Here is my opinion. The PHI is the patient's. All covered entities are required to keep it for 6 years minimum. I think that means that the provider keeps it and the payer must keep it. A clearing house would keep it based on their relationship (BA)to the entity paying the bill (probably the provider).
In your example the provider is responsible for accounting for access to the PHI for a minimum of 6 years. If they want it destroyed and they are paying for your services they I would destroy it. Also there are several places in the rule that have different requirements for clearing houses depending upon their role as a clearing house or a business associate. Here is an excerpt from the comments (See the last sentence): "The revised language provides that clearinghouses are not subject to certain requirements in the rule when acting as business associates of other covered entities. As revised, a clearinghouse acting as a business associate is subject only to the provisions of this section, to the definitions, to the general rules for uses and disclosures of protected health information (subject to limitations), to the provision relating to health care components, to the provisions relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required (subject to limitations), to the transition requirements and to the compliance date. With respect to the uses and disclosures authorized under Sec. 164.502 or Sec. 164.512, a clearinghouse acting as a business associate is not authorized by the rule to make any use or disclosure not permitted by its business associate contract. Clearinghouses acting as business associates are not subject to the other requirements of this rule, which include the provisions relating to procedural requirements, requirements for obtaining consent, individual authorization or agreement, provision of a notice, individual rights to request privacy protection, access and amend information and receive an accounting of disclosures and the administrative requirements." Hope that helps. -----Original Message----- From: Ronde, Suzanne [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 12, 2002 6:17 AM To: '[EMAIL PROTECTED]' Subject: TCS/Privacy: Whose Data Is It??? Does anyone on here have an opinion about the following situation? In discussions with various individuals, there's a gray area in regards to who's data is it and at one point in regards to Protected Health Information (PHI) and so forth. Here's a situation we're looking at. As a clearinghouse, we are a Covered Entity (CE). We are also a Business Associate (BA) to providers and some health plans, otherwise a trading partner (TP) to other health plans. Our dilemma is this: Under the Privacy provisions, to many extents our business of being a Clearinghouse would enact that we would need to follow CE items. From my understanding, covered entities hold onto PHI for a minimum of 6 years in case of a request for access (164.524), but if we are acting as a BA to the provider, would we be held responsible to hold that data for the 6 period? If so, I am assuming since we are doing this as a service, a reasonable charge can be associated with this. Also within the Privacy regulations (164.504) as a BA to entities, they have the ability upon termination of a contract, request for return of PHI or Destruction of the PHI if feasible. So here are my questions: 1 Whose PHI is it at what point that they can ask for destruction or return if the contract is terminated? Is it the provider's until they submit the claims to a health plan and then becomes the health plan's after the submission? If so, can we destroy that information if it is now the health plan's when it is a provider who terminates the contract? Would this be considered one of the "not feasible" situations? What if the health plan who was once a BA now terminates the agreement? Same kind of quandary there. 2 If we are able to destroy or return the data, I can not find anywhere in the regulations of who covers the cost of returning or destroying the PHI. Can the provider or health plan be charged a reasonable fee for such work? There is a section that discusses assessing a reasonable fee to access any PHI. If anyone has an opinion or can shed some light on this subject it would be great appreciated. Thank you in advance. Suzanne Ronde Proservices Health Information Technology HIPAA Project Manager Change is the law of life. And those who look only to the past or the present are certain to miss the future. - Kennedy, John F. This electronic message is intended only for the use of the addresse(s) named above and may contain legally privileged and/or confidential information. If you are not the intended recipient of this message, you are notified that any dissemination, distribution or copying of this message is strictly prohibited. If you received this message in error, please notify the sender by telephone and delete the original message. Thank you for your cooperation. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=business and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=business and enter your email address.
