THE NATION'S LARGEST CONSULTING FIRM FOR MD DC DC PT INTEGRATION
HIPAA
Can the Secretary sanction a business associate for HIPAA Privacy Rule violations?
Question
Has the Secretary exceeded the HIPAA statutory authority by requiring "business associates" to comply with the Privacy Rule, even if that requirement is through a contract?
Answer
The HIPAA Privacy Rule does not “pass through” its requirements to business associates or otherwise cause business associates to comply with the terms of the Rule. The assurances that covered entities must obtain prior to disclosing protected health information to business associates create a set of contractual obligations far narrower than the provisions of the Rule, to protect information generally and help the covered entity comply with its obligations under the Rule.
Business associates, however, are not subject to the requirements of the Privacy Rule, and the Secretary cannot impose civil monetary penalties on a business associate for breach of its business associate contract with the covered entity, unless the business associate is itself a covered entity. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or develop policies and procedures for use and disclosure of protected health information.
What agreements are needed when the business associate receives only a limited data set?
Question
If the only protected health information a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?
Answer
No. Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Rule’s requirements that it obtain satisfactory assurances from its business associate with the data use agreement. For example, where a State hospital association receives only limited data sets of protected health information from its member hospitals for the purposes of conducting and sharing comparative quality analyses with these hospitals, the member hospitals need only have data use agreements in place with the State hospital association.
Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
Question
Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
Answer
No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of protected health information and other actions are consistent with the covered entity's privacy policies, as stated in the covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.
Are entities such as mail carriers or delivery companies business associates?
Question
Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
Answer
No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.
Is a business associate contract needed for plumbers, electricians, or other repairmen?
Question
Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician's office?
Answer
No, plumbers, electricians and photocopy repair technicians do not require access to protected health information to perform their services for a physician’s office, so they do not meet the definition of a “business associate”. Under the HIPAA Privacy Rule, “business associates” are contractors or other non-workforce members hired to do the work of, or for, a covered entity that involves the use or disclosure of protected health information. See the definition of “business associate” at 45 CFR 160.103.
Any disclosure of protected health information to such technicians that occurs in the performance of their duties (such as may occur walking through or working in file rooms) is limited in nature, occurs as a by-product of their duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the Privacy Rule. See 45 CFR 164.502(a)(1).
Do business associates have obligations to individuals with respect to their information?
Question
Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?
Answer
The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.
Under 45 CFR 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must amend protected health information in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.
Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.
What does the HIPAA Privacy Rule do?
Question
What does the HIPAA Privacy Rule do?
Answer
Most health plans and health care providers that are covered by the new Rule must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.
For more detailed information about health privacy, you may want to visit our Medical Privacy: National Standards to Protect the Privacy of Personal Health Information site (http://www.hhs.gov/ocr/hipaa/) and our full set of Frequently Asked Questions.
Disclaimer: Note that any and all actions or decisions to implement such program require the assistance and direction of a competent adept health care attorney licensed in your own state. State and federal statutes are complex and may be aggressively pursued by various regulatory bodies if not thoroughly researched. Practice Perfect and its agents demand that each and every client and all their associates take full responsibility for implementing any program taught to ensure state and federal compliance. Just as well, Practice Perfect and its agents require that at all times, all clients and their associates practice with the highest level of ethics in rendering all treatments. Practice Perfect and its agents pride themselves in continuously promoting and teaching ethical, genuine and medically necessary treatments to all patients.