HIPAA

1.  PHI & BAAs

Posted 11 days ago
Hi, everyone -
I'm just back from a HIPAA Bootcamp and had two ideas introduced that sort of threw me for a loop.  I'm hoping the collective wisdom here might help me sort these out.

First, one learned and accomplished speaker described PHI in terms of the 18 personal identifiers.  That is, she stated that the 18 identifiers are PHI.  I had always thought in terms of the identifiers plus health information.  As I go back to the CMS definition, I see how both points of view can be interpreted.  I don't think I'm in for a particularly huge shift in my approach, but it certainly is a foundational difference.

Second, another learned and accomplished speaker recommended implementing BAAs even with other covered entities.  I'd always used the WEDI decision tree for implementing BAAs as a basis while also considering what TPO transaction is actually occurring.  I'm curious, though, if anyone else approaches their BAAs as the speaker suggested, and if so, what rationale they use?  And, practically speaking, where is the cut-off and what is the rationale for how that is determined?

Thank you to the group for considering.

Adrianne

------------------------------
Adrianne Lara, MBA, CHC
Compliance Officer
Cancer Care Northwest
Spokane, WA
------------------------------


2.  RE: PHI & BAAs

Posted 11 days ago
Adrianne, my thinking on these issues is aligned with yours, not the speakers'.




3.  RE: PHI & BAAs

Posted 11 days ago
Adrianne:
As for what is PHI, I teach that PHI is any identifier that can be traced back to a person PLUS any health information. I, too, have heard supposedly learned speakers state things like "A Social Security Number is PHI". It is an identifier.

As for BAAs, we do offer a BAA to some of our partners who handle our PHI that also happen to be a Covered Entity. This is a perfectly acceptable practice. However, the CE (that is considered a BA) is not mandated to sign the BAA. But, because they are a CE, they are mandated to follow all aspects of the Privacy, Security and Breach Notification Rules.

Just my two cents.

------------------------------
Dr. Randy Lewis, LMFT, CHPC
HIPAA Privacy Officer
Orange County Government
Orlando, FL
------------------------------



4.  RE: PHI & BAAs

Posted 8 days ago
The OCR has great guidance on PHI and the de-identification standard here: Methods for De-identification of PHI. Note that they state that the relationship to health information is fundamental.

With respect to BAAs, I'm with you. I don't execute them with another CE unless that CE is acting as a BAA. I think the BAA is taken as a shifting of liability, but it's really not. Best advice I ever heard on this topic was to take all of your concerns and put them in your service level agreement.

------------------------------
Sara Krause
Compliance Officer & Privacy Ofcr
Travis County
Austin, TX
------------------------------



5.  RE: PHI & BAAs

Posted 8 days ago
I totally agree.  Having CEs who are not BAs sign a BAA really muddies the waters.  If the CE is not a BA the Privacy and Security issues are spelled out in the service agreement.

------------------------------
Steve Paterson, CHC, CHPC
Chief Quality & Compliance Ofcr
United Church Homes & Services
Newton, NC
------------------------------



6.  RE: PHI & BAAs

Posted 8 days ago
Adrianne,

Briefly to some of the comments shared with you by these speakers I simply say...C'mon Man!  Is it any wonder why confusion continues to flourish in the compliance ranks?

------------------------------
Frank Ruelas
------------------------------



7.  RE: PHI & BAAs

Posted 7 days ago
As to the definition of PHI, if a person's name all by itself is PHI, then the phone book is PHI.

A covered entity might be a BA of yours and they might not. Your physician consulting with a physician at another business would not be a BA. But if they process your claims for you, they might be.

------------------------------
Carl Russell
Compliance Analyst
Delta Dental of Idaho
Boise, ID

Anything I say is my sole opinion and not of my company.
------------------------------



8.  RE: PHI & BAAs

Posted 7 days ago
PHI is simply IIHI that is transmitted or maintained in electronic media or any other form or medium.

IIHI is a subset of "health information" that identifies the individual, or can reasonably identify an individual.

"Health information" being the optimum expression, a name is not health information. IMHO.

------------------------------
David Rothery, CHC
Compliance Officer
Marin County, CA


These are my personal opinions and not those of the County of Marin.
------------------------------