Frequently Asked Questions:
Privacy Rule

Q: As an outpatient mental health clinic do we need a signed authorization to contact a patient's insurance company to see if our services will be covered or can we disclose this information without an authorization in an effort to carry out treatment/payment? (January 2004)

A: Under both HIPAA and the NYS Mental Hygiene Law, it is permissible to make disclosures of information necessary to determine eligibility for or receive payment for treatment services. However, if you are a covered entity under HIPAA, before making this type of disclosure, you should first check with your Privacy Official to ensure that your Notice of Privacy Practices indicates that you may make disclosures to insurance companies to determine eligibility or obtain payment with patient authorization, and you must make certain that you only disclose the minimum amount of information necessary to do so. You should also confirm with the Privacy Official your ability to make these disclosures without patient consent, since, as a business decision, some providers are electing to routinely obtain consent or authorization, even when not legally required. Finally, patients have the opportunity to request restrictions on disclosures, so for each patient, you should make sure the clinic has not agreed to abide by any restrictions requested by the patient regarding contact with the insurance company.

Q: As a covered entity are we required to document a PHI disclosure if it is pursuant to a signed patient authorization and is not to carry out treatment, payment, or health care operations? (January 2004)

A: HIPAA does not contain any specific documentation requirements with regard to disclosures of information, but it does provide patients with a "right to an accounting of disclosures" wherein covered entities must be able to tell them, upon their request, to whom their information has been disclosed. Therefore, covered entities must establish procedures to ensure that all disclosures subject to the right to an accounting of disclosures are routinely documented, so that they are readily accessible and producible in the event the patient elects to exercise his/her right to an accounting of disclosures. Under HIPAA, information disclosed for treatment, payment or health care operations purposes is not subject to the right of accounting of disclosures.

However, under the New York State Mental Hygiene Law, in general, a notation of all disclosures, including those made for treatment purposes, is required to be made in the clinical record whenever information is disclosed from it. The Mental Hygiene Law excepts some payment disclosures from this requirement, including disclosures made to government agencies requiring information necessary for payments to be made. Further, for disclosures to insurance companies, a notation need only be entered at the time the first disclosure is made.

Therefore, in general, as a matter of State law rather than HIPAA, disclosures made for treatment or operations purposes should be documented, and payment disclosures that do not meet the exception criteria should be documented as well.

Q: Where can I download the OMH consent to release info form? (December 2003)

A: OMH forms are official documents intended for use by employees of OMH in State operated facilities and therefore are not available for download. Unless otherwise indicated on a particular document or form, OMH grants permission to reproduce and distribute any material, including forms, policies, employee brochures, and training programs for non-commercial purposes and usage, so long as the contents remain unaltered and it is noted that OMH is the source.

Q: I work for a psychiatric unit for adults and have been told that if a person calls for a patient that refuses consent for me to speak with that person, I can listen to what they have to say and even return phone messages. Doesn't that inform them that the person is a patient by me returning the call and even listening to them provides information? Also, if the patient refuses to sign a consent for family involvement, is it against HIPAA to allow the family to visit our unit during visiting hours? Isn't that an admission that the patient has been admitted in the hospital? (December 2003)

A: Although it is critical that you speak to your program’s attorney for legal guidance in this regard, some general information may assist in this analysis. Unless another exception applies, an adult patient with capacity has the right to agree or object to disclosures to family members or persons involved in his/her care. Therefore, in this case, if a patient were to object to these disclosures and you were then to speak to that individual and/or return messages, this could indeed be an unauthorized disclosure of patient identifying information. However, there are several procedures you could consider in handling these situations.

For example, your program might simply institute a procedure wherein any call is responded to by asking the caller to hold, without indicating that the person is or is not a patient at your facility. The patient is then contacted and asked if he/she wishes to take the call. If so, the call is transferred and the patient can then self disclose his/her own information. If not, or if the patient has already indicated he/she does not wish to speak to this particular caller, staff should simply inform the caller that federal law does not permit even the disclosure of whether or not the person in question is a patient.

Another strategy, if the patient has not agreed to disclosures to a certain caller, is to respond by saying that while you cannot tell the caller whether or not the person is a patient, if he or she is a patient, you will give him/her a message from the caller. Simply taking a message is not prohibited by HIPAA, but you need to make sure that you do not reveal, either directly or indirectly, that the person is a patient at your facility.

With regard to your question about visitors, if a patient has indicated he or she does not want the family involved, how to handle the situation if the family then shows up to visit is really a matter for clinical consideration. Regardless, allowing visitors to roam about a unit, regardless of whether or not they been given permission to receive disclosures about a certain patient, actually compromises the confidentiality of all of the other patients on the unit, who visitors may see as they proceed to see the patient they are actually visiting. Therefore, programs must structure their visiting policies with this in mind, and make reasonable efforts to avoid this result. One strategy to consider is setting aside a common room for visiting and clearly advising patients the times at which this room will be used exclusively for visiting (a sign to this effect could also be posted outside the door to reinforce this notice). Any patient that enters the room during these times would then be choosing to self-disclose that he/she is a patient at the facility.

Q: Is a fax communication under New York law deemed an electronic transmission and thus causes you to be subject to HIPAA? (December 2003)

A: Fax imaging and voice response transmissions are not considered “electronic transactions” and are therefore not subject to the HIPAA transactions standards (i.e., the EDIstandards). If you are a health care provider that communicates information via fax transmission but you do not otherwise engage in any electronic business activities that do constitute transactions under the HIPAA regulations (e.g., billing), you would not be a “covered entity” and therefore would not be required to comply with HIPAA. However, if you are a health care provider that not only uses fax transmissions but also engages in any other electronic business activities that do constitute “transactions” under the HIPAA regulations, then all of your activities, including fax imaging and voice response transmissions, would be subject to the HIPAA privacy and security standards if individually identifiable health information is contained in these transmissions.

Q: Which New York state regulations are more stringent than the HIPAA regulations? (November 2003)

A: The Office of Mental Health Counsel’s Office reviewed the HIPAA Privacy regulations (45 Parts 160 and 164) and a variety of New York State statutes, regulations and other precedent commonly referred to when using and disclosing mental health treatment information. This analysis has been posted on the OMH website. However, it is critical to note that the document is intended for use by the Office of Mental Health and its employees, and is not intended to serve as legal advice to anyone outside of the Office. It is being made available by OMH for general guidance, but covered entities should consult their own attorney for specific legal advice concerning their HIPAA compliance.

Q: Do NYS health proxies need to be amended to include the new HIPAA language regarding release authority (e.g. 42 USC 1320d and 45 CFR 160-164)? (November 2003)

A: For purposes of HIPAA, persons who are named as health care proxies become a patient’s personal representative when the proxy authority goes into effect (i.e., the patient becomes incapacitated). The NYS Public Health Law contains the requirements for health care proxies in New York State. Questions regarding the impact of HIPAA on this law should be directed to the Department of Health.

Q: We have a mental health clinic and treat children. The question is with regard to parent's rights to access their children's records. Is there an age at which the parent cannot access the records without the child's consent? (November 2003)

A: The term “minor” is defined in the Mental Hygiene Law as an individual who has not attained the age of 18. Generally, parental consent is required to treat minors and the right to access clinical records follows the authority to consent for treatment. There are a number of exceptions to the requirement for parental consent to treatment of minors, which are set forth in Section 33.21 of the Mental Hygiene Law. For example, parental consent to treat is not required in cases where a minor is emancipated or is on voluntary status on his or her own application pursuant to section 9.13 of the Mental Hygiene Law. Another example, in cases where outpatient treatment is sought, is where a parent or guardian has refused to give consent and a physician determines that treatment is necessary and in the best interests of the minor, the treatment can be provided without parental consent. In all of these cases, if parental consent is not legally required in order to provide treatment, then the minor must consent to the parent’s access to his or her clinical information in connection with that treatment.

Q: We are an outpatient clinic. We have requested protected health information from local hospitals to complete Incident Reports for OMH and QCC-100's for the Commission on Quality of Care as we are required to do. The hospitals are refusing to release any information, and are requesting a signed authorization. They stated that they would only release such information for their own health care operations, not ours. We requested basic information, such as dates of stay, if applicable, and cause of death. Does HIPAA allow the release of such information under health care operations required by law? In some cases, there would be no other resource to obtain the information. (October 2003)

A: The HIPAA privacy rules set forth conditions under which a covered entity is allowed, or permitted, to release individually identifiable health information without patient consent or authorization. However, unless there is a specific State or federal law that mandates the reporting of information, HIPAA would not otherwise require covered entities to share such information. Therefore, there is nothing in HIPAA that would prevent a hospital from electing not to disclose information to another covered entity for a health care operations purpose without patient consent or authorization. There is currently no state law that would require a facility licensed by the Department of Health to report the type of information you describe, for the purpose you describe, to the Office of Mental Health. If there is no other way to obtain certain information and obtaining patient consent or authorization is not a possible strategy, the reasons why such information is lacking from the report and could not be obtained should be documented and the report be completed to the greatest extent possible.

