HIPAA, protected healthcare information and ADR: What rules apply?

Source: InsideCounsel.com
Date: September 29, 2014

Ronald Ravikoff, Esq.


Reprinted with permission from InsideCounsel.

Ronald Ravikoff, Esq. has more than 35 years of experience in mediation, arbitration, complex litigation, and dispute counseling. His dispute resolution practice focuses on complex commercial matters with a particular emphasis on matters involving antitrust and trade regulation, class actions, financial institution litigation, securities litigation and regulatory proceedings, healthcare litigation and trade secrets matters. He can be reached at rravikoff@jamsadr.com.

Treating the neutral as a business associate and executing a BAA seems to be the safest and most practical route to follow
By Ronald B. Ravikoff September 29, 2014
Arbitration and mediation have become major forums for healthcare business disputes, which extend far beyond traditional medical issues between patients and providers. Major claims involving contractual issues between providers and business associates are taking center stage in the healthcare ADR arena. Many of these disputes require the use or disclosure of protected healthcare information (PHI) as defined by HIPAA. The use of PHI is governed by the HIPAA privacy rules.
Organizations and individuals required to comply with the HIPAA privacy rules are called covered entities. Covered entities include health plans, healthcare clearinghouses and any healthcare provider that transmits health information in electronic form in connection with transactions for which the secretary of Health and Human Services has adopted standards under HIPAA.
Major revisions to HIPAA were made under the HITECH Act's provisions as part of the American Recovery and Reinvestment Act of 2009, making the privacy and security rules explicitly applicable to business associates of covered entities.
Business associates are now subject to direct regulatory enforcement. Further, business associates must now treat their subcontractors that create, receive, transmit or maintain PHI in the same manner that covered entities treat their business associates. Covered entities and business associates are responsible for their own workforces, including employees, volunteers and others who are under their direct control. Typically, a business associate should treat its independent contractors as subcontractors for purposes of complying with the regulations.
In light of the new regulations and the increased use of ADR, the question raised is this: If mediation or arbitration requires disclosure of or questioning about PHI to the neutral mediator or arbitrator, is the neutral covered by the HIPAA PHI restrictions, and if so, should the neutral be considered a business associate?
Protection of PHI in ADR
There does not seem to be any clear guidance on whether ADR neutrals who receive PHI in the course of a proceeding are properly classified as business associates. But given that it is now accepted that lawyers and even court reporters who received PHI are business associates, ADR neutrals should also, out of an abundance of caution, be treated as such.
The regulations offer three possible routes to protect PHI in ADR: individual consent, a judicial proceedings disclosure, or a business associate agreement (BAA). However, as discussed below, only the BAA seems both to be practical and to offer clear protection.
Disclosure after consent: Certainly, disclosure of PHI may be made with the consent of the individual whose PHI is at issue. Individual consent would seem impractical, however, when a large amount of information needs to be reviewed. Thus, it is not a preferred alternative for business-type disputes where multiple individuals' data may be needed.
Judicial and administrative proceedings disclosure: Also, covered entities may disclose PHI in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a qualified protective order are provided.
Does the ADR process fall into the judicial and administrative proceedings disclosure allowance?
Again, there is little guidance on this question—particularly after the new rules expanding liability for business associates. Certainly, one would be hard-pressed to argue that mediation falls within this permitted disclosure route as a judicial or administrative proceeding. However, many mediations are court-ordered, and this could provide a vehicle to obtain a qualified protective order, thus offering some protection.
Also, Scott D. Stein suggested in "What litigators need to know about HIPAA" that arbitration should qualify as a judicial or administrative proceeding, but again, there appears to be no direct authority supporting this position.
Are mediators and arbitrators business associates under HIPAA?
As noted above, there seems to be little argument that lawyers who receive PHI from covered entities are business associates and that lawyers' subcontractors that receive or interact with PHI would generally also be considered business associates.
Accordingly, it is suggested that, given the broad scope of the new business associate regulations and absent clear guidance to the contrary, mediators and arbitrators should be treated as business associates as well.
What best practices should be followed under the current state of the regulations?
When practical and possible, secure authorization from the individuals whose PHI is sought to be used as permitted by 45 CFR 164.508.
When the mediation is court-ordered, consider seeking a qualified protective order, which covers the mediation as part of the court-ordered referral. However, as mentioned above, there is no assurance that mediation would qualify as a judicial or administrative proceeding, even allowing for a qualified protective order. In this instance, the protective order should be considered as merely added protection for the covered entity and business associate.
Treat the mediator or arbitrator as a business associate under HIPAA and have the neutral sign a BAA. Indeed, as many BAAs already have dispute resolution clauses in them, advance planning would suggest that mandatory mediation or arbitration clauses anticipate the requirement of a BAA as part of the contracted-for ADR process.
Treating the neutral as a business associate and executing a BAA seems to be the safest and most practical route to follow.