Health Information Compliance Alert

Safeguard Yourself, But Don't Let Your Arrangements Impede Data Sharing

If you’re dealing with complex information, make sure you’re covered.

As the Memorial Health System breach highlights, the more diverse the affiliations, the more in-depth the controls need to be. And when you have this kind of integrated relationship with a mix of hospitals, physicians’ offices, business associates and more — you need to protect yourself, your patients, and the data you are sharing.

An Organized Health Care Arrangement or OHCA provides relief and aims to assist with the coordination of care, protecting the separate covered entities and increasing workflow across the different healthcare spectrums.

OHCA defined: An Organized Health Care Arrangement (OHCA) allows the different covered entities in the separate clinically integrated healthcare settings to work together under HIPAA, AHIMA suggests in its guidance on compliance arrangements. “The HIPAA privacy rule also permits providers that typically provide healthcare to a common set of patients to designate themselves as an OHCA for purposes of HIPAA,” AHIMA explains. See the AHIMA guidance here: http://library.ahima.org/doc?oid=60011#.WMLT4BiZNAY.

More info: “By participating in an OHCA arrangement under HIPAA, legally separate covered entities without common ownership or control that are clinically or operationally integrated can more easily share appropriate and necessary information,” says attorney Kathleen D. Kenney, Esq., of Polsinelli LLP in Chicago. However, those involved need to remember that they still need to follow compliance standards. “The obligation under HIPAA to ensure access and audit controls are in place for any user that accesses a covered entity’s system containing ePHI does not change because of an OHCA arrangement,” Kenney points out.

Think ahead: Many providers complain that mandates and administration get in the way of helping patients. But, it’s important to note that safeguarding your practice upfront can help you avoid the hassles later on. As more and more complex information is passed from one provider to the next via technologically-implemented devices — particularly within a multi-layered organization similar to Memorial Health System — it is easy to see how ePHI can be lost. Having HIPAA controls in place ahead of time can help prevent such problems.

Tip: The feds don’t “want HIPAA to serve as a barrier for data sharing arrangements — but it’s important for organizations to evaluate HIPAA compliance as they begin to do more with their data,” advises Kenney. “Thinking through the regulatory issues first and putting in place checks and balances allows covered entities to ensure safeguards and protocol do not get overlooked along the way.”