Q: We are a Mental Health Agency for Children. Once our Social Workers have given the parent or guardian a Notice of Privacy Practices, and received back a signed Consent For Treatment form , and a signed Privacy Practices Policy Receipt form have we met our HIPAA obligations? Note that all of our mental health records are secured under lock and key with only authorized access and all of our electronic transmissions are done via HIPAA compliant software. (October 2003)

A: Assuming that you have determined that you are a "covered entity" under HIPAA (e.g., you are a health care provider that engages in standard electronic transactions), then you must be in compliance with HIPAA regulations governing electronic data interchange, privacy, and security. Therefore, if you are a covered entity, you need to examine all 3 sets of regulations and be compliant with each.

With sole regard to the HIPAA Privacy regulations, each covered entity is required to appoint a Privacy Official or equivalent. The Privacy regulations also set forth a number of administrative requirements for covered entities. For example, in addition to the appointment of a Privacy Official, covered entities must: (1) have HIPAA compliant privacy policies; (2) have or develop certain organizational processes and systems to be able to account for information disclosures and allow individuals to access and amend their health information; (3) if you are a health care provider, you must develop and utilize a privacy notice and an authorization form; (4) develop and implement business associate contracts; (5) develop a workforce privacy training course; and (6) document your determinations.

You are also required to have certain policies and procedures in accordance with the HIPAA Security regulations. Although your description of your activities to date suggests that you have made good progress toward becoming compliant with the applicable regulations, it also appears that there are a number of activities that may still need to get underway in order for you to fully meet the requirements of all 3 regulations. It is recommended that you consult with your agency's attorney to tie up any loose ends.

Q: What are the specific provisions of "Mental Hygiene Law 33.16"? (October 2003)

A: In general, New York State Mental Hygiene Law Section 33.16 sets forth the ability of a "qualified person" (i.e., the patient or a person with legal authority to make health care decisions on behalf of the patient) to access mental health treatment records and the procedures that must be followed as a matter of State law in providing such access. A copy of this section of law can be obtained by contacting the New York State library, at www.nysl.nysed.gov.

Q: Does a provider violate confidentiality if other patients can see the names of patients on urine specimens? (October 2003 )

A: The HIPAA regulations are not intended to impede customary and necessary practices, but they are intended to ensure that covered entities use reasonable safeguards to ensure that PHI will be protected. Common sense and a reasonable standard of care are necessary to fulfill the goals of HIPAA.

For example, HHS has stated that calling a patient's name in a waiting room is a customary practice, and is a permissible incidental disclosure, so long as the information disclosed is appropriately limited. The HIPAA Privacy rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called. However, these incidental disclosures are only permissible when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate (for example, when using sign-in sheets, the sheets should not display medical information, such as the medical problem about which the patient is seeing the physician, when signing in). If there are no reasonable measures that could be employed that would shield the names of patients on specimen containers, this may be considered an "incidental disclosure" under HIPAA. However, it is recommended that a covered entity examine whether or not there are any reasonable alternatives that might be considered, such as having patients place their labeled specimens inside an unlabeled container, or handing their specimens directly to a staff person, before continuing this practice.

Q: We provide no billable services. Under HIPAA are we obligated to make copies of records for inactive clients seen over 8 years ago? (October 2003)

A: Even if you provide no billable services and do not bill electronically, you may still be considered a "covered entity" for purposes of HIPAA, because "billing" is only one of a number of "electronic transactions" that may cause a provider to be a "covered entity" under HIPAA. For example, other transactions that are included in the list of "standard transactions" are the 270/271 eligibility inquiry and response or the 278 service authorization. Therefore, you need to more fully examine your agency's activities to ensure that , besides billing, you do not engage in any of the other enumerated transactions that would cause you to meet the definition of a "covered entity" health care provider.

If you determine that you are, in fact, a covered entity under HIPAA, then you must maintain documentation of all PHI disclosures for a period of 6 years. In other words, HIPAA does not require covered entities to release a patient's medical record after 8 years of inactivity.

However, the inquiry does not stop here. Even if you are not a "covered entity" under HIPAA, it is important to note that NYS Mental Hygiene Law Section 33.16 would permit a "qualified person" (i.e., the patient or a person with legal authority to make health care decisions on behalf of the patient) to request access to a clinical record that is "in the possession" of a facility. Therefore, if a qualified person requested access to an 8 year old record of an inactive patient that was nonetheless still in the possession of a facility, and the grounds for withholding the information were not met, that information should be released as a matter of State law. It is recommended that you consult with your program attorney to clarify exactly what legal requirements are applicable to you in this regard.

Q: What are the general rules and forms to implement HIPAA regulations for psychologists? (September 2003)

A: The first step for any health care provider in determining what is necessary for HIPAA compliance is to determine whether or not it is, in fact, required to comply with the HIPAA regulations. The HIPAA regulations apply to “covered entities,” which include health care plans and health care clearinghouses. They also apply to health care providers, but only to those who conduct certain financial and administrative health care transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary of the federal Department of Health and Human Services (HHS) under HIPAA, such as electronic billing and fund transfers. If you are a psychologist with a private practice , you should first determine whether or not you engage in any of the standard electronic transactions that will cause you to be a “covered entity” under the HIPAA regulations. If you are a “covered entity,” generally, required privacy activities include: (1) notifying patients about their privacy rights and how their health information can be used; (2) adopting and implementing privacy practices for your practice, hospital, or plan; (3) establishing and using a patient authorization form that meets HIPAA requirements to record patient permission to use and disclose their health care information in accordance with the rules; (4) training employees so that they understand the privacy procedures; (5) designating an individual to be responsible for seeing that the privacy procedures are adopted and followed; and (6) securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Notably, there is no standard set of forms prescribed by HHS, so each covered entity is responsible for developing its own, based upon its own circumstances. OMH has posted the forms and policies that the State operated psychiatric facilities will be using in fulfillment of HIPAA compliance, but these forms and policies are only applicable to, and required to be used by, the mental health providers that are directly operated by New York State. While mental health providers that are licensed by OMH, as well as others, are welcome to refer to these forms and policies for educative guidance, they should work with their own attorneys to develop forms and policies unique to their own HIPAA compliance efforts.

If you are a psychologist in private practice and have determined that you are a covered entity under HIPAA, you may wish to contact the State Education Department or a trade association of psychologists to determine how others sharing your circumstances have developed their HIPAA compliance strategies.

Q: When a patient signs an authorization to release written information to another agency, should you attach both a copy of the acknowledgement of NPP and signed authorization or just the signed authorization to the information you are sending? (August 2003)

A: There is no requirement in HIPAA that a copy of the acknowledgement of the notice of privacy practices be affixed to authorizations. Therefore, this is an individual business decision that this provider needs to make.

Q: As an OMH certified county mental health clinic, are we mandated to use the OMH Notice of Privacy Practices form or can we use a "modified" "shorter" version? (August 2003)

A: The OMH Notice of Privacy Practice forms an internal document. While OMH requires it to be used by State operated facilities or programs, it has been made publicly available to others only for education and guidance purposes. While licensed or funded mental health providers that are covered entities are required by HIPAA to distribute a Notice of Privacy Practices (NPP) , they can and should develop their own NPP that accurately reflects how THEY may use/disclose patient information.

Under HIPAA, effective April 14, 2003, health care providers that are covered entities must establish procedures to provide every patient (and personal representative of the patient, if applicable) an NPP at the time of first service delivery. Health care providers are permitted to provide a short notice that briefly summarizes the patient's rights, as well as other information, provided that the standard NPP is layered beneath the short notice; the short notice, however, cannot be a substitute for the full NPP.

HIPAA also provides that covered entities must employ every reasonable effort to obtain a written acknowledgement from the patient indicating that he or she has received the Notice. If such written acknowledgement cannot be obtained, the reason for failing to obtain the acknowledgement should be documented. Whenever practical, the provider should make continued attempts to obtain such acknowledgement as reasonable and should document these attempts.

Finally, HIPAA requires that the current NPP in effect must be prominently posted by the covered entity provider at each service delivery site. Copies must be available for patients to access at any service delivery site.

Q: Does your office have any information regarding preemption standards for the health care proxies of elderly patients? Does either HIPAA or NY law set a standard for disclosure of information to health care proxies of elderly and adolescent patients. (August 2003)

A: If a person is named the health care proxy of another individual, the health care proxy has the authority to make health care decisions on behalf of the individual if he or she becomes incapacitated and cannot make decisions for him/herself. Under both New York State Law (MHL Section 33.16) and HIPAA, at the time when the person becomes incapacitated and the proxy authority begins, the proxy has the same authority to the individual's health care information as the individual would have had, were he/she not incapacitated.

Q: I am starting to read up on the Security Compliance with HIPAA. I ran across an article regarding "Confidentiality of Alcohol and Drug Abuse Patient Records." Where can I find more information about this? (July 2003)

A: Title 42 of the Code of Federal Regulations (CFR), Part 2, sets forth the standards related to the disclosure of alcohol and drug abuse patient records. The full text of 42 CFR Part 2 is available at www.access.gpo.gov/nara/cfr/waisidx_02/42cfr2_02.html . You may also wish to contact the NYS Office of Alcoholism and Substance Abuse Services at their website, www.oasas.state.ny.us , for more information with regard to these regulations.

