Subscribe (Free) to
Daily or Weekly Newsletters
Post a Job

Featured Jobs

401(k) Plan Administrator

Abacus Retirement Solutions, LLC
(Albuquerque NM)

Abacus Retirement Solutions, LLC logo

DB/DC Administrator

Primark Benefits
(Remote / San Mateo CA)

Primark Benefits logo

Retirement Plan Administrator

Nicholas Pension Consultants
(Remote)

Nicholas Pension Consultants logo

Senior Defined Contribution Account Manager

Nova 401(k) Associates
(Remote)

Nova 401(k) Associates logo

Retirement Plan Services Analyst

Jordan & Associates Retirement Services
(Santa Rosa CA)

Jordan & Associates Retirement Services logo

Director of Member Services, Member/ Employer Experience

Orange County Employees Retirement System
(Santa Ana CA)

Orange County Employees Retirement System logo

DC Plan Administrator

Heritage Pension Advisors, Inc.
(Commack NY)

Heritage Pension Advisors, Inc. logo

Retirement and Executive Compensation Consultant

Retirement Learning Center
(Remote / Brainerd MN)

Retirement Learning Center logo

Regional VP of Sales

The Retirement Plan Company
(Remote / AZ / CA / CO / MN / MO / OR / WA)

The Retirement Plan Company logo

Sr. Retirement Plan Administrator

Tycor Benefit Administrators, Inc.
(PA)

Tycor Benefit Administrators, Inc. logo

View More Employee Benefits Jobs

Free Newsletters

“BenefitsLink continues to be the most valuable resource we have at the firm.”

-- An attorney subscriber

Mobile App image LinkedIn icon
Twitter icon
Facebook icon

Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

HHS Guidance Clarifies Who Is a "Business Associate"


Summary: HIPAA's privacy rules generally do not require "business associate" contracts between a covered entity and its service technicians, janitors and couriers because they do not need protected health information (PHI) to perform their duties, according to a recent HHS guidance document. Another clarification of interest to plan sponsors is that covered entities may contact individuals other than the patient if necessary to obtain payment.

HIPAA's privacy rules generally do not require "business associate" contracts between a covered entity and its service technicians, janitors and couriers because they do not need protected health information (PHI) to perform their duties, the U.S. Department of Health and Human Services (HHS) clarified in a question-and-answer (Q&A) document posted Oct. 8 on the HHS Web site.

Regarding janitorial services, "any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented," HHS stated. "Such disclosures are incidental and permitted by the Privacy Rule."

A janitorial service might be considered a business associate if it is hired to handle records or shred documents that include PHI, HHS added. However, if this work is performed on a covered entity's premises, the entity can treat the service as part of its work force, with which a business associate contract is not required.

HHS also clarified that participating providers are not a health plan's business associates if the submittal and payment of claims is the extent of their relationship.

Obtaining Payment

Another clarification of interest to plan sponsors is that covered entities may contact individuals other than the patient if necessary to obtain payment. "The Privacy Rule permits a covered entity, or a business associate acting on behalf of, or providing a service to, a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made," HHS states.

A covered entity still must observe the minimum necessary standard, along with any reasonable individual requests to make communications confidential or agreed-to restrictions on use or disclosure.

Complaint Procedure

The HHS guidance also details the procedure for filing complaints under HIPAA's privacy rules with the agency's Office for Civil Rights (OCR). Activities occurring before April 14, 2003, are not subject to OCR enforcement, but thereafter, a person who believes a covered entity is not complying with a requirement of the rules may file a written complaint with OCR, either on paper or electronically. This complaint must be filed within 180 days after the complainant knew or should have known that the act had occurred, although the HHS Secretary may waive this 180-day time limit if good cause is shown.

Individuals also may file a complaint directly with the covered entity, HHS notes. The guidance refers individuals to the covered entity's notice of privacy practices for more information about how to file a complaint with the covered entity.

Implications

Much of the guidance in the Q&A has already been published in either the privacy regulations or the preamble to the regulations. However, HHS' clarification regarding payment may help plan sponsors determine when PHI may be disclosed to a patient's family members who are covered under the same group health plan. If the family members are involved in payment for care, the plan may be able to disclose relevant payment information to them.

Of interest to employers that self-administer a group health plan is the clarification that a covered health care provider may disclose a complete medical record, including portions created by another provider, if the disclosure is for a permitted purpose under the privacy rules. This suggests that for health plan sponsors that disclose PHI for treatment, payment, or health care operations, this disclosure also may include portions of files created by another provider or plan, as long as the other portions of the privacy rules are observed, such as the minimum necessary standard.

Likewise, HHS' clarification that covered providers may disclose PHI to obtain, or file claims under, professional liability insurance (as a "health care operation") suggests that disclosures to stop-loss or professional liability insurers of a health plan should also be considered health care operations.

Reprinted with permission from the November 2002 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.
© 2022 BenefitsLink.com, Inc.