HIPAAdvisor: Q & A with Steve Fox
*** Of Affiliates and Associates ***
QUESTION: We are a hospital that is affiliated with a number of
other health facilities in our community including mammography,
occupational health, and nursing care facilities. We do not own
any of the health facilities and each of the affiliated entities
has a separate Board of Directors but there is representation from
all of the affiliates on each of the boards. The affiliation allows
each facility to offer its patients a seamless network of fully
integrated care. Accordingly, some of our information systems are
shared. These shared systems contain several computer applications,
some containing protected health information, that do not have
segregated databases. Do we need to enter into some sort of contract
with each affiliate in order to be in compliance with the privacy
regulation under HIPAA?
ANSWER: No. The affiliation you have described is not a business
associate relationship as defined in the privacy regulation (the
"Rule") and therefore, the parties are not obligated to execute a
business associate agreement.
In order to ensure continuity in the care and protection of
individually identifiable health information, the Rule requires
covered entities to impose certain contractual obligations on business
associates that perform functions or activities on behalf of covered
entities. Although the Rule clearly states that covered entities may
perform the function of a business associate, the mere fact that two
covered entities share certain information systems does not make either
of the covered entities a business associate of the other.
Affiliations like the one you have described are called "organized
health care arrangements" under the Rule. Organized health care
arrangements are clinically or operationally integrated care settings
in which individuals receive health care from more than one of the
participating health care providers.
Health care providers are generally required to obtain an individual's
consent before using or disclosing that individual's protected health
information. However, individuals can consent to the use of their
protected health information by the entire membership of any one
organized health care arrangement instead of individually consenting
to each provider's use of such data. Entities that participate in
organized health care arrangements may develop joint consent forms
for this purpose. Your hospital may want to work with all of the
affiliates to develop a joint consent form.
Finally, it is important to note that shared systems contain
electronically maintained health information and are therefore subject
to HIPAA's security regulation. Although the final security regulation
has not been released, the proposed regulation requires, among other
safeguards, information access controls and entity authentication.
Accordingly, any shared systems should either have segregated databases
or their use should be governed by a chain of trust agreement in order
to ensure that the same level of security is maintained by all of
the affiliates.
Steve Fox, Esq., is a partner in the Washington, D.C.
office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm
with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is
a frequent writer and speaker on healthcare information management and technology
issues. www.pepperlaw.com/
This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper
Hamilton.
Disclaimer: Steve's responses offer information that is general in nature and
should not be relied upon as legal advice. Only your attorney is qualified to
evaluate your specific situation and provide you with customized advice.
Have a question you'd like Steve to discuss in HIPAAlert? Send it to
and he'll be glad to consider using it in a future column, with or without attribution.