Health Information Compliance Alert

READER QUESTIONS

ARE PHOTOGRAPHS PHI IDENTIFIERS?

Question:
For demonstration purposes in a sales context, if a picture or video of a patient were used with no identifying information, would this violate HIPAA?

Answer: A photo is an identifier, explains Kristen Rosati, an attorney in the Phoenix office of Coppersmith Gordon Schermer Owens & Nelson.

She says the Department of Health and Human Services lists photos as identifiers, "and therefore any photos where you can tell an individual's identity are treated as protected health information." That means any disclosure of that photo has to be viewed under HIPAA, but the legality of that disclosure depends on how you're using the information, she notes.

There are a lot of issues that need to be evaluated to determine whether that disclosure would count as a violation, but what you do need to know is that disclosure of a photo is a disclosure of protected health information, Rosati asserts.

If you're making a disclosure for marketing purposes, you have to follow the HIPAA marketing rules. There's a definition of what marketing is, so take a look at whether the communication that you're making with the photo even constitutes marketing, and if it does, there are a couple of exceptions where you don't need authorization to do the marketing.

This is a pretty complicated issue, and Rosati advises entities to take a closer look both at the definition of marketing and also the exemptions from authorization for the marketing rule.

TWO QUESTIONS HELP CREATE A BA AGREEMENT

Question: "We're a small hospital and we have several business associate agreements in place, but we're not always sure whom to contract with and what would constitute a business associate. Is there an efficient and easy way to determine the necessity of a BA agreement?"

Answer: Yes, there is. Martha Baxter, an attorney in the Columbus office of Bricker & Eckler, says there are a couple of threshold questions you should ask yourself when wishing to determine what qualifies as a BA: (A) Does the business perform or assist in the performance of an activity or function involving the use or disclosure of protected health information? Or (B) Does the business provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that require the disclosure of PHI from the physician?

If you answered "yes" to either of these questions, then a business associate agreement may be needed.

Baxter tells Eli clients often ask her about service people who come into a covered entity to work on, say, an MRI or the CE's laser equipment, and those technicians might stumble across some PHI in the process. "Well, that's incidental to the agreement," she emphasizes, and a BA agreement wouldn't be required. "But if you're contacting a software vendor and that vendor will need to look at PHI in order to undertake their audits or develop the software, then they will be a BA."

Caveat: Baxter says some CEs are sending BA agreements that aren't needed. "Nursing homes often send BA contracts to hospitals when it's really just for treatment purposes," and BA contracts aren't required in that situation. She advises CEs to thoroughly examine their own circumstances before creating a BA agreement.

STAFF FOLLOW SAME PHI ACCESS RULES AS PATIENTS

Question: How should a medical facility handle employees' access to their own medical records? That is, should employees within a medical center or practice who have PHI on the facility's computer system be able to view their own PHI?

Answer: "Everybody has access rights under HIPAA," reminds Robyn Meinhardt, an attorney in the Denver office of Foley & Lardner.

Meinhardt says she's aware of some facilities with electronic medical records that have allowed their health care provider employees to access their own records with "minimal interference from the system."

In other words, if the employee inputs his Social Security Number, that'll give him access to his own protected health information.

Meinhardt says one way to prevent employees from gaining easy access to their records would be to make them go through the normal access procedures, just like any other patient would have to go through.

The question that arises is, "Can you make it easier on employees to see their own records than for other patients?" Meinhardt says there may be some prohibitions under state law that might come into play here.

For example, "if your state law contains a prior physician review requirement, that could prevent an employee from gaining easy access to his records," she notes.

But Meinhardt says it's likely - though not definite - that HIPAA would preempt the state law if that state law imposes a prior physician review requirement, so you should review your state laws to determine how they approach this requirement.