Generally no, but since the Division of Vocational Rehabilitation (DVR) often handles protected health information (PHI), using HIPAA compliant emails can help them safeguard client privacy and security, and reduce legal risks.
The DVR is a state-operated program that helps disabled individuals get and maintain employment. The DVR of each state is usually part of a larger network funded partly by the federal government, particularly through the Rehabilitation Services Administration under the Department of Education.
The Wisconsin DVR, for example, offers the following services:
While every state has a DVR program, the specifics of services and funding, along with how programs are structured, can differ from state to state.
Some states even have multiple DVR offices, like New York, which has the New York State Office of Adult Career and Continuing Education Services - Vocational Rehabilitation (ACCES-VR) and the New York State Commission for the Blind (NYSCB).
Moreover, local offices that serve different regions or types of disabilities can complicate service delivery, especially the question of whether the DVR should follow state-level privacy and security standards like the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA mandates that covered entities (including healthcare providers, health plans, and healthcare clearinghouses) and their business associates safeguard individuals’ protected health information (PHI).
More specifically, covered entities and their business associates must use a HIPAA compliant communication solution, like Paubox, to safeguard PHI during transmission and storage. These solutions use advanced security measures, including encryption, access controls, and audit trails to maintain regulatory compliance and avoid legal ramifications.
No, the DVR isn’t a HIPAA-covered entity since it doesn't provide healthcare services but instead offers employment services.
Wisconsin DVR confidentiality rules explain, “DVR is not an entity covered under the Health Insurance Portability and Accountability Act (HIPAA) as determined by the Rehabilitation Services Administration (RSA).”
So, what happens when it handles sensitive medical information that would typically require protection?
In the 2022 case of Sharon Robinson v. Department of Vocational Rehabilitation, the plaintiff filed a complaint against DVR, claiming they violated her HIPAA rights.
The court eventually dismissed these claims, explaining that HIPAA does not provide a private right of action. Furthermore, HIPAA can only be enforced by federal agencies, like the U.S. Department of Health and Human Services (HHS), not private individuals.
Although this case clarifies that DVR is not a covered entity, it also shows that situations involving PHI could still require HIPAA compliant practices.
Whenever medical information is involved, it is best to use HIPAA compliant communication platforms to safeguard patients' privacy and security, even if there’s no legal obligation to do so.
Paubox email, for example, allows the DVR to:
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that handles protected health information (PHI).
PHI can only be shared without patient consent for treatment, payment, and healthcare operations or when required by law.
Individuals have the right to access, request corrections, and obtain a copy of their PHI. They can also request an account of PHI disclosures, file complaints, receive electronic copies, opt out of certain uses, and must be notified of PHI breaches.