
 

 Questions and Answers

 

04/02/2002
16 Q

PROBLEM - It is sometimes impossible to avoid oral communications being overheard. One obvious example is a busy emergency department. Although unavoidable, these are potential violations of the privacy rule as it is currently written.

A

PROPOSED RULE - The proposal would create the concept of "incidental uses and disclosures" and clarify that these are not violations "as long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information."

 

03/01/2002
15 Q

QUESTION: The following is an excerpt from a proposed contract for a lab software program. Do you think that this clause sufficiently covers all the necessary aspects under HIPAA? As part of customer support, the company will be allowed to dial into our system to witness reported problems and to help resolve. Once live, the lab software will contain patient demographics and test results.

The access to Customer's data and records required by Company X in performance of its obligations hereunder is anticipated to exclude patient data. However, to the extent that such access is available to Company X personnel in the performance of Company X's obligations hereunder, Company X agrees that it and its employees, agents, licensees, and subcontractors (hereinafter referred to as "Company X's Personnel") will abide by the Health Information Portability and Accountability Act ("HIPAA") and as they may be, from time to time, amended.

A

ANSWER: I'm afraid that you're going to need a full-fledged business associate agreement (or addendum as we drafted it). The software company is obviously performing a function for the hospital within the meaning of the business associate rule (see the definition in § 160.103 here). Since they have access to PHI, they qualify as a business associate.

As such, unless you can prevent their access to PHI, you are going to have to comply with all of the requirements of §164.504(e) (view the rule here). You can review the WorkGroups business associate Addendum here.

Sorry. Don't shoot the messenger!

 

 

02/25/2002
14 Q

QUESTION - A service that is provided usually through a BA in hospitals that deliver babies is photographing the newborn and providing the family the opportunity to purchase photos. Is this a service that could be listed in the notice of privacy practices and give the mother a chance to opt out or would an authorization be required? Could it be considered operations?

A

ANSWER - The simplest question can have the longest answers. First, the newborn photographing isn't treatment and it doesn't meet the definition of healthcare operations, so the hospital's consent won't allow the use of the information to solicit the photo sales.

However, it would be allowable under the marketing exception. Marketing is defined as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." §514 (e)(2) describes when and how PHI can be used for marketing communications:

(2) Implementation specifications: requirements relating to marketing.

(i) A covered entity is not required to obtain an authorization under § 164.508 when it uses or discloses protected health information to make a marketing communication to an individual that:

(A) Occurs in a face-to-face encounter with the individual;

(B) Concerns products or services of nominal value; or

(C) Concerns the health-related products and services of the covered entity or of a third party and the communication meets the applicable conditions in paragraph (e)(3) of this section.

Note, however, that (e)(2)(ii) provides, if the company makes the initial communication instead of the hospital:

(ii) A covered entity may disclose protected health information for purposes of such communications only to a business associate that assists the covered entity with such communications.

The communication that you make to the patient must meet the following requirements of (e)(3):

(e)(3) Implementation specifications: requirements for certain marketing communications. For a marketing communication to qualify under paragraph (e)(2)(i) of this section, the following conditions must be met:

(i) The communication must:

(A) Identify the covered entity as the party making the communication;

(B) If the covered entity has received or will receive direct or indirect remuneration for making the communication, prominently state that fact; and

(C) Except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributes to a broad cross-section of patients, enrollees, or other broad groups of individuals, contain instructions describing how the individual may opt out of receiving future such communications.

(ii) If the covered entity uses or discloses protected health information to target the communication to individuals based on their health status or condition:

(A) The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and

(B) The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.

(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications, under paragraph (e)(3)(i)(C) of this section, are not sent such communications.

Greg

 

02/19/2002
13 Q

Question - The earlier message noted that "not providing address, phone and fax numbers, etc. for the secretary in the Notice of Privacy Practices is easily supportable by the rules." If we do list address etc., do you think it should be of the Secretary or the Office of Civil Rights?

A

Answer - Another good question. §160.103 defines "Secretary" as "the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated." Conjunctions can sometimes be tricky, but the language appears to allow you to use either. Note that I can find no discussion in the preamble or comments one way or the other. I hope that helps.

