Patient Information Policy
Use and Disclosure of Protected Health Information to Business Associates
SCOPE:
All Louisiana State University (LSU) System health care
facilities and providers including, but not limited to
hospitals, physician practices, clinics, schools, etc. on
the LSU Health Sciences Center New Orleans Academic Campus.
Nota Bene: All LSU System health care facilities and
providers including, but not limited to hospitals, physician
clinics, schools, etc. on the LSU Health Sciences Center New
Orleans Academic Campus, are referred to in this policy as
LSUHSC-NO.
PURPOSE:
To provide guidance to the health care facilities and
providers affiliated with LSUHSC-NO on the requirements of
the Health Insurance Portability and Accountability Act (HIPAA),
Standards for Privacy of Individually Identifiable Health
Information (HIPAA Privacy Regulations) that relate to the
disclosure of a patient’s Protected Health Information to a
Business Associate (BA) of LSUHSC-NO.
POLICY:
All LSUHSC-NO health care facilities and providers must
enter into a business associate contract with any Business
Associates as provided in this policy.
DEFINITIONS:
Business Associate – For purposes of this policy, a Business Associate is a person or
entity that performs certain functions or activities on
behalf of LSUHSC-NO or provides certain services to LSUHSC-NO
that involve the use or disclosure of Protected Health
Information from LSUHSC-NO.
Examples of Business Associate functions and activities include but are not limited to:
- claims processing or administration;
- data analysis;
- processing or administration;
- utilization review;
- quality assurance;
- billing;
- benefit management;
- practice management; and
- re-pricing.
Examples of Business Associate services include but are not limited to:
- legal services (e.g. malpractice case);
- actuarial services;
- accounting services (e.g. if PHI is disclosed to CPA);
- consulting services;
- data aggregation;
- management services;
- administrative services;
- accreditation; and
- financial services.
The following are NOT Business Associates for purposes of this policy:
- A member of LSUHSC-NO’s work force;
- A third-party payer (e.g. HMO, Medicare) to which LSUHSC-NO discloses PHI to obtain payment for services to its insured; or
- An independent contractor that performs services on-site at LSUHSC-NO (e.g. independent contractor transcriptionist that works at the Facility or Clinic).
Protected Health Information (sometimes referred to as “PHI”) –
for the purpose of this policy means individually identifiable
health information that relates to past,
present or future health care services provided to an
individual. Examples of Protected Health Information include
medical and billing records of a patient.
PROCEDURE:
1.0 General. LSUHSC-NO may disclose PHI to a Business Associate and may allow a Business Associate to create or receive PHI on its behalf, if LSUHSC-NO enters into a business associate contract regarding the use and disclosure of PHI. The business associate contract must provide that the business associate will appropriately safeguard the information. The following are examples of when a business associate contract may be needed:
1.1 A third party administrator (TPA) assists LSUHSC-NO with claims processing.
1.2 Certified Public Accountant (CPA) whose accounting services to LSUHSC-NO involve access to PHI.
1.3 A consultant who performs utilization reviews for LSUHSC-NO.
1.4 A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of LSUHSC-NO and forwards the processed transaction to a payer.
1.5 An independent medical transcriptionist who provides transcription services to LSUHSC-NO and does not perform the work on the premises of LSUHSC-NO.
2.0 LSUHSC-NO may share PHI with a health care provider for treatment purposes without a business associate contract. However, LSUHSC-NO should enter into a business associate contract for some other purposes, for example, if LSUHSC-NO enlists the services of another health care provider to assist in the training of medical students.
3.0 Attorneys are not exempted from the business associate agreement requirement and, where feasible or permitted by law, the attorney must also return or destroy all PHI at termination of the contract.
4.0 LSUHSC-NO does not need a business associate contract in the following situations:
4.1 Disclosures to a health care provider concerning the treatment of the individual. For example:
4.1.1 A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
4.1.2 A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
4.1.3 A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.
4.2 Disclosures to a researcher for research purposes. This is true even when LSUHSC-NO has hired the researcher to perform research on LSUHSC-NO’s own behalf because research is not a covered function or activity. However, LSUHSC-NO must enter into a data use agreement prior to disclosing a limited data set for research purposes to a researcher.
4.3 With a janitorial service because the performance of such service does not involve the use or disclosure of PHI.
REFERENCES:
45 C.F.R. § 164.502
45 C.F.R. § 164.504