Important Recommendations for Providers Related to OnBoard: Limited Release

Important Recommendations for Providers Related to OnBoard: Limited Release

The New York State Workers’ Compensation Board (Board) would like to address a potential privacy concern related to the provider registration process for the Board’s new online information system, OnBoard: Limited Release (OBLR).

Following the implementation of Phase One of OBLR on March 7, 2022, concerns were raised about providers who work for multiple offices/practices that have different tax identification numbers. Since OBLR registration is based on an individual provider’s NPI number, rather than a particular practice group’s tax identification number, a provider receives only one account for OBLR access. As a result, a provider’s delegate for one office/practice may be able to view medical information pertaining to another office/practice, resulting in the potential for a HIPAA violation.     

The Board has suggested recommendations to avoid HIPAA violations, as it’s not practical for providers with multiple offices/practices to not use delegates.

Recommendations to Avoid HIPAA Violations 

To avoid a possible HIPAA violation, the Board recommends providers ensure all members of their workforce are trained with respect to the requirements of HIPAA and HIPAA’s Privacy Rule, as well as Workers’ Compensation Law (WCL) § 110-a. Under the federal regulation governing protected health information, 45 CFR 160.103, “workforce” is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”

It is further recommended that providers enter into a business associate agreement (BAA) with those who are defined as a “business associate” under 45 CFR 160.103. A BAA governs parameters for the creation, receipt, maintenance, transmission, and disclosure of private health information by business associates. Typically, business associates are the provider's subcontractors and vendors, who are not members of a provider’s workforce. Business associates should also be trained with respect to the requirements of WCL § 110-a.  


Providers who have questions regarding this announcement should email the Board’s Office of General Counsel at

For general questions about the OnBoard project, email