HIPAA, protected healthcare information and ADR: What rules apply?
Treating the neutral as a business associate and executing a BAA seems to be the safest and most practical route to follow
By Ronald B. Ravikoff September 29, 2014
Arbitration and mediation have become major forums for healthcare business disputes, which extend far beyond traditional medical issues between patients and providers. Major claims involving contractual issues between providers and business associates are taking center stage in the healthcare ADR arena. Many of these disputes require the use or disclosure of protected healthcare information (PHI) as defined by HIPAA. The use of PHI is governed by the HIPAA privacy rules.
Organizations and individuals required to comply with the HIPAA privacy rules are called covered entities. Covered entities include health plans, healthcare clearinghouses and any healthcare provider that transmits health information in electronic form in connection with transactions for which the secretary of Health and Human Services has adopted standards under HIPAA.
Major revisions to HIPAA were made under the HITECH Act's provisions as part of the American Recovery and Reinvestment Act of 2009, making the privacy and security rules explicitly applicable to business associates of covered entities.
Business associates are now subject to direct regulatory enforcement. Further, business associates must now treat their subcontractors that create, receive, transmit or maintain PHI in the same manner that covered entities treat their business associates. Covered entities and business associates are responsible for their own workforces, including employees, volunteers and others who are under their direct control. Typically, a business associate should treat its independent contractors as subcontractors for purposes of complying with the regulations.
In light of the new regulations and the increased use of ADR, the question raised is this: If mediation or arbitration requires disclosure of or questioning about PHI to the neutral mediator or arbitrator, is the neutral covered by the HIPAA PHI restrictions, and if so, should the neutral be considered a business associate?
Protection of PHI in ADR
There does not seem to be any clear guidance on whether ADR neutrals who receive PHI in the course of a proceeding are properly classified as business associates. But given that it is now accepted that lawyers and even court reporters who receive PHI are business associates, ADR neutrals should also, out of an abundance of caution, be treated as such.
The regulations offer three possible routes to protect PHI in ADR: individual consent, a judicial proceedings disclosure, or a business associate agreement (BAA). However, as discussed below, only the BAA seems both to be practical and to offer clear protection.
Disclosure after consent: Certainly, disclosure of PHI may be made with the consent of the individual whose PHI is at issue. Individual consent would seem impractical, however, when a large amount of information needs to be reviewed. Thus, it is not a preferred alternative for business-type disputes where multiple individuals' data may be needed.
Judicial and administrative proceedings disclosure: Also, covered entities may disclose PHI in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a qualified protective order are provided.
Does the ADR process fall into the judicial and administrative proceedings disclosure allowance?
Again, there is little guidance on this question—particularly after the new rules expanding liability for business associates. Certainly, one would be hard-pressed to argue that mediation falls within this permitted disclosure route as a judicial or administrative proceeding. However, many mediations are court ordered, and this could provide a vehicle to obtain a qualified protective order, thus offering some protection.
Also, Scott D. Stein suggested in "What litigators need to know about HIPAA" that arbitration should qualify as a judicial or administrative proceeding, but again, there appears to be no direct authority supporting this position.
Are mediators and arbitrators business associates under HIPAA?
As noted above, there seems to be little argument that lawyers who receive PHI from covered entities are business associates and that lawyers' subcontractors that receive or interact with PHI would generally also be considered business associates.
Accordingly, it is suggested that, given the broad scope of the new business associate regulations and absent clear guidance to the contrary, mediators and arbitrators should be treated as business associates as well.
What best practices should be followed under the current state of the regulations?
When practical and possible, secure authorization from the individuals whose PHI is sought to be used as permitted by 45 CFR 164.508. When the mediation is court-ordered, consider seeking a qualified protective order, which covers the mediation as part of the court-ordered referral. However, as mentioned above, there is no assurance that mediation would qualify as a judicial or administrative proceeding, even allowing for a qualified protective order. In this instance, the protective order should be considered as merely added protection for the covered entity and business associate.
Treat the mediator or arbitrator as business associates under HIPAA and have the neutral sign a BAA. Indeed, as many BAAs already have dispute resolution clauses in them, advance planning would suggest that mandatory mediation or arbitration clauses anticipate the requirement of a BAA as part of the contracted-for ADR process.
Treating the neutral as a business associate and executing a BAA seems to be the safest and most practical route to follow.