Q: I work for a non-profit, peer-run agency. Am I allowed to discuss and disclose pertinent consumer information to fellow staff? (July 2003)

A: First, you must determine what laws or requirements about the sharing of confidential mental health information govern the operation of your particular agency. If you meet the definition of a "covered entity" under HIPAA (for example, you provide health care services and engage in at least one of the standard electronic transactions, such as billing Medicaid), then you will be bound by the HIPAA privacy and security regulations (45 CFR Parts 160, 164). If you have a "Business Associate Agreement" with another covered entity, even if you are not a covered entity yourself, then you will be bound by the HIPAA privacy and security regulations. If you are licensed by the NYS Office of Mental Health, then you are bound by the provisions of NYS Mental Hygiene Law Section 33.13. If you are neither of these, then you may be bound by terms of a contract (if you receive funding from the county local mental hygiene department or OMH). So first, it is important to determine what laws or requirements do or do not apply to you. You should ask your supervisor to help you find the right person in your organization to advise you whether or not the agency that you work for has not made a determination as to whether or not it is covered by HIPAA, and whether or not you are licensed or funded by OMH, and who can help you identify what rules apply in the situation you describe.

Assuming that you are a "covered entity" under HIPAA and/or that you are licensed by OMH, you probably would be permitted to reveal, or internally "use" information with other staff within your agency that are also involved in providing services to a particular client. You should not, however, reveal information to anyone within your agency that has no "need to know" the information in order to provide services to the patient, and you probably should only reveal the minimum amount of information necessary for the purpose of the disclosure. Again, however, you really need to speak with the right people within your organization to determine what rules or contractual requirements apply to your particular agency.

Q: Are there stricter rules for SPOA applications that require Health careproviders to have individuals sign authorizations prior to being allowed to present a case at SPOA meetings? (July 2003)

A: Although your own attorney should provide you with specific legal guidance in this case, the answer here is "probably no," if the information is being shared for treatment purposes. In that case, New York State law is probably stricter than HIPAA in terms of determining whether or not patient consent/authorization is needed to make the disclosure, since HIPAA does not require patient consent to make disclosures for treatment purposes. However, if the disclosure is not permitted in the NYS Mental Hygiene Law without patient consent (e.g., if the provider receiving the information is not operated, licensed, or funded by OMH or has no other "nexus" with OMH), then consent would still be needed.

HIPAA does not specifically address the information sharing rules of a structural entity like SPOA. Therefore, if a covered entity health care provider is sharing information in the context of a SPOA, the question to ask is what is the purpose for these disclosures, and is the authorization of the patient needed to make these disclosures? For example, if the disclosures are being made for treatment or care coordination purposes, authorization may not be needed under HIPAA and NYS Mental Hygiene Law Section 33.13(d), depending on the circumstances. Or, if the disclosures are being made in the context of a county's health oversight responsibilities, patient authorization may not be required. However, depending on the organizational construct, it may be that there is no exception under which the disclosures can be made without patient authorization. In this case, the analysis should then turn to whether there is a business associate relationship contemplated in the organization. If so, a business associate agreement would enable the disclosures to occur without patient authorization. This analysis should be undertaken by the organization's attorney.

Finally, assuming the disclosures are permissible without patient authorization, the analysis should turn to good risk management strategies to ensuring the security of the information in the course of the disclosures. Strategies like having participants sign individual confidentiality statements could be considered here, and only those participants having a "need to know" the information should receive it. Finally, steps should be taken to ensure that only the minimum amount of information necessary to fulfill the purpose of the disclosure is released.

Q: We are an outpatient mental health clinic for the treatment of both adults and children. My question concerns multidisciplinary committees (e.g., Single Point of Access) at which client admission, discharge and disposition is discussed in the presence of members from probation, parole, adult protection who are not necessarily involved in the case of every client under discussion. What is our obligation in protecting the privacy of PHI in this instance? (June 2003)

A: First, you need to make sure that the disclosures in question are permissible without patient authorization. Assuming they are, or that the appropriate authorizations are in place to make these disclosures, the analysis should then turn to employing good risk management strategies to ensure that the security of the information is protected in the course of the disclosures. Strategies like having participants sign individual confidentiality statements, while not technically required by HIPAA, could be considered here, and all reasonable efforts should be taken to assure that only those participants having a "need to know" the information receive it. Finally, reasonable measures should be undertaken to ensure that only the minimum amount of information necessary to fulfill the purpose of the disclosure is released.

Q: Who should the agency give the privacy notice to if the client is a child (and not an emancipated minor)? (June 2003)

A: The Privacy regulations provide that the Notice of Privacy Practices is to be given to the "individual," which is defined as the patient or his or her "personal representative." A "personal representative" is a person who has the legal authority to make health care decisions on behalf of another person, e.g., a legal guardian. In most cases, a minor (under age 18) will not have the legal authority to make his/her own health care decisions. In these cases, the child's "personal representative" should be given a copy of the Notice of Privacy Practice and/or sign the authorization to disclose the child's PHI. Please consult your own attorney for guidance in individual cases.

Q: When health oversight activities require a disclosure of PHI, does there need to be an accounting of this disclosure documented? (June 2003)

A: Yes. Disclosures made to health oversight agencies are subject to the right to an accounting of disclosures. However, if, during the time period for the accounting, multiple disclosures have been made to the same entity for a single purpose, the accounting may provide the required information for the first disclosure, and then summarize the frequency, periodicity, or number of disclosures made during the accounting period and the date of the last such disclosure during the accounting period.
Note that the patient's right to receive an accounting of PHI made to a health oversight agency must be suspended if the health oversight agency provides a written statement that indicates that the provision of the accounting would be reasonably likely to impede the activities of the agency and which specifies the time period of the suspension.

Q: I am writing from the Suffolk County Courts, we would like to have a poster outlining or explaining HIPAA that we could place in our record room. Do you have any education or training materials that we could use for this purpose ? (June 2003)

A: Information on OMH training material and how to submit inquiries concerning its training program, is available at www.omh.ny.gov/omhweb/hipaa/training/index.htm.

Q: We are using a HIPAA patient authorization for case management and service coordination. HIPAA indicates that we can indicate an expiring event rather than a date. Are we still obligated to expire the authorizations to 90 days? (May 2003)

A: There is no requirement in the HIPAA privacy regulations that authorizations remain in effect for 90 days or any other specific period of time. However, HIPAA requires authorizations to include an expiration date, condition, or event upon which it will be deemed to have expired (e.g., upon discharge from a program or a facility, or upon reaching the age of 18). The revised OMH-11 form, which is utilized by State operated psychiatric facilities but is not otherwise a mandated form, includes 90 days as one of three options for an expiration date for a one-time use or disclosure. You should consult with your own attorney or Privacy Official to determine appropriate authorization expiration end dates or events for your facility.

Q: To de-identify PHI - Can you use just the person's first name? Is this allowed? (May 2003)

A: The HIPAA privacy regulations specifically describe what must be done to consider PHI "de-identified" so that it may be used and disclosed freely, without being subject to the Privacy Rule's protections. Health information is de-identified, or not individually identifiable, under HIPAA if it does not identify an individual and if the covered entity has no reasonable basis to believe that the information can be used to identify the individual. In order to meet this standard, the Privacy Rule provides two alternative methods for covered entities to de-identify PHI.

First, a covered entity may demonstrate that it has met the standard if a person with appropriate knowledge and experience, applying generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable, makes and documents a determination that there is a very small risk that the information could be used by others to identify a subject of information.

Alternatively, a covered entity may choose to use the Privacy Rule's "safe harbor" method for de-identification. Under this method, covered entities must remove all of a list of 18 enumerated identifiers and have no actual knowledge that the information remaining could be used, alone or in combination, to identify a subject of the information. The identifiers that must be removed include direct identifiers, such as name, street address, social security number, as well as other identifiers, such as birth date, admission and discharge dates, and five-digit zip code. The safe harbor requires removal of geographic subdivisions smaller than a State, except for the initial three digits of a zip code if the geographic unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people. In addition, age, if less than 90, gender, ethnicity, and other demographic information not listed may remain in the information.

Q: We work at a clinic that provides mental health services - do you recommend requiring people to take a number to be called out of the waiting room? What do you suggest in terms of calling people out of the waiting room? (May 2003)

A: The HIPAA regulations are not intended to impede customary and necessary practices, but they are intended to ensure that covered entities use reasonable safeguards to ensure that PHI will be protected. Common sense and a reasonable standard of care are necessary to fulfill the goals of HIPAA.

HHS has stated that calling a patient's name in a waiting room is a customary practice, and is a permissible incidental disclosure, so long as the information disclosed is appropriately limited. The HIPAA Privacy rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called. However, these incidental disclosures are only permissible when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate (for example, when using sign-in sheets, the sheets should not display medical information, such as the medical problem about which the patient is seeing the physician, when signing in).

Q: We have an in-house patient-produced newsletter and a staff "bulletin" where we may print material submitted by a patient or about a patient. For example, a patient writes a poem, receives an award or is highlighted in an article about patients who have quit smoking. What should we do (if anything) about obtaining authorization to print something that may include a patient's name (even if we use first name and last initial only)? (May 2003)

A: Although the newsletter is evidently intended to be an internal document, it is always possible, once printed, that it could be shared outside the facility. Therefore, there is some risk that PHI could be unintentionally, but inappropriately, disclosed. Although you should consult with your own attorney, obtaining permission from patients to use their material or information in the publication may be advisable. It also ensures the patient knows and is comfortable with his/her material or information being published in this fashion.

