HIPAA Consult

November 5, 2004

Answers to your questions about...outside researchers; record removal; business associates; covered entities

A. Yes, as long as he fulfills one of two requirements: He could obtain individual patient authorization. But, of course, this option is probably too time-consuming and cumbersome for all but the most limited studies. Or, he could obtain a partial waiver of individual authorization by an Institutional Review Board (IRB) or a Privacy Board (a review body established by a covered entity expressly for this purpose). Keep in mind that if you use a staff member to identify potential research subjects, she won't be subject to either of these requirements.

The privacy rule doesn't require you to enter into a business associate agreement with the independent researcher.

A. Probably not. The question is: Was the physician who left your office using or disclosing patient information or simply moving what he considered to be his files to another location? Un-doubtedly, he would argue that he was doing the latter and that any subsequent use or disclosure on his part would be for treatment purposes, which, of course, is permitted under HIPAA.

But his actions raise a non-HIPAA question: Who owns the physical files he removed? The answer is, "You do" as the owner of the practice. Indeed, although the information contained in a file belongs to the patient, the physical paper and file containing this information belong to the owner of the facility. In this context, the independent contractor's actions were inappropriate. Consult a lawyer to determine your legal options.

Business associates Q. Are the US Postal Service, FedEx, and UPS considered business associates under HIPAA?

A. No. Each is a conduit-that is, an entity that simply transports information from one location to another. A business associate, in contrast, is an entity or a person that not only has access to medical information but is acting on your behalf. One example of a business associate in this context would be the transcriptionist who transcribed a report for you before the post office or FedEx delivered it to another location.

Covered entities Q. I send paper claims directly to my health plan, which transforms these claims into an electronic format in order to process and pay them. Does that make me a covered entity under HIPAA?

A. That depends. If you're receiving remittances back electronically, you are considered a covered entity. But if you run a paper-only office, don't submit claims through a billing company that converts them into an electronic format, and don't conduct any of the other standard transactions electronically (checking eligibility and requesting authorization, for example), then you're not considered a covered entity under HIPAA.

____________________________________________________________

Margaret M. Davino (mdavino@kbrny.com
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn’t intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA Consult. If we select your query, we’ll address it in an upcoming issue. Your name will not be used.