’ compensation, or Social Security benefits, are the most common psychiatric evaluations requested for nontherapeutic reasons. Although some are referred to forensic psychiatrists, most of these are performed by general clinicians.
Each year, mental disorders affect approximately 23.5 million adults between the ages of 18 and 54
(1) . The National Health Survey Interview (1998–2000)
(2) found that for younger adults, ages 18–44, mental illness was the second most frequently reported cause of limited activities (11.8 per 1,000 people), exceeded only by musculoskeletal conditions. For adults in midlife, ages 45–54, mental illness ranked as the third most frequently mentioned cause of activity limitation (21.5 per 1,000 people)
(2) . In 1999, mental or emotional problems represented one of the top 10 causes of disability among U.S. adults overall, at a rate higher than disability caused by diabetes or stroke
(2) .
Private disability insurers report that mental disorders represent, on average, 6% of all long-term disability claims and 4% of all short-term disability claims
(3) . In 2003, 28% of Social Security disability recipients received payments based on a mental disorder (not including mental retardation)
(4) . This group represents the highest single diagnostic category of all Social Security disability claims.
The frequency with which issues regarding work function, mental disorder, and disability arise is such that most psychiatrists can report some experience with requests for disability evaluation or documentation.
Although ethical guidelines advise against psychiatrists adopting the dual roles of treatment provider and forensic expert consultant
(5), circumstances may arise that make the assumption of both roles in employment evaluations unavoidable
(6) . Most Social Security claims, for example, are adjudicated on the basis of a review of information regarding psychiatric functional impairment provided by a treating psychiatrist. Workers’ compensation cases also rely heavily on information and opinions supplied by a treating clinician.
Employment-related evaluations are conducted for the express purpose of communicating what would, in other clinical settings, be considered confidential information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
(7) affected an extensive range of health care issues, including confidentiality of and access to health data. HIPAA’s confidentiality provisions are generally not problematic for psychiatrists, who have long been required to comply with similar and often more stringent state and federal laws and ethical principles regarding confidentiality. More than most physicians, psychiatrists are familiar with and have implemented practices, such as requiring consent to release information, releasing only the minimum amount of patient information and training staff to maintain privacy.
However, many psychiatrists are not clear whether HIPAA’s provisions affect standard practices or change legal responsibilities related to nonclinical activities, such as third-party employment evaluations, and if so, how. Some malpractice insurers are treating the privacy rule as though it set a new national standard of care and are recommending that psychiatrists adhere to regulations whether the profession qualifies as a “covered entity” under HIPAA or not. Legal immunity, often available in criminal evaluations, frequently is not available in employment-related or civil evaluations
(8,
9) . Finally, familiarity with these implications can improve evaluation practices and assist psychiatrists in avoiding some of the conflicts that frequently arise in third-party evaluations. This article will discuss specific HIPAA issues related to third-party employment evaluations and reports.
Disclosure and Liability
As required by HIPAA, the Department of Health and Human Services adopted the privacy rule
(10), a uniform standard for the privacy, use, and disclosure of individually identifiable health information by HIPAA-defined “covered entities.”
The privacy rule applies to any health care provider, regardless of size, who transmits health information in electronic form, including claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which Health and Human Services has established standards under HIPAA
(11) .
No case law as yet exists for determining whether HIPAA’s provisions have come to be considered the standard of care for confidentiality. Nevertheless, if the privacy rule is ultimately found to be the standard of care, evaluees and their patients may find it easier to prevail in lawsuits brought under state law or complaints to licensure boards.
Disclosure to Third Parties
The privacy rule gives patients a statutory right to increased knowledge about and control over what information is shared, with whom, and for what purposes. Patients must provide authorization in advance for each type of nonroutine use or disclosure
(12) . In addition, patients are entitled to a list of entities to which nonroutine disclosures have been made
(12) .
The privacy rule has recognized that certain types of evaluations cannot go forward without authorization of the release of information. The rule specifies that medical treatment of an individual cannot be conditioned upon the individual signing an authorization for the disclosure of information. In contrast, it expressly allows independent medical evaluations by physicians to require an evaluee to sign an authorization for the release of protected health information to the third party requesting the independent medical evaluation as a condition of performing the independent medical evaluation. The rule states the following:
A covered entity may condition the provision of health care solely to generate protected health information for disclosure to a third party on the individual giving authorization to disclose the information to the third party. For example, a covered entity physician may condition the provision of a physical examination to be paid for by a life insurance issuer on an individual’s authorization to disclose the results of that examination to the life insurance issuer.
(12)
The privacy rule does allow disclosure to an individual’s employer or insurance company without authorization but only in limited circumstances. First, the covered provider must provide the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce. Second, the health care service provided must be related to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury. Third, the employer must have a legal duty under federal or state law to keep records on or act on such information
(13) . (Nothing in the privacy rule, however, prohibits an employer from conditioning employment on an individual providing an authorization for the disclosure of such information.)
