HIPAA Privacy Rules Questions & Answers

Here are some of the HIPAA privacy rule questions asked of Bob Belfort, of Manatt, Phelps and Phillips, LLP at our "HIPAA: Ask the Lawyer" session held on April 29, 2003. (Due to inaudible portions on the tape, some questions and answers are not included in this presentation.)

Q. If you are subpoenaed to testify in court what protection is there for a client’s privacy?

A. According to both New York law and HIPAA, you are allowed to provide PHI (Protected Health Information) in response to a court order without consent of the client. However, New York law does not permit you to disclose mental health records in response to an attorney’s subpoena; there must be a court order. If you are compelled to appear in a court proceeding, you may decide to request a protective order, through your lawyer, to have the testimony provided in private, but the law does not require it.

Q. We have a privacy policy which is HIPAA compliant, but it doesn’t refer to NY State law. I am confused: do I need to reference NY State law in my policy and, if so, how do I do it?

A. There are two problems. You don’t need to reference NY Law specifically, but the privacy law does say that other applicable laws may restrict the way you would otherwise be able to use information under HIPAA. The privacy rule specifically obligates you to incorporate those stricter rules into your privacy notice.

The policies I draft usually have paragraphs that relate to HIV related information or substance abuse treatment records. If it is for a non-mental health agency I might put in a special paragraph about mental health information. When you’re doing it for a mental health organization I don’t think it makes sense to list the HIPAA rule and then say, oh by the way, if you have mental health information this other stricter rule applies. I think you’ve got to integrate the New York law into your notice. The degree of detail is somewhat in your discretion, but the rule says it is sufficient to let people know what those restrictions are.

Q. Do you have separate authorizations for HIV and HIPAA?

A. That is a matter of preference. Some organizations like to have them separate, but I don’t think you have to do that. There is some benefit to integrating all of them because some information may contain both mental health information and HIV or mental health information and substance abuse information or all three. So, you don’t want someone to sign three different authorizations. It is not that difficult to integrate the requirements of the federal substance abuse treatment rules, HIV laws and HIPAA into a single authorization. The only thing I would be careful about is a provision in the HIV law that says you can’t use an HIV release that isn’t the official state form unless it has been approved by the state. I would at least make sure that everything in the official state form is in your authorization form. Then I think you’ll probably be OK.

Q. Regarding disclosure of substance abuse treatment and HIV status. Our intake screening requires that we review substance abuse history and treatment. If we are asked by another agency to give information about a client and we send the screening, are we required to delete the information regarding treatment of substance abuse? If a patient admits to having gone to AA or continues to go to AA — is that considered treatment?

A. The federal substance abuse rules apply to a subset of information that is called "records of federally assisted substance abuse (meaning alcohol or drug abuse) treatment programs". So the first thing you have to do is figure out whether a record that you’re transferring is a record from the federally assisted substance abuse treatment program. The federal confidentiality rules don’t apply to all substance abuse information. For instance if you go to a private counselor for substance abuse treatment, those records are not subject to federal protection. It is only federally assisted substance abuse treatment records which require protection.

Now, the definition of federal assistance is pretty broad, so that any institutional provider that is receiving Medicaid for federally supported reimbursement, that constitutes federal assistance. But generally, if you are not providing -- or the record is not being created in the course of providing -- a substance abuse treatment service, then it is generally not going to be subject to the federal rules. So, if you do a questionnaire and somebody says yes they went to AA, that is generally in the course of providing a mental health service and it’s not generally subject to the federal rules. If you do have a substance abuse treatment program, then any records you create during the course of that program are going to be protected. If you get substance abuse treatment information from another facility that provided substance abuse treatment and those records are protected, then the protection continues to apply once you get the records. So you can’t re-disclose that information without authorization.

I see no harm in getting a HIPAA authorization. One of the benefits of having a single form is that you can use it for any purpose. You can use the HIPAA form and it will generally be compliant (with the federal substance abuse rules) if 1) you specify that it is substance abuse treatment information that you’re disclosing and 2) you attach the warning about re-disclosure to the records when you send them out. That is one of the ways those rules are different than HIPAA.

