Suggested Citation: "IX. WHETHER HIPAA APPLIES TO TRANSIT AGENCIES." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

20 use or disclosure. De-identified health information is that information that does not identify an indi- vidual. If “there is no reasonable basis to believe that the information can be used to identify an individual” the information “is not individually identifiable health information.”177 Thus, covered entities and business associates may divulge in- formation that is de-identified. HIPAA provides two ways for information to be de-identified. One method is by a formal determi- nation by a qualified statistician. A properly qualified statistician using accepted analytic tech- niques must conclude that there is a substantially limited risk of identifying the subject of the in- formation.178 The second method is by a covered entity’s or business associate’s removal from the information of 18 specified identifiers of an individual.179 IX. WHETHER HIPAA APPLIES TO TRANSIT AGENCIES A. Introduction As one source notes, some transit agencies as- sume that HIPAA applies to their paratransit ser- vice, while other agencies “struggle to understand their role within the HIPAA regulations” or “ques- tion how HIPAA applies to their service.”180 Whether HIPAA is applicable to transit agen- cies having health information on patrons is ad- dressed in Metro Transit’s response to the survey conducted for this digest. Metro Transit is not a health care provider and it does not make claims for service. Care organi- zations opt to make use of transit infrastructure to further their programs and for cost efficiencies. 177 45 C.F.R. § 164.514(a) (2013), . 178 45 C.F.R. § 164.514(b) (2013). 179 45 C.F.R. § 164.514(b) (2013). 
The identifiers that must be removed are names; geographical subdivisions smaller than a state; all dates excluding years; tele- phone and telefax numbers; email addresses; and social security, medical record, health plan beneficiary, ac- count, and certificate or license numbers; vehicle identi- fiers; device identifiers; Web URLs; IP address num- bers; biometric identifiers, such as fingerprints; full face photographic images; and any other unique identifying number, characteristic, or code. 180 Maureen Hensley Quinn, RTAP National Re- source Center, The Health Insurance Portability and Accountability (HIPAA) Rule’s Affect on Rural Transit Agencies (Fall 2006), hereinafter referred to as “Quinn,” available at http://www.ctaa.org/webmodules/ webarticles/articlefiles/hipaabrief.pdf. Utilizing public transit has a direct impact on patient care, costs, and access. Applying HIPAA regulations to public transit at each point of ser- vice would result in an increase cost to the service and potentially a reduction in service available. Public transportation entails requesting informa- tion about the nature of the trip which could po- tentially contain protected health information[.] [I]f HIPAA regulations applied to public transit, it would in turn require that public transit comply with all HIPAA regulations, including providing privacy notices and acknowledgment of said no- tice (via gathering signatures at the time of each applicable boarding) implementing security meas- ures for electronic transmissions of manifests, and [the use of] direct service as opposed to shared ride service to avoid inappropriate disclosure to unauthorized persons at the time of boarding. 
The implication if HIPAA is applied to public transit is a fundamental change in the manner in which public transit is delivered, increased costs, and decreased access not just for health care, but all trip purposes and would adversely affect all in- volved parties (emphasis added).181 One article concludes that that very few, if any, transit systems’ operations are subject to HIPAA: There is no concrete guidance available on how transpor- tation, particularly non-emergency medical transporta- tion, relates to the HIPAA privacy rule. However, a pri- vacy expert at HHS’s Office for Civil Rights reiterated the…definition for a covered entity by indicating that only those organizations that provide health care and bill for services electronically must comply with the HIPAA law. So, there are very few, if any, transit systems that fall within that category.182 The above article concludes that transit sys- tems do not violate HIPAA’s privacy rule, for ex- ample, if they have a bus stop at a social service agency; coordinate transportation with mental health agencies, health care facilities, or social service agencies; or use a paratransit vehicle with the agency’s system’s logo “to provide door-to-door service.”183 B. Health Information Provided by or Authorized by Patrons Five agencies responding to the survey that have health information on their patrons stated that they have not been advised, nor have they assumed, that they are subject to HIPAA simply because of having such information. Five agencies stated that they assumed without being so ad- 181 Response of Metro Transit. 182 Quinn, supra note 180. 183 Id.

