RECENT FREQUENTLY ASKED QUESTIONS
ABOUT HIPAA PRIVACY AND SECURITY


The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) have recently added to their lists of frequently asked questions and responses concerning the Health Insurance Portability and Accountability Act (HIPAA). Below are some recently posted questions and summaries of the answers that may be of interest to our clients who are covered entities, or business associates of covered entities, under HIPAA.


Question:
Is an authorization or business associate agreement needed to share information with a medical device company?

OCR Response: No
OCR replied that, in general, the Privacy Rule permits a covered provider to disclose protected health information (PHI) to a medical device company representative without the individual’s authorization for the covered provider’s own treatment, payment or health care operations, or for the treatment or payment purposes of a medical device company that is also a health care provider. The Privacy Rule also allows disclosures to a medical device company or other person under the jurisdiction of the FDA for activities related to the quality, safety or effectiveness of an FDA-regulated product or activity for which the person has responsibility.

OCR further explained that, in certain circumstances, a covered provider may disclose PHI to a medical device company without the individual's written authorization if the medical device company is itself a health care provider. A device manufacturer is a health care provider under the Privacy Rule if it needs PHI to counsel a provider on, or to determine, the appropriate size or type of prosthesis, or to assist the doctor in adjusting a device for a patient. In addition, when a medical device company needs PHI to provide support and guidance to a patient, or to a doctor with respect to a patient, it is providing health care and is considered a provider. Conversely, a device company that simply sells medical devices is not a health care provider.

OCR indicated that, in many cases, permitted disclosures to a medical device company would not require a business associate agreement. These circumstances include a provider's disclosure of PHI to a device company for the purpose of obtaining advice or consultation regarding a particular patient, or sharing PHI for the purpose of obtaining payment. In other circumstances, such as where a covered provider asks a device company to estimate the cost savings it might achieve by using a particular device, a business associate agreement would be required, because the device company would be performing a health care operations function on behalf of the covered entity.

OCR’s response reinforces the concept that the name of an entity may not, in and of itself, always indicate whether an entity is a covered health care provider. Rather, whether an entity meets the definition of a provider may depend upon the specific activities performed by the entity in a given situation. Similarly, whether a business associate agreement is necessary in a certain context may depend more upon the nature of the relationship between the provider, the patient, and the potential business associate than the label (i.e., medical device company, laboratory technician) of the potential business associate.


Question:
Does a covered entity need a business associate contract to use a certified telecommunications relay service?

OCR Response: No
OCR explained that the sharing of PHI between a covered health care provider and a patient through a Telecommunications Relay Service (TRS) is permitted, and that a business associate agreement is not required. The TRS enables telephone communication for people with hearing or speech impairments by using a communications assistant (CA) who relays the conversation. The TRS CA relays information, which may include PHI, between a text telephone (TTY) user and another person communicating via voice. The Federal Communications Commission (FCC) certifies all State TRS programs, which in turn contract with one or more TRS providers. The TRS is a public service that is available without cost to all persons and businesses, none of whom need to employ, contract with or otherwise establish a business relationship with the TRS. Thus, when performing these services, the TRS is not acting for or on behalf of the covered entity and is not a business associate.

OCR also explained that PHI can be shared during a telephone communication using the TRS because the individual has an opportunity to agree or object to the disclosure of PHI to the CA. For example, where the individual initiates the call through the TRS, it is reasonable for a covered health care provider to infer that the individual has identified the CA as involved in the individual's care and does not object to the disclosure. Moreover, where the need to use the TRS becomes apparent before a call is placed, the opportunity to agree or object to use of the TRS can be provided at that time.

The rationale for the above response would also seem to apply to emergency call centers used, for example, by substance abuse treatment providers. A call center, like a TRS, may be viewed as acting on behalf of the individual caller, not the covered provider. Similarly, individuals who initiate a call to a call center may be presumed not to object to their own disclosure of information to the call center operator. For these reasons, a business associate agreement would not be necessary in these circumstances.


Question:
Is it necessary for a provider to obtain permission before a record is released to a health oversight agency?

CMS Response: No
The Privacy Rule allows the use and disclosure of PHI without the authorization of the subject of that information for health oversight activities that are authorized by law. Authorized activities include inspection, licensure and other activities necessary for the appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards. The Rule also provides that PHI may be used and disclosed without the authorization of the subject to the extent a law requires the production of that information.


Question:
Is it necessary to have a business associate agreement between a provider and state or federal surveyors before a survey can be done?

CMS Response: No
CMS replied that surveyed entities do not need to execute a business associate agreement with federal or state surveyors prior to releasing PHI, because surveyors are “health oversight” agencies and not business associates of the surveyed entities under the Privacy Rule (see above).


Question:
Do the Security Standards require use of specific technologies?

CMS Response: No
CMS answered that the Security Standards were designed to be technology neutral in order to permit use of the latest and most promising technologies that meet the needs of different health care organizations. CMS determined that any regulatory requirement to implement specific technologies would have bound the health care community to particular systems or software that may be superseded by rapidly developing technologies and improvements. Technology neutrality does not, however, make the safeguards optional: the Security Rule still requires covered entities and business associates to implement the administrative, physical and technical safeguards it describes (for example, access controls and audit controls), and to document how the chosen measures satisfy each standard; it simply leaves the selection of particular products and mechanisms to the organization.