HIPAA Privacy Rule and 'Business Associates' contracts


The HIPAA Privacy Rule

"Business Associates" of "Covered Entities"
Privacy Contract Form


Part A: What is HIPAA?
  • Generally. HIPAA stands for the "Health Insurance Portability and Accountability Act of 1996". In this article, we confine ourselves to the privacy provisions of HIPAA (hereinafter "the HIPAA Privacy Rule"). It applies to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses (known as "Covered Entities" in HIPAA parlance). Although the HIPAA statute passed by Congress only delegated authority to HHS to regulate privacy information in the hands of health care providers, health plans, and health care clearinghouses, it became obvious to HHS, in drafting its regulations, that no effective privacy rules could be constructed unless independent contractors of Covered Entities were also subject to the same privacy standards as Covered Entities themselves. Thus, HHS, in its regulations, extended the reach of the HIPAA Privacy Rule beyond that which was delegated to it by Congress by requiring Covered Entities to obtain contractual assurances from those independent contractors who fit within the definition of "Business Associates" that they shall adhere to and be bound by the same HIPAA privacy standards as Covered Entities. Covered Entities have until April 14, 2003 to contractually bind their Business Associates to comply with the HIPAA privacy standards.
  • What is the HIPAA Privacy Rule? "This rule includes standards to protect the privacy of individually identifiable health information. The rules, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information." Preamble to Final Regulations issued by HHS pursuant to HIPAA, 45 CFR Parts 160 through 164; Federal Register: December 28, 2000 (Volume 65, Number 250).
  • What information is covered? "All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule." "Protecting The Privacy Of Patients' Health Information", HHS Fact Sheet (May 9, 2001).
  • Must health care providers receive consent from patients before disclosing Protected Health Information? Under the final modifications to the HIPAA Regulations issued by HHS in 2000, health care providers who directly treat patients are no longer required to obtain patient consent prior to the use or disclosure of protected health information ("PHI") for purposes of treatment, payment, and health care operations. However, please be aware that HIPAA does not preempt state law in this area and, thus, the states are free to require patient consent. Also, use or disclosure of protected health information for purposes other than treatment, payment, and health care operations does require patient consent under the HIPAA Privacy Rule.

Part B: Who is a "Covered Entity"?
  • Who is a "Covered Entity" under HIPAA? Health plans, health care clearinghouses, and "health care providers who transmit any health information in electronic form in connection with a transaction covered by this subchapter" (i.e., generally meaning the transmission of any health information in electronic form, but see below for the complete definition) are "Covered Entities" under HIPAA. Please note that health care providers who do not submit electronic transactions of health care information may still become Covered Entities under this rule when another entity, such as a billing service or a hospital, transmits a standard electronic transaction on their behalf. Please also note that health plans and health care clearinghouses do not need to enter into an "electronic transaction" involving "Protected Health Information" ("PHI") before they can be defined as a "covered entity". Only a health care provider must engage in an "electronic transaction" involving PHI before it becomes a "covered entity". A "transaction" is defined in the regulations to HIPAA as follows:
    "The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
    (1) Health care claims or equivalent encounter information.
    (2) Health care payment and remittance advice.
    (3) Coordination of benefits.
    (4) Health care claim status.
    (5) Enrollment and disenrollment in a health plan.
    (6) Eligibility for a health plan.
    (7) Health plan premium payments.
    (8) Referral certification and authorization.
    (9) First report of injury.
    (10) Health claims attachments.
    (11) Other transactions that the Secretary may prescribe by regulation."
    See Privacy Regulation, 45 C.F.R. § 160.103 Definitions.

    Therefore, if a medical practice engages in any electronic transaction described above (even only one transaction), then the Privacy Rule of the HIPAA regulations applies to this medical practice. This is the case even if the medical practice uses another entity, such as a billing service or hospital, to transmit an electronic transaction described above. Even though coverage under HIPAA is triggered by use of electronic transactions, the HIPAA Privacy Rule applies to individually identifiable health information in any form, including oral, written and electronic communications.

    For further information about who is a "covered entity", see:
  • Medical Society of the State of New York
  • HHS Fact Sheet


Part C: Who is a "Business Associate"?
  • A Business Associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A Business Associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.
  • "Q: Is it reasonable for covered entities to be held liable for the privacy violations of business associates?
    "A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Moreover, a business associate's violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred. If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, the covered entity must take "reasonable steps" to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship. If such steps are not successful, the covered entity must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity. In such circumstances where termination is not feasible, the covered entity must report the problem to the Department. Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule."

    OCR HIPAA Privacy TA 164.502E.001, Business Associates, 45 CFR § 160.103, 164.502(e), 164.514(e)

Part D: Required elements of a Business Associate Contract
  • A contract between the covered entity and a business associate must:
    (i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:
    (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
    (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
    (ii) Provide that the business associate will:
    (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
    (B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
    (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
    (D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
    (E) Make available protected health information in accordance with § 164.524;
    (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;
    (G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
    (H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and
    (I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
    (iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

    HIPAA Regs., 45 C.F.R. § 164.504(e)(2).


  • DISCLAIMER
    The above is provided for informational purposes only and is NOT to be relied upon as legal advice. This service is not a substitute for the advice of an attorney and we encourage users to have all documents created on our site reviewed by an attorney. No attorney-client relationship is established by use of our online legal forms system and the user is not to rely upon any information found anywhere on our site. THESE FORMS ARE SOLD ON AN "AS IS" BASIS WITH NO WARRANTIES OR GUARANTIES. If you wish personal assistance in deciding whether the document found on our site is right for you or desire representations and warranties upon the legality of the document you are purchasing in the jurisdiction you will be using it, contact an attorney licensed to practice law in your state.
    MedLawPlus.com, Inc.
    St. Louis, MO
    Copyright 1999 - 2008 / Patent Pending