21 vised that HIPAA applied to them, or they at least treated the information as being confidential without knowing whether HIPAA actually ap- plied.184 There are several reasons a transit agency would not be subject to HIPAA as a result of hav- ing health information on patrons. When a transit agency receives health information from a patron or pursuant to a patron’s authorization or a re- lease, the health information in the possession of a transit agency arguably is not PHI within the meaning of the HIPAA regulations. PHI is cre- ated, received, maintained, or transmitted only by covered entities. Moreover, a transit agency may be receiving and acting on the information on be- half of a patron, not on behalf of a covered en- tity.185 To be subject to HIPAA, a transit agency would have to meet HIPAA’s definition of a busi- ness associate and have a business associate agreement with a covered entity that authorized the transit agency to create, receive, maintain, or transit PHI, as defined by HIPAA, on behalf of a covered entity. If a patron authorizes a covered entity such as a health care provider to furnish health informa- tion to a transit agency, the information thereaf- ter in the possession of the transit agency is no longer subject to HIPAA. HHS long ago recog- nized the existence of this gap in privacy cover- age: We understand that many entities may use and disclose individually identifiable health information. However, our jurisdiction under the statute is limited to health plans, health care clearinghouses, and health care pro- viders who transmit any health information electronically in connection with any of the standard financial or ad- ministrative transactions in section 1173(a) of the Act. These are the entities referred to in section 1173(a)(1) of the Act and thus listed in § 160.103 of the final rule. 
Con- 184 Response of EBPC (stating that it replied affirma- tively to the survey questions but had nothing in writ- ing that HIPAA applied to the agency); Response of KAT (stating that that it has not been advised that HIPAA applies but “just work[s] under the assumption that the information would be covered under HIPAA law”); Response of Manchester (stating that the agency has not been “formally advised but it has long been our assumption that we were subject to HIPAA, having no evidence to the contrary”); Response of Pierce County (stating that “[t]he agency is not assumed to be a desig- nated HIPAA organization, but we do handle some in- formation that is protected under HIPAA”); Response of Utah Transit (stating that “[a]s we receive information from healthcare providers on our clients’ disabilities, we assume that we are to treat such information as confi- dential”). 185 78 Fed. Reg. 5572. sequently, once protected health information leaves the purview of one of these covered entities, their business associates, or other related entities (such as plan spon- sors), the information is no longer afforded protection un- der this rule.186 Of the 17 agencies responding to the survey that have health information on their patrons, twelve agencies replied that they do receive health information from covered agencies for the purpose of providing transportation service to their patrons. However, based on the transit agencies’ responses to the survey, with some pos- sible exceptions, it appears that their patrons provide information directly to the transit agen- cies or provide a release or an authorization to enable transit agencies to receive health informa- tion from the patrons’ health care providers or other covered entities.187 186 U.S. DEP’T OF HEALTH AND HUMAN SERVICES, OFFICE OF THE SECRETARY, 45 C.F.R. parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information, Final Rule, 65 Fed. Reg. 82,462, 82,567 (Dec. 
28, 2000), hereinafter referred to as “HHS Dec. 2000 Final Rule,” available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/ privacyrule/prdecember2000all8parts.pdf. 187 Response of EBPC (“stating that “[i]n order to use the ADA…paratransit program…applicants must com- plete a certification process, which [is] a requirement under the ADA. For EBPC, this includes a paper appli- cation, an in-person interview, and at times, a medical verification received from a health care provider” and that “[a]ll information in the rider’s file is strictly confi- dential and EBPC does not transmit this information to anyone”); Response of New Haven Transit (clients re- quired to sign a release of information); Response of HART (requires medical certification forms be com- pleted by physicians on patrons for eligibility of para- transit services); Response of KAT (receives medical information regarding a client’s need for paratransit service); Response of Kitsap (in some cases contacts named medical professionals for additional information regarding applicant’s “functional abilities” to travel in- dependently); Response of Manchester (“clients must submit documentation from their health care provider that illustrates disability [and] its impact on clients’ ability to use fixed routes”); Response of MATA (re- quires certification of all patrons whose medical infor- mation is “received and stored on site”); North County (receives health information from medical providers to determine eligibility of service; eligibility application requires a patron to acknowledge the use of PHI); Pierce Transit (seeks “professional verification and re- ports from health care providers” for paratransit ser- vice); Response of Utah Transit (receives health infor- mation that may affect an individual’s functional ability to ride public transportation; information is received by fax or provided to the authority by the client); and

