Health Information Compliance Alert

The Third Degree:

Reader Questions Answered

Each month you submit your questions to Eli, and each month we do our best to answer them. Take a look below at a few of the HIPAA questions your peers still ponder over, and read the answers provided by HIPAA expert and health care attorney Robert Markette with Gilliland & Caudill in Indianapolis.

A HIPAA HYBRID?

Question: We're a large hospital and we have several small, clinical/primary care facilities at off-site locations. One of these off-site facilities consists of a very small after-hours clinic with a few full-time employees. These employees perform all of their billing functions manually using the phone and fax, and they submit bills on paper, so I'd consider them exempt from HIPAA. However, since they bill using the hospital's tax ID number, are they still considered exempt from HIPAA?

  - Florida subscriber

Answer: First of all, if the hospital's covered, then the clinic's covered as well because it's all a part of the same entity, says Markette.  However, he says there is a way around this issue, and that would involve taking advantage of the "hybrid entity provisions" of HIPAA. For example, take county health departments, which traditionally have both covered and non-covered functions. "A classic example is that they have clinics they bill Medicare for. Most bill electronically, and those are covered under HIPAA, but then they may do flu clinics at schools they're not billing for, and those are just public services" that aren't covered by HIPAA.
 
As HIPAA provides, one part of an entity is covered under the hybrid entity definition, while the entire entity's covered period.  "And if you recognize a hybrid entity status, you can designate a 'health care component,' which is the component of the entity that is covered and must comply with HIPAA," says Markette.
 
In this case, the hospital's tax ID number doesn't make a difference with respect to the after-hours under HIPAA, since the clinic could say it recognizes that it's a CE and has both covered and non-covered functions and that it's making the following hybrid entity designation. "Just be sure to formally designate in writing that you're making that designation as a hybrid entity status," he advises.
 
The Bottom Line: While the clinic may use the hospital's tax ID number for billing purposes, using the number doesn't affect the clinic with regard to HIPAA, and the clinic is still covered under the reg.
 




CONTRACTED USUALLY = BUSINESS ASSOCIATE

Question: How are contracted interpreters treated under HIPAA. As I see it, interpreters are individuals that are contracted either by providers or health plans to perform interpretation services. When they're a contracted entity, they bill their services to the payer using a CMS-1500 form. So, for those contracted interpreters, are they considered a provider under HIPAA? Are they a covered provider, since many of them submit claims electronically?  Or are they considered a business associate?

  - Nevada subscriber

Answer: Markette says contracted interpreters are most likely considered business associates (BAs) under HIPAA. "The general rule I've come to is that interpreters are BAs because you're sharing PHI with them. If you could find a way to make them part of treatment, obviously you could eliminate the concerns about sharing [PHI] with them," but Markette says he just doesn't see a way around that.
 
Markette notes that these contracted interpreters are not treatment providers; rather, they're providing a service to the entity that's allowing the entity to communicate with the patient.
 
If an interpreter were considered part of the workforce, that's a different story, and the interpreter's services would be considered part of everyday health care operations. 
 
The Bottom Line: In most circumstances you can treat your contracted interpreters as BAs under HIPAA. But if the interpreter is employed by the hospital, that would make him a member of your workforce with respect to HIPAA.
  



DON'T LET HIPAA SCARE OFF PATIENTS

Question: A heart patient went to a facility to have tests run to support his request for disability. The patient requested a copy of his records and was denied by the facility because the latter stated that its HIPAA policy would not allow it to release the records until payment had been made. Is this a valid reason to deny the release of records?

  - Kansas subscriber

Answer: There are specific reasons you can deny someone access to his medical records under HIPAA, but failure to pay your bill is not one of them, says Markette.
 
Take another look at the privacy rule ( 164.524). "There's not an exception for 'you didn't pay your bill,'" he notes. Markette adds that he'd be more than hesitant to deny a patient access to his medical records for failure to pay a bill "because ... that's not a game you want to play [with OCR]."
 
The Bottom Line: Since HIPAA is complaint driven, Markette reminds covered entities of the old adage, "the customer is always right." "If you tell a patient you're denying them access because they haven't paid their bill, you might as well just pick up the phone, dial HHS and hand the phone to the patient," he warns.