The Common Law

Nonprofit organizations: what is HIPAA?

What is HIPAA? How does HIPAA affect the ability of my nonprofit organization to collect evaluation data from other programs?

The Health Information Portability and Accountability Act was passed by Congress in 1996. In accordance with the operation of HIPAA, the Department of Health and Human Services promulgated a series of regulations that were made final in 2002. The most widely discussed portion of those regulations is a section referred to as the Privacy Rule.

The Privacy Rule sets standards for protecting the privacy of personal health information. However, it applies to only three types of "covered entities": health plans, health care clearinghouses, and certain health care providers.

The question suggests that you are not a HIPAA-covered entity and that you are concerned with obtaining and retaining health information from other entities. I assume that you are not treating the subject of the information, that you are not being paid for such treatment, and that you are not part of the internal health care operations of the covered entity.

Assuming that is correct, then what is the answer to your question? Well, it depends.

If the organization from which you seek to obtain the data is not a covered entity, the organization should not rely on HIPAA to withhold it from you. Use whatever pre-existing arrangement or contract you have with the organization to request or require the data.

If the entity from which a nonprofit organization collects data is bound by HIPAA, then the answer depends on whether the information meets the definition of "protected health information." This is a determination best made by the HIPAA-covered entity. If the information does fall within the definition of PHI, a nonprofit organization will probably be able to obtain it – with certain limitations.

For example, in many situations an organization that evaluates data of a covered entity is a "business associate" of the entity. In these situations, the covered entity may release information to business associates after an agreement that meets the requirements in 45 C.F.R. § 164.504(e) (see below) has been signed. In addition, the covered entity is required to limit the disclosure to the minimum information necessary to fulfill the purposes for which the information is disclosed.

For links to the HIPAA regulations and more-detailed information as to how HIPAA might affect your specific organization, see www.hhs.gov/ocr/hipaa.

Please submit column suggestions, questions, and comments to [email protected]. Submission of potential topics does not create an attorney-client relationship, and any information submitted is subject to being included in future columns.

Marrs, Ellis & Hodge LLP, www.mehlaw.com.

The material in this column is for informational purposes only. It does not constitute, nor is it a substitute for, legal advice. For advice on your specific facts and circumstances, consult a licensed attorney. You may wish to contact the Lawyer Referral Service of Central Texas, a non-profit public service of the Austin Bar Association, at 512-472-8303 or www.austinlrs.com.
