Privacy Officer's Roundtable

Hi all,  

I need some of this group's wisdom. 

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

Original Message:
Sent: 9/20/2022 1:01:00 PM
From: Debra Larkin
Subject: Referral Source

Hi all,  

I need some of this group's wisdom. 

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

Thank you Alex,

I suppose where I was questioning the BA relationship is in the need for us to return information to the referral company after we admit the "patient".  By admitting the "patient"  and then sharing their PHI (Name, Date of admission and payment for the unit), we disclosing PHI to for something other than TPO, correct?

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

Original Message:
Sent: 09-20-2022 01:45 PM
From: Alexander Slosman
Subject: Referral Source

I'm confused. The referral company knows the patient and provides the patient information on facilities that may provide needed services. The patient looks in to refered facilities and decides which facility to use. I'm not seeing a business associate relationship.

Original Message:
Sent: 9/20/2022 1:01:00 PM
From: Debra Larkin
Subject: Referral Source

Hi all,

I need some of this group's wisdom.

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

I'm not totally up to speed on all the services provided in senior living, personal care, and assisted living - is the information you are sharing covered under the defition of PHI, thus subject to HIPAA and then BAA requirements?  (Snip from HHS.gov website).



------------------------------
Marie Wagner, CHC, CHRC
Operations Manager, Corporate Compliance
The Queen's Health Systems
Honolulu, HI
------------------------------

Original Message:
Sent: 09-20-2022 02:43 PM
From: Debra Larkin
Subject: Referral Source

Thank you Alex,

I suppose where I was questioning the BA relationship is in the need for us to return information to the referral company after we admit the "patient".  By admitting the "patient"  and then sharing their PHI (Name, Date of admission and payment for the unit), we disclosing PHI to for something other than TPO, correct?

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer

Original Message:
Sent: 09-20-2022 01:45 PM
From: Alexander Slosman
Subject: Referral Source

I'm confused. The referral company knows the patient and provides the patient information on facilities that may provide needed services. The patient looks in to refered facilities and decides which facility to use. I'm not seeing a business associate relationship.

Original Message:
Sent: 9/20/2022 1:01:00 PM
From: Debra Larkin
Subject: Referral Source

Hi all,

I need some of this group's wisdom.

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

If the organization is not operating as a Business Associate and they are not a HIPAA Covered Entity, then you are correct, you cannot share patient information with them absent written patient authorization. I would put this back in the lap of the referral organization and ask them how they have handled this situation in the past. They may already have documents prepared that they suggest giving to patients explaining the relationship along with an authorization.

------------------------------
Brenda Manning JD, CHC, CHPC
Privacy Counsel
Maximus, Inc.

The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
------------------------------

Original Message:
Sent: 09-20-2022 03:16 PM
From: Marie Wagner
Subject: Referral Source

I'm not totally up to speed on all the services provided in senior living, personal care, and assisted living - is the information you are sharing covered under the defition of PHI, thus subject to HIPAA and then BAA requirements?  (Snip from HHS.gov website).



------------------------------
Marie Wagner, CHC, CHRC
Operations Manager, Corporate Compliance
The Queen's Health Systems
Honolulu, HI

Original Message:
Sent: 09-20-2022 02:43 PM
From: Debra Larkin
Subject: Referral Source

Thank you Alex,

I suppose where I was questioning the BA relationship is in the need for us to return information to the referral company after we admit the "patient".  By admitting the "patient"  and then sharing their PHI (Name, Date of admission and payment for the unit), we disclosing PHI to for something other than TPO, correct?

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer

Original Message:
Sent: 09-20-2022 01:45 PM
From: Alexander Slosman
Subject: Referral Source

I'm confused. The referral company knows the patient and provides the patient information on facilities that may provide needed services. The patient looks in to refered facilities and decides which facility to use. I'm not seeing a business associate relationship.

Original Message:
Sent: 9/20/2022 1:01:00 PM
From: Debra Larkin
Subject: Referral Source

Hi all,

I need some of this group's wisdom.

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

If you're a covered entity then I'd say you need an authorization from the resident to disclose their information to the referral agency.  I don't think the referral agency is a BA as they are not providing a function on your behalf.

