Health Information Compliance Alert

THE THIRD DEGREE:

READER QUESTIONS ANSWERED

YOU CAN GET FIT WITHOUT LOSING PHI

Question: As a health insurer, we would like to work with our at-risk enrollees' local fitness centers to provide exercise classes. The centers will bill us electronically for time spent on fitness and nutrition counseling with the enrollees. Would this relationship make the fitness center a business associate?

- North Carolina subscriber

Answer: "No," states Jeff Boyer, HIPAA Compliance Coordinator for the HIPAA DC Program Management Office in Washington, DC. "If the centers bill electronically for their health services, they are a covered entity," he says.

Most fitness centers won't be interested in working with you once they find out they'll have to abide by the privacy and security rules, Boyer expresses. Good idea: "Ask the centers to submit claims on paper," he suggests. That way they can still provide the health service without having to worry about HIPAA.

The Bottom Line: Fitness centers that provide health care services - and bill for them electronically - are covered entities, not business associates, Boyer says. If the centers don't want to send paper claims, track down either a fitness center already working with the rule or a rehab center instead, he offers.





Question:
A visiting doctor wants to use our patients' medical information in an article she is co-authoring with three other doctors. Would this be covered under the privacy rule's research allowance, or do we need to ask our patients to authorize this disclosure?

- Mississippi subscriber

You have to ask for your patients' authorization for this disclosure, says Debbie Larios, an attorney with Miller & Martin in Nashville, TN. "The privacy rule's research provision is for clinical trials with an internal review board's approval," she explains.

Try this: Ask the visiting doctor to narrow down what kind of patients she and the other authors are interested in studying. Then you can track down those patients only, she suggests. Caution: This will involve a ton of work and may not be very successful, Larios warns.

The Bottom Line: Unless you have the time and resources to devote to the necessary legwork, your safest bet is to deny the visiting physician access to your patients' medical information, Larios advises.

Next step: If you want to work with researchers or contribute your patients' PHI to medical studies, ask patients to sign an authorization when they come in. Tip: The form must clearly state that the patient's signature means "you can release her general medical information to former staff members or other researchers without notifying her each time," Larios asserts.