Q: Can the positions of Privacy Official (or Officer) and Privacy Liaison be combined into one or is it necessary to appoint individuals to each position? (May 2003)

A: The only requirement in the HIPAA privacy regulations with regard to this topic is that each covered entity designate a Privacy Official, who is responsible for the development and implementation of the covered entity's policies and procedures with regard to PHI. No other provisions are found in HIPAA describing what the precise requirements for that position must be.

Because the Office of Mental Health is a large organization, it made a business decision that its privacy compliance plan would benefit from the establishment of an additional role to supplement the work of the Privacy Official, and hence, as a policy decision, established Privacy Liaisons at all of its directly operated facilities. This, however, is not required by HIPAA. As long as you, as a covered entity, have designated your Privacy Official, whether or not you determine additional roles should be established, and how that position would interact with the Privacy Official, is an internal business decision for you to make.

Q: I work in a health office in a public school. I was wondering how HIPAA will affect the way that information is released to other schools when a student transfers from one district to another? (May 2003)

A: There are several initial questions that need to be asked in order to answer this question. First, you need to determine whether or not you are required to be in compliance with HIPAA, that is, are you a covered entity? If you are (i.e. you are a health plan, health care clearinghouse, or health care provider that engages in standard electronic transactions), you are required to comply with the HIPAA electronic data interchange, privacy, and security regulations. If you are not, however, these rules do not apply to your activities.

Secondly, assuming you have determined that you are a covered entity, you need to determine whether or not the records in question are subject to the Federal Educational Rights and Privacy Act (FERPA). "Education records" and records defined at 20 U.S.C. Section 1232 g (a)(4)(B)(iv) are excluded from the definition of PHI. HHS did not include records covered by FERPA within the reach of HIPAA because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA.

Assuming that you are not a covered entity under HIPAA and/or that these records are covered by FERPA, focus should turn to the NYS Education Law which requires parental consent if the school wishes to attach clinical information to a student's educational record. Therefore, if a school wants to transfer a student's clinical information to his/her next school district, along with his/her educational record, parental consent would be required, not under HIPAA, but under State law.

Q: We recently submitted a 'Consent to Release of Information' form, signed by a consumer, to a County Mental Health Department Single Point of Access Program in order to arrange for the consumer's case management and residential services. It was rejected because it was not a HIPAA compliant authorization. I thought that an authorization is not needed for the purposes of treatment. We cannot provide case management or residential services unless we receive client health information, such as diagnosis, etc. Can you clarify this and would you consider giving guidance to the counties regarding this? (May 2003)

A: Unfortunately, the confusing development of the final HIPAA privacy regulations has led to some problems in its implementation. Originally, the HIPAA privacy regulations required general consent for use of PHI for treatment, payment, and health care operations purposes (TPO), and specific authorization for other uses. When the regulations were finally adopted, the requirement for general consent for TPO purposes was removed (i.e., PHI could be used/disclosed for TPO without patient consent or authorization), and the specific authorization remained as the sole required document for establishing a person's permission to use/disclose PHI for any other purpose (unless an exception applies). However, under New York State law, "consent" is still required for certain uses and disclosures of PHI, some of which would not require any patient permission under HIPAA, and therefore, the New York State law would control. For example, under NYS Mental Hygiene Law Section 33.13, consent is not needed to exchange information for treatment purposes with a NYS licensed mental health provider, but it may be required if the information is being exchanged with an out of state provider that is not licensed by OMH, even if the purpose of the disclosure is for treatment.

Since the consent requirement was removed from HIPAA, there is no guidance as to what information must be contained in a document that requires "consent" under New York law but does not rise to the level of a use or disclosure that would require an "authorization" under HIPAA. Therefore, as a matter of practice, many covered entity providers, including OMH, are utilizing documents that fulfill the HIPAA authorization requirements to establish any patient permission to use/disclose PHI, even if technically a HIPAA authorization is not legally required. However, in cases where some sort of patient permission is required under New York State law, it may be simply easier to work with only one document for all situations, as opposed to two.

It is possible that the SPOA mechanism in your county is utilizing standard forms to record patient permissions that meet the HIPAA authorization requirements, for all purposes where patient permission is needed. Therefore, even though you are correct that patient authorization is not needed to release PHI for treatment purposes under HIPAA, patient "consent" may still be required under New York State law (i.e., Mental Hygiene Law or Public Health Law), depending on the circumstances. The SPOA likely wishes to use uniform documents in all cases, and therefore wants all patient permission documents to meet HIPAA authorization requirements. It is important to remember that the HIPAA privacy rules are intended to set a floor, not a ceiling, of privacy requirements. Providers can always offer individuals more control of their information than is required by HIPAA.

We recommend contacting the County again to clarify that they are using standardized documents; if so, you may wish to consider either utilizing forms developed by the County for this purpose or making necessary modifications to your forms so that you are able to easily obtain the information you need.

Q: I represent an OMH licensed program and I would like to use the OMH training manual and video (as found on the OMH HIPAA web site) to train our own workforce. Should every staff member get a copy of the OMH Privacy Policy Manual as a part of the training or is a copy of the Learning Program, along with a viewing of the videotape, sufficient. Are we required to post the OMH Notice of Privacy Practices at each of our locations? (April 2003)

A: All OMH-developed HIPAA materials - training video, policy manuals and forms - have been prepared for internal use by the NYS Office of Mental Health (the 'State') and its employees. These materials were not intended to serve as legal advice to any other individuals or entities. The State expressly disclaims: (a) any warranties or representations as to the accuracy or completeness of the information contained herein; and, (b) any responsibility of liability to third parties who may rely upon it. Individuals and entities that wish legal advice are advised to consult their own attorneys.

However, OMH has no objections if a licensed MH provider wants to use any of these materials for the purpose of workforce training or as a template for developing their own HIPAA forms and materials. As a covered entity under HIPAA, you are required to provide patients with a written Notice of Privacy Practices (NPP) and to prominently post the Notice at each service delivery site. The NPP must provide a clearly written explanation of how your organization will use and disclose patient health information, and also inform patients of their rights with regard to their health information under the federal privacy regulations. The wording of OMH's own NPP is probably not appropriate for your organization and you should consult with your lawyer in this matter.

Q: How do HIPAA privacy regulations apply when a covered entity sends psychiatric inpatient information to State operated mental health treatment facilities (e.g., Creedmoor), or other providers of mental health care? Currently, our patients do not give consent for release in these cases. Because these releases are being made for continuity of care (i.e., a treatment purpose), are patient authorizations required? (April 2003)

A: Assuming that the covered entity disclosing the inpatient health information (or PHI) is an OMH licensed mental health treatment provider, and the purpose of disclosure is treatment or care coordination, patient authorization is not required. Under HIPAA, patient authorization is only required if PHI is disclosed for a purpose other than treatment, payment or health care operations (TPO for short) or if certain other exceptions do not apply (e.g., for health oversight purposes, for law enforcement purposes, or if the use/disclosure is required by law.) Under the NYS Mental Hygiene Law, patient consent is not required if the disclosure is being made to a facility licensed or operated by the Office of Mental Health, to a facility operating under standards developed by the Commissioner of OMH, or to a provider that is included in a county's local or unified services plan (see NYS Mental Hygiene Law Section 33.13(d)). Of course, your own attorney or HIPAA Privacy Official should be consulted for specific advice.

Q: With the consent, PHI can be disclosed for "treatment" purposes. Does the individual/ facility receiving the information have to be a "health care provider" to be covered with the consent or can they be a "third party" involved in treatment? Examples of people in question are PINS Workers, Probation Officers, DSS Caseworkers (other than CPS), teachers, SPOA members, etc. (April 2003)

A: Amendments to the HIPAA privacy regulations removed the requirement to obtain consent before using or disclosing PHI for treatment purposes (please note, however, the Mental Hygiene Law still requires patient consent before disclosing information for treatment purposes in some circumstances; see question above). "Treatment" generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. However, care must be taken in over-generalizing disclosures as "treatment disclosures." Unless another exception applies, some of the disclosure sources you cite (e.g. teachers), depending on the circumstances, may require patient authorizations. Please consult your own attorney or HIPAA Privacy Official for specific guidance.

Q: We run 2 OMH certified residences and I am looking for the standard surrounding releasing information to family (not necessarily involved in client care) and to other organizations involved in client care, such as day programs. Is it not the case that releases are required in both cases? If the client reads the Privacy Notice that says that we can release to these groups does that client have to specifically object to its use in writing? (April 2003)

A: There is no provision of Mental Hygiene Law Section 33.13 that would permit families of adult patients to have access to their relative's clinical record or to privileged information contained in it without that relative's authorization (assuming the adult patient is not mentally incapacitated). Families must obtain their relative's authorization in order to be granted access to the relative's clinical record or to information that should be kept between therapist and patient.
A Notice of Privacy Practices cannot change legal requirements. Therefore, it would be improper for a covered entity to indicate on its Notice that information could be provided to family members without patient authorization.

