OCR FAQs
Dated Oct. 2, 2002
· Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician's office?
Response: No, plumbers, electricians and photocopy repair technicians do not require access to protected health information to perform their services for a physician's office, so they do not meet the definition of a business associate. Under the Privacy Rule, "business associates" are contractors or other non-workforce members hired to do the work of, or for, a covered entity that involves the use or disclosure of protected health information. See 45 C.F.R. § 160.501.
Response: Generally, janitorial services that clean the facilities of a covered entity (i.e., a health care provider, health plan or health care clearinghouse) are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the Privacy Rule. See 45 C.F.R. § 164.502(a)(1). If a service is hired to do work for a covered entity where disclosure of protected health information is not limited in nature (such as routine handling of records or shredding of documents containing protected health information), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity's premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate contract with the service. See 65 Fed. Reg. 82462, 82480 (December 28, 2000).
· Are the following entities considered "business associates" under the Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
Response: No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity. See 65 Fed. Reg. 82462, 82476 (December 28, 2000).
· Are State, county or local health departments required to comply with the Privacy Rule?
Response: Yes, if a State, county or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities. For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 C.F.R. § 160.103. See also, the "Covered Entity Decision Tools" posted at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp. These tools address the question of whether a person, business or agency is a covered health care provider, health care clearinghouse or health plan.
· Are the following types of insurance covered under HIPAA: long/short term disability; workers compensation; automobile liability that includes coverage for medical payments?
Response: No, the listed types of policies are not health plans. The HIPAA administrative simplification regulations specifically exclude from the definition of a "health plan" any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 C.F.R. § 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
· Is an entity that is acting as a third party administrator to a group health plan a covered entity?
Response: No, providing services to or acting on behalf of a health plan does not transform a third party administrator (TPA) into a covered entity. Generally, a TPA of a group health plan would be acting as a business associate of the group health plan. Of course, the TPA may meet the definition of a covered entity based on its other activities (such as by providing group health insurance). See 45 C.F.R. § 160.103.
· HIPAA allows "small health plans," defined as health plans having annual receipts of $5 million or less, an additional year (in the case of the Privacy Rule, until April 14, 2004) to come into compliance. How should a health plan determine what receipts to use to decide whether it qualifies as a "small health plan?"