In the past week I got the third question in a one-month time frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions coming up in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic…
“We just want to make sure they’re using it correctly”
One group of folks I work with creates, supports and sells a variety of medical devices. Those delivering and servicing the devices must know how to use them more intimately than the doctors they are selling them to: every capability, how the devices work, and every data item the devices collect and store. It is common for such medical device representatives to assist by observing in surgeries and answering surgeons’ questions about the devices, to be present for fittings, and so on, during the initial period when the doctor is using them, to make sure they are used correctly.
Reviewing policies and procedures
This group recently asked me to review their HIPAA policies and procedures to ensure they met HIPAA compliance under the Omnibus Rules. As I was reading their “Uses and Disclosures for TPO” policy and supporting procedures, I at first saw some very good examples they had included that described what would be considered incidental access situations under HIPAA. A few of these examples are the same as those provided on the Department of Health and Human Services (HHS) website:
For example, a hospital visitor may overhear a provider’s confidential conversation with another provider or a patient, or may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard.
These are good examples of how others may unintentionally happen to see, view or hear the PHI of patients during the provision of care; the CE did not intend for them to, it just happened as a matter of circumstance, given how the CE does business in a way that otherwise feasibly limits access to PHI while still getting patients cared for efficiently. However, one example that the group had included in their list of incidental access examples was not, and would not be, posted on the HHS list of incidental disclosure examples; it simply is not an incidental disclosure. Their paraphrased example:
“When sales reps are asked to be present during patient care, and provide advice and/or guidance about the use of medical devices to the providers/doctors during such provision of care”.
This is not only a bad example of an incidental access situation; it is simply not a valid example at all. The doctors are enlisting the medical device representative to assist in care, knowingly putting the representative in a situation where he or she will have direct access to possibly a large amount of protected health information (PHI), much of which could be quite sensitive in nature, depending on the device and the type of care being provided. The disclosure of PHI is purposefully directed by the provider to the representative. This is not, and could not be considered to be, an incidental disclosure. The permission is based on an assessment of the safeguards and minimum necessary standards as applied to the underlying intentional disclosure. An intentional disclosure to support healthcare treatment, payment or operations (TPO) is not incidental. The covered entity (CE) in this situation has made the representative a business associate (BA).
BA software that fundamentally supports TPO
In a similar situation prior to this, one of my clients, who provides healthcare analytics software to CEs, told me, as they were getting all their policies, procedures and other supporting HIPAA compliance documentation created, that they did not need BA Agreements. Knowing the purpose of their software, and having a hunch that they provide ongoing assistance with its use, I asked them to explain why they thought they wouldn’t be a BA, and asked whether they had access to the data processed by their software.
“Well, yes, as we are providing support to the hospitals and clinics, we have access to the data, but we need that to support the software, not for TPO. That access is considered to be incidental. Plus, we don’t pay attention to the PHI; we are focused on making sure the software is working appropriately. If we happen to look at it, it is just incidental.”
Sorry. The provider is knowingly having you access software that provides access to PHI, to ensure the software produces accurate results used to support patient care. This is purposeful access, not accidental. This software provider is a BA, and so must abide by all applicable HIPAA requirements, including the execution of a BA Agreement.
Being there to film surgeries
The third situation was a huge hospital system that contracted a company to record all their surgeries so that the recordings would be available for review and for the training of other staff, as well as medical students. The CE said that there was no PHI in the recordings, and nothing that could reasonably point to a specific individual within the recordings (“you can’t really see the patients’ faces”), so they did not get a BA Agreement with the recording company.
Upon further questioning, I learned that the recording company personnel were within the surgery facilities, were often in the same physical area as the patient prior to and following the recordings, and that when such situations occurred, the name of the patient and other PHI and medical information specific to the individual were often viewable on the screens, charts, arm bands, and other types of documentation that are common during surgeries.
So the CE was asking the company to perform an activity that purposefully directed the company employees to participate in surgeries as an observer within the room. Such access was not accidental, but was planned. Such access is not incidental. Get a BA Agreement in place!
If it is intentional it is NOT incidental
I’ve found over the years that most of the CEs I worked with understood pretty well that limiting incidental uses and disclosures generally meant that, after appropriate safeguards had been implemented, accidental disclosure may still occur, such as when a patient shares a hospital room with another patient and overhears the doctor or nurse speaking about treatment details with the roommate, along with an endless number of other examples, including those provided earlier.
Among the other pointers from the Privacy Rule to this section, the directive for incidental disclosures is about a longstanding, original HIPAA Security Rule requirement:
§ 164.530 Administrative requirements.
(2)(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
As the HHS has explained in numerous publications and venues, HIPAA is not intended to impede customary and essential communications and practices associated with healthcare, and so does not require that *all* risk of incidental use or disclosure be eliminated to satisfy its standards. Instead, HIPAA allows certain unintended, accidental, incidental uses and disclosures of PHI to occur when the CE, BA and subcontractor have in place reasonable safeguards and minimum necessary policies and procedures to appropriately protect privacy.
Bottom line for organizations of all sizes…
Every CE, BA and subcontractor under HIPAA, of all sizes, in all locations, must understand and follow all HIPAA requirements that apply to them. Part of this understanding is to recognize that situations where a CE asks an outside entity to be involved, in some way, with treatment, payment or operations (TPO) are purposefully intentional situations which are NOT incidental; the access was not accidental but specifically granted to the outside entity. So, the outside entity will generally be considered to be a BA, and so will need to have a BA Agreement in place.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.