Q: Is there any provision of HIPAA that would allow an OMH-licensed community residence for adults to file a missing persons report with the police and contact hospital emergency departments if a client did not return to the facility within 24 hours of when he/she was expected to return? (April 2003)

A: The HIPAA privacy rule specifically provides that a covered entity can disclose a limited amount of protected health information in response to a law enforcement official's request for such information to identify a missing person. Covered entities may also use or disclose protected health information under HIPAA if the entity believes in good faith that the use or disclosure is necessary to prevent or lessen a serious or imminent threat to a person or the public, and the disclosure is made to someone reasonably able to prevent or lessen the threat, or the disclosure is to law enforcement authorities to identify or apprehend an individual who has admitted to violent criminal activity that likely caused serious harm to the victim or who appears to have escaped from lawful custody. Disclosures of admitted participation in a violent crime are limited to the individual's statement of participation and are not permitted when the information is learned in the course of treatment to affect the propensity to commit the subject crime, or through counseling, or therapy, or a request to initiate the same. Please consult your own attorney or HIPAA Privacy Official for specific guidance in individual circumstances.

Q: It is my understanding that a mental health clinic does not need written authorization to release information for treatment, payment and operations purposes. In the forms I received from my agency, which were developed using a "HIPAA kit," I am noticing both Consent for Release AND Authorization for Release of Information. The Authorization is more detailed and specific. If I am correct in that we do not need an authorization for the reasons listed above, when would we use the Consent for Release? I would imagine that we would either not need any consent or we would need the more formal Authorization. (April 2003)

A: You are correct that the HIPAA privacy regulations do not require patient consent for uses and disclosures made for treatment, payment and health care operations purposes. However, in some cases, New York State law may still require patient consent for some treatment disclosures. You should go back and ask your agency why it provided both forms, and what their intended use is.

Q: As an outpatient provider of both adult and children's mental health services, we frequently need to discuss our consumers with probation officers, teachers, etc. Does this require patient authorization, since they are not treatment providers? Does each interaction require that we log it on a personal health inventory sheet? (April 2003)

A: Authorizations to make these disclosures may indeed be needed, depending on the purpose of the disclosure. When disclosures are made, they should be recorded so that a covered entity is able to respond to a patient's "request for an accounting of disclosures." Your agency's HIPAA Privacy Official should be able to advise you as to how and where you should record these disclosures, consistent with your agency's practices and procedures.

Q: Is a twelve-year old patient allowed to sign a release of information? (April 2003)

A: Authorizations should be signed by the individual who has health care decision-making authority for the patient. In most cases, a minor (under age 18) will not have the authority to make his/her own health care decisions. In these cases, the child's "personal representative" should sign the authorization. Please consult your own attorney for guidance in individual cases.

Q: In reviewing OMH consents/authorizations, do we need specifically add a section about 42CFR (Alcohol and Drug Abuse) for clients who are dually diagnosed? (April 2003)

A: The federal regulations governing the confidentiality of alcohol/drug treatment information apply to "federally funded alcohol or drug abuse treatment programs." In New York, a good way to identify if you are a "federally funded alcohol or drug abuse treatment program" is to see if you are required to be licensed by the NYS Office of Alcoholism and Substance Abuse Services (OASAS) and/or if you receive any funding from that agency. A provider that is licensed by the Office of Mental Health that does not have an OASAS license or an OASAS licensed unit, and whose primary function is NOT the provision of alcohol/drug services, is likely not a "federally funded alcohol or drug abuse treatment program" even if patients in its general population are diagnosed as having a drug or alcohol abuse problem and/or these issues are reflected in the patient's clinical record. If you are, in fact, a federally funded alcohol/drug abuse treatment program, then you must ensure that your records are released in accordance with both 42 C.F.R. Part 2 and the HIPAA privacy regulations, and the current OMH-11 form would not be sufficient.

Q: Is it best for residential providers to use HIPAA's individualized Authorization or continue using the release of information we have always used? (April 2003)

A: If information that, under HIPAA, requires an authorization before it can be released, the authorization must meet HIPAA requirements in order to be considered a valid authorization. In general, to be legally valid under HIPAA, an authorization must include at least the following: (1) a specific and meaningful description of the information to be used and disclosed; (2) the name or identification of the person or class of persons authorized to make the use or disclosure; (3) the name or identification of the person or class of persons to whom the requested use or disclosure is to be made; (4) the purpose of the disclosure (unless, if the disclosure is being made at the request of the patient, no other purpose need be identified); (5) an expiration date, condition or event that relates to the individual or the purpose of the use or disclosure; (6) a statement that the patient may refuse to sign the authorization; (7) a statement that unless an exception applies, treatment, payment, or eligibility for benefits may not be conditioned on the patient's provision of an authorization for the use or disclosure of PHI; (8) a statement identifying any remuneration to the covered entity for the use or disclosure; (9) a statement of the patient's right to revoke the authorization in writing, and exceptions to the right to revoke, together with a description of how the patient may revoke the authorization; (10) a statement that the information can only be re-released with the written authorization of the patient, unless required by law; (11) the dated signature of the patient; and (12) if the authorization is signed by a personal representative of the patient, a description of the representative's authority to act on behalf of the patient. You should consult your own attorney or Privacy Official to determine if your authorization meets these requirements.

Q: Who signs the authorization to release patient information for clients in family care? Is a patient's capacity to authorize disclosure of his/her PHI determined on admission to the program? (April 2003)

A: Authorizations should be signed by the individual who has health care decision-making authority for the patient. Authorizations for a person who has been determined not to have capacity to make his/her own health care decisions should be signed by the individual who has such authority.

Q: Do you have information for consumers about what HIPAA is in Spanish? (April 2003)

A: Each covered entity is responsible to develop its own written Notice of Privacy Practice (NPP) and should provide a foreign-language version NPP to its non-English speaking consumers.

Q: What is the procedure to be HIPAA compliant when a multitude of non- covered entities (other agencies, teachers, client advocates, client family members) are participating in case discussions in a utilization review fashion, as is typically found in a Single Point of Access meeting? What steps should be taken to ensure patient confidentiality? If the case involves a minor, parents sign releases acknowledging what agencies and groups will be in attendance. Do we need to train agency staff or enter a business associate agreement with them? (April 2003)

A: The first question to consider is what is the structure under which the non-covered entities are organizing, and is that structure a covered entity under HIPAA? HIPAA only comes into consideration when a covered entity is using or disclosing information. So, in a vacuum, a group of non-covered entities do not need to follow any procedures to be HIPAA compliant since they are not bound by HIPAA.

If there is an overarching organizational structure, which is a covered entity under HIPAA, under which the non-covered entities are participating, or if covered entities are using or disclosing PHI during these Single Point of Access meetings, then HIPAA concerns do need to be addressed. If this is the case, the next question to ask is what is the purpose for these disclosures, and is the authorization of the patient needed to make these disclosures? For example, if the disclosures are being made for treatment or care coordination purposes, authorization may not be needed under HIPAA and NYS Mental Hygiene Law Section 33.13(d), depending on the circumstances. Or, if the disclosures are being made in the context of a county's health oversight responsibilities, patient authorization may not be required. However, depending on the organizational construct, it may be that there is no exception under which the disclosures can be made without patient authorization. In this case, the analysis should then turn to whether there is a business associate relationship contemplated in the organization. If so, a business associate agreement would enable the disclosures to occur without patient authorization. This analysis should be undertaken by the organization's attorney.

Finally, assuming the disclosures are permissible without patient authorization, the analysis should turn to good risk management strategies to ensuring the security of the information in the course of the disclosures. Strategies like having participants sign individual confidentiality statements could be considered here, and only those participants having a "need to know" the information should receive it. Finally, steps should be taken to ensure that only the minimum amount of information necessary to fulfill the purpose of the disclosure is released.

Q: I work at a University Hospital hospital where we have several programs licensed by OMH. Do we need to have a business associates agreement (or addendum to) with OMH in order to comply with HIPAA? Does a healthcare facility with programs licensed by OMH need to obtain a business associates agreement with OMH in order to comply with HIPAA? (April 2003)

A: Probably not. Remember, HIPAA is a federal law, not an OMH regulation. Assuming the protected health information (PHI) is being shared for treatment purposes, and that it is being shared with OMH state-operated or licensed facilities, facilities included in a local/unified services plan, or facilities operating in accordance with standards set by the Commissioner of OMH, it can be shared without patient consent or authorization. A "business associate agreement" would only be needed if an entity were performing a service for or on behalf of a covered entity (like OMH) for which access to PHI was necessary in order to provide the service. In this case, the "business associate agreement" would permit the covered entity to share PHI with the business associate without patient authorization. Health care facilities are licensed by OMH to provide mental health services directly to patients - not for or on behalf of another covered entity - therefore, a business associate relationship with OMH is not contemplated and no business associate agreement is necessary.

Q: Our agency provides mental health services in an adult home as the onsite clinic. Is Goodwill, as a workshop program that does not provide mental health treatment, considered a Business Partner or a Covered Agency? How about vocational programs or psychosocial clubs? Are these Business Partners or Covered entities? In an adult home setting (HFA), where our agency provides onsite clinic services, is a Business Associate Agreement required in order to communicate with the adult home? (April 2003)

A: OMH cannot make a legal determination with regard to whether the programs you cite are covered entities under HIPAA because not enough information is provided to make that determination. However, you would only need a business associate agreement with the workshop program if it is providing a service for you or on your behalf for which PHI is necessary to provide the service; if this is the case, you can enter into a Business Associate Agreement with the program to provide them with that PHI without patient authorization. However, you could always simply obtain patient authorizations to make disclosures to the workshop program, the vocational program, or the psychosocial club. Also, if you are able to characterize the types of disclosures you are making (e.g. to the adult home) as treatment disclosures, and the disclosures are permissible under the Mental Hygiene Law without patient consent, you could make the disclosures without patient authorization and without having to obtain a business associate agreement. Remember, however, that if you can obtain patient authorizations to make disclosures, this removes the need to explore whether or not the entities to which you wish to disclose information are covered entities or business associates.

