Matt, I agree that two CEs who are sharing PHI for the purposes of treattment do not need a BA agreement, which is why I included the statement that you must consider who is doing "what" for whom. If the "what" is treatment services, then a BA agreement is not necessary. The specific examples which I was addressing, however, involved a Clearinghouse providing data translation services for a CE who was a provider. Clearly, in that situation, a BA agreement is required, even though both entities are CEs, unless they fell into the exception where a CE provides a service to an Organized Health Care Arrangement in which it participates. Darrell Rishel, J.D. Direction of Information Services Arapahoe House, Inc. This message is not legal advice.
-----Original Message----- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 9:50 PM To: 'WEDI SNIP Privacy Workgroup List'; Darrell Rishel Subject: RE: More questions on Business Associate Darrell, I respectfully disagree. Under HIPAA, a BAC is NOT required between two or more health care providers disclose PHI to each other for the purpose of treating a patient. And while the Privacy rules do say that a CE may act in the capacity of a BA (as in the scenario that I described below related to a physician providing "peer review" services), when two entities are engaged in sharing PHI (as CEs) no BAC would be required. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com <http://www.cpidirections.com/> CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Darrell Rishel [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 2:21 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: More questions on Business Associate In both cases a BA would be required. In your example, the clearinghouse is providing "a function or activity regulated by HIPAA" (formatting the data to be compliant with HIPAA) for both the provider and the health plan. The regulations clearly state that the relationship between two covered entities may require a BA. The key concept to keep in mind is not what kinds of entities are involved, but the relationship between the entities in terms of who is doing what for whom. Darrell Rishel, J.D. -----Original Message----- From: Ken Steen [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 8:28 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: More questions on Business Associate What about providers sending data to clearinghouses. Or payers sending data to clearinghouses, who reformat the data and send in a proprietary format to the provider. Do they require a BA contract anywhere along the line? Ken Steen Apollo ----- Original Message ----- From: Matthew <mailto:[EMAIL PROTECTED]> Rosenblum To: WEDI SNIP Privacy Workgroup <mailto:[EMAIL PROTECTED]> List Sent: Wednesday, January 08, 2003 10:51 PM Subject: RE: More questions on Business Associate Andy, In most instances, when PHI is shared between CEs, no BA relationship exists, and no BA contract would be required. For example, when a CE (provider) discloses PHI to another provider for the purpose of treating a patient, no BA relationship exists, and consequently, no BA contract would be needed. Further, when a CE (provider) discloses PHI to a health plan for the purpose of payment activities, no BA relationship exists, and consequently no BA contract is required. Generally, BA contracts are only required by HIPAA when a CE discloses PHI for the purpose of a 2nd entity using the PHI on behalf of the CE to help the CE perform a payment activity or health care operation (i.e., non-treatment activities that include a litany of HIPAA specified functions such as accounting, legal, consulting, etc.) For example, if a hospital discloses PHI to an IT vendor, a BA contract would probably be required. Also, if a hospital discloses PHI to a physician for the purpose of performing "peer review" a BA relations DOES exist, and a BA contact might be required. (Note that "peer review" is a "health care operation" and NOT a "treatment" activity.) It is also worth noting that even though a BA relationship may exist between a CE and a vendor, sometimes HIPAA does NOT require a formal BA contract. As in the case of consultants who do most of their work on-site (within the CE's physical space) and are working under the control or supervision of the CE. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com <http://www.cpidirections.com/> CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Andy Watts [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 08, 2003 7:25 PM To: WEDI SNIP Privacy Workgroup List Subject: More questions on Business Associate I am new to the group so I am not sure if some of these issues have been discussed before. I have seen some e-mails on the issue of Business Associates. We are also facing some situations and would appreciate if someone can help clarify the doubts: 1. From time to time we refer some of our patients to companies that lease Home care equipment. Would such companies be our Business Associates? 2. We refer patients to Home health agencies. Would they be BA? 3. We use contract Physical therapists to provide different types of therapies to our patients. Would they be our BA as they come into contact with PHI. 4. Some social workers provide services to our patients. Since these are not necessarily for treatment purposes, would they be our BA? 5. Finally, we use medical technologists from another company from time to time to operate some of our medical equipment such as X-Rays. Would that company or the medical technologists be our BA? Regards, Andy _____ Do you Yahoo!? Yahoo! <http://rd.yahoo.com/mail/mailsig/*http:/mailplus.yahoo.com> Mail Plus - Powerful. Affordable. Sign up <http://rd.yahoo.com/mail/mailsig/*http:/mailplus.yahoo.com> now --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