22 For instance, Metro Transit, which maintains that HIPAA does not apply to the agency, stated that that it has a contract with a covered entity, but that “none of the health records come from the covered entity. Health records come directly from the patron. The covered entity obtains a release from the patron to voluntarily participate in the program.”188 Likewise, Pierce Transit stated that the agency “is not assumed to be a designated HIPAA organi- zation” but that the agency does “handle some information that is protected under HIPAA.” In a follow-up interview, a representative of Pierce Transit described his agency’s procedure. Pierce Transit seeks professional verification as needed to support our paratransit eligibility deci- sion making. Our paratransit application includes a release of information that allows us to contact relevant treatment professionals. Pierce Transit commonly seeks information by faxing specific questions to these treatment professionals or by seeking copies of existing evaluations. The infor- mation we seek is related to claimed limitations or conditions the applicant has identified as bar- riers to regular bus use. This information helps to further define the applicants’ need for service and reduces the need for in person assessment (em- phasis added).189 Pierce Transit further explained that it does not directly receive any information from the Medi- caid system or Health Department. The medical informa- tion we receive comes directly from the medical providers who are the primary care sources for our applicants for our ADA paratransit service. We receive this via a release of information during the eligibility process. Pierce Transit contracts with First Transit as a service provider[;] they do the actual ADA para- transit driving. [Pierce Transit] does not provide specific health information to the transportation provider beyond the pick-up and drop off points and what type of mobility aid will be used. 
This information is transferred by way of a manifest. There is no specific data transfer agreement that I am aware of (emphasis added).190 Whatcom (seeks professional verification from physi- cians and other providers to assist the eligibility spe- cialist in making an ADA paratransit determination). 188 Metro Transit also stated “paratransit service manifests are generated for distribution to directly op- erated service drivers and to contracted service drivers for transportation purposes only. …No health related information is provided on the manifests. Manifests are distributed manually and electronically.” 189 Email, dated Oct. 15, 2013, from Pierce Transit. 190 Id. In sum, based on the survey responses, transit agencies receive health information directly from patrons or from their health care providers pur- suant to a release or authorization signed by pa- trons. Although transit agencies such as Metro Transit and Pierce Transit may receive and main- tain health information from applicants or from their health care providers pursuant to a release of information, neither Metro Transit nor Pierce Transit assumes that it is subject to HIPAA. It appears that HIPAA only applies to a transit agency if the agency meets HIPAA’s definition of a business associate and receives PHI directly from a HIPAA-covered entity pursuant to a busi- ness associate agreement with a covered entity. C. Effect of HIPAA on Coordinated Transportation Services Programs 1. Development of Coordinated Human Transportation Services Programs In February 2004 President George W. 
Bush signed Executive Order 13330 that mandated the coordination of human service transportation ser- vices.191 A 2005 report to the president regarding Executive Order 13330 recognized five states— Florida, Maryland, North Carolina, Ohio, and Washington—for “building and implementing transportation infrastructure, policies and pro- grams that facilitate human service transporta- tion coordination…by implementing strategies such as transportation brokerages, Medicaid tran- sit pass programs, and joint planning efforts.”192 As of 2012, nearly 60 percent of transit agencies were coordinating with health and human ser- vices providers to improve ADA paratransit ser- vices.193 Transit operators must provide ADA 191 Human Service Transportation Coordination, 69 Fed. Reg. 9185 (Feb. 26, 2004), available at http://www.gpo.gov/fdsys/pkg/FR-2004-02-26/pdf/04- 4451.pdf. 192 United We Ride, Coordinating Council on Access and Mobility, Report to the President–Human Service Transportation Coordination–Executive Order 13330 (2005), available at http://www.unitedweride.gov/ 1_866_ENG_HTML.htm. 193 U.S. GOV’T ACCOUNTABILITY OFFICE, GAO-13-17, ADA Paratransit Services: Demand Has Increased, but Little is Known about Compliance (Nov. 15, 2012) (see unnumbered page in section entitled What GAO Found), available at http://www.gao.gov/products/GAO- 13-17. Another GAO report entitled Transportation Coordination, Benefits and Barriers Exist, and Plan- ning Efforts Progress Slow states that “the lack of coor- dination among human services transportation provid-