Q: As a mental health professional, where can I find my rights as a clinician to withhold information from a client if it is in his/her best interest? (April 2003)

A: Under the Mental Hygiene Law, these provisions are found in Section 33.16. Under HIPAA, these provisions are found in 45 C.F.R. Section 164.524.

Q: I was told that there is a comparison on your website comparing OMH/OASAS/HIPAA regulations. I was unable to access this information. (April 2003)

A: The OMH HIPAA website includes a comparison of 42 C.F.R. Part 2 in the OMH preemption analysis (click on 'What's New' and scroll down to the last bullet for the link to the OMH Preemption Analysis). Please note that this comparison was done by OMH, not the Office of Alcoholism and Substance Abuse Services (OASAS).

Q: Do New York State/New York City regulations differ from the federal HIPAA regulations? Where can I find the New York State/New York City regulations? (April 2003)

A: For a comparison with New York State regulations, consult the OMH Preemption Analysis (posted on the OMH HIPAA web site). For a comparison with New York City regulations, please contact the New York City Department of Health and Mental Hygiene.

Q:
1) Is a videotape considered part of the record?
2) Can the patient request and then receive a copy of the tape?
3) Where and how should the tape be stored?
4) Can the tape be reused or should it be destroyed when it is at the end?

A: In making a determination as to whether or not a videotape is part of a clinical record, or designated record set under HIPAA, the purpose of why the videotape was made is the key. For example, if it is being done for treatment purposes and is used to make treatment decisions about the patient, then arguably it is part of the record. Therefore, it would be subject to the same rights as any other part of the record that a patient chooses to exercise. Security follows Privacy in definition of PHI: Privacy includes visages if it is personally identifiable. Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. Rationally, it is PHI and electronic (although analogue, rather than digital). For OMH operated programs, the security required would be as follows: Storage: locked office. Disposal: shredding. Resource document: IS Security Policy - Info Classification Section.

Q: Since a Continuing Day Treatment Program provides group therapies in a therapeutic community setting, how does HIPAA apply to the following? Sign-in sheets have always had the roll of clients on them. Will this now be disallowed? In the Day Treatment group rooms there are collages and picture frames of events that the clients participated in such as Anniversary Parties, Cultural Programming, Graduations, etc. Will such photo collages be disallowed in the CDTP-only common areas? Must the "client of the year" plaque be removed from display? The clients like to videotape events such as the Anniversary Party Talent and Fashion shows for their later viewing. (Never to be displayed outside of the CDTP). Under HIPAA is this now prohibited? If I understand what I read, the schedule of a client who needs a lot of assistance to remember/find scheduled groups can no longer be displayed? In the CDTP setting, a client can no longer be paged by first and last name? Basically, a CDTP provides more than the individual treatment that a clinic does. In such an environment, what changes have to be made and what can still be considered acceptable and allowed under HIPAA with respect to shared groups and common areas? (April 2003)

A: Many customary treatment communications and practices play an important or even critical role in ensuring that patients receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which patients receive health care or other services from covered entities, the potential exists for health information to be disclosed "incidentally." While covered entities should use their best efforts to implement the minimum necessary privacy standards and take reasonable safeguards to protect PHI, incidental disclosures (such as a patient overhearing a fragment of conversation
about another patient) are generally not considered to be impermissible disclosures under HIPAA.

Common sense should be employed in making a determination as to whether or not a disclosure is a permissible incidental disclosure. There are some activities that could result in unintentional disclosures that, by their nature, reflect both a lack of understanding of the need for confidentiality and a lack of care in taking reasonable safeguards to protect PHI. Because such unwitting disclosures are easily preventable, they would not be considered permissible incidental disclosures and could, in fact, be considered violations of the HIPAA privacy regulations. Examples of impermissible incidental disclosures might include posting patient art work in public areas with the patient's name on it, without his or her authorization to do so; leaving a clinical record in an unsecured area; disposing of unshredded materials containing PHI in a public trash can; and/or discussing a patient with a colleague in an area where non-authorized personnel can easily overhear the discussion.

Examples of permissible incidental disclosures might include: direct care staff verbally coordinating services at, e.g., nursing stations; nurses or other health care professionals discussing a patient's condition over the phone with the patient, a provider, or family member; a health care professional discussing laboratory test results with a patient or other provider in a joint treatment area; a health care professional discussing a patient's condition or treatment regimen in the patient's semi-private room; health care professionals discussing a patient's condition during training rounds in an academic or training institution; or a pharmacist discussing a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.

Q: The place where I obtain my mental health services ---- there is a glass wall where the consumers go up and register when they arrive. Often, the counselors and secretaries discuss cases at the window so that I can hear them. Is this against the HIPAA Law and what can I do about it? (April 2003)

A: It may or may not be considered a HIPAA violation, depending on whether or not the disclosures could be considered permissible "incidental" disclosures, as described in the previous question. The Notice of Privacy Practices with which the facility should have provided you should contain information on how you would file a complaint, if you feel your rights have been violated under HIPAA.

Q: We have file cabinets in the Admissions Lobby. Each drawer has a lock on it. Is this sufficient to protect the information in a patient area? (April 2003)

A: Neither the HIPAA Privacy rules nor the Security rules identify the specific physical safeguards that must be applied to protect the privacy and security of PHI. Therefore, risk analysis is a key requirement of both of these rules. This analysis should identify and assess risks and provide recommendations to reduce risk to a reasonable and appropriate level. While storing protected health information in locked file cabinets is one way to safeguard PHI, lacking information on how and where the cabinet is stored, and who has access to its keys, a definitive answer to your question cannot be provided. An accurate risk analysis would need to be done on-site by persons familiar with your organization before a determination could be made as to whether or not the locked files cabinets offer sufficient security in light of the potential threats to the PHI. Please consult your own attorney or Privacy Official in this matter.

Q: If insurance forms are NOT submitted electronically do we need to comply with HIPAA? Can a specific release form example be obtained from the 'State'? If the insurance company asks for psychotherapy notes or evaluations, do we need patient authorization in order to release such information? (April 2003)

A: Generally speaking, health care providers that do not bill or transmit protected health information electronically are not required to comply with HIPAA. There are no State waivers that would release a health care provider, health plan or clearinghouse from the HIPAA requirements. To determine if you are a covered entity under HIPAA, please review CMS' Covered Entities Decision Tool (on the OMH HIPAA homepage, click on 'Information for Counties & Providers, then on 'General', then on 'Additional Resources/Related HIPAA Sites' and the first link under 'Centers for Medicare and Medicaid Services') or consult with your own attorney or Privacy Official.

With regard to your inquiry about psychotherapy notes, you should carefully review the definition of "psychotherapy notes" as found in 45 CFR Section 164.501: "Psychotherapy notes" means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date."

Be aware that the term "psychotherapy notes" has little application in the NYS mental health system. Providers directly operated by the Office of Mental Health are required to include everything in the Uniform Case Record; psychotherapy notes are generally not used at all in the State operated system. New York State regulations that govern OMH licensed providers identify what needs to be included in the clinical record, all of which is excepted from the HIPAA definition of "psychotherapy notes." It is important to remember that the term "psychotherapy notes" is not synonymous with "mental health treatment record" in New York State.

However, if you do get a request for information that meets the HIPAA definition of "psychotherapy notes," patient authorization is required before you can release that information.

Q: How much coverage does an organization have when they receive a signed confidentiality statement from their business associates? (March 2003)

A: The Privacy Rule allows covered providers and health plans to disclose protected health information (PHI) to its "business associates" without obtaining patient consent or authorization to do so if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity and that the protected health information it receives or creates on behalf of the covered entity will be appropriately safeguarded. The satisfactory assurances must be in writing, either in the form of a contract or other agreement between the covered entity and the business associate (e.g., a "Business Associate Agreement." Sample "Business Associate Agreement" provisions are included in the Appendix to the Preamble in the August 14, 2002 version of the HIPAA Privacy Regulations). Covered entities may disclose protected health information to a business associate only to help the covered entity carry out its health care related functions (e.g., treatment, payment, or health care operations purposes) - not for the business associate's independent use or purposes.

The HIPAA Privacy rule does not require covered entities to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract/agreement. Nor is the covered entity liable for the actions of its business associates. However, if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, it must terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services, Office for Civil Rights.

With respect to business associates, a covered entity is considered to be out of compliance with the HIPAA Privacy rule if it fails to take the steps described above. If a covered entity is out of compliance with the rule because of a failure to take these steps, further disclosures of PHI to the business associate are not permitted. In cases where a covered entity is also a business associate, the covered entity is considered to be out of compliance with the Privacy rule if it violates the satisfactory assurances it provided as a business associate of another covered entity.