 

02/06/2002
12 Q

Question - Please let me know your thoughts on whether nurses providing case management services to self-funded health plan members are considered healthcare providers or business associates of the health plan.

A

Answer - Although the comments to the rule at first appear to be on point, a closer examination reveals complete uncertainty on this issue. The comments state:

"To the extent that a disease or case manager provides services on behalf of or to a covered entity [i.e., a health plan] as described in the rule's definition of business associate, the disease or case manager is a business associate for purposes of this rule. However, if services provided by the disease or case manager meet the definition of treatment and the person otherwise meets the definition of "health care provider," such a person is a health care provider for purposes of this rule."

"Treatment" is defined in Section 164.501 as "the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."

The preamble to the rules contains the following statement in its discussion of the definition of treatment:

"We delete specific reference to risk assessment, case management, and disease management. Activities often referred to as risk assessment, disease and case management are treatment activities only to the extent that they are services provided to a particular patient by a health care provider; population based analyses or records review for the purposes of treatment protocol development or modification are health care operations, not treatment activities. If a covered entity is licensed as both a health plan and a health care provider, a single activity could be considered to be both treatment and health care operations...

 

 

01/21/2002

11. Q

 

Question - I have a scenario that I would like to run by you...

 

Peer Review Process-internal (we are considering this TPO). Some physicians on medical staff (not employees) see the medical records of a patient of Dr. Y for Peer Review.

 

1. We need to decide if the Medical Staff will be considered part of workforce or Business Associate for Peer Review (can some med staff be workforce and some not? we would have to list actual phys in consent?) We also have external physicians (company) that review the records (we will be requiring business associate agreement for external persons/companies)...

 

2. If we decide that they will be treated as member of workforce - we will need joint consent and notice?

 

The phys that is under peer review - and probably will lose privileges- wants to have copies of medical records in order to defend him/her self... I am thinking that this does not fall under TPO or business associates and would need authorization (does not meet any of the exceptions either)...??

A

 

Answer - Good questions! I'll break them up a little differently and try to work through them one at a time.

 

A. Is peer review activity considered TPO within the meaning of Section 506?

Yes, you are clearly correct. The definition of "health care operations" in Section 501 includes the following:

 

"Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities"

B. With regard to the physician/medical staff members who are on the committees, let's back up a little. Since the function that they are performing is "on behalf of" the hospital, they are clearly business associates unless they meet one of the exceptions. The exception that you are referring to is "member of the workforce," which definition clearly includes volunteers and is defined as follows:

 

"Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."

Assuming that you can satisfy yourself that they meet the "direct control" criteria (which includes using the PHI on the premises), you are correct that you can treat them either as a member of the workforce or as a business associate. In either event, the hospital's consent, which covers peer review (see above), will cover disclosure to and use by these physicians for this purpose. No joint consent or notice is required at this level.

 

That analysis is different from whether they are part of an "organized health care arrangement," which is defined as follows:

 

"Organized health care arrangement means:

(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;

(2) An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:

(i) Hold themselves out to the public as participating in a joint arrangement; and

(ii) Participate in joint activities that include at least one of the following:

(A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;

(B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or

(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.

(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;

(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or

(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans."

OHCA's are an optional status. That is, providers can use the OHCA status (the classic example is, of course, the hospital medical staff) to do joint consents and notices. It is not required, however, and really has no direct bearing on use by the hospital of its own records to have peer review performed by its own staff physicians.

 

C. With regard to the external physician reviewers, you are correct that they are business associates and will require an agreement.

 

D. Can some physicians be workforce members and some business associates? The answer to that is yes. Whether someone is a business associate is a functional test, not a positional test (i.e., what position do they hold). If the function they are performing is on behalf of the hospital, and if they don't meet the workforce or other exception, then they are business associates. Therefore, the analysis should be made on a "case-by-case" basis, and will very probably lead to different results for different physicians.

 

E. The hardest part of your question concerns access by the physician who is subject to the review. You are correct that the consents that he/she and the hospital obtained would not permit the transfer of the information between them for these purposes. However, R.S. 13:3715.3 (the peer review confidentiality statute) arguably requires the hospital to give those records to the physician, and that disclosure therefore falls under the "required by law" exception in Section 512(a). However, if I were representing the hospital and I didn't want to release the records, I would certainly argue that HIPAA prevented the disclosure and I would make the physician go to court and try to force me to do it.

