HIPAA is the acronym for the Health Insurance Portability and
Accountability Act of 1996. One part of that law, the Privacy Rule,
went into effect on April 14, 2003. If your business is a “covered
entity” as defined by the privacy regulations, you must comply with
the requirements of these regulations.
The final regulations for the HIPAA Privacy Rule were released
by the Department of Health & Human Services (DHHS) in August
2002. The Office for Civil Rights (OCR) is charged with
enforcement of the provisions of the Rule. Because these
regulations are rather new, OCR is continuing to interpret them as
well as to provide both technical assistance and information to
entities required to comply. Thus, clarification of the issues
under the HIPAA Privacy Rule is an on-going process.
A key concept under the privacy regulations is that of “business
associate.” This term is defined as “a person or entity that
performs a function or activity on behalf of a covered entity that
involves individually identifiable health information.” The
regulations require that your business have a written agreement
with persons/entities who are business associates to ensure that
the personal health information that you share with them is both
used and safeguarded appropriately (“satisfactory assurances”).
Thus, a covered entity cannot generally disclose protected health
information (PHI) to a business associate without such a written
agreement. Interestingly, the burden is on the covered entity to
initiate the business associate agreement, but there is no
requirement that the covered entity monitor how the business
associate abides by the terms of the agreement. Furthermore, under
the regulations, you are not legally liable for the actions of your
business associate, but, if you discover that your business
associate has violated the agreement, you must take reasonable
steps to correct the violation; if you cannot correct the
violation, you must terminate the agreement.
Identifying your business associates is not an easy task. The
regulations add some information: The business associate is a
person/entity who performs, or assists in performing, a “function
or activity involving the use or disclosure of” personal health
information. These functions or activities include “claims
processing or administration; data analysis, processing or
administration; utilization review; quality assurance; billing;
benefit management; practice management and repricing,” and it also
includes providing “legal, accreditation or financial services.”
Complex legal language!
For the use of O&P businesses, a “business associate” is NOT
a member of your workforce. Also, it is NOT another healthcare
provider to whom you disclose personal health information for
treatment purposes, such as a referring physician or physical
therapist. Furthermore, it is NOT a payer nor is it a health plan
to which you disclose personal health information for the purposes
of payment or accepting a discounted rate for your services. It is
NOT your janitorial service or a courier service, UPS, FedEx, or
the US Postal Service. Finally, it is NOT a telephone or copier
repair person who might stumble across some personal health
information; this sort of situation is referred to within the
regulations as an “incidental disclosure”; it is a very different
situation with a software vendor who sees PHI while installing or
developing new software for you.
Thus, you can start the process of defining your business
associates by asking three questions:
(1) Does the business perform or assist in the performance of an
activity or function involving the use or disclosure of PHI? Or
(2) Does the business provide legal, actuarial, accounting,
consulting, management, claims processing, accreditation, or
financial services that require the disclosure of PHI? And
(3) Does the business require the PHI in order to perform its
function or does the person need the PHI to perform his/her
duties?
In O&P, we do know that a central fabrication facility is
considered part of “treatment” and is not a business associate.
However, an entity that sells componentry and receives PHI in order
to provide the appropriate componentry would be considered to be
your “business associate.” In fact, such a provider is referred to
as a “specialty vendor” or a vendor that assists the direct
treatment provider or enables the direct treatment provider to
provide its services. Another business associate question has
arisen regarding an entity that receives PHI as part of the
warranty process: such an entity should be considered a business
associate under the definition of the regulations as it is
receiving PHI in order to perform its duties, i.e. warranty a
particular component.
It is important to note that, even if your business is a covered
entity, it may also be a business associate. For example, if you
have a contract to provide services to a clinic or hospital and you
are paid by that entity for the provision of services, you are a
business associate of that clinic or hospital. The key in this
situation is that you are being paid under a contract to provide
services. Also, there has been some advice issued regarding the
signing of a business associate agreement with another provider
even if you are not a business associate under HIPAA. However, your
lawyer would most likely tell you that it is never advisable to
undertake legal obligations when it is not necessary to do so.
The issue of “business associate” will, no doubt, continue to be
clarified by OCR as the implementation of the privacy regulations
proceeds, and you will receive that information in later issues of
The O&P Edge.
Sheila M. Press, Attorney, is president of Healthcare Compliance
Solutions, a company providing consulting services, including HIPAA
and OIG compliance, and customized compliance programs for O&P.
Contact her at 480.767.9477; e-mail [email protected]; www.hccsolutions.com.