HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Is the Division of Vocational Rehabilitation a HIPAA-covered entity?

Written by Caitlin Anthoney | Nov 6, 2024 1:59:02 PM

Generally no, but since the Division of Vocational Rehabilitation (DVR) often handles protected health information (PHI), using HIPAA compliant emails can help them safeguard client privacy and security, and reduce legal risks.

 

What is the Division of Vocational Rehabilitation (DVR)?

The DVR is a state-operated program that helps disabled individuals get and maintain employment. The DVR of each state is usually part of a larger network funded partly by the federal government, particularly through the Rehabilitation Services Administration under the Department of Education. 

The Wisconsin DVR, for example, offers the following services:

  • “Employment services and counseling to people with disabilities.
  • [Arranging] for services to enable an individual to go to work.
  • Training and technical assistance to employers regarding disability employment issues.”

While every state has a DVR program, the specifics of services and funding, along with how programs are structured, can differ from state to state. 

Some states even have multiple DVR offices, like New York, which has the New York State Office of Adult Career and Continuing Education Services - Vocational Rehabilitation (ACCES-VR) and the New York State Commission for the Blind (NYSCB).

Moreover, local offices that serve different regions or types of disabilities can complicate service delivery, especially the question of whether the DVR should follow state-level privacy and security standards like the Health Insurance Portability and Accountability Act (HIPAA).

 

HIPAA and covered entities

HIPAA mandates that covered entities (including healthcare providers, health plans, and healthcare clearinghouses) and their business associates safeguard individuals’ protected health information (PHI).

More specifically, covered entities and their business associates must use a HIPAA compliant communication solution, like Paubox, to safeguard PHI during transmission and storage. These solutions use advanced security measures, including encryption, access controls, and audit trails to maintain regulatory compliance and avoid legal ramifications.

 

Is the DVR a covered entity?

No, the DVR isn’t a HIPAA-covered entity since it doesn't provide healthcare services but instead offers employment services.

Wisconsin DVR confidentiality rules explain, “DVR is not an entity covered under the Health Insurance Portability and Accountability Act (HIPAA) as determined by the Rehabilitation Services Administration (RSA).”

So, what happens when it handles sensitive medical information that would typically require protection?

 

Case example: Sharon Robinson v. Department of Vocational Rehabilitation

In the 2022 case of Sharon Robinson v. Department of Vocational Rehabilitation, the plaintiff filed a complaint against DVR, claiming they violated her HIPAA rights.

The court eventually dismissed these claims, explaining that HIPAA does not provide a private right of action. Furthermore, HIPAA can only be enforced by federal agencies, like the U.S. Department of Health and Human Services (HHS), not private individuals.

Although this case clarifies that DVR is not a covered entity, it also shows that situations involving PHI could still require HIPAA compliant practices.

 

When should the DVR use HIPAA compliant communication?

Whenever medical information is involved, it is best to use HIPAA compliant communication platforms to safeguard patients' privacy and security, even if there’s no legal obligation to do so.

Paubox email, for example, allows the DVR to:

  • Collaborate with healthcare providers, arranging services like physical therapy or mental health counseling without exposing sensitive information.
  • Securely handle health information for employment accommodations, like arranging ergonomic workstations or modified schedules.
  • Communicate with third-party service providers (such as job training programs or vocational counselors) while maintaining confidentiality of medical records and employment-related health information.

 

How the DVR should set up HIPAA compliant emails

  • Perform a deep risk analysis to identify potential vulnerabilities in the current emailing system.
  • Choose a HIPAA compliant email platform with encryption, access controls, and audit trails.
  • Sign a BAA with the platform, outlining the responsibilities of both parties in protecting PHI.
  • Train staff on compliance protocols and how to report potential security risks.
  • Use role-based access controls, allowing only a certain number of people to view or handle PHI. 
  • Regularly monitor and audit email activities.
  • Develop a response plan for potential data breaches.
  • Regularly revise and update policies according to federal laws and best practices. 

 

FAQs

What is a covered entity?

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that handles protected health information (PHI).

 

Can covered entities share PHI without patient consent?

PHI can only be shared without patient consent for treatment, payment, and healthcare operations or when required by law.

 

What are individuals’ rights under HIPAA?

Individuals have the right to access, request corrections to, and obtain a copy of their PHI. They can also request an account of PHI disclosures, file complaints, receive electronic copies, and opt out of certain uses, and they must be notified of PHI breaches.