Q. If a patient asks to look at his file and you feel that, even though the person may not injure himself or others, the information will be harmful, are you still required to show him the file?

A. If the subject of the information is the one requesting it: YES. This is a preemption question. Preemption questions are complicated, but the basic rule is that state law is preempted if it is contrary to HIPAA, unless it fits within an exception to preemption. One of the exceptions to preemption is that the state law is more stringent. ("More stringent" in the context of an access request by the subject of the information means that the law provides a greater level of access.) So in this case HIPAA is more stringent than state law when the subject of the information is requesting access. You have to follow the HIPAA rule.

If it is someone other than the client, like a personal representative of the client, then it gets a little more complicated because the rule says that the law is more stringent if it provides greater privacy protection to the subject of the information. So for instance, if the parent is asking for information about the child, you have a lot more flexibility to deny access to that information. There is a special provision under HIPAA that says you can deny access if you think it will cause substantial harm to the child. And you might even say that a state law that was more restrictive provided greater privacy protection to the subject of the information. But if it is the subject of the information, the patient themselves, who is asking for the information, you have to follow the more stringent law which provides greater access, which in this case is HIPAA.

The only way you can deny access to the subject of the information is if it fits within one of the HIPAA exceptions. For example: if the information is prepared in anticipation of litigation; if it’s psychotherapy notes; or if someone who is a licensed healthcare professional says that there is a reasonable likelihood that the information could endanger the life or physical safety of the patient or another person. You have got to find a HIPAA exception in order to deny the subject access to the information.

There are two sets of exceptions:

Non-reviewable: psychotherapy notes; information in anticipation of litigation; information which is not part of a designated record set (information which is not medical records, billing records or other information used to make decisions about health care); you received the information under a promise of confidentiality made with someone other than another health care provider.

Reviewable grounds: the request is by a personal representative and you decide that the disclosure may cause substantial harm to the patient or another person; the request is made by the subject and the disclosure might endanger the life or physical safety of the subject or another person; or the information includes a reference to another person, other than a health care provider, and the professional determines that access is reasonably likely to cause substantial harm to the other person.

Q. Does a landlord need to sign a business associate agreement?

A. Landlords will not want to agree to abide by all these confidentiality rules. They just want to fix the plumbing, take rent, etc. Instead of having the landlord sign a business associate agreement, you could treat the disclosure as outside the scope of treatment, payment and health care operations, and get the client’s authorization. Then, it may be easier to have a simple paragraph in the lease which says that you (the landlord) agree that you will only use the information we give you about our tenants for purposes related to providing housing services to them. These services might include collecting rent, fixing things, evicting people and whatever it is that they have to do, but they are not going to use the information or sell the information or do something else with it that is totally unrelated to the services. Even when the lease is in the name of the agency you still need to provide certain information to the landlord. You should either take the business associate approach or the authorization approach.

If you, the agency, are paying rent to the landlord, you should have them sign the business associate agreement or tell your clients that the authorization form they are signing includes disclosing information necessary for you to pay rent on their behalf. It may be easier to have the client sign the authorization form than to get the landlord to sign a business associate agreement.

Q. If the authorization is good only for a limited time, does that mean you’ve got to get the client to re-sign every time it expires?

A. Under HIPAA there is a lot of flexibility about how long the authorization can be in effect. I don’t think it has to be a specific date, it could be an event that is linked to the purpose of the disclosure. I would be fairly comfortable saying that the authorization is valid for as long as they reside in that particular building. And that would be linked to the reason you are disclosing the information.

Q. Are malpractice carriers business associates? What are other types of business associates? Employees?

A. Yes, malpractice carriers should be treated as business associates. General liability insurers are also business associates.

Any outside consultants you hire to do quality assurance or chart reviews, any types of compliance audits, or billing audits should all have business associate agreements.

