HIPAAdvisor: Q & A with Steve Fox
BUSINESS PARTNER AGREEMENTS
QUESTION #6: I need to learn more about the transmission
of patient statements to printing/stuffing/mailing companies. We
are working with a physician group in California who is looking
for a local company to print their patient statements. When it comes
to HIPAA, there has been much focus on the payors, providers and
employers, but what about such statement printing companies? To
what extent must they comply with HIPAA? What questions should the
group practice be asking them? Should we ask different questions
if the statements are transmitted electronically from the group
practice's information system via a secure line, vs. downloading
the statements from the practice management system to a diskette
or CD-Rom and providing them to the printing company on diskette/CD-Rom?
ANSWER: Printing companies are beyond
the authority and scope of HIPAA. Even though a printing company
may be privy to individually identifiable health information under
an arrangement such as the one described, they are not covered entities
under the Act and are therefore not subject to its rules and regulations.
The proposed rules attempt to fill this gap in the protection of
individually identifiable health information by requiring covered
entities to impose HIPAA's administrative requirements and other
mandates on the "business partners" they contract with for services.
Therefore, there are several prudent inquiries you may want to make
before choosing a printer.
First, ask if there is anyone who oversees and/or is charged with
ensuring the confidentiality of their customers' materials. The
answer you get to this question will tell you a lot about a potential
partner's sensitivity and awareness of issues related to patient
confidentiality.
Second, how well are employees educated about the importance of
exercising discretion? Are they required to sign a confidentiality
statement? Ask about the rate of employee turnover. It is more likely
that an employer with a high rate of turnover does not have enough
time with each of its employees to properly train them.
Third, what protections does the printer have in place to deal
with anticipated threats to the privacy of information? Are employees
encouraged to report incidents that violate or could potentially
violate the company's policy regarding confidentiality?
This short list of questions is far from exhaustive but should
set you in the right direction toward framing questions to adequately
screen potential business partners. You may also want to review
the proposed privacy and security standards for HIPAA.
To answer your second question, there is no difference in the questions
you should ask if the patient statements are transmitted electronically
or downloaded to a diskette or CD-Rom. Once individually identifiable
information has been maintained or transmitted electronically, covered
entities are required to protect such information as mandated by
HIPAA. This is true regardless of the medium subsequently used to
maintain the information. Conversely, if the physician group stored
patient statements in paper records that were never maintained or
transmitted in an electronic format, HIPAA would not apply.
Steve Fox, Esq., is a partner in the Washington, D.C.
office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm
with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is
a frequent writer and speaker on healthcare information management and technology
issues. www.pepperlaw.com/
This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper
Hamilton.
Disclaimer: Steve's responses offer information that is general in nature and
should not be relied upon as legal advice. Only your attorney is qualified to
evaluate your specific situation and provide you with customized advice.