HIPAA/LAW:
Legal Q/A
January 2002
"Organized Arrangements vs. Affiliated Entities"
by Steve Fox, Esq., & Rachel Wilson, Esq.,
Pepper Hamilton LLP
QUESTION: What is the difference between an organized health
care arrangement (OHCA) and affiliated entities?
ANSWER: There are two primary differences between affiliated
covered entities and an OHCA. First, affiliated entities and an
OHCA differ from one another regarding the way that information
may be used or disclosed by and between the covered entities that
populate them. Second, the common required element shared between
the components of an affiliated entity and the participants in an
OHCA are different.
Entities sharing common ownership or control may adopt the "affiliated
entity" designation recognized under the Privacy Standards.
For example, a corporation which owns hospitals in several different
states could opt to make such an election. The designation basically
functions to erase the individual identity of each separate entity
and create one single covered entity for the purpose of complying
with the Privacy Standards. The exception is that each component
of an affiliated entity is required to erect firewalls to protect
against the improper use or disclosure of protected health information
(PHI) within the affiliated entity. Because they enjoy the fiction
of existence as a single entity under the Privacy Standards, affiliated
entities may utilize a single consent form and notice of privacy
practices.
Unlike an OHCA, discussed below, the covered functions performed
by each distinct component of an affiliated entity are not required
to be similar to one another or arise out of a single integrated
enterprise or practice.
Forming an OHCA is generally, but not exclusively, permissible
in those integrated care settings where participants need to share
PHI about their patients in order to manage and benefit the common
enterprise. One example would be a hospital setting where both the
hospital and the physician with staff privileges provide treatment.
The principal concept underlying the OHCA is the idea that in certain
integrated settings, covered entities need the unrestricted right
to share health information. Accordingly, the Privacy Standards
permit participants in an OHCA to use and disclose PHI for the treatment,
payment, and health care operations of the entire arrangement just
as they would for their own such purposes. Toward that end, component
entities may join together to promulgate a joint notice of privacy
practices as well as a joint consent.
In general, component entities of an OHCA may share PHI for the
joint management and operations of the arrangement without patient
consent or authorization. This is true except where direct providers
are included in the arrangement. In that event, a general consent
is required before any component entity would be permitted to use
or disclose PHI.
Read past HIPAA Legal Q/A articles.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., of Pepper Hamilton LLP. www.pepperlaw.com
Disclaimer: This information is general in nature and should not
be relied upon as legal advice.
|