 

Greg Frost

www.HIPAAPrivacyWorkGroups.com

1-800-841-8240

225-929-7033

 

01/18/2002

10. Q

 

Question - If we use a third party administrator, are we still considered a "health plan" under HIPAA if we have a self-insured health plan for our employees?

A

Answer - Yes, you will almost always be covered. § 160.102 makes the regulations applicable to "group health plans" which are defined, by reference to the ERISA definitions, to include almost any payer or medical payment system that:

"(1) Has 50 or more participants ...; OR (2) Is administered by an entity other than the employer that established and maintains the plan."

Therefore, the third party administrator actually makes all health plans covered, even the ones with less than 50 participants.

The one interesting exception to group health plan coverage is when the employer provides "coverage for on-site medical clinics." That is, if the employer only provides these clinics (for example, a large unionized employer where the union provides the health insurance coverage), the clinics don't make it a "health plan." However, as the preamble states, "while coverage for on-site medical clinics is excluded from definition of "health plans," such clinics may meet the definition of "health care provider" and persons who work in the clinic may also meet the definition of health care provider."

All of the HIPAA regulations are on the HIPAA Privacy WorkGroups website and the definition of "group health plan" can be found in § 160.103 Definitions.

We will provide links to the other provisions referred to in the definitions so that you can see the full definitions.

 

Greg Frost


 

 

 

01/18/2002

9. Q

 

Question - Vendors have approached our hospital's Medical Records and Radiology managers insisting that HIPAA mandates that all medical records (including films) must have a backup original by 2003. They also state that such original backups must be stored at least 25 miles from the original to minimize the risk of loss. Any thoughts?

A

Answer - The closest privacy provision to this requirement is in the "safeguards" standard in §164.530 (administrative requirements), which requires that "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the PRIVACY of protected health information." (emphasis added).

The preamble references to this section make it clear that the 'safeguarding' that this section requires is not preservation but protection from misuse. It notes that "the proposed HIPAA SECURITY Standards would require covered entities to safeguard the privacy and integrity of health information." (emphasis added). I could find no reference anywhere in the preamble or comments to requirements in the privacy rules for protecting data integrity.

I would therefore suggest that the makers of these statements be asked to "put up or shut up" and identify the specific requirement they are referencing. If they do, please share it with the list. Thanks.

 

Greg Frost


 

 

01/07/2002

8. Q

 

Question - Let me see if I understand HIPAA re: psychotherapy notes. Correct me if I am wrong. We have a psych unit in our hospital. A medical chart from the psych unit is treated no differently from a HIPAA standpoint than any other medical chart. And this is because, by definition, anything in the chart is not a "psychotherapy note." Is this correct?

A

 

Answer - I know that it seems odd, but you are correct. Part of the definition of psychotherapy notes is the requirement that they are not part of the "regular" medical record. As the comments state:

"Although all psychotherapy information may be considered sensitive, we have limited the definition of psychotherapy notes to only that information that is kept separate by the provider for his or her own purposes. It does not refer to the medical record and other sources of information that would normally be disclosed for treatment, payment, and health care operations."

The rule has no "special category" other than psychotherapy notes, and treats all other information the same. Therefore, except for those "process notes [that] capture the therapist's impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record, and are used by the provider for future sessions" which are kept separate from the medical record, mental health information is treated no differently from physical health information under HIPAA.

Part of HIPAA training and implementation may very well be educating your therapists to this distinction so that they can use it to provide extra protection for that sensitive information that doesn't actually have to be in the medical record.

Greg Frost


 

 

 

01/03/2002

7. Q

 

The following question came up at the 2001 Louisiana HIPAA Conference:

Question - Is a medical staff member a "business associate" when performing (1) uncompensated committee work, or (2) paid administrative duties, such as medical directors?

A

 

Answer - While there is no explicit answer, if they perform their work "on site", and the PHI to which they have access is not removed from the Covered Entity's premises, it appears that the Covered Entity can elect to treat them either as a member of its workforce or as a business associate. If the PHI is removed from the premises, then there must be a business associate agreement.

