We all know that new HIPAA regulations – with a compliance deadline of September 23, 2013 – affect all of Ohio’s County Boards of Developmental Disability. Hopefully, policy development and other compliance activities are well underway. In most cases, the affiliated non-profit that secures contracts and provides employment for adults in the sheltered workshops is NOT a HIPAA covered entity. However, sometimes it is, and further, your non-profit may be a HIPAA Business Associate. In either case, there will be compliance obligations for your non-profit.
First of all, the test to determine whether your non-profit is a HIPAA covered entity is this – does your non-profit engage in the HIPAA-specified electronic transactions with a third-party payer (e.g. Medicaid), including electronic claims, eligibility inquiry, electronic remittance advice, claim status inquiry or response to claim status inquiry? The most common instance would be the electronic claim to DoDD or Medicaid, which could be for physical or occupational therapy, supportive nursing or other service. For most non-profits, the answer is NO, and in this case, they are NOT HIPAA covered entities.
Next, determine if the non-profit is a HIPAA Business Associate. There is a long definition of Business Associate, but generally, an entity becomes a HIPAA Business Associate if it has a business relationship with a HIPAA Covered Entity that involves the use, disclosure, transmission or maintenance of Protected Health Information. The most likely situations are where the non-profit acts like an employment agency and, under contract with the County Board, pays its individuals to provide services to the County Board. Consider the following examples:
- The Non-Profit provides individuals who perform janitorial services for the County Board – does NOT create a BA relationship. Janitorial work does not involve the use of PHI.
- The Non-Profit provides individuals who scan old case files that contain PHI into a new imaging system – DOES create a BA relationship. Scanning records DOES involve the use of PHI.
- The Non-Profit provides individuals who serve in the capacity of receptionist – DOES create a BA relationship. Answering the phone involves speaking with individuals served, their parents and other conversations involving PHI.
If the Non-Profit is either a HIPAA covered entity or a HIPAA business associate, then it has compliance obligations. It will require its own policy and procedure manual (different from, and much simpler than, the county board’s HIPAA manual), and the non-profit will need to provide confidentiality training to its employees who are working with the board’s PHI.