HIPAA’s Impact On DOT Driver Qualification And Medical Requirements

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services established regulations referred to as the “Privacy Rule.” The Privacy Rule is designed to protect disclosure of certain health information. Nevertheless, DOT regulations require employers to obtain and keep certain medical information related to their drivers.

HIPAA requires all “covered entities” to meet standards addressing “protected health information.” “Covered entities” include individual and group health plans, including employer-sponsored group health plans with 50 or more participants.

“Protected health information” includes all individually identifiable health information held or transmitted by a covered entity in any form—written, electronic or oral. Individually identifiable health information is information that identifies the individual and relates to 1) the individual’s past, present or future physical or mental health or condition; 2) the provision of health care to the individual; or 3) the past, present or future payment for the provision of health care to the individual. Individually identifiable health information includes name, address, birth date and Social Security number. Protected health information does not include employment records held by a covered entity in its role as employer.

Covered entities are permitted, but not required, to use and disclose information without the individual’s written authorization in six situations: 1) to the individual; 2) for its own treatment, payment and health care operations; 3) after giving the individual the opportunity to agree or object to disclosure (informal permission); 4) when disclosure is incidental; 5) when the public interest requires disclosure; and 6) when a limited data set (mostly deidentified information) is disclosed for specific purposes.

Under exception 5, disclosures in the public interest, the Privacy Rule permits disclosures without an individual’s authorization or permission for 12 public interest purposes, including disclosures required by law or for health oversight activities.

DOT may request information at any time to determine if a driver is physically qualified to drive. But may companies provide DOT with medical information without violating HIPAA?

DOT has given motor carriers the responsibility of ensuring that drivers meet all qualifications to drive, including that drivers be physically able to meet the demands of operating commercial motor vehicles. Drivers also have an obligation to meet the physical qualifications set forth in the regulations. Drivers must undergo physical exams and the results must be recorded on DOT Form 649-F. After the exam, drivers receive a copy of the Medical Examiner’s Certificate confirming that he or she is qualified to drive. The Medical Examiner’s Certificate is a brief statement from the examiner that the driver meets the qualifications set forth in the regulations. The card notes that the examiner has on file the complete examination form in his or her office.

However, DOT only requires that drivers be issued a brief medical examiner’s certificate that, while noting some specific medical information, does not provide much in the way of detail. Likewise, motor carriers are required to keep only the certificate in the driver’s qualification file. Companies are not required to keep the long Form 649-F.

As a general rule, covered entities must make reasonable efforts to limit the disclosure of protected health information to the “minimum necessary to accomplish the intended purpose of the use, disclosure or request.” Employers should develop policies and procedures to ensure that the minimum necessary information is being requested or disclosed.

Companies may provide a copy of the Medical Examiner’s Certificate without violating HIPAA. HIPAA permits agencies to obtain medical information when required to do so by law. DOT is responsible for reviewing drivers’ medical information to ensure they are physically able to drive, and disclosures to DOT for this purpose are “required by law.” In this capacity, companies are not bound by the “minimum necessary disclosure” rule, but providing just the certificate would comply with that rule just the same.

Disclosures for health oversight activities may be made to “health oversight agencies” for any activity “necessary for appropriate oversight” of “entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards.” “Health oversight agencies” include any government agency “that is authorized by law to oversee…government programs in which health information is necessary to determine eligibility or compliance…” Thus, DOT may ask for the information, and a company may provide the information without penalty under HIPAA.

Gases and Welding Distributors Association
Meet the Author
GAWDA Government Affairs and Human Resources Legal Consultant Richard P. Schweitzer, Esq., is president of Richard P. Schweitzer, PLLC, in Washington, D.C. Members can reach him at 202-223-3040 and at rpschweitzer@rpslegal.com.