Analysis for Answer - A business associate is defined in §160.103 as follows:

"(1) ... business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement ... in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person."

Since both volunteer medical staff committee service and paid administrative duties fall within the above definition, the member would therefore have to be either a member of the "workforce", or would be a business associate.

"Workforce" is defined in §160.103 as follows:

"Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity."

The Preamble includes the following discussion concerning where the work is performed:

"In addition, we clarify that if the assigned work station of persons under contract is on the covered entity's premises and such persons perform a substantial proportion of their activities at that location, the covered entity may choose to treat them either as business associates or as part of the workforce, as explained in the discussion of the definition of business associate. If there is no business associate contract, we assume the person is a member of the covered entity's workforce. We note that independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists."

On the subject of removing the PHI from the Covered Entity, the comments explain:

"If the volunteer performs its work off-site and needs protected health information, a business associate arrangement will be required."

Regarding whether volunteers are treated differently than other employees, the comments also note:

"We believe that differentiating those persons under the direct control of a covered entity who are paid from those who are not is irrelevant for the purposes of protecting the privacy of health information, and for a covered entity's management of its workforce. In either case, the person is working for the covered entity."

Related Question(s) - What are the advantages and disadvantages of treating someone as a member of the workforce, or as a business associate? (Answer tomorrow)

 

12/30/2001

6. Q

"I was asked by someone if HIPAA had any requirements as far as transportation of patients. The specific question had to deal with transporting patients on elevators which the public also uses. I had not thought of this as an issue with regards to HIPAA and told them that I did not think it would have an impact on this aspect of the facility but I thought I would see if anyone else has had this issue raised."

 

A

 

There are no provisions that deal specifically with elevators, hallways or public areas that I could find. The section below is from the July 6, 2001 Guidance and offers some indirect help. Although it deals with "oral communications", there is no practical difference between seeing a patient and overhearing a conversation. The following makes two important points:

(1) These types of communications and, by implication, observations, ARE disclosures within the meaning of HIPAA. It is therefore appropriate to ask the question.

(2) Providers will not be required to prevent such "disclosures" by building provider-only elevators or excluding the public, but you will be required to take those precautions that are reasonable. Examples might be covering the patient's name or making sure that the chart isn't visible.

These are part of the policies and procedures you will have to develop.

If anyone has seen any other discussion on the issue, let us know.

Greg Frost

 

 

5.

Q

 

When an attorney requests medical records and billing information, unless the authorization specifies release of billing information, the Business Office would not be able to release a payment history or an itemization of charges. Correct?

A

 

You are correct. §508(c)(1) describes the required content for all authorizations, and the first item on the list is "A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion." Therefore, if the billing information is not identified, it would not be included in the authorization. Unless there is some other provision under HIPAA which would allow you to release the records (which depends on the particular circumstances but which will probably not be true), it would therefore be a violation of HIPAA to release the billing information unless it is covered by the authorization.

 

This is an excellent point, and I'll amend the sample authorization form accordingly.

 

4 Q

 

I am the Privacy Officer for our organization.  I have a question, and I think I am making it too complicated for myself.  So I need your advice.

When contacting patients to remind them of their appointment, our receptionist asks for the patient.  Sometimes the patient is not home or the other person on the line asks who's calling.  My dilemma is can the receptionist say where she is calling from?  Because the physician that I work for is a gastroenterologist some might say that just admitting that the person is a patient here, relays something about his/her medical condition.  I know that other physician offices do it all the time, but is it right?

Not only does the receptionist do it, but the billing department, nurses, and other areas ask the same questions.  Also how much can we say on the answering machine?

We need a specific policy, I know.  I would like to know if you have anything that I can model our policy from.

A

 

I don’t think that you are making it too complicated. I’ll answer the question in two parts – pre-HIPAA and HIPAA.

 

Before HIPAA, what you are describing is possibly a very technical violation of Louisiana’s privilege and confidentiality requirements. However, as you noted, no one ever complains, and it is highly doubtful that you would ever really have a problem. Nevertheless, it is another reason to start using the HIPAA consent and privacy notice now, since they make it clear that you are going to use the information for notification purposes.