23 complementary paratransit service, but state and local social services agencies offer paratransit for clients using government funding provided by one of approximately 90 programs.194 Under HIPAA, if a covered entity is providing PHI to a business associate, the parties must have a business associate agreement that complies with HIPAA’s specifications. Although there is an issue of whether transit agencies satisfy HIPAA’s definition of a business associate,195 some transit agencies are serving as brokers and/or have busi- ness associate agreements with covered entities to deliver transportation services. Some transit agencies are subcontractors of business associ- ates. In addition, some transit agencies may have contracts as direct providers with one or more cov- ered entities. Regardless of whether transit agen- cies come within the meaning of HIPAA’s defini- tion of a business associate, the contracts reviewed for this digest stipulated that the transit agencies will comply with HIPAA. 2. Use of Brokerage Agreements and Subcontractors Some state and local governments, social ser- vices agencies, and transit districts coordinate their efforts to provide paratransit service by us- ing brokers, including the use of transit agencies as brokers.196 When there are coordinated trans- portation services using transit, the largest com- ponent is the Non-Emergency Medical Transpor- tation (NEMT) services program for Medicaid recipients.197 Medicaid, of course, is a health plan ers and public transit operators contributes to the du- plication or overlapping of transportation services. Thus, particular clients may be left unserved or under- served, while transportation providers serving other clients may have excess capacity.” U.S. GOV’T ACCOUNTABILITY OFFICE, GAO/RCED-00-1, Transporta- tion Coordination, Benefits and Barriers Exist, and Planning Efforts Progress Slowly, at 2 (Oct. 1999), available at http://www.gao.gov/new.items/rc00001.pdf. 
194 Lave & Mathias, supra note 3, at 4. 195 See Section IX.E of this digest. 196 Lave & Mathias, supra note 3, at 5. See also Kenneth I. Hosen & Elisabeth Fetting, Transit Agency Participation in Medicaid Transportation Programs, TCRP Synthesis 65, TRANSPORTATION RESEARCH BOARD OF THE NATIONAL ACADEMIES, Washington, D.C. at 13 (2006) (see id., Table 2, “General State NEMT Charac- teristics,” describing state and local practices), hereinaf- ter referred to as “TCRP Report 65,” available at http://www.nap.edu/catalog.php?record_id=13961. 197 ACCT Final Report, supra note 62. See also CENTER FOR WORKERS WITH DISABILITIES, AMERICAN covered by HIPAA.198 Under federal law, state Medicaid programs must “ensure that recipients have necessary medical transportation to and from covered Medicaid services (42 CFR 431.53)” and that all “ordering or rendering providers [are] enrolled direct with the Medicaid agency.”199 How- ever, some state coordination programs do not include NEMT.200 When there is a coordinated approach, transportation may be arranged by a broker for ADA passengers and Medicaid recipi- ents, as well as for urban or rural passengers, the elderly, low income persons, and other recipients of social services.201 Although the states use a variety of ap- proaches, transportation may be approved and arranged, for example, after a Medicaid recipient submits an eligibility form completed by his or her health care provider. Again the practice may vary, but a Medicaid recipient may call a broker or transit agency and provide the necessary informa- tion to obtain transportation. Information that is PUBLIC HUMAN SERVICES ASSOCIATION, Improving Hu- man Services Transportation: The Massachusetts Bro- kerage and Coordination Model, at 2, hereinafter re- ferred to as “The Massachusetts Brokerage and Coordination Model,” available at http://www.aphsa. org/content/dam/CWD/PDF/Resources/Trans-Brief-MA- 2012.pdf. 
Since 2005, however, brokerages have been a “Medicaid state plan option.” Id. 198 See Section III of this digest. See also U.S. DEP’T OF HEALTH AND HUMAN SERVICES, available at http://www.hhs.gov/hipaafaq/providers/treatment/1040. html (May a Medicaid State Agency and a Medicare Advantage plan share protected health information to identify dually eligible enrollees); The Health Insurance Portability and Accountability Act (HIPAA) and Medi- caid Billing, available at http://www.oasas.ny.gov/ admin/hcf/medhipaa.cfm (regarding HIPAA-compliant claims); and N.C. DEP’T OF HEALTH AND HUMAN SERVICES, DIVISION OF MEDICAL ASSISTANCE (regarding Medicaid and HIPAA compliance), available at http://www.ncdhhs.gov/dma/hipaa/. 199 U.S. DEP’T OF HEALTH AND HUMAN SERVICES, REPORT TO THE JOINT LEGISLATIVE OVERSIGHT COMMITTEE ON HEALTH AND HUMAN SERVICES AND THE JOINT LEGISLATIVE OVERSIGHT COMMITTEE ON TRANSPORTATION, Non-Emergency Medical Transporta- tion Services Management Report, at 8 (Oct. 15, 2012), hereinafter referred to as “NEMT Services Management Report,” available at www.starnewsonline.com/assets/doc/WM25807107.DOC .NEMT. 200 The Massachusetts Brokerage and Coordination Model, supra note 197, at 2. 201 NEMT Services Management Report, supra note 199, at 3.

