HIPAA 2013 is HERE!
The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and it’s Health Information for Clinical and Economic Health (HITECH) provisions brought to bear the necessity of a whole new slew of regulations which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!
A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.
HIPAA 2013 Emphasizes That Covered
Entities Should NOT Use their Business
Associates for Public Health Reporting!
HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity). Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.
While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).
HIPAA 2013 HINT
Make sure that if you are a covered entity that you are doing your public health reporting, as required by state and federal law and NOT delegating that function to a business associate.
HIPAA 2013-What’s Coming Tomorrow
Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.
I invite your to leave a comment and stay in touch!