Privacy Officer's Roundtable

 View Only
  • 1.  Referral Source

    Posted 6 days ago
    Hi all,

    I need some of this group's wisdom.

    We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

    Thank you in advance!

    ------------------------------
    Debra Larkin
    Corporate Director of
    Compliance/Privacy Officer
    ------------------------------
    SCCE Membership


  • 2.  RE: Referral Source

    Posted 6 days ago
    I'm confused. The referral company knows the patient and provides the patient information on facilities that may provide needed services. The patient looks in to refered facilities and decides which facility to use. I'm not seeing a business associate relationship.



    SCCE Membership


  • 3.  RE: Referral Source

    Posted 6 days ago
    Thank you Alex,

    I suppose where I was questioning the BA relationship is in the need for us to return information to the referral company after we admit the "patient".  By admitting the "patient"  and then sharing their PHI (Name, Date of admission and payment for the unit), we disclosing PHI to for something other than TPO, correct?

    ------------------------------
    Debra Larkin
    Corporate Director of
    Compliance/Privacy Officer
    ------------------------------

    SCCE Membership


  • 4.  RE: Referral Source

    Posted 6 days ago
    I'm not totally up to speed on all the services provided in senior living, personal care, and assisted living - is the information you are sharing covered under the defition of PHI, thus subject to HIPAA and then BAA requirements?  (Snip from HHS.gov website).



    ------------------------------
    Marie Wagner, CHC, CHRC
    Operations Manager, Corporate Compliance
    The Queen's Health Systems
    Honolulu, HI
    ------------------------------

    SCCE Membership


  • 5.  RE: Referral Source

    Posted 5 days ago
    If the organization is not operating as a Business Associate and they are not a HIPAA Covered Entity, then you are correct, you cannot share patient information with them absent written patient authorization. I would put this back in the lap of the referral organization and ask them how they have handled this situation in the past. They may already have documents prepared that they suggest giving to patients explaining the relationship along with an authorization.

    ------------------------------
    Brenda Manning JD, CHC, CHPC
    Privacy Counsel
    Maximus, Inc.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    SCCE Membership


  • 6.  RE: Referral Source

    Posted 5 days ago
    If you're a covered entity then I'd say you need an authorization from the resident to disclose their information to the referral agency.  I don't think the referral agency is a BA as they are not providing a function on your behalf.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau,AK
    ------------------------------

    SCCE Membership


  • 7.  RE: Referral Source

    Posted 4 days ago
    Thank you all for the feedback and support.  I am sticking to my request that we obtain an authorization from the "patient" and I will be asking that a BAA be signed.

    It is so helpful for my department of one when I have this group to solicit feedback from.

    ------------------------------
    Debra Larkin
    Corporate Director of
    Compliance/Privacy Officer
    ------------------------------

    SCCE Membership