24 provided by a Medicaid recipient to a transit agency does not appear to be subject to HIPAA because a transit agency is not a covered entity. However, a state Medicaid program or agency or one providing coordinated transportation services may require a contract with a transit agency that provides that the transit agency is subject to HIPAA. In many states the department of social ser- vices or the equivalent acts as the lead coordinat- ing agency that is responsible for NEMT.202 More- over, about 40 states use brokers to administer their NEMT program.203 A recent TCRP Report on transit agencies and Medicaid transportation pro- grams discusses the diversity in approach among the states regarding eligibility, screening, and verification of recipients of transportation ser- vices.204 Arrangements vary widely from the use of a statewide broker to regional or county brokers. The brokers may be profit or not-for-profit entities or government agencies.205 Although brokers may fulfill a number of roles, typically their contracts with a sponsor provide that a broker will establish a network of vendors or subcontractors, verify eli- gibility of applicants, and arrange for the least expensive means of transportation.206 Massachusetts is one of the states that has de- veloped a “transit administered brokerage” sys- tem to coordinate NEMT and other human ser- vices transportation programs.207 The Massachusetts EOHHS manages a “statewide brokerage network for eligible consumers” to serve, for example, the Massachusetts Depart- ment of Public Health and other agencies.208 Bro- kers are selected through competitive bidding that is open to regional transportation agencies (RTA). The arrangement is essentially that [T]he RTA brokers contract with the [Human Service Transportation] (HST) Office to provide brokerage man- agement services for a negotiated annual rate, which in- cludes the brokerage services but not the cost of the rides. 
The brokerage services include phone banks, scheduling, verification of eligibility, quality reviews, and reporting. The brokers subcontract with local transportation provid- ers to provide the trips under one of two service delivery 202 Id. at 4. 203 Id. at 5. 204 TCRP Report 65, supra note 196, at 13. 205 NEMT Services Management Report, supra note 199, at 5. 206 Id. at 7. 207 The Massachusetts Brokerage and Coordination Model, supra note 197, at 1. 208 Id. at 3. models: route based and demand response transporta- tion.209 The HST Provider Performance Standards ap- plicable to EOHHS require a broker/transit pro- vider to comply with HIPAA and that the con- tracts with transportation providers state that the providers will comply with HIPAA.210 Other states use brokers to coordinate transit services including for Medicaid recipients. In Flor- ida, “all programs that receive or administer state funds for transportation must participate in the coordinated transportation network.”211 Pennsyl- vania, New York, and Oregon use a brokerage system as well. For the Portland, Oregon area, TriMet serves as the broker, screens clients for eligibility, and contracts with transportation pro- viders.212 For a coordinated transportation ap- proach brokers also may use fixed-route transit service because many states have had significant financial savings by using fixed-route service for capable individuals.213 3. Whether HIPAA Applies to Coordinated Transportation Services HIPAA has been described as a “very complex piece of legislation and regulations [that] is fre- quently cited as a barrier to coordinating trans- portation between Medicaid and other agen- cies.”214 There is some divergence of opinion regarding whether the above and similar broker- age arrangements are subject to HIPAA. 
One re- port notes the disagreement and states that there is “little guidance” for determining whether NEMT providers, the largest component of coor- dinated transportation services, “meet the busi- 209 Id. at 4. 210 HST Provider Performance Standards (Massa- chusetts) (Updated Jan. 1, 2011), available at http://www.mass.gov/eohhs/docs/hst/provider- performance-standards.pdf. 211 Comparison of Non-Emergency Medical Transpor- tation across Various States, hereinafter referred to as “Comparison of NEMT across Various States,” available at www.ime.state.ia.us/docs/StateComparisonsofMed Trans.doc. 212 Id. 213 Kenneth I. Hosen & Elisabeth Fetting, Transit Agency Participation in Medicaid Transportation Pro- grams, TRANSPORTATION RESEARCH BOARD OF THE NATIONAL ACADEMIES, Washington, D.C. at 29 (2006), (citing 45 C.F.R. §§ 164.502(e), 164.504(e), 164.532(d) and (e)), hereinafter referred to as “TCRP Synthesis No. 65,” available at http://www.nap.edu/catalog.php?record _id=13961. 214 ACCT Final Report, supra note 62, at 4.

