HIPAA Business Associates Leadership Group Meeting June 28, 2001

Privacy Rule Definitions Business Associates A person or organization who on our behalf, performs or assists in the performance of: A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, and practice management…or provides…legal, actuarial, accounting, consulting, data aggregation, accreditation, or financial services…where the provision of service involves the disclosure of individually identifiable health information…to the person or organization.

Privacy Rule Definitions Individually Identifiable Health Information or Protected Health Information Health information, past, present or future physical or mental health or condition, (including demographic information collected from an individual), in any form (whether oral or written), created by or received (1) that identifies the individual or (2) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Individual Identifiers Names All geographic subdivisions smaller than a State… All elements of dates (except year) for dates directly related to an individual… Birth date, admission or discharge date Telephone numbers Fax numbers Electronic mail addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code

Privacy Rule Definitions Disclosure The release, transfer, or provision or access to, or divulging in any other manner of information outside the entity holding the information. Exception for disclosures of PHI by one provider to another provider for treatment (includes consultation & referral) purposes.

Business Associate Examples Institution handling billing (collection agency) - is a BA Consulting service receiving PHI - is a BA Offsite Medical Record storage - is a BA Software vendors with access to patient data files to trouble shoot system errors - is a BA Outside data aggregation services - is a BA Hospital provides billing services to physician with staff privileges - is a BA

Business Associate Examples Consulting service does not receive PHI - not a BA Provider provides PHI to health plan in submitting a claim for payment - not a BA Researcher receiving information under the Privacy regulation research provisions - not a BA Conduit for PHI (Post Office, electronic equivalent such as phone or ISP) - not a BA Financial institution processing transactions (credit card, lock box) - not a BA

Business Associate Examples Medicaid or agencies that determine eligibility - not a BA Employees, volunteers, trainees and others under direct control of covered entity regardless of whether paid - not a BA Persons under contract who perform a substantial proportion of activities at our location who follow our P & P’s - not a BA Two covered entities participating in an organized health care arrangement - not BA’s Physicians with staff privileges treating a patient - not a BA