Q: I am a Psychologist who does not submit any type of electronic information or claims forms. My reading of the HIPAA laws indicates - I think - that I do not have to file a compliance plan at this time. Is this correct? In anticipation of future demand by carriers that I use electronic billing/claims, what steps do I need to take now to get ready for EDIcompliance? What documents are available to help me? (March 2003)

A: Providers that do all their health care transactions on paper are not covered by the HIPAA rules, regardless of the size of their workforce. In other words, no further action is needed as long as you do not bill electronically, or share PHI electronically with other entities.

With regard to future demand by carriers that you bill electronically, please know that effective October 16, 2001, Medicare will no longer pay paper claims. An exception to this rule are small providers, who will be able to continue to submit paper claims after the October 16, 2003 deadline. Under this rule, a small provider or supplier is:

  1. any provider of health care services with fewer than 25 full-time equivalent employees or
  2. a physician, practitioner, facility or supplier (other than provider of services) with fewer than 10 full-time equivalent employees.

Note: this provision does not preclude providers from submitting paper claims to other health plans, including Medicaid.

To get ready for EDIcompliance, you should contact your health plans and software vendors to find out how and when they will conduct HIPAA EDItraining and compliance testing, and what providers are expected to do. Importantly: each health care provider is responsible for making sure that the software he/she uses will be fully HIPAA compliant.

Q: When do we need written patient authorization? Do we need it for treatment, payment and health care operations? Can we have patient schedules visible in our office? Can we put medical charts outside of a patient's room? (March 2003)

A: The HIPAA Privacy rule permits covered entities to use and disclose PHI without patient authorization for treatment, payment and health care operations purposes. Unless another exception applies (e.g. for health oversight purposes, for law enforcement purposes, or the use/disclosure is required by law), patient authorization is required for an other use or disclosure of PHI (other than treatment, payment and health care operations).

The HIPAA Privacy rule does not prohibit covered entities from engaging in common and important health care practices, nor does it specify the specific measures that must be applied to protect an individual's privacy while engaging in these practices. However, covered entities must implement reasonable safeguards to protect an individual's privacy.

For example, HIPAA does not prohibit covered entities from engaging in the following practices, where reasonable precautions have been taken to protect an individual's privacy:

The above examples of possible safeguards are not intended to be all-inclusive. Covered entities may engage in any practice that reasonably safeguards protected health information from inappropriate use and disclosure.

Q: Has OMH issued new patient authorization forms? (March 2003)

A: OMH has revised its OMH-11 form, which is used in its own directly operated facilities and programs to obtain patient authorization to release information. The revised form is included as Appendix 3 of the new OMH Privacy Policy Manual and can be viewed on-line at http://www.omh.ny.gov//omhweb/forms/omh11.pdf.

Q: Our organization is an outpatient mental health clinic, but we also provide case management and crisis services. At times it is necessary to have access to a client's PHI, be it in the evening or on weekends, when the agency is closed. How do we comply with HIPAA Privacy rules under these circumstances? Do we need locked briefcases or file boxes in our vehicles to guarantee patient confidentiality? (March 2003)

A: The HIPAA Privacy rule is not intended to impair the flow of information necessary to provide patient care; however, it does provide that a covered entity must implement reasonable safeguards to protect a client's PHI. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect against uses and disclosures not permitted by the Privacy Rule and limit any incidental uses or disclosures. The rule does not , however, prohibit or prescribe the exact means by which a covered entity must achieve this goal.

Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity organization and the nature of its business. In implementing reasonable safeguards, covered entities should examine their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to their patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Q: We recently received a sample Notice of Privacy Practices (NPP) for providers of OMRDD services. Does OMH have a similar Notice of Privacy Practice that we can view as we draft our agency's NPP? (March 2003)

A: Yes. OMH has completed development of its Notice of Privacy Practices, which it will use in its own directly operated facilities or programs. The notice appears in Appendix 6 of the OMH Privacy Policy Manual. To view OMH's NPP on-line, click on http://www.omh.ny.gov/omhweb/hipaa/manual/appendix6.pdf. It is important to keep in mind, however, that although the OMH NPP can be used for general guidance, each covered entity's NPP must reflect its own individual uses and disclosures of its patients' PHI, which may or may not be reflected in the OMH NPP.

Q: Are providers obliged to share with a client his/her entire medical record, including information received from the referring provider that is used by the current provider to determine suitability for services? Or must providers only share a client's PHI created by their own agency? (March 2003)

A: The HIPAA Privacy rule provides basic rights for individuals with respect to their protected health information (PHI), including the right to inspect, or request an amendment to the information contained in his or her "Designated Record Set." The HIPAA Privacy rules define the "Designated Record Set" as " a group of medical records maintained by or for a covered entity that is: (1) the medical records and billing records about individuals maintained by or for a covered health care provider; (2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. Therefore, the patient has a right to view and inspect whatever information is contained in the patient's Designated Record Set, which likely will include information received from referring providers if this information was used by the current provider to make decisions about the patient.

Q: Are employers working with a Supported Employment program considered business associates? (March 2003)

A: First, the Supported Employment program must determine whether or not it is a "covered entity" under HIPAA. If so, the second question to be considered is whether or not patient authorization is required to disclose protected health information (PHI) to the employers. It is probably reasonable to assume that it is, if the disclosures cannot be fairly characterized as being made for treatment, payment, or health care operations purposes. If patient authorization is indeed needed, the Supported Employment program has three options to consider: (1) simply obtain patient authorization to make these disclosures; (2) include the employers as members of its workforce and require that they participate in the Supported Employment's HIPAA training program; or (3) execute a Business Associate Agreement, if the employers can be fairly characterized as providing a service for or on behalf of the Supported Employment program for which access to PHI is necessary. It may be that the most practical solution here would be to simply obtain patient authorizations to make these disclosures, in which case determinations about whether or not it is necessary to execute a Business Associate Agreement, or to require training, would not be necessary.

Q: Our facility operates a detox unit, a mental health unit and a medical/surgical unit. A patient, who is admitted with a diagnosis of alcohol intoxication, is first treated in the detox unit and then sent to our mental health unit for additional treatment. At intake into the detox unit, the patient signs an authorization form. Can the mental health unit use the same authorization to release PHI to his primary care physician after the patient was discharged, even though the psychiatric discharge summary shows a diagnosis of alcohol intoxication? Are inpatient providers that are covered entities required to obtain a new patient authorization for each treatment stay? (March 2003)

A: The first question that must be answered here is under what licenses are your facility operating? For example, a facility that operates a detox, a med/surgical, and a mental health unit might possibly be operating under licenses issued by the NYS Office of Alcoholism and Substance Abuse Services (OASAS), the NYS Department of Health (DOH), and OMH. This is relevant because the laws governing the use and disclosure of information in these 3 discrete areas occasionally differ. For example, if the detox unit is licensed by OASAS, the activities of that unit are probably governed by the federal regulations governing the confidentiality of alcohol/drug treatment records (42 CFR Part 2), in which case, those rules would need to be consulted to determine how the information obtained from that unit can be further used and disclosed, and what restrictions need to accompany these disclosures.

If your facility is licensed by OMH, neither the HIPAA, Privacy rules, nor the New York State Mental Hygiene Law, require mental health providers that are covered entities to obtain authorization in order to use or disclose a patient's PHI for the purpose of treatment, payment and health care operations, provided those uses and disclosures are made in accordance with the New York State Mental Hygiene Law. If a mental health provider chooses to obtain such consent or authorization, the HIPAA Privacy rules do not address whether a new authorization must be obtained each time a patient is admitted for treatment, since the obligation to obtain one is not required. Therefore, providers should use good risk management principles to make determinations in this regard.

However, the NYS Public Health Law, which governs uses and disclosures made by facilities licensed by DOH, does, in fact, require patient consent before using/disclosing patient information for treatment purposes. That law would need to be consulted to determine whether a new patient consent must be obtained each time the patient was admitted for care. Therefore, depending on what licenses your facility holds, the answer to this question may be different.

In any event, the purpose of an authorization is to permit a patient to identify to whom his/her information can be disclosed. Therefore, if an authorization is obtained by the detox unit, that authorization should indicate whether or not the information can be disclosed to the primary health care physician and would need to be consulted to see if this type of disclosure was contemplated by the patient. We strongly encourage the originator of this question to consult with the facility's attorney to determine how to best address this issue.

Q: Our HIPAA committee got very confused today regarding health information about alcohol and substance abuse, and "psychotherapy" notes. Do these require separate authorizations other than TPO and if so what must be included. Is it OK to have a generic authorization and then fill in the specifics or does the form need to be printed with a heading such as "Release of PHI related to A&SA" Thanks. (March 2003)

A: In determining what a covered entity's obligations are with regard to certain health information, you must consider the following:

  1. First, you need to determine what laws and regulations apply to your specific program with regard to the confidentiality of patient records. For example, if you are a "covered entity" that is a mental health program licensed by OMH, you will be bound by NYS Mental Hygiene Law and the HIPAA privacy regulations. If you are a "covered entity" that is an alcohol/substance abuse program licensed by OASAS, you will be bound by NYS Mental Hygiene Law, the HIPAA privacy regulations, and 42 CFR Part 2.
  2. Once you have determined which laws apply, you can determine whether or not you need to do anything differently with regard to alcohol/substance abuse information. If you are a federally funded alcohol/substance abuse program (if you are, you probably have an OASAS license), then you are bound by both 42 CFR Part 2 and HIPAA. You will need to follow both rules when making any disclosures with regard to alcohol/substance abuse treatment information. There are, indeed, specific requirements as to what must be included in a consent to release alcohol/drug treatment information under 42 CFR Part 2, which is generally - but not always entirely - consistent with the HIPAA Privacy regulations. You may wish to consult the OMH Preemption Analysis, which is available on the OMH website, for some guidance as to how these two federal regulations interact. It is important to remember that that special 42 CFR Part 2 regulations apply to alcohol/drug treatment records created/maintained by federally funded alcohol/drug abuse programs; they do not apply to alcohol/drug information created/maintained by a program that is not a federally funded alcohol/drug treatment program.