25 ness associate requirements or exceptions” and are subject to HIPAA.215 This report also states that whether a participating agency may disclose information to another agency “for a particular purpose is a highly fact specific determination that must be made on a case by case basis.”216 This report found that that the “HIPAA regula- tions are for the most part silent on the impact and responsibilities specifically for public trans- portation providers.”217 However, this report also found that transportation providers generally are “required to comply with HIPAA if it is deter- mined that, in addition to basic client demo- graphic and medical service trip information, a client’s protected health information (PHI) is also being shared when consolidating medical trans- portation trip information.”218 As noted previ- ously, a subset of PHI is individually identifiable health information that includes “demographic information collected from an individual.”219 The TCRP Report noted earlier discusses the “opportunities” for public transit agencies to par- ticipate as a “direct provider, broker, or subcon- tractor” in Medicaid transportation programs.220 This report states that the confidentially of re- cords is a potential barrier to coordinated transit service because public transit agencies may not be “equipped” to maintain the confidentiality of medical information.221 The TCRP Report also suggests, albeit in one brief sentence, that transit agencies are not subject to HIPAA regarding NEMT trips that may be arranged by a transit agency as a broker.222 However, as noted, a con- tract for NEMT could provide that HIPAA ap- plies. 
Although one issue is whether a particular ar- rangement for coordinated transportation services involves the sharing of PHI by covered entities with transit agencies, another issue is that “some- times it is difficult to discern whether information is protected health information.”223 For example, it may be a patron who provides the health infor- mation or authorizes that it be provided to a tran- 215 Id. at 58. 216 Id. at 55. 217 Id. at 56. 218 Id. 219 45 C.F.R. § 160.103 (2013) (definition of individu- ally identifiable health information). 220 TCRP Report 65, supra note 196, at 4. 221 Id. at 21. 222 Id. 223 ACCT Final Report, supra note 62, at 57. sit agency, and it may be a patron who requests transportation and provides any additional health-related information needed by a transit agency that is serving as a broker and/or provider. Nevertheless, in a particular coordinated trans- portation services program, a transit agency serv- ing as a broker and business associate or as a sub- contractor could be expected to receive and transmit PHI.224 In addition to a business associ- ate agreement of the kind included in Appendix C there could be a “data sharing agreement” be- tween a covered entity and a business associate.225 4. Transit Agencies having Business Associate, Subcontractor, or Direct Provider Agreements Assuming that the HIPAA definition of a busi- ness associate applies to a person or entity, when a covered entity is sharing PHI with another en- tity for use on behalf of the covered entity, the two parties must have a business associate agreement “in place.”226 Some agencies responding to the sur- vey stated that they are business associates of a covered entity and provided copies of their busi- ness associate and subcontractor agreements.227 GATRA provided a copy of its business associ- ate agreement with EOHHS pursuant to which GATRA serves as a broker for coordinated trans- portation services. 
GATRA’s contract states that GATRA is a business associate as defined by HIPAA and subject to the Privacy and Security Rules.[228] The HST Office of EOHHS contracts with six regional transit authorities who act as brokers to provide transportation services for participating agencies, including MassHealth (Medicaid), MassHealth funded Day Habilitation, the Department of Developmental Services, and the Massachusetts Department of Public Health.[229] The brokers subcontract with transit providers to provide direct transportation services to “EOHHS consumers.”[230]

[224] Id.
[225] Id. and App. C of this digest.
[226] ACCT Final Report, supra note 62, at 57.
[227] See App. C of this digest.
[228] Copies of GATRA’s contract with EOHHS and of its internal operating policy and procedure and HIPAA compliance plan are included in Appendix C of this digest.
[229] COMMONWEALTH OF MASSACHUSETTS, EXECUTIVE OFFICE OF HEALTH AND HUMAN SERVICES, HUMAN SERVICE TRANSPORTATION OFFICE, 2012 Annual Report, at 5, available at http://www.mass.gov/eohhs/docs/hst/hst-annual-report-fy12.pdf.
[230] Id.

Salem-Keizer in Oregon in a follow-up interview explained the process for its agency and others involved with coordinated transportation services but noted that the arrangements may be in the process of changing.[231] Salem-Keizer provided a copy of a Provider Agreement that is required to enroll

[A]s a Provider with the Oregon Health Authority (“Authority”)…to submit claims, and receive payment, for medical care, services, equipment and/or supplies furnished by Provider to persons eligible for medical assistance in Oregon (“Recipients”). Payments for medical assistance are made using Medicaid, State Children’s Health Insurance Program, or funds from other federally funded programs.[232]

Paragraph 7 of the agreement provides for the protection of confidential information that may be “released with appropriate written authorization of the recipient or their authorized representative, or for purposes directly connected with the administration of the OHA program in accordance with applicable federal and state law (emphasis added).”[233] Paragraph 7 of the agreement, moreover, provides that the parties will comply with HIPAA.[234]

Salem-Keizer also provided a copy of a new agreement entitled Subcontractor Agreement that may or may not be utilized in the future.[235] The draft agreement states that the “[s]ubcontractor specializes in the provision, coordination and management of NEMT services and is designated and subcontracted currently as a transportation brokerage in the State of Oregon NEMT.” With respect to HIPAA compliance, Paragraph 4 of the draft agreement states:

Individually Identifiable Health Information relating to specific individuals may be exchanged between Contractor and the Oregon Health Authority for purposes directly related to the provision of services to Members. Since Subcontractor will have access to personally identifiable patient health information, Subcontractor agrees to enter into and abide by Contractor’s Business Associate Agreement under HIPAA as attached to this Agreement as Exhibit C “Business Associate Agreement.”[236]

The referenced business associate agreement states in paragraph B that HIPAA compliance is required because the “Business Associate will be providing services…for one or more members of [an] Affiliated Covered Entity involving creating, receiving, maintaining, or transmitting [PHI] on behalf of [an] Affiliated Covered Entity.”[237] Lastly, a Blanket Purchase Agreement that Salem-Keizer uses with private providers that perform NEMT trips also requires compliance with HIPAA.[238]

As discussed in the next subsection, however, it is not clear that a transit agency meets HIPAA’s definition of a business associate. According to HHS, if an entity does not satisfy the definition of a business associate, HIPAA does not apply. However, in practice, there are business associate and subcontractor agreements that stipulate that a transit agency must comply with HIPAA when individually identifiable health information or PHI more generally will be transmitted (or there is a possibility of transmittal) by a covered entity.

