Wendy:
I can see why you are concerned. DHHS has not addressed this question
directly. But the text of the Privacy Rule, and DHHS statements suggest
that this relationship is not one that requires a BA agreement. Here is the
logic:
1. (a) A business associate agreement is not required for "disclosures by a
covered entity to a health care provider concerning the treatment of the
individual.." (45 CFR 164.502(e)(1)(ii)(A));
(b) "Treatment" is defined to mean: "the provision, coordination, or
management of health care and related services by one or more health care
providers, including the coordination or management of health care by a
health care provider with a third party; consultation between health care
providers relating to a patient; or the referral of a patient for health
care from one health care provider to another". (45 CFR 160.103)
(c) "Health care" includes, but is not be limited to, preventive,
diagnostic, therapeutic, rehabilitative, maintenance and palliative care,
and counseling, service, assessment, or procedure with respect to the
physical or mental condition, or functional status, or an individual or that
affects the structure or function of the body; and the ...sale or dispensing
of a drug, device, equipment, or other item in accordance with a
prescription". (45 CFR 160.103)
Based on (a), (b), and (c), I have no doubt that EVMS disclosure of PHI to
the diagnostic center is a disclosure "by a covered entity health care
provider concerning treatment", and permitted by the Privacy Rule w/o
consent or authorization. The only question is whether the diagnostic
center is somehow acting as a business associate.
2. The definition of "business associate" points towards provision of
services other than treatment services. It is: (i) a person or organization
that, on behalf of a covered entity or an organized health care arrangement,
performs functions involving the use or disclosure of individually
identifiable health information, including claims processing, data analysis,
data processing or administration, utilization review, quality assurance,
billing, benefit management, re-pricing, or other functions regulated by
[the HIPAA rules], or (ii) a person or organization (other than a member of
the workforce) that provides legal, actuarial, accounting, consulting, data
aggregation, management, administrative, accreditation, or financial
services to a covered entity or organized health care arrangement, and
receives protected health information in the course of performance of those
services. (45 CFR 160.103)
3. DHHS has made it clear that business associate agreements are not
required between health care providers, between hospitals and members of the
medical staff, between clinical providers and clinical laboratories, or
between health plans and health care providers. (The fact that the health
plan pays a provider that delivers treatment doesn't make the provider a
business associate.) (See the 3/27/02 NPRM at 67 Federal Register 14787 and
the 12/02 guidance from the DHHS Office of Civil Rights.)
4. Your financial relationship with the diagnostic center is similar to that
of a health plan and a network provider. That fact that you pay them on a
capitated basis doesn't make the diagnostic center your agent, or mean that
they are "acting on your behalf".
5. Overall, your relationship is more like that between covered entities
interested in arranging "treatment" services to a group of individuals, and
less like one in which the diagnostic center is acting on your behalf with
regard to a function other than direct treatment.
That's my two cents. I suggest that you present the question to EVMS'
attorneys. Please don't rely on my opinion (or that of anyone else other
than your legal counsel).
Paul
NOTICE: This message and its attachments are confidential and may be
protected by the attorney/client privilege. If you have received it in
error, please notify the sender immediately by e-mail and delete and destroy
this message and its attachments.
--------------------
Paul Litwak
Attorney & Counselor at Law
2832 S. Lynnhaven Rd., Suite 202
Virginia Beach, VA 23452
Ph: 757-431-2020
Fax: 757-431-3688
EMail: [EMAIL PROTECTED]
Web: www.paul-litwak.com
Web: www.hipaacomplianceguide.com
-----Original Message-----
From: Reynolds, Wendy J [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 1:06 PM
To: WEDI SNIP Privacy Workgroup List
Subject: business associate - yes or no?
I am in the process of reviewing a contact which will entail an agreement
between us (a covered entity) and the contractor (another covered entity) in
which the contractor will provide cancer screening/diagnostic tests to a
specific category of women (income guidelines, age, etc.) per grant
parameters. I am having trouble with this one, because usually "treatment"
reasons do not necessitate a business associate agreement between two
covered entities. However, we are paying the contractor a per capita rate
to provide the services (diagnostic tests) to these patients. If patients
need further treatment, they are referred back to us to take care of.
In this situation, I am not sure the contractor is really providing
"treatment" to the patients. Furthermore, in this situation, the contractor
is providing this service on our behalf, for us, and are receiving money
from us to provide these services. This arrangement does not fit the
business associate exceptions or examples as listed on the OCR website. I
have read the definition of treatment in the regs, but really think this
arrangement should have a BAA. But of course the contractor disagrees.
Am I being too picky? Any opinions out there?
Wendy J. Reynolds, MPA, CHP
EVMS Director of Privacy Program
EVMS HS Clinical Auditor
Eastern Virginia Medical School
Fairfax Hall, 1st floor
721 Fairfax Avenue
Norfolk, VA 23507
(757) 446-0337
[EMAIL PROTECTED]
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.537 / Virus Database: 332 - Release Date: 11/6/2003
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions
on this listserv therefore represent the views of the individual participants, and do
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If
you wish to receive an official opinion, post your question to the WEDI SNIP Issues
Database at http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and services.
They also are not intended to be used as a forum for personal disagreements or
unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the
address subscribed to the list, please use the Subscribe/Unsubscribe form at
http://subscribe.wedi.org