Q. When is an employee health benefit plan subject to HIPAA?

A. If you are fully insured, meaning that you purchased health insurance from a commercial insurance carrier and you don’t receive protected health information from your insurance carrier, then HIPAA provides an exemption from compliance with the privacy rule by the health plan. You have two very minor obligations, but your group health plan effectively doesn’t have to appoint a privacy officer or issue a privacy notice with policies and procedures and all that stuff. The belief has been that all group health plans that are sponsored by small organizations that are not self insured are going to have very minimal obligations under HIPAA. (For guidance on the Treatment of Flexible Spending Accounts under HIPAA, please see our website.)

Q. We are considering self insuring for dental. Does that mean that we now will have access to PHI and need to comply with HIPAA?

A. It doesn’t matter. It doesn’t matter whether you have access to PHI because as soon as you self insure you’re no longer eligible for the fully insured exception. So, if you self insure you are a covered entity that has to comply with all of the requirements of the rule. If you are not handling PHI, your policies and procedures are likely to be relatively simple because there is no information you are safeguarding. But you will still have to have a privacy officer and you still have to issue a privacy notice to your employees.

Q. We have foundations who are giving our clients money and then want reporting back from the agency. Can we provide this information back to the foundation?

A. If the money were going to you, I would say that you can provide information back to the foundation because it’s payment. It’s the same thing as providing information to an insurance company. But if the money is really going to the client and you don’t really ever take possession of the money, nor is it reimbursement to you for any services you provided, then I think you’re outside the scope of your own payment activities and you would have to get the client’s authorization to share the information.

Any type of reimbursement that you get for services whether by Medicaid, a private insurance company, a foundation providing a grant, or a government agency providing a grant, you are allowed to share information with the person paying you in order to get reimbursed, without getting an authorization.

Q. People are sending me Business Associates Agreements. We have a Medicaid waiver program, CDT and people who provide services are sending me BA Agreements. When I call them I say I don’t believe I need to sign this because we are providing treatment. They say well, it would make us feel better and I don’t believe that I need to sign a contract to make people feel better. So I am at somewhat of an impasse: Contracts are piling up on my desk and I’m not signing them.

And I’m having an issue with HIPAA meaning what people want it to mean. I had a patient in the hospital. The hospital calls and they want some information. I feel that they don’t want to use the information in the patient’s best interest, as they want to do something that I know that patient doesn’t want. They said you have to give it to me, it’s HIPAA. At the same hospital, when I call wanting information about the same patient, they say we can’t give that to you, it’s HIPAA. This is getting to be an issue with me and I’m not clear about how I can resolve things, because everybody’s the expert.

A. You’ve raised a couple of different scenarios. The second scenario is a little easier to deal with. If the hospital asked you for information, and you don’t want to give it to them, you are not obligated to give it to them. All HIPAA says is that you may disclose information for treatment and health care operations without the authorization of the client. It doesn’t mandate that you give information to anybody except when HHS comes in to do compliance audits. That’s the only provision in HIPAA which mandates that you give information to anyone other than the subject of the information under the access provision. So you’re not obligated to give any information to any provider who asks for it. Even when you don’t have to get authorization to give them the information under the law, you still retain your rights to decide that it’s not in the best interest of your client to give this out, or to talk to your client before you give it out, or to do whatever you think is appropriate.

It seems that what doctors have learned from their HIPAA training is not to give information to anyone. So, I would find the person at the institution who actually knows something: whether it’s the privacy officer or in-house counsel or somebody who is the designated person there. Find someone who is not just going on instinctive defensive reactions and is actually thinking about things. And, what I’ve found when you get the right person is that they can call the person who is giving you a hard time and usually you can work it out. I wouldn’t beat my head against the wall with the person who is just saying "no, no, no, I could go to jail if I give you this information."

As far as the business associates agreements, there is definitely the need for some sort of non-proliferation treaty. I don’t know why this is happening, but I’ve heard this from a lot of people. I think you are absolutely right about not signing things you don’t have to. You’re committing to legal obligations to which you have no reason to commit.