For example, the Occupational Safety and Health Administration requires employers to monitor employees’ exposure to certain substances and to take specific actions when an employee’s exposure level exceeds a specified limit. A covered entity that tests an individual for such exposure at the request of the individual’s employer may disclose that test result to the employer without authorization. To the extent that any examination, such as a drug test, is conducted at the request of the employer for the purpose of federal- or state-mandated workplace surveillance or work-related injury or illness and the employer needs the information to comply with the federal or state law, the protected health information needed to meet the employer’s legal obligation may be disclosed to the employer without the employee’s authorization
(13) .
The privacy rule specifically addresses disclosures in other common types of employment evaluations, and these disclosures are relatively unchanged by the federal privacy statute. Disclosure of employment-related evaluations conducted in the context of litigation is expressly noted to be subject to the rules of discovery of the jurisdiction. The privacy rule does not give an individual the right of access to information “compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding”
(14) . Thus, if the independent medical evaluation is conducted in these contexts, the individual would not be entitled to see the reports unless rights to greater access are accorded to individuals under applicable state law.
The privacy rule also makes clear that all employment-related evaluation disclosures, including those made by a covered entity in litigation or a proceeding in which the covered entity is not a party and that are made in response to a subpoena, discovery request, or other lawful process, are subject to accounting requirements
(15) . Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity.
Disclosure in workers’ compensation continues to be governed by state law, and therefore, the privacy rule has only limited impact in these cases. “The Privacy Rule is not intended to disrupt existing workers’ compensation systems as established by State law…. To this end, the Privacy Rule explicitly permits a covered entity to disclose protected health information as authorized by, and to the extent necessary to comply with, workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illness”
(15) . Nevertheless, providers are still required to reasonably limit the amount of protected health information disclosed to the minimum necessary to accomplish the workers’ compensation purpose.
The Social Security Administration and the state disability determination services are not covered entities under HIPAA. The Social Security Administration indicates that covered physicians must still comply with all of the Social Security Administration rules according to the privacy act of 1974, as revised, regarding disclosure of information and access to information gathered and maintained while performing work for the Social Security Administration. Some of these regulations limit the disclosure of information
(16) .
The Social Security Administration has determined that consultative examinations conducted for the Social Security Administration fall within the range of functions included in HIPAA definitions of “health care provider”
(17) and “treatment”
(18) . The Social Security Administration directs physicians to respond to all requests for copies of their consultative examinations by forwarding the requests to the State Disability Determinations Services for processing rather than releasing the information directly to evaluees or others
(19) .
The Social Security Administration also emphasizes that when the examiner is a covered entity under HIPAA, the privacy rule requires that psychiatrists provide the individual with a notice of the patient’s rights and the psychiatrists’ privacy practices
(20) . Psychiatrists should also obtain a written acknowledgment of the receipt of the notice or document good faith efforts to obtain such an acknowledgment.
HIPAA and Evaluee Access to Third-Party Evaluations
One practice associated with employment-related evaluations affected by HIPAA in ways that are not yet entirely clear involves evaluees’ access to reports. As noted, the privacy rule created new federal statutory rights for patients, including the right to obtain copies of their records. Under the privacy rule, only two disclosures of health care information are absolutely mandatory. The first is to the secretary of Health and Human Services for enforcement purposes. The second is to the patient, regardless of what state law allows
(14) . Any further disclosures other than for treatment, payment, and health care operations purposes, as discussed, require authorization from the patient.
Psychiatrists performing third-party evaluations typically release records and reports relating to these evaluations to only the retaining third party or that party’s designee. Evaluees will frequently request a copy of the psychiatrist’s report, either before or after the examination has taken place, and are often frustrated to discover they are not entitled to a copy. In cases involving litigation, reports are generally discoverable, and evaluees or their attorneys obtain copies of them in the course of the discovery process. However, most evaluation results do not end in litigation. Absent the legal process, although psychiatrists can encourage third parties to share reports with evaluees or with their treatment providers, evaluees are not given direct access to the psychiatric evaluation.
At least one basis for the standard practice of withholding third-party evaluations from evaluees lies in the context of their creation. Because such records and reports are not generated within a treatment relationship, and no clinical treatment is provided, psychiatrists generally have not considered them to be medical records in the traditional sense that could be accessed solely at the evaluee’s request. Thus, only the retaining party, who pays for the evaluation or report, has been considered entitled to them.
Evolving ethical standards and case law have indicated that this view of the nature of the physician-evaluee relationship in third-party evaluations is inaccurate
(9,
21) . It is also not the perspective adopted by HIPAA. The privacy rule defines protected health information as all “individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral”
(17) . This information includes the individual’s demographic data; past, present, or future physical or mental health or conditions; the provision of health care to the individual; and common identifiers, such as birth dates and Social Security numbers.
The privacy rule’s requirements apply to all disclosures of protected health information, regardless of the purpose for which the information was created. The type of service rendered and the existence of a physician-patient relationship are irrelevant in the determination of the applicability of privacy rule requirements. HIPAA does not differentiate between evaluations conducted for clinical purposes and those conducted for nontherapeutic purposes. If a nontherapeutic evaluation results in the acquisition of protected health information by a covered provider, then that evaluation is subject to the privacy rule.
