Understanding When HIPAA Applies
One of the most common questions in workers’ compensation subrogation practice is whether HIPAA requires a signed release before medical records can be obtained or shared. The short answer is that HIPAA seldom prevents the exchange of records between medical providers and workers’ compensation carriers for the purpose of administering or paying the claim. However, once the matter shifts from claim administration to third-party recovery or tort litigation, the landscape changes. For subrogation professionals, understanding when HIPAA applies—and when it doesn’t—is critical to avoiding unnecessary roadblocks and maintaining compliance.
HIPAA regulates only “covered entities,” which include health care providers, health plans, and clearinghouses that transmit information electronically. It does not directly regulate employers, liability insurers, or workers’ compensation carriers. These entities are not covered by the HIPAA Privacy Rule, meaning they are not bound by HIPAA’s release requirements when they receive records from a lawful source. The compliance burden rests on the covered entity—the doctor, hospital, or clinic—that discloses the records.
The Workers’ Compensation Exception
The key provision governing this area is found at 45 C.F.R. §164.512(l). That section specifically authorizes covered entities to disclose protected health information (PHI) without the patient’s consent “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses.” The U.S. Department of Health and Human Services has explained that this rule is intended to ensure that state workers’ compensation systems continue to function smoothly. Providers may therefore send bills, reports, and treatment records directly to employers, carriers, or their representatives as necessary to process a claim—without a signed HIPAA release.
This exception, however, applies only when the information is being used to administer or pay a workers’ compensation claim. When the purpose of disclosure shifts—such as when the carrier or its subrogation attorney seeks to pursue a third-party tortfeasor—HIPAA’s workers’ compensation rules become a little less clear. A subrogation claim is not part of the workers’ compensation system. It is an independent legal action against a negligent third party. Therefore, if a provider is asked to send medical records to a subrogation attorney, some might argue that when sending records to a liability carrier, or any other party outside the workers’ compensation process, some claim that a HIPAA-compliant release is required unless another legal exception applies.
HIPAA’s Limited Reach Over Subrogation Professionals
HIPAA’s Privacy Rule does not apply to subrogation professionals handling third-party recoveries, except in very limited circumstances. This is because HIPAA regulates only “covered entities”—health care providers, health plans, and clearinghouses that transmit medical information electronically—and their “business associates.” Workers’ compensation and property-and-casualty insurers, along with their subrogation teams and attorneys, are not covered entities under the regulation. The rule governing this area, 45 C.F.R. §164.512(l), explicitly permits covered entities (such as hospitals or clinics) to disclose protected health information (PHI) “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs.” This means that medical providers may send medical bills and records directly to a workers’ compensation carrier or employer for purposes of administering or paying a claim without a HIPAA authorization. In particular, § 160.103 – Definitions (Covered Entities and Business Associates) defines who HIPAA actually regulates. It makes clear that only “covered entities” (health plans, health care clearinghouses, and health care providers who transmit health information electronically) and their “business associates” are subject to the Privacy Rule. Therefore, Workers’ compensation insurers, employers, and subrogation professionals are not covered entities and are therefore not directly subject to HIPAA.
Use vs. Disclosure: What Happens After Records Are Received
Once the carrier has received those records lawfully under the workers’ compensation exception, HIPAA no longer controls what the carrier—or its subrogation professionals—can do with them. Subrogation professionals are free to use the information for recovery or litigation purposes without violating HIPAA because the Privacy Rule governs only the disclosure by covered entities, not the use by non-covered entities that lawfully obtained the data. The Department of Health and Human Services’ own workers’ compensation guidance confirms that the rule intends to ensure the smooth functioning of state compensation systems and does not extend to third-party subrogation efforts.
Section 164.512(l) is the operative provision that permits covered entities to disclose protected health information without authorization for workers’ compensation purposes. It reads:
“A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illness.”
However, if a subrogation professional or attorney attempts to obtain medical records directly from a covered provider for purposes of a third-party claim—outside of the compensation system—a signed HIPAA authorization is required. In that situation, the provider cannot rely on the workers’ compensation exception because the disclosure no longer serves the administration or payment of the claim itself.