    If you are not bound by 42 CFR Part 2, and are simply a mental health program licensed by OMH, you must follow the NYS Mental Hygiene Law and the HIPAA privacy regulations with regard to the use and disclosure of protected health information (PHI). In this case, any PHI regarding alcohol/drug abuse information that you may have will generally be treated the same way as any other PHI unless if it was obtained from a federally funded alcohol/drug abuse treatment program, in which case redisclosure restrictions (which should have accompanied the information when it was supplied to you) will apply. HIPAA does not contain any special requirements with regard to how alcohol/drug treatment information is otherwise used or disclosed.

  3. Psychotherapy notes are, in fact, given special protections under the HIPAA privacy regulations and authorizations are required to use/disclose psychotherapy notes, except for (1) use/disclosure by the originator of the notes for treatment purposes; (2) use/disclosure by the covered entity of the notes for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice/improve their skills in group, joint, family, or individual counseling; or (3) use/disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual. But what is important to remember here is that the term "psychotherapy notes" is not synonymous with the terms "mental health record" or "clinical record" as we currently use these terms in the public mental health system. "Psychotherapy notes" are specifically defined as "notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of the conversation during a private counseling session or a group, joint, individual, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date." As you can see, the majority of the information excluded from the definition of "psychotherapy notes" is the information required to be included in the clinical record of public mental health programs, via applicable NYS Mental Hygiene Law regulations (Title 14 NYCRR). Therefore, any special use/disclosure restrictions in HIPAA that are applicable to psychotherapy notes are not applicable to the clinical record, as commonly defined in the NYS public mental health system. In those cases, however, where a particular practice does maintain psychotherapy for patients (i.e., information that is recorded but is not required to be included in the clinical record), then the special restrictions on use/disclosure would, in fact, apply. In the public mental health system, we would expect the use of psychotherapy notes to be somewhat uncommon, though it is not prohibited - as long as the information required to be included in the clinical record via NYS regulations is so included.

Q: Who is a covered entity under the Privacy regulations? (April 2002)

A: You are a covered entity under the Privacy regulations if you are a: (1) health plan (e.g., HMOs, insurers, Medicare and Medicaid); (2) health care clearinghouse (e.g., billing services, repricing companies, community health management information systems); or (3) a health care provider that transmits health information electronically in connection with a covered transaction.

Q: What information is protected under the Privacy regulations? (April 2002)

A: "Protected health information" under the Privacy regulations is personally identifiable health information, in any form (verbal, written, or electronic) that is used or disclosed by a covered entity. This includes, but is not necessarily limited to, names; specific dates (e.g. birth, admission, discharge, death); telephone numbers; Social Security numbers; Medicaid numbers; medical record numbers; and photographs.

Q: What is the "general rule" under the Privacy regulations? (April 2002)

A: Under the HIPAA Privacy regulations, a covered entity may not use or disclose protected health information except for the purpose of treatment, payment or healthcare operations or as approved by the individual for certain purposes. Individuals have the right to control their personal health information, and covered entities have the duty to protect personal health information.

Q: How does an individual approve the use of his/her protected health information? (April 2002)

A: Under the Privacy regulations, a written authorization is required to permit the use or disclosure of patient protected health information for purposes other than treatment, payment, and health care operations.

Q: I've determined I'm a covered entity under the Privacy regulations. Now what? (April 2002)

A: Each covered entity is responsible for its own compliance with the Privacy regulations. A good action plan to follow is to first obtain, read, and begin to understand the HIPAA Privacy regulations. . The HIPAA Privacy regulation requires that each covered entity appoint a Privacy Officer or equivalent, and, though not required by HIPAA, it may be a good idea to establish a HIPAA compliance team. To help you determine what you must do to comply, you may wish to assess and identify the protected healthcare information across your organization's systems, and then analyze the gaps in your current practices.
HIPAA does set forth a number of administrative requirements for covered entities. In addition to the appointment of a Privacy Officer, covered entities must: (1) have HIPAA compliant privacy policies; (2) have or develop certain organizational processes and systems to be able to account for information disclosures and allow individuals to access and amend their health information; (3) if you are a health care provider, you must develop and utilize a privacy notice and an authorization form; (4) develop and implement business associate contracts; (5) develop a workforce privacy training course; and (6) document your determinations.

Q: I am a mental health provider but I also have a license from OASAS to provide substance abuse treatment. Does HIPAA do away with 42 C.F.R. Part 2, the federal regulations that protect the confidentiality of drug treatment records? (April 2002)

A: No. If you are a provider that was previously bound by 42 C.F.R. Part 2 for your substance abuse operations and you are now also bound by the HIPAA Privacy regulations, you must comply with both. When you are dealing with the substance abuse records in your facility and the two conflicts, the more stringent rule must apply.

Q: If health care providers are in compliance with Joint Commission standards, won't that cover HIPAA compliance? (April 2002)

A: Probably not.. While current Joint Commission standards address information security, they aren't as specific as HIPAA. For example, relevant JCAHO standards read:

I.M.2.2: Systems are designed to allow timely and easy use of data without compromising security and confidentiality.
I.M.2.3: Information is protected against loss, destruction, tampering, and unauthorized use. RI 1.3: Hospital demonstrates respect for patient privacy and confidentiality.

Also note that accredited hospitals are required to comply with state and federal laws and regulations.
The Joint Commission has indicated it is comparing its current standards and survey processes to HIPAA requirements. It is likely that accredited organizations can expect to see a more intense focus on information security in the survey process, although the Joint Commission is not the enforcement authority for HIPAA.

Q: Have OMH authorization forms been modified to reflect HIPAA privacy standards? (March 2002)

A: The new OMH-11 form (Standard Authorization Form) fulfills all requirements for HIPAA privacy standards, and it will be utilized for patient authorizations in facilities directly operated by OMH. They are not required to be used by licensed mental health programs, but can be reviewed for general guidance.

Q: We understand that, per MHL 33.13, the local mental health authority may inspect patient case records for the purposes of planning for services. How will HIPAA affect this? (March 2002)

A: NYS Mental Hygiene Law permits the disclosure of information about patients to the Director of Community Services (DCS) , provided that the information is requested and used in the exercise of the DCS' statutory authority pursuant to Sections 9.37, 9.45, or 41.13 of the Mental Hygiene Law.

There is an express provision of the HIPAA privacy regulations which should permit this type of disclosure to continue, without requiring patient r authorization. A covered entity is permitted to disclose protected health information (PHI) to a "health oversight agency" for oversight activities authorized by law.(45 CFR §164.512(d)). The definition of "health oversight agency" includes an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency…that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant (45 CFR §164.501)

It would appear that the authority given to the DCS in §41.13 of the Mental Hygiene Law would characterize it as a "health oversight agency" and that the planning function is consistent with the types of activities envisioned in this definition. Each county's attorney, however, should review this provision and render an opinion regarding this conclusion.

Q: With regard to Business Associate Contracts, are these to be executed in advance of the need to do business with an entity or not until we have an actual business need? For example, we have knowledge of a county or local service provider, but up until this time we have not received or referred patients there or processed any information exchanges. If we wait until an incoming patient appears or we wish to make a referral to this entity, our ability to execute a BA contract in a smooth and timely manner is uncertain. Yet if we attempt to cover the entire pool of possible agencies, we are talking about dozens and dozens of contracts, some perhaps never being acted upon. Also, how often do BA contracts have to be renewed? (March 2002)

A: Under the HIPAA privacy regulations, a "business associate" is a person or entity who provides certain functions, activities, or services for or to a covered entity, for which the use/disclosure of protected health information (PHI) is necessary in order to provide the services. Examples of common business associate services are legal, consulting, and actuarial services.

It is important to note that the business associate requirements do not apply to covered entities who disclose PHI to providers for referral or treatment purposes, e.g., information exchanges between an inpatient psychiatric facility and an Article 28 hospital in cases where a patient of the psychiatric facility has been transferred to the Article 28 hospital for medical/surgical services. The relationship envisioned from the description presented in the question does not appear to be a Business Associate relationship; instead, it appears to be one of a source of referral for continued care. In this regard, the service the referral entity provides is not to the covered entity, but to the patient; therefore, it is possible the referral entity is a covered entity in and of itself.

In cases where a Business Associate contract is appropriate, in general, the contract establishing the Business Associate's obligations needs to be in place for all PHI that is disclosed to that entity by the covered entity subsequent to April 14, 2003 (note that the proposed revisions to the privacy regulation would give covered entities up to an additional year to change existing contracts). There are no express requirements in HIPAA governing renewal of Business Associate contracts.