In situation #1, the activity going on in the operating room is treatment, being provided by the hospital under the terms of a HIPAA consent. The "non-hospital employee" must be either a member of the hospital's workforce or a business associate before the hospital may permit access to the patient's PHI. In general, the hospital will contract with the vendor as a BA, and require that any trainer employed by the vendor who will have access to PHI in the possession of the hospital will receive privacy/security training. However, the hospital could also contract with the vendor in a way that would give it sufficient control over the trainer that it could claim the trainer as a member of its workforce. The trainer would then receive the same privacy/security training as other hospital workforce members.
In situation #2, the students are not performing a function on behalf of the hospital, so they will not be likely to fit the definition of business associate. The hospital will want to have an agreement with the students' educational institution that specifies that they are under the hospital's control as members of the workforce, and must receive the hospital's security/privacy training before having access to any PHI. In either case, observation of any patient care would best be considered as access to PHI. Bill William A. MacBain Principal MacBain & MacBain, LLC 1108 Hector St. Ithaca, NY 14850 607-256-1522 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, February 04, 2002 10:58 AM To: [EMAIL PROTECTED] Subject: Question on non-employees' access Are the following scenarios covered by "consent...for treatment and operations", or by "business associate agreement", or is a "signed authorization" required??? Situation 1: A "non-hospital employee" vendor representative assists in the surgery room, to explain or train surgeon and/or staff on the equipment used in the procedure. Is this "operations"? Does this require a patient authorization? Likewise Situation 2: A surgery is "observed" by an individual or by a class of students (the patient is not identified), is this covered by "consent ...for operations", or does it require a signed patient authorization? Or is this not covered by HIPAA, since the patient's identifiable information is not disclosed, except for the possibility of seeing the patient's face? John L. Schwarz I/S Director, Enterprise Applications --------------------- ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