------------------------------
David Garrison
Compliance/Privacy Officer
SEARHC
Juneau,AK
------------------------------

Original Message:
Sent: 09-21-2022 05:28 AM
From: Brenda Manning
Subject: Referral Source

If the organization is not operating as a Business Associate and they are not a HIPAA Covered Entity, then you are correct, you cannot share patient information with them absent written patient authorization. I would put this back in the lap of the referral organization and ask them how they have handled this situation in the past. They may already have documents prepared that they suggest giving to patients explaining the relationship along with an authorization.

------------------------------
Brenda Manning JD, CHC, CHPC
Privacy Counsel
Maximus, Inc.

The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

Original Message:
Sent: 09-20-2022 03:16 PM
From: Marie Wagner
Subject: Referral Source

I'm not totally up to speed on all the services provided in senior living, personal care, and assisted living - is the information you are sharing covered under the defition of PHI, thus subject to HIPAA and then BAA requirements?  (Snip from HHS.gov website).



------------------------------
Marie Wagner, CHC, CHRC
Operations Manager, Corporate Compliance
The Queen's Health Systems
Honolulu, HI

Original Message:
Sent: 09-20-2022 02:43 PM
From: Debra Larkin
Subject: Referral Source

Thank you Alex,

I suppose where I was questioning the BA relationship is in the need for us to return information to the referral company after we admit the "patient".  By admitting the "patient"  and then sharing their PHI (Name, Date of admission and payment for the unit), we disclosing PHI to for something other than TPO, correct?

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer

Original Message:
Sent: 09-20-2022 01:45 PM
From: Alexander Slosman
Subject: Referral Source

I'm confused. The referral company knows the patient and provides the patient information on facilities that may provide needed services. The patient looks in to refered facilities and decides which facility to use. I'm not seeing a business associate relationship.

Original Message:
Sent: 9/20/2022 1:01:00 PM
From: Debra Larkin
Subject: Referral Source

Hi all,

I need some of this group's wisdom.

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

Thank you all for the feedback and support.  I am sticking to my request that we obtain an authorization from the "patient" and I will be asking that a BAA be signed.  

It is so helpful for my department of one when I have this group to solicit feedback from.

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------

Original Message:
Sent: 09-21-2022 05:28 AM
From: Brenda Manning
Subject: Referral Source

If the organization is not operating as a Business Associate and they are not a HIPAA Covered Entity, then you are correct, you cannot share patient information with them absent written patient authorization. I would put this back in the lap of the referral organization and ask them how they have handled this situation in the past. They may already have documents prepared that they suggest giving to patients explaining the relationship along with an authorization.

------------------------------
Brenda Manning JD, CHC, CHPC
Privacy Counsel
Maximus, Inc.

The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

Original Message:
Sent: 09-20-2022 03:16 PM
From: Marie Wagner
Subject: Referral Source

I'm not totally up to speed on all the services provided in senior living, personal care, and assisted living - is the information you are sharing covered under the defition of PHI, thus subject to HIPAA and then BAA requirements?  (Snip from HHS.gov website).



------------------------------
Marie Wagner, CHC, CHRC
Operations Manager, Corporate Compliance
The Queen's Health Systems
Honolulu, HI

Original Message:
Sent: 09-20-2022 02:43 PM
From: Debra Larkin
Subject: Referral Source

Thank you Alex,

I suppose where I was questioning the BA relationship is in the need for us to return information to the referral company after we admit the "patient".  By admitting the "patient"  and then sharing their PHI (Name, Date of admission and payment for the unit), we disclosing PHI to for something other than TPO, correct?

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer

Original Message:
Sent: 09-20-2022 01:45 PM
From: Alexander Slosman
Subject: Referral Source

I'm confused. The referral company knows the patient and provides the patient information on facilities that may provide needed services. The patient looks in to refered facilities and decides which facility to use. I'm not seeing a business associate relationship.

Original Message:
Sent: 9/20/2022 1:01:00 PM
From: Debra Larkin
Subject: Referral Source

Hi all,

I need some of this group's wisdom.

We are a senior living organization and are looking at a contract with an organization that provides "patient" referrals into personal care and assisted living.  The organization will not agree to sign a BAA stating they only pair us with individuals and do not have an PHI.  However, we will pay them when a referral transitions into an admission.  In order to facilitate this, we are to report the "patient" name, date of admission, and private pay dollars for the unit the individual moves into.  I believe we will have to have an appropriate HIPAA authorization signed by the new "patient" or the responsible party.  Is a HIPAA authorization sufficient, if no BAA is in place?

Thank you in advance!

------------------------------
Debra Larkin
Corporate Director of
Compliance/Privacy Officer
------------------------------