Q. What if you have a CPA or malpractice carrier who will not sign a Business Associates Agreement?

A. If the CPA is providing an audit on behalf of a health oversight agency, then they are not your business associate because they are not providing a service to you. If it’s your own accounting firm, which you hire, that won’t sign the Business Associates Agreement I’d be surprised by that and would consider telling them that you might be hiring another firm. Any accounting firm that is familiar with the health care industry, which presumably is the kind you have, should know about this and should be complying cooperatively with you. Just like every law firm.

It’s a tough issue with the malpractice carrier and it’s not as easy to replace the coverage. The Business Associates Agreement provisions of the rule allow you to report a privacy breach with a business associate. If you deem that termination of the contract is not feasible you can report the problem to HHS but that exception doesn’t apply to signing the agreement in the first place. There is no process for letting HHS know that one of your business associates won’t sign and that it is not feasible to replace them with someone else. So, I don’t have a great answer for that. If you can threaten them or have other options I would do that, if not…I don’t have a great answer.

Q. How do we know exactly who our business associates are?

A. Generally you want to ask yourself three questions.

1) Do you share PHI with this person or entity? If you don’t share PHI then they are not your business associate. If you do share PHI go to step two.

2) Is this person or entity providing services to you or on your behalf? This means they’re your vendor or contractor or service provider. They are not a health oversight agency, they’re not a provider that you just have a referral relationship with, and they are not a health plan providing coverage to one of your clients. They really have to be your service provider or vendor. If they meet these two criteria, then they are your business associate. But then you need to go to step three to find out if there are exceptions.

3) Do any of the exceptions to the business associate definition apply? The exceptions that are most likely to apply are: 1) The person or entity is a provider rendering treatment, 2) The person or entity is a conduit for information — meaning they are a messenger service, AOL, Federal Express, the US Post Office, 3) They have incidental access to PHI, meaning they don’t really need the information to carry out their job, but they might stumble across it, like a cleaning service company, or the photocopier repair guy, or the person who fixes the plumbing or whatever it is.

If you ask yourself those three questions you’ll know who your business associates are.

Q. What specifically needs to be included in a Business Associate Agreement?

A. You need to look at section 164.504(e) of the privacy rule and that will tell you what you need to include. In particular section (e)(2). (45 CFR 160 and 164.504(e)(2))

(The Security rule is also in 45 CFR 160 and 164.) Basically it says you have to identify permissible uses and disclosures of information. There need to be safeguards: they will only use the information as necessary to carry out their duties or provide services to you or otherwise as required by law; there need to be similar assurances from their subcontractors; they will assist you in accommodating patient access requests, patient rights, etc. There is a model in the Coalition’s tool kit.

Q. What documentation is needed to identify a program as a hybrid entity?

A. All the rule says is you have to document the designation. That generally means you would have some sort of written policy that incorporates the hybrid designation and specifies in the policy what programs are part of the health care component and what programs are not.

Q. Does a hybrid entity need business associates agreements with other parts of the agency? For example fiscal and clerical support partners that might see PHI?

A. The answer is NO. The hybrid entity provision of the rules says that any centralized support function of the fiscal department or billing department or in-house counsel or whatever, those people who provide support to multiple programs can be included in the healthcare component. Essentially your healthcare component would be the programs that are covered entities standing alone plus others performing centralized functions that provide support for those programs. The only thing to be careful about is that the people who are performing those centralized functions can’t use information that they’ve obtained from the healthcare component for purposes related to the non-healthcare component. The people who are in the support area should be HIPAA trained.

Basically the idea is, let’s say that you have a mental health clinic and a recreation program. You’ve decided that you are a hybrid and the mental health clinic is covered and the recreation program is not. And you have a billing department that does the billing and the fiscal oversight for everything. The people in the fiscal department can’t take information they’ve gotten from the mental health clinic and give it to people who are involved in running the recreation program because that’s not a disclosure for TPO -- unless you’ve decided that recreation is treatment. Basically you have to treat the recreation program as if it were an outside entity so the person who has that information has to draw a line down the middle of their brain and not use the information they take from one program for purposes of the other.

Q. Is an authorization required for disclosure of an incident report?

A. Incident reports that you file are going to be permitted without authorization either because they are required by law, or because it’s for health oversight purposes. You can disclose whatever you are required to disclose in order to comply with state law. HIPAA shouldn’t affect that.