Key Takeaways
In summary, the legal authorities and administrative guidance confirm the following:
- HIPAA applies only to covered entities and their disclosures, not to subrogation professionals or property-and-casualty insurers.
- Once a carrier has lawfully received medical information under the workers’ compensation exception, its subrogation staff may use that information freely.
- A HIPAA release is only necessary when a subrogation professional seeks records directly from a medical provider for purposes outside the workers’ compensation claim.
This framework means that subrogation professionals do not violate HIPAA when using existing claim records to pursue third-party recovery. They only need to obtain a release if they are requesting records directly from a covered provider.
Distinguishing Between Lawful Use and Direct Requests
That distinction is easy to overlook in practice. During the early life of a claim, medical providers and carriers exchange information freely to determine compensability, authorize treatment, and calculate benefits. No HIPAA authorization is needed because these disclosures are part of the claim itself. Later, when the carrier’s subrogation unit or outside counsel seeks to build a third-party case, those same records are often requested again—but now for a different purpose. At that point, the provider is no longer disclosing information to administer a workers’ compensation claim but rather to support a civil recovery. Without a valid release from the injured worker, the provider may not legally disclose the records.
Subrogation professionals should therefore distinguish between records already in the carrier’s possession and those obtained directly from a medical provider. If the workers’ compensation carrier lawfully received the records during the normal administration of the claim, HIPAA does not restrict how the carrier uses them for subrogation purposes. HIPAA applies to covered entities’ disclosures, not to what a non-covered entity does with lawfully obtained information. In other words, once the records are in the carrier’s file, HIPAA does not bar the carrier from using them to pursue subrogation or sharing them with counsel or the court.
However, if the subrogation attorney or outside firm attempts to obtain records directly from the medical provider—without going through the carrier—a HIPAA authorization is generally required. That is because the attorney or firm is not part of the workers’ compensation claim administration process, and the provider cannot rely on the workers’ compensation exception to justify the disclosure. This distinction explains why many subrogation professionals have experienced inconsistent responses from medical offices: some release the records freely under the workers’ compensation exception, while others insist on an authorization once the purpose changes.
Additional Considerations
In addition to HIPAA, state law also plays a role. Many state workers’ compensation statutes explicitly authorize providers to release information to employers and carriers for work-related injuries but are silent about third-party actions. In those states, the statutory authorization ends where the subrogation process begins. Unless the state law independently permits disclosure for litigation purposes, a HIPAA release remains necessary to obtain records for use in a third-party recovery.
Even when HIPAA would allow a disclosure without authorization, subrogation professionals should remember the “minimum necessary” rule. Covered entities must disclose only the amount of information reasonably necessary to achieve the intended purpose. When records are released without a HIPAA authorization, they should be limited to the treatment directly related to the compensable injury, excluding unrelated medical history unless it is relevant to the claim.
It is also worth remembering that HIPAA governs only disclosure, not use. Once a non-covered entity, such as a carrier or attorney, lawfully possesses the records, HIPAA does not restrict what can be done with them in litigation. Other confidentiality or evidentiary rules may apply, but HIPAA itself does not extend that far. The Privacy Rule’s purpose is to protect medical information from unauthorized disclosure, not to obstruct legitimate recovery rights or defenses.
The Bottom Line
In the end, HIPAA is often cited more broadly than it was ever intended to apply. The workers’ compensation exception exists precisely so that state benefit systems can function without unnecessary red tape. But subrogation, though closely related, is a separate legal process that falls outside that exception. The rule of thumb is simple: within the workers’ compensation system, no HIPAA release is required; once you step outside of it—into tort or subrogation—an authorization is needed to obtain medical records directly from a provider.
Subrogation professionals who understand that distinction can navigate the privacy requirements confidently. By recognizing when HIPAA applies, relying on the workers’ compensation exception where appropriate, and obtaining releases when necessary, carriers and attorneys can maintain compliance while keeping their recovery programs efficient and effective.