[231] Email, dated Oct. 18, 2013, from Salem-Keizer Transit.
[232] See App. C of this digest.
[233] See id.
[234] See id.
[235] See id.
[236] See id.

D. Whether Transit Service Is a Business Associate Function Under HIPAA

The business associate and subcontractor agreements included with this digest stipulate that HIPAA applies to the arrangements because of the possible sharing of PHI.
The parties may have stipulated that HIPAA applies because it is unclear whether HIPAA applies, because the covered entity or entities simply require such a stipulation for one or more reasons, and/or because the stipulation seems to be the best practice for protecting the privacy and security of a patient’s health information that otherwise would not be subject to HIPAA. Nevertheless, there is an argument that such a stipulation is not warranted, because a transit agency does not meet HIPAA’s definition of a business associate. Indeed, one source notes that the HIPAA regulations place “an enormous burden” on covered entities to determine which individuals and organizations are business associates under HIPAA.[239]

[237] See App. C of this digest (exhibit C to Subcontractor Agreement).
[238] Email, dated Oct. 18, 2013, from Salem-Keizer Transit. See App. C of this digest. The Blanket Purchase Agreement reflects that an agreement between Salem Area Mass Transit District as broker and the undersigned contractor has been established to provide non-emergency transportation for Medicaid and OHP PLUS recipients to and from Medicaid covered medical services in the Service Area. See App. C of this digest. Paragraph 28(3) of the agreement states: If Contractor reasonably believes that the Contractor’s or BROKER’s data transactions system or other application of HIPAA privacy or security compliance policy may result in a violation of HIPAA requirements, Contractor shall promptly consult the OHA Information Security Office. Contractor or BROKER may initiate a request for testing of HIPAA transaction requirements, subject to available resources and the BROKER testing schedule.

The HIPAA regulations define a business associate as a person or entity that performs on behalf of a covered entity a “function or activity regulated by [HIPAA], including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 C.F.R. 3.20, billing, benefit management, practice management, and repricing….”[240] These are not functions and activities that are performed by transit agencies on behalf of covered entities. Moreover, as specified by HIPAA, a transit agency is not an entity that

[p]rovides…legal, actuarial, accounting, consulting, data aggregation, …management, administrative, accreditation, or financial services to or for such covered entity, …where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.[241]

As one source observes, HIPAA has rules regarding who is a business associate of a covered entity (footnotes omitted).[242] Because the regulation is drafted to refer to “business associates” in connection with a covered entity, the types of organizations covered as business associates are limited to those that assist with the business processes of a covered entity.
The types of services covered as business associates include “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services (footnotes omitted).”[243]

[239] Randi Heitzman, The Business Associate Brain Teaser: A Look at Problems Involving the Business Associate Regulations under the Health Insurance Portability and Accountability Act of 1996, 11 ANN. HEALTH L. 159, 194 (2002).
[240] 45 C.F.R. § 160.103 (2013) (subsection (i) of the definition of business associate) (definition excludes one who provides services as a member of the workforce of a covered entity or arrangement).
[241] 45 C.F.R. § 160.103 (2013) (subsection (ii) of the definition of business associate) (definition excludes one in capacity of a member of the workforce of the covered entity); see also, 78 Fed. Reg. 5688.
[242] Sonia W. Nath, Relief for the E-patient? Legislative and Judicial Remedies to Fill HIPAA’s Privacy Gaps, 74 GEO. WASH. L. REV. 529, 538 (2006).
[243] Id.

Another writer argues that covered entities may disclose PHI only to persons or entities that meet HIPAA’s definition of a business associate.[244] The definitional issue has arisen in connection with whether financial institutions are subject to HIPAA.

A banking organization may be subject to HIPAA if it is considered either a “health care clearinghouse” or a “business associate” of a “covered entity.” When a financial institution processes health care payments, it may become subject to HIPAA standards.
But there is still uncertainty as to where financial institutions fit under either the “health care clearinghouse” definition or the “business associate” definition that would render them accountable for compliance with HIPAA.[245]

The article implies, however, that when banks provide health care clearinghouse services, they may agree by contract to comply with HIPAA.[246] Nevertheless, HHS advises that “[i]f an entity does not meet the definition of a…business associate, it does not have to comply with the HIPAA Rules.”[247] A search of the HHS Web site did not disclose any HHS guidance, advice, opinion, or decision regarding whether transit agencies meet the criteria for being a business associate of a covered entity. An online article states that HHS’s final rule clarifies its interpretation of entities that qualify as business associates by providing, for example, “that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information,” a clarification that does not apply to transit agencies.[248]