 

After HIPAA, when we will be required to get consent and provide the notice of privacy practices, your current practice (implemented carefully) should not be a problem. §510 allows notification to family members, as follows:

 

(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes.

 

(1) Permitted uses and disclosures. (i) A covered entity may, in accordance with paragraphs (b)(2) or (3) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care.

 

 

3c.

Q

 

Is there any reason not to get multiple consents?

A

 

No, there doesn't appear to be any problem, except that each presumably will modify the one before it. However, since they will be tied to the Notice of Privacy Protection anyway, those changes will be carried forward. We may want to add the following language to our model consent:

 

"This consent is in addition to any other consent by or for the patient to the healthcare provider to use protected health information for treatment, payment and healthcare operations, and any such prior consent signed by or for the patient shall be revoked or superseded by this consent only to the extent that this consent differs from the prior consent."

 

3b. Q

 

Does a consent to release for treatment, payment and healthcare operations have to be obtained for each date of service?

A

 

No. That fact was made crystal clear in the July 6, 2001 Guidance, which said:

 

"A health care provider needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A provider will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments."

 

3a.

Q

Member Question: "It was my intent to combine a consent for treatment, consent to disclose health info, and assignment of benefits. But since I understood in the last WorkGroups session that it is necessary to obtain the consent once and it remains valid until revoked, it may be preferable to keep the consent separate. I was under the impression that a consent to disclose health info would have to be obtained for each date of service."

 

Can you combine consent to release for treatment, payment and healthcare operations with an informed consent for treatment and an assignment of benefits?

A

 

Yes, in fact the rules specifically use that combination as an example. §506(b) (3) & (4) provide as follows:

 

(3) A consent under this section may not be combined in a single document with the notice required by § 164.520.

 

(4) (i) A consent for use or disclosure may be combined with other types of written legal permission from the individual (e.g., an informed consent for treatment or a consent to assignment of benefits), if the consent under this section:

 

(A) Is visually and organizationally separate from such other written legal permission; and

 

(B) Is separately signed by the individual and dated."

 

2.

Q

     

Would an attorney who represents us and responds insofar as Chapter 13 bankruptcy cases be considered a business associate?  Or, is this considered an exception and the info could be disclosed without the guarantor's consent?

A

     I think that the attorney would clearly be a business associate, either under "claims processing" or "legal".  See the following:


       § 160.103 Definitions. Except as otherwise provided, the following definitions apply to this subchapter:


Business associate:
(1) ... business associate means ... a person who:
               (i) On behalf of such covered entity ... , but other than in the capacity of a member of the  workforce of such covered entity ... , performs, or assists in the performance of:
                         (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration ... ; or
               *      *      *
               (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, ... financial services to or for such covered entity, ... where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

1.

Q

     

 Under HIPAA, can we still give physician offices the information they need from the hospital record in order to file their own claims?

A

The answer to that question appears to be generally no, or at least not
directly.  §506(a)(5) states:

"Except as provided in paragraph (f)(1) of this section [see below], a
consent obtained by a covered entity under this section is not effective to
permit another covered entity to use or disclose protected health
information"

The comments to §506 make this even clearer when they note:

"We also permit covered entities to seek authorization from the individual
for another covered entity's use or disclosure of protected health
information for these purposes [i.e., payment, treatment and healthcare
operations]."  (p. 82649)

The clear implication of the term "authorization" is that you can't use
consent for that purpose.  The only exception, therefore, is that in f(1),
which provides:

"Covered entities that participate in an organized health care arrangement
and that have a joint notice under § 164.520(d) may comply with this
section by a joint consent."

The definition of organized health care arrangement is found in §501 and is
relatively complex, but the preamble to the rule notes that:

"Perhaps the most common example of this type of organized health care
arrangement is the hospital setting, where a hospital and a physician with
staff privileges at the hospital together provide treatment to the
individual."  (page 82494)

It would therefore seem possible, if the physician and the hospital have a
joint notice of privacy policies and the consent lists the physicians
specifically.  I understand that this is at best cumbersome and may not be
possible, but it is at least worth considering.