Most issues that have come up with incident reports relate not to the disclosure of the incident reports to the oversight agencies but to what happens when one of the people involved in the incident tries to exercise their right to access records. Generally those records are confidential under state law and then you have to analyze that in relation to the HIPAA access rights. So let’s say that the victim of an incident requests access to their records including the incident report and the incident report mentions others. The first thing you have to decide is whether the State confidentiality rule that protects incident reports is preempted by the HIPAA provision which grants access rights to the client. I think the answer has to be that the state law is preempted, because the subject of the information has greater access rights under HIPAA than state law.

However, you are only required to provide access to information that is in the designated record set, and the designated record set means a) medical records, b) billing records, c) any other records that are used by the agency to make decisions about the individual. It’s the third one where we get into a mushy area. Because fundamentally the incident report is not about making decisions about the client, it is about a report to an agency to meet your legal obligations and perhaps to take certain precautions about how you run your agency in the future. However there are certain cases where the incident report might recommend some sort of corrective action which does affect the treatment of the people who are involved in the incident. There is an OMH regulation (or OMRDD) that says that you’re supposed to keep the incident report separate from the basic records but reflect any treatment related information that is included in the report in the clinical record. So my conclusion is, if you do that, then the incident report should not be part of the designated record set because all the treatment information in the report is in the basic medical record and there is no additional treatment related information that would be in the incident report. This hasn’t been clarified by HHS yet; this is my take on it.

The disclosure of the incident report must be accounted for in the clinical file and the reason for the disclosure, but the information in the report does not have to be revealed. The fact that you filed an incident report is not confidential; what is confidential is the report. You have to account for the fact that you disclosed PHI even if that report is not included in the designated record set.

Q. What can we do in a clubhouse environment to ensure HIPAA compliance? Club members have access to PHI, i.e. names and addresses; they do outreach to club members and enter attendance into the members database. These activities are integral to the working of the club.

A. I wouldn’t assume that they are not in line with privacy regulations. First, HIPAA doesn’t prohibit group therapy or other reasonable arrangements where patients unavoidably learn things about one another if it is part of the treatment process. The fact that people are learning each other’s names is not an improper disclosure under HIPAA. To the extent that you have members that are essentially functioning like volunteers of the clubhouse to administer the clubhouse services, then you might want to treat them as members of the workforce (the definition of workforce under HIPAA includes volunteers) and provide them with some basic training about confidentiality to meet your training requirements. I don’t think you are barred from using club members under HIPAA. (HHS has made it pretty clear that sign-in sheets are OK as long as they just have names and no information about treatment.)

Q. We have a Project Liberty contract which involves peer outreach and a warm line. We do not maintain individual client charts but outreach workers facilitate groups in various locations and have people sign in. These sign in sheets are then maintained as records of service. I have no idea what to do in this regard. I can’t see how the workers can present notices of privacy practices while doing outreach. I am wondering if there are any Coalition members who have similar issues and if they had come up with any solutions?

A. My guess is that this program can be carved out, so the easiest thing to do would be to declare yourself a hybrid.

Q. I noticed on the OMH website they have developed a separate authorization for photographing and/or video taping. Is there a reason a regular authorization could not be used for this purpose?

Is there any standard language for the expiration event in terms of use of the photograph in agency publications and/or website?

A. I don’t see any particular reason why a separate authorization for taping is necessary as long as the authorization makes it clear why you are using the information. I don’t know why they developed a separate form. It is not necessary under HIPAA.

As far as the expiration dates are concerned, the only time you can effectively have an indefinite ending date is for a research study. This is the only time you can say "none" for the expiration date. In all other cases you need to have some date or event upon which the authorization expires. Examples: the authorization expires when the student leaves the school; if the photo is in a publication, you could say that the authorization is in effect as long as the publication is being distributed.

Q. My agency provides different programs, some are health care and some are not. In one of the programs we have an interpreter referral service and our mental health clinic sometimes needs a deaf interpreter for their mental health meetings. The staff may be discussing clients or have a conference with the client present. In these cases they would call in an interpreter and the mental health care program pays for it. The question is, is the interpreter part of our workforce or are they a business associate?

