Do Hospital-Based Physician Groups Need an OHCA to Comply With HIPAA?
For most physician groups, the need to establish HIPAA/HITECH programs for their organizations is an unquestioned fact of life, but there are other types of physician groups who may legitimately wonder whether they must do this.
For instance, do physicians affiliated with a hospital, and working exclusively at the hospital, need their own HIPAA/HITECH programs and Notice of Privacy Practices? Let’s look at the specifics of some of these arrangements and how they relate to the HIPAA Rules.
There are many types of physician groups that provide services to hospitals, such as radiology, anesthesia and pathology. Most often, these groups function as separate HIPAA covered entities, meaning they are separate businesses that provide a service under contract with their hospitals and are not employees of the hospital. As covered entities, HIPAA requires that they establish Privacy and Security programs and that patients’ protected health information (PHI) be protected. The argument can be made that the information is already secured through processes used by the contracted hospital, but that holds only up to the point at which it is given to the physician group. At that point, the PHI becomes the responsibility of the group, and its use, storage and billing records (especially if sent to a third party, a business associate, on behalf of the group) must be secured.
There are some items specific to these types of physician groups that their HIPAA policies must address. How will they handle billing issues such as breaches of PHI by their contracted billing companies, who are their HIPAA Business Associates? Will the billing companies perform the required notifications to the patient, to the Department of Health and Human Services, and to the media? How is the PHI transferred to the billing company: through the hospital billing system, by courier, or by some other means? How is it secured and protected from unauthorized use? Do the physicians access PHI on laptops that could be lost or stolen? Are the required Business Associate Agreements in place? Has the required HIPAA risk assessment been performed so that the group knows whether other security areas need attention?
The HIPAA Rules address this through the use of an “Organized Health Care Arrangement” (OHCA), which the HIPAA privacy rules define as legally separate covered entities "in a clinically integrated care setting in which individuals typically receive health care from more than one health care provider" (§ 160.103). There are many benefits to establishing an OHCA. The hospital and physician group may use a combined Notice of Privacy Practices (NPP), which spares patients from having to sign multiple NPPs and multiple forms to release their PHI when treated at a hospital. Having an OHCA may help these physician groups with some recordkeeping and administrative work, but there is also increased liability, since all members of the OHCA are responsible for complying with the HIPAA Rules and are dependent on the individuals assigned to perform specific tasks.
Before establishing an OHCA, physician groups should perform a HIPAA risk assessment in order to determine the needs of the group. The pros and cons should be examined, and a determination made as to whether the OHCA will fit their needs. Will the OHCA be able to supply the support needed to comply with all the HIPAA requirements? OHCAs are not required, but in certain circumstances they may be helpful.