The Office of General Counsel issued the following opinion on July 8, 2003, representing the position of the New York State Insurance Department.
Re: Health Insurance Portability and Accountability Act (HIPAA) Privacy Requirements, Workers Compensation
Do the HIPAA Privacy requirements affect a hospitals transmission of protected health information for the payment of workers compensation claims?
Workers Compensation is not directly affected by the HIPAA Privacy requirements. However, the contracts between the inquirers hospital and the entities with which it contracts might have to provide that these entities would hold protected health information confidential.
Since this was a general question, no facts were provided.
HIPAA, Pub. L. No. 104-191 (1996), is a comprehensive enactment dealing with health insurance. Section 264 of HIPAA, codified as a Note to 42 U.S.C.A. § 1320d-2 (West 2002 Supplement), required the Secretary of Health & Human Services (HHS) to promulgate a regulation dealing with privacy of protected health information. The Regulation as promulgated by the Department of HHS, 45 C.F.R. § 160.101 et seq. (2003), contains comprehensive requirements for the protection of protected health information.
The HIPAA Privacy Regulation is limited to regulation of protected health information in the custody of "covered entities".
A covered entity under the Regulation is defined, 45 C.F.R. 160.103 (2003), as:
Covered entity means: . . . (2) A health care clearinghouse (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
A health care clearinghouse is defined, 45 C.F.R. § 160.103, as:
Health care clearinghouse means a public or private entity . . . that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
A health care provider is defined, 45 C.F.R. § 160.103, as:
Health care provider means . . . a provider of medical or health services . . . and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health care is defined, 45 C.F.R. § 103, as:
Health care means care, services, or supplies related to the health of an individual .
It appears, that as a hospital, Cayuga Medical Center is a health care provider and thus a covered entity.
Protected health information is defined in the HIPAA Privacy Regulation, 45 C.F.R. § 160.103 (2003):
Protected health information means individually identifiable health information: . . . that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media . . . or (iii) Transmitted or maintained in any other form or medium.
Health information is defined, 45 C.F.R. § 160.103:
Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, . . . or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
The general rule, 45 C.F.R. §§ 164.502(a) (2003) and 164.508(a) (2003), is that authorizations are required before protected health information may be disclosed by covered entities. However, the HIPAA Privacy Regulation, 45 C.F.R. 164.512(l) (2003), provides:
Standard: Disclosures for workers' compensation. A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
Accordingly, the inquirers hospital may disclose protected health information to workers compensation insurers and self-insurers without the necessity of securing a HIPAA authorization.
The HIPAA Privacy Regulation, 45 C.F.R. § 160.103, defines a business associate:
Business associate . . . means, with respect to a covered entity, a person who: (i) On behalf of such covered entity . . . other than in the capacity of a member of the workforce of such covered entity . . . performs, or assists in the performance of: (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration. . . .
Entities, other than a health care clearinghouse, with which the inquirers hospital contracts to assist in billing workers compensation insurers or self-insurers might be considered to be its business associate. The HIPAA Privacy Regulation provides, 45 C.F.R. § 164.502(e):
(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. . . .
(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).
Section 164.504(e)(2) (2003) provides:
Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity . . . .(ii) provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware; . . . (H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary [of Health and Human Services] for purposes of determining the covered entity's compliance with this subpart . . . . (iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
If there are any questions concerning whether entities with which the inquirers hospital deals are business associates, they should be addressed to:
Office for Civil Rights
United States Department of Health and Human Services
26 Federal Plaza
New York, NY 10278
For further information you may contact Principal Attorney Alan Rachlin at the New York City Office.