[244] Brian Zoeller, Health and Human Services’ Privacy Proposal: A Failed Attempt at Health Information Privacy Protection, 40 BRANDEIS L.J. 1065, 1082 (2002).
[245] Steven Robert Roach & William R. Schuerman, Jr., 2004 Privacy Year in Review Annual Update: Financial: Privacy Year in Review: Recent Developments in the Gramm-Leach Bliley Act, Fair Credit Reporting Act, and other Acts Affecting Financial Privacy, 1 ISJLP 385, 437-438 (2005) (footnotes omitted).
[246] Id.
[247] U.S. DEP’T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION PRIVACY FOR COVERED ENTITIES AND BUSINESS ASSOCIATES, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/.
[248] Kimberly J. Kannensohn, Nathan A. Kottamp, Amanda Enyeart & Lindzi M. Timberlake, HHS Adopts a Broad Interpretation of Entities that Qualify as Business Associates under HIPAA in the Omnibus Final Rule (January 30 2013), available at http://www.mondaq.com/unitedstates/x/218636/Healthcare/HHS+Adopts+A+Broad+Interpretation+Of+Entities+That+Qualify+As+Business+Associates+Under+HIPAA+In+The+Omnibus+Final+Rule.

As seen, the HIPAA regulations limit the kinds of entities that may be business associates and create, receive, maintain, or transmit PHI on behalf of a covered entity. With a patient’s authorization, however, a covered entity may disclose health information to anyone permitted by a patient including a transit agency. Moreover, a covered entity may disclose PHI without a patient’s authorization when a use or disclosure is required by law. Even if the required by law provision means medical information needed to qualify an individual for a program to receive public benefits, in practice a covered entity or agency administering a public benefits program may require or receive an authorization from a patient before disclosing PHI in connection with providing benefits.

Finally, regardless of whether transit agencies meet the criteria to be a business associate under HIPAA, the survey responses and contracts provided by transit agencies indicate that covered entities or their agents and transit agencies are stipulating that HIPAA applies, particularly when PHI may be shared by a covered entity with a transit agency, even if a patient already has provided health information or authorized its disclosure.

E. Whether Transit Agencies Must Provide a Privacy Notice

Covered entities must provide a notice of their privacy practices. Business associates are not required to do so. According to HHS,

the Privacy Rule does not require a business associate to create a notice of privacy practices. However, a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies, as stated in covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.[249]

Eleven transit agencies that have health information on patrons stated that they do not provide their patrons (or others) with a notice of their privacy policies or practices regarding any further use or disclosure of health information. At most, transit agencies notify their patrons that their information will be kept confidential and/or require that a patron provide a signed release for the disclosure of health information.[250]

[249] U.S. DEP’T OF HEALTH AND HUMAN SERVICES, HEALTH INFORMATION PRIVACY, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/390.html.

EBPC stated that an applicant must sign a certification acknowledging that the applicant understands that all information given to EBPC is confidential and used only to certify whether the applicant is eligible for ADA paratransit service. Metro Transit provided a notice of confidentiality with a release of information that must be signed by an applicant.

I, the applicant, understand that the purpose of this application form is to determine my eligibility to use Metro Paratransit Service. I agree to release the information requested to Metro and any eligibility review panel, and understand that the information contained herein will be treated confidentially. I understand further that Metro reserves the right to request additional information at its discretion.

Finally, two agencies reported that they do provide their patrons with a notice of privacy practices.[251]

In practice, based on the survey responses, transit agencies come into possession of patrons’ health information when a patron provides the information or authorizes a health care provider (or other covered entity) to provide it.
Transit agencies also may come into possession of PHI when they are a direct provider to one or more covered entities or when they participate in a coordinated transportation services program through a broker.[252] In those instances, transit agencies could receive PHI from a covered entity or from a broker that arranges transportation for ADA, Medicare, and other qualified recipients. However, a covered entity similarly would need a patient’s authorization to disclose PHI unless the covered entity is required by another law to disclose PHI. In that instance, if HIPAA does not apply to a person or entity receiving the health information, another federal or state law mandating the disclosure of PHI could apply to the pri-

[250] Response of MATA (noting that each application explains that medical information will be kept confidential); Response of EBPC; Response of Utah Transit (stating that a patron is only advised verbally in an interview that all information is confidential and will not be shared without a request signed by the client or the client’s agent).
[251] Responses of Kitsap and Pierce Transit.
[252] Health information subject to HIPAA does not have to be diagnostic information. A subset of PHI is individually identifiable health information or IIHI that includes demographic information collected on an individual. See Section VII of this digest.

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