A. If the interpreter is a W2 employee then they are part of your workforce. If they are not a W2 employee, and they are providing services onsite, you have the option of treating them either as a member of your workforce or as a business associate. If you treat them as a member of your workforce then you have to train them and take responsibility for what they do. If you treat them as a business associate then you don’t have to train them but you have to have the business associate agreement. It’s really your choice.

Q. We are a clubhouse and have two mailing lists: one has the names of clients and the second list has names of family members / relatives. I understand going forward we can use authorizations to continue to do mailings. We often use the combined lists to send out newsletters. We also use the family member list separately for an annual appeal. Is there anything we need to be concerned with regarding that?

A. If names on a mailing list are obtained through provision of treatment to the client, then that is part of the protected health information. You can use that information if you get authorization from the client. The exception is that you can use basic demographic information like name, address and dates of service, without any health or medical information, for fund raising purposes. You must include in your mailing a notice that they can opt out of future mailings if they want to. You have a choice. You can use the lists pursuant to authorization or fit your use within the fund raising exception.

Q. I understand that we need to maintain accounts of incident reports in the client’s file. What about internal reports discussing QAI meetings and healthcare oversight and operations?

A. Accountings only apply to disclosures. Disclosures mean transmission of information outside of the agency. Internal use of the information is not subject to an accounting. Authorized disclosures are not subject to an accounting.

Q. HMOs call up to get information not for payment reasons but to meet the QARR Standards. Should that be accounted for?

A. No. The privacy rule allows you to disclose information to another covered entity for quality improvement activities of another covered entity. The disclosure to the HMO would fall into that category. If the government comes in to do some sort of quality audit then that is something to be accounted for. (They are an oversight agency and have a right to see the information, but are still subject to an accounting.)

Q. We are having a problem determining the appropriate internal sanctions for HIPAA violations. I am having a problem determining how strict to be. For example if a clinician leaves their office open with medical records in there and a security officer walks by they’ve violated HIPAA. How do you determine how to follow up with staff and when do you determine when you should do something serious with them?

A. These are the same kind of issues as with all HR issues. Factors to keep in mind: Is this a first violation or a repeat offender? Was it negligence or intentional? Was it a failure to comply with an administrative requirement or improper use or disclosure of information? Those are the kinds of things I would reflect in my sanctions policy and some of them may trigger a warning and some may trigger a termination. My only advice is to leave your policy general and flexible, because you can never anticipate individual circumstances and you don’t want to have to do something that’s contrary to your policy.

Q. Is encryption necessary for electronically transmitting PHI?

A. If the communication is internal or over a virtual private network and the public doesn’t have access to those networks then you definitely don’t need to encrypt information. If you are transmitting information over the Internet then the final version of the security rule says, you are supposed to conduct a risk assessment to evaluate whether you should encrypt. And you should encrypt if feasible. If not, you should consider alternatives to safeguard the PHI.

The initial proposed security rule obligated you to encrypt over public networks, and that has now been made more flexible. So, if you are not going to encrypt, at least you should have a paper trail that documents why you’re not encrypting. If you are sending information every day to a certain party, then you may decide that each of you purchase compatible encryption software. Since the volume of communication with the party is so high, it’s worth the investment to set up an encryption protocol. If you’re transmitting to someone on an occasional basis or transmitting to hundreds of different people, right now from what I understand it’s not really feasible to set up encryption in that situation. You may want to explore new products where you send all email to a vendor’s website and they encrypt the information for you and they deal with compatibility issues. The bottom line is to go through the process to determine what is feasible.

Even though the security rule doesn’t go into effect until 2005, you still need to have administrative and technical safeguards under the privacy rule. These safeguards are not defined anywhere, and there is some uncertainty about whether you should be looking at the security rule for guidance about what the privacy safeguards should be. There are certain basic things in the security rule that I would integrate into the privacy compliance policy. Password protecting your electronic information is kind of fundamental and should be part of your privacy practices. Some of the more technical requirements, like encryption, I think could be deferred until 2005.

