
Work with legal counsel to define 'healthcare operations'

HIPAA Training Advisor, November 30, 2006

By now, most organizations understand which uses and disclosures fall under treatment or payment. But HIPAA's definition of "healthcare operations" isn't as clear. Consult now with your organization's legal counsel to ensure that you comply with the HIPAA requirements and avoid inappropriate disclosures.

"Because the language in the rule is so broad and sweeping and there are additional restrictions attached, it's more challenging to understand and comply with the requirements," says Leigh-Ann M. Patterson Durant, JD, partner and founder of Nixon Peabody, LLP, in Boston. You can't just consider anything that doesn't fall under treatment or payment as healthcare operations, she says.

Healthcare operations can cover everything from quality improvement to risk management to training, says Sandy O'Rourke, RHIA, privacy officer and director of health information services at Southwest Washington Medical Center in Vancouver. HIPAA stresses the importance of the right to access, she says. Not all employees are part of the same group or entitled to the same access. Emphasize the need to know.

"Who can hear or see confidential information?" asks O'Rourke. "And if you're providing training, what are staff learning?" There's a difference between teaching and discussing something that's interesting, she says. "And it's not teaching when you're standing in the hallway or cafeteria talking." If you're truly teaching, it should be in a more formal setting, so you avoid inappropriate disclosures, says O'Rourke.

Distinguish between disclosures that are clinical and for treatment purposes and those that are for quality improvement or outcomes evaluation and that, therefore, fall under healthcare operations, says Durant. And identify potential disclosures that don't fall under treatment, payment, or healthcare operations. For example, Bring Your Child to Work Day doesn't fall under healthcare operations, she says. "You can do it, but you need to be cognizant of restrictions." In such a case, consider having employees sign an agreement that they will not expose their children to PHI, says Durant.

Involve your legal counsel
The language in the privacy rule is vague, and the definition for healthcare operations is less straightforward than for treatment or payment, says Kim Wells-Ball, RHIT, CPC, privacy officer and director of health information management at Barton Healthcare System in South Lake Tahoe, CA.

Consult your legal team with any questions, she says. "You don't want to make an already complicated issue more complicated." Common areas of concern for Barton Healthcare System, and for other organizations, involve workers' compensation and fundraising, says Wells-Ball. "We don't give out any specific information for fundraising, just general numbers of patients with specific conditions," she says. "Better safe than sorry."

There's a whole section of the privacy rule about fundraising with specific requirements, says Durant. Some organizations are more aggressive, whereas others, such as Wells-Ball's organization, are more conservative. All uses and disclosures that fall within healthcare operations must comply with HIPAA's minimum necessary standard, and, if a disclosure is between two covered entities (CE), both CEs must have a relationship with the patient at the time of the disclosure, says Durant.

It is impermissible for a CE to share PHI with another CE for quality assurance purposes if the other CE doesn't have a relationship with the patient. "The other organization isn't trying to profit financially from the sharing of information, but it's impermissible without the patient's authorization."

Meet with your legal counsel, she says. It can provide you with guidelines and address some of the grey areas.

Editor's note: Adapted from "Work with legal counsel to define 'healthcare operations,' " Briefings on HIPAA, November 2006.
