Does HIPAA even Apply Here?

[ERISAatty]

Hello,

I'm stumped and just need a reality check.

Here's the pretty simple fact pattern:

A public School District and a local Community Clinic (a health care provider) have entered into an arrangement whereby the Clinic will provide a day of health screenings for students in the District.

The Clinic has asked the District to sign a Business Associate Agreement.

The Agreement identifies the Clinic as the Busniess Associate. The District is referred throughout the agreement as the 'Facility' (where screenings will occur). And the Agreement refers to services provided on for or on behalf of a Covered Entity (which is not defined). I asked them to identify the CE, and the Clinic to me it is the District?!?!?!!? (That must be incorrect - District is not a health care provider, and not a CE).

Just to clarify, the District's Health Plan has no involvement here. This is just a Clinic (a CE) coming in to provide student health screenings. It is not clear to me why a business associate agreement is even needed, in that the District won't be providing services for, or on behalf of, the Clinic that require the use or disclosure of information.

Do you agree?

If the parties insist on having an agreement in place, I want to ask them to clarify that the Clinic is the CE, and that the District is a BA, but only to the extent that it should provide any services for or on behalf of the Clinic. Thoughts?

Thank you!

[leevena]

Your question gets a little confusing, so excuse me if I get it wrong.

The clinic is clearly a CE, the school is the BA and an agreement should be required. I assume that the clinic is conducting the exams on behalf of the school and that the results/information will be provided to the school.

I don't know if your comment (in the last paragraph) "to the extent that it should provide any services for or on behalf of the clinic" because I am assuming that some type of information is going back to the school. Correct?

[ERISAatty]

I am waiting to get a clear answer from the parties on what, exactly, will happen with the screening results. I guess I had been assuming that only the clinic would have them, and that the clinic might notify the students' families' of results specific to a given child. Under that assumption, the school has no involvement with/use of the any protected health information.

But you're right. It makes sense to think that a report of some kind may go to the school (I will confirm), in which case, I can see that the school needs to abide by Business Associate-type standards.

Thank you.

[Chaz]

I can't see how the school in this scenario under any reasonable circumstances is a business associate of the clinic. The school is not performing services at all for the provider, even if is receiving reports from the clinic. In addition, I presume the school is paying the clinic to do the screening; even if not, the clinic is performing the screenings for the school and not vice versa.

Without doing any research, I see two possible approaches to take:

The first approach is to take the position that the school has, perhaps inadvertently, created a health plan (a covered entity) for the students. The clinic, although a provider, is not acting as such; instead it is a BA. If this approach is taken, there needs to be a BAA between the school's plan and the clinic.

The second approach is that the clinic is acting in its role as a provider and is the only covered entity involved. In that case, no BAA is needed or appropriate but in order for the clinic to give any reports with PHI to the school, it would need to receive authorizations from the students (or their parents).

[ERISAatty]

This makes a lot of sense to me, and the second approach described above strikes me as the most practical under the facts. Glad I'm not the only one not seeing a BA party here.

I appreciate your insights/comment - always nicer to be able to bounce an idea around instead of puzzling at it alone. Thanks.

[leevena]

Chaz, or anyone else. Your post made me consider this from a different perspective. At the time HIPAA came in, I was at a healthplan. In many of the different seminars/training we attended at the time we were all cautioned about making sure we had agreements with all of our vendors that might come into our facility/office. The one that comes to mind immediatly is the outside cleaning service we used. They were subjected to an agreement. The reasoning being that they could come upon PHI.

So, did we overreact? And if not, shouldn't the school sign one anyway just in case one of their employees come upon PHI?

thanks.

[Chaz]

1-HHS has specifically said that, in most cases, janitorial services are not business associates so you didn't need to enter into a BA with your cleaning service. I recall that the only exception is if the service was hired to dispose of PHI.

2-The school is neither a business associate nor a covered entity (in alternative 2 of my scenarios, at least). Therefore it is not necessary nor appropriate to enter into a BA agreement even if the school was to receive students' PHI. As the covered entity, the clinic is responsible for making sure appropriate authorizations are in place before it shares the information with the school.

[leevena]

Ok, thanks.