Q. The court will often ask us for a letter saying how many appointments somebody had with our staff. Is it necessary for us to account for this disclosure?

A. It depends on what basis you’re making that disclosure. Those disclosures can be made based on the authorization of the client or can be made in response to a court order. Typically what happens in court ordered treatment is that the court doesn’t technically issue you an order to disclose. It tells the client: go get treatment, and if you stay with this treatment you won’t be sent to jail. The client then comes in and you have them sign an authorization form that authorizes you to give information to the court. That’s what you should be doing if there is no court order. Those disclosures are now pursuant to a client’s authorization and therefore not subject to the accounting requirement. If you get a court order to disclose, then that is subject to an accounting.

Q. Does HIPAA require agencies to obtain consent to receive treatment?

A. HIPAA doesn’t have anything to do with informed consent. HIPAA is solely focused on the use and disclosure of PHI. You should continue to follow state law when it comes to informed consent; HIPAA doesn’t have anything to say about it.

Q. Administratively, should we be overseeing the disclosures? For instance, is anybody ever going to come in to ask about the number of disclosures we’ve made? Like an auditing body or anything?

A. If you are asking about statistical information, right now there is nobody that is asking for that. One of the procedures that I’ve set up for some agencies is that a copy of a disclosure tracking form is put in the medical record and a copy is sent to the Privacy Officer. That way the Privacy Officer can keep a separate log of all these disclosures. This may be helpful if the medical record gets lost or if you want an overview of the system as a whole. As the Privacy Officer I would want to get these, as it is a way to monitor what’s going on. If they are not getting any, or very few, it may suggest that people don’t understand the rule and are not complying. It’s a way for the Privacy Officer to monitor the situation without having to do a full audit of all the records.

Q. We have a day treatment program as well as a mental health program. We’re carving out the day treatment program, but we’ve been informed by IAC that early intervention is exempt from HIPAA for the privacy rule. But they’re telling us that they will need to be compliant with the EDI in October. Is that correct?

A. The issue with early intervention is that the records held by these programs I believe are subject to FERPA (Federal Education Rights and Privacy Act). My assumption of why the IAC has taken the position that early intervention is not covered is that the definition of protected health information excludes records that are subject to FERPA.

I don’t understand why they would say that they are not subject to the privacy rule but are subject to the transaction rule because you only conduct a HIPAA transaction if you transmit protected health information in connection with one of these transactions. If you don’t have PHI you are not transmitting it when you bill. So to me, the two go hand in hand and you can’t be subject to the transaction rule without also being subject to the privacy rule.

Q. How extensive should your privacy policy be?

A. It should be reasonable. You should look at your agency and the nature of the activities, and generally that will dictate how extensive your policies will be. If you are a sizable agency with many different programs, you will have a more extensive policy than a smaller agency with fewer programs.

Q. Do you suggest that you include HIPAA in a Corporate Compliance Manual or should HIPAA be separate?

A. For me it’s a little easier to keep it separate. I think it gets kind of complicated if you try to integrate it. Corporate compliance is so different from HIPAA compliance. There may be certain policies which cross over with multiple functions. It’s fine in those cases, but there are many HIPAA policies which are quite different.

Q. What about children’s artwork?

A. If the child’s name is on it, to be safe, I would get the authorization from the parent.

Q. What about a collage with clients in it?

A. If it is a private office that nobody sees, arguably it is not a disclosure to anybody else. But I would be a bit nervous even about that. If it’s in any place where anybody can see it I wouldn’t be displaying it without the client’s permission.

If you got permission from your client prior to 4/14/2003, it doesn’t have to be a HIPAA compliant authorization as long as it is reasonably specific about the use of the information. Under the HIPAA transition rule you are probably OK (for any pictures taken prior to 4/14/2003). But for any new pictures added to the collage, I would get a HIPAA authorization before adding them to the collage.

If you have any questions, please contact Karyn Krampitz by phone at 212-742-1600 x210 or by email at [email protected]