The implications of this statutory right in relation to third-party evaluations have not yet become clear. Nevertheless, covered psychiatrists conducting such evaluations should bear in mind that evaluees have the right to access not just the report but the entire file. This includes information communicated by the third parties requesting the evaluation or by other informants, such as co-workers or supervisors (assuming that disclosure poses no threat to those persons, a circumstance that constitutes an exception to evaluee access)
(14) . Psychiatrists might wish to assess their procedures in regard to taking notes and perhaps even consider warning collateral informants that an evaluee may become privy to the information provided.
Psychiatrists should also bear in mind that state law, when more stringent regarding privacy, supersedes federal HIPAA provisions. Some states may not provide any exceptions to patient access. For example, the Medical Practice Act of Texas
(22) requires physicians to provide evaluees with access to their records and the evaluator’s stated opinions
(23) . In addition, federally assisted substance abuse treatment programs must comply with federal confidentiality requirements, which are more stringent than HIPAA
(24) . As previously discussed, the Social Security Administration process does not permit evaluees access to their relevant records directly from the evaluator.
Similarly, no case law yet exists that provides guidance to psychiatrists who receive requests from evaluees for their independent medical evaluation records or reports. Unless state statutory law indicates otherwise, psychiatrists who are not covered entities may therefore be relatively secure in continuing the historical practice of forwarding reports or directing requests for reports or records only to the referral source. Such is probably not the case for psychiatrists and other providers who are covered entities. Unlike the Social Security Administration assessments, the provider would be obligated to maintain a copy of the report and provide a copy to the evaluee upon his or her written request. The other HIPAA provisions would also apply, although there is the “administrative proceedings” exception.
The privacy rule specifies that the definition of protected health information excludes employment records held by a covered health care provider in its role as an employer, such as records related to the Family Medical Leave Act or Americans With Disabilities Act information, sick leave requests, or occupational injury information
(18) . The statute does not address whether a third-party evaluation conducted by a consultant for an employer similarly constitutes an exception to the definition of protected health information, but the exception for employer-held information implies that similar records generated by third parties for similar purposes might be considered excluded from disclosure requirements. Again, as yet, no case law exists to provide guidance regarding this issue.
Prudent psychiatrists should therefore bear in mind when writing their reports that evaluees very likely will be able to review what the evaluator has written. Evaluees will often be able to obtain a copy of their disability evaluation or other employment-related reports either directly from the referral source or, as discussed, in the course of litigation. Although relatively rare, defamation and libel suits may arise from such reports. Psychiatrists are generally not protected by judicial immunity from these suits
(9,
10) . As should be standard practice, psychiatrists should be certain that reports and disclosures adhere to professional and ethical standards.
Initial Disclosure to Evaluees: Informed Consent
Psychiatrists who are covered entities conducting independent medical evaluations or third-party evaluations are now required to include in their initial disclosures to evaluees practices and policies related to the privacy rule and authorization for disclosure. This should not present undue hardship because psychiatrists have already integrated many of these into their routine practice. However, covered psychiatrists also need to keep a log of all disclosures of protected health information in accordance with privacy rule provisions, even if they are made in the context of litigation, because evaluees are entitled to know the nature of each nonroutine disclosure, even if authorized.
Psychiatrists who are not covered entities and who are not already doing so may want to adopt similar procedures as a conservative risk management step. Many psychiatrists, for example, obtain verbal but not written authorization to disclose information obtained in the course of a third-party evaluation. Should the privacy act eventually become established as a standard of care, adherence to the standards of the act might help disprove claims of breach of confidentiality should they arise.
Many of the legal and ethical issues that arise in employment evaluations can be effectively addressed by initial disclosures regarding the extent of confidentiality, whether mandated by HIPAA or not. Before beginning an employment evaluation, psychiatrists should discuss with evaluees:
The nature of the referral source
Their understanding of the reason for the referral
Their understanding of the potential consequences of the evaluation
Who will be receiving a copy of the report
Whether the evaluee understands the nature of his or her access to the report
If evaluees lack understanding of any of these issues or object to any aspect or structure of the evaluation, they should be advised to consult their attorneys or referring agencies before proceeding with the evaluation. Covered providers are required to obtain signed authorization to release information. Noncovered providers may want to consider adopting the same policy.
HIPAA Resources and Additional Information
The following information does not constitute formal legal advice, and health care providers need to assess their own legal obligations:
Additional information regarding HIPAA and Social Security disability evaluations can be accessed at http://www.ssa.gov/disability/professionals/hipaa-cefactsheet.htm
The official Health and Human Services information source for the HIPAA privacy rule (www.hhs.gov/ocr/hipaa) provides links to other HIPAA information, including the Health and Human Services December 2003 guidance, an easy-to-read discussion of some of the key issues
The American Medical Association also provides useful HIPAA information at www.ama-assn.org/ama/pub/category/4234.html 4; APA also provides HIPAA information at http://www.psych.org/members/forums/categories.cfm?catid=19