HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAAcompliance Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

To OHCA or Not to OHCA – at This Late Date?

By Clyde Hewitt, Principal, Phoenix Health Systems
October 2003

An Organized Healthcare Arrangement (OHCA), as defined under the HIPAA Privacy and Security Rules, is an arrangement between legally separate covered entities. This arrangement, typically between a hospital and the local independent physician practices, permits the independent covered entities who provide treatment in a common environment to present a single face to the consumer through an arrangement, thus simplifying the administrative requirements of the Privacy Rule. OHCAs also have the option of publishing a Joint Notice of Privacy Practices providing certain criteria are met.

By now, nearly all hospitals and physician practices have published and distributed a Notice of Privacy Practices satisfying their requirements of the HIPAA Privacy Rule. A much smaller percentage of these organizations have addressed the OHCA issue and have issued a Joint Notice of Privacy Practices following an acknowledgement by all OHCA members.

The status quo of retaining separate Notices is arguably desirable where hospitals have already invested the effort to create, print, and distribute the Notice. There may seem to be no compelling issues that would require changing this course since HIPAA doesn't require a hospital to provide a Notice for other covered entities operating within the OHCA. The Joint Notice is clearly a voluntary next step.

Why would a hospital want to reopen this issue given the additional workload necessary to draft, coordinate, and issue a Joint Notice?

There are three factors that potentially outweigh the effort required to publish a Joint Notice:

  1. A hospital's reputation is linked to the actions of the other covered entities operating in its facilities. If one of these other covered entities is investigated or sanctioned by HHS, possibly relating to not having policies or a Notice, then any coverage of this by the media will undoubtedly tarnish the hospital's reputation. Although under HIPAA the hospital may not be subject to a legal risk, it will still lose in the 'court of public opinion'.
  2. There is evidence that some covered entities and the non-employee physicians working for the covered entity assume that they are already in compliance under the hospital's Notice. There are likely two reasons for this misperception. First, there is still a general lack of understanding of the OHCA requirements among health care providers. Second, many hospitals have contracts with the third-party covered entities operating in their facilities that may have created a misperception that the contract already addresses HIPAA requirements. Based on anecdotal evidence, many contracts do not specifically address the HIPAA Joint Notice requirements since they don't specifically address the OHCA and Notice provisions.
  3. Covered entity hospitals and the other members of their OHCA should seek to reduce the complexity of the Privacy Rule requirements to the general population. For many patients, understanding one Notice of Privacy Practices is difficult, but comprehending three or four different Notices upon admittance is unrealistic. A single Notice with one Privacy Officer's contact information and one process for exercising the rights afforded under HIPAA will greatly increase patient satisfaction.

There are several advantages for a hospital to publish a Joint Notice of Privacy Practices, including:

  • Extend good will between the hospital and the external physician community
  • Present a single face to the public, increasing the perception of a professional organization
  • Reduce duplication of forms presented during the patient registration process
  • Eliminate the public confusion that would exist if they are presented with separate Notices of Privacy Practices, each with different rules and complaint processes
  • Reduce the risk of violation of patients' desires (not necessarily their written instructions) about the exercise of their rights, e.g., restrictions, confidential communications, and accounting of disclosures
  • Reduce the training requirements for non-employee staff who would require training in separate policies and procedures
  • Reduce printing requirements – economical and eco-friendly

There are also disadvantages to publishing a Joint Notice of Privacy Practices, including:

  • Additional HIPAA training issues with affiliated covered entity staff
  • Public perception of a single entity may result in increased joint litigation
  • The hospital's Privacy Office will be single point of contact for all complaints as a result of actions by other OHCA participants
  • Increased workload on behalf of the hospital's Privacy Officer
  • Increased coordination requirements

Before a hospital pursues documenting an OHCA and adopting joint policies, it should engage in a systematic decision and documentation process with the covered entities that are candidates for participation. For a complete discussion of the factors involved in establishing an OHCA, a Joint Notice and joint policies and procedures, see our latest whitepaper entitled "Organized Healthcare Arrangements for Providers Demystified" in our new Knowledge Library.

Clyde Hewitt, M.S., is a Principal at Phoenix Health Systems where he is responsible for consulting in program management, strategic planning and systems implementation, and HIPAA compliance services, and security remediation.

Go to TOP