Question

Create a list of 3 businesses (other than the example below) that a hospital, physician's office, nursing home, or other healthcare organization would contract with that would be considered business associates under HIPAA. For each business associate, please indicate at least one issue that would need special attention and how would the healthcare organization would ensure that PHI was being safeguarded?

Example:
A hospital may choose to contract with a technology recycling company to take care of the disposal of all of its tech items such as computers, printers, and monitors. One special issue that should be noted in the contract is that for any items that contain a hard drive such as desktops, laptops, and some printers, the hard drive must be removed from the device and destroyed using a pneumatic hard drive crusher. In order to ensure that this is done, the hospital could specify that the destruction of the hard drives be done onsite.

Answer 1

Examples Business Associates under HIPAA are as follows:

• A third party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involves access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.

·         A third-party administrator.

The TPAs assists a health plan with claims processing and act as a mediator between insurance company and patient. For the processing of the insurance, all relevant PHI must be shared with the TPAs. TPAs should have entered into a legal contract with the insurance company not to trade information and records of its business required to maintain the confidentiality of the health information obtained

·         An independent medical transcriptionist that provides transcription services to a physician.

Breach of confidentiality is a potential problem in independent medical transcriptionist that provides transcription services to a physician. Notice of Proposed Rulemaking (NPRM) that expands the definition of the business associate under HIPAA to include subcontractors which include medical transcriptionist independent contractors (ICs) who work for MTSOs. It makes the medical transcriptionist ICs directly liable to the federal government for failure to comply with HIPAA regulations.

·         A pharmacy benefits manager that manages a health plan’s pharmacist network.

A signed authorization from patients prior to service must be obtained, allowing the pharmacies and hospitals to access to use their PHI during their care during the course of business. Use of protected patient information beyond the business will lead to serious actions as per HIPAA rules.

The Privacy Rule demands that a HIPAA disclosure authorization contains either an expiration date or event that relates to the individual or the purpose of the use or disclosure. The authorization obtained from the patient remains valid until its expiration date or event unless effectively revoked in writing by the individual before that date or event.