Reed Smith Client Alerts

Many of the issues that have arisen for radiologists can now be addressed with greater confidence and certainty. Radiologists need to become familiar with the ins and outs of the Privacy Rule that just went into effect.
 
Direct or indirect treatment relationships. The Privacy Rule places different requirements regarding the notice of privacy practices (NPP) on direct and indirect treatment providers. Direct treatment providers are required to actually distribute a copy of their NPP to a patient as of the first service delivery and to make a good faith effort to obtain the patient's written acknowledgment of receipt of the NPP. Indirect treatment providers are required only to make a copy of their NPP available upon request.
 
The distinction between direct and indirect treatment providers hinges on the definition of indirect treatment relationship:
 
"Indirect treatment relationship means a relationship between an individual and a health care provider in which:
 
"(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and
 
"(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual."
 
A direct treatment relationship is then defined as a treatment relationship that is not an indirect treatment relationship.
 
Most of the activities of most diagnostic radiologists, at least in a setting outside their own offices, would appear to fall within the indirect treatment category. These radiologists generally would not have to provide a copy of their NPP to patients unless requested to do so. The relationship is not so clearly indirect in some situations, however, such as when radiologists provide screening mammography services and report results directly to the patient rather than just to the treating physician. Interventional radiologists and radiation oncologists are generally direct treatment providers.
 
While further guidance on this issue from the Department of Health and Human Services Office of Civil Rights (OCR) would be helpful, it is not yet forthcoming. In situations in which the treatment relationship is ambiguous, the safe option for a radiology group is to provide the NPP as required for a direct treatment relationship.
 
Organized healthcare arrangement option. The Privacy Rule offers hospital-based radiologists the opportunity to use an "organized health care arrangement" (OHCA) to comply with Privacy Rule requirements. The Privacy Rule includes within the type of entities that can form an OHCA a clinically integrated care setting in which individuals receive healthcare from more than one provider, which occurs when radiologists provide services in a hospital. Participants in an OHCA can agree to a set of privacy practices and issue a joint notice of these practices for their patients.
 
Therefore, in addition to disclosures for treatment purposes between providers such as hospitals (and even independent diagnostic testing facilities) and radiologists, disclosures between the participants for joint healthcare operations activities of the participants are permitted, even if the recipient of the information does not itself have a treatment relationship with the individual who is the subject of the information.
 
One advantage of an OHCA is that the participants can agree to a set of privacy practices and issue a joint NPP for provision to those patients who interact with the OHCA. The NPP provision and acknowledgment requirements of the Privacy Rule can be jointly discharged for all OHCA participants when only one of them, such as the hospital at the time of the first service delivery to a patient, makes the required disclosure of the NPP and seeks the recipient's acknowledgment.
 
The Privacy Rule requires agreement among the providers who will participate in the OHCA that they will abide by the joint NPP. While this need not be written, it is safer from a compliance standpoint to be able to show an OCR privacy program specialist something in writing showing that the requisite agreement is present. Some discussion or negotiation among the OHCA participants about what privacy practices are being agreed to is a good idea, considering the disparate parties involved and their different ways of doing things. Template joint NPPs should not be adopted by a hospital and a radiology group without some review. As for what the NPP must say, HHS gives a reasonably clear explanation:
 
"[T]he joint notice must reasonably identify the covered entities, or class of covered entities, to which the joint notice applies and the service delivery sites, or classes of service delivery sites, to which the joint notice applies. If the covered entities participating in the organized health care arrangement will share protected health information with each other as necessary to carry out treatment, payment, or health care operations relating to the arrangement, that fact must be stated in the notice."
 
Treatment exception to the business associate agreement requirement. Numerous radiologists have been asked to enter business associate agreements by various healthcare providers for whom they interpret diagnostic imaging studies, such as hospitals or physician groups. Typically, these business associate agreements are not required by the Privacy Rule, and radiologists would be advised not to enter them.
 
The general principle under the Privacy Rule is that a covered healthcare provider such as a hospital or physician group is permitted to disclose protected health information (PHI) to another healthcare provider such as a radiologist for treatment purposes. To the extent that covered healthcare providers disclose PHI to a radiologist for the treatment of patients, the Privacy Rule does not require a business associate agreement. Likewise, the Privacy Rule would not require a group of radiologists to obtain a business associate agreement from healthcare providers to whom the group discloses PHI for the treatment of a patient.
 
Even in those situations in which a radiologist is paid directly by another physician group to supervise and/or interpret diagnostic imaging studies (e.g., outside reading arrangements), the disclosure of PHI from the group to the radiologist is a disclosure to a healthcare provider for treatment and is excepted from the business associate requirement of the Privacy Rule.
 
Relationships that require business associate arrangements. If radiologists have relationships with other covered entities that go beyond the treatment of patients and that involve the use or disclosure of PHI, the Privacy Rule may require one of the entities to obtain a business associate agreement from the other. The best example is billing or clearinghouse activity performed for a radiologist by a third party. The Privacy Rule would require a radiologist to obtain a business associate agreement from such a billing service provider. Other examples would be the outside transcriptionist or a courier service that delivers film from office to office.
 
While a hospital is typically not a business associate, if the hospital contracts to compensate a radiology group for services outside the scope of their professional services (for example, to assist in the hospital's training of medical students), the relationship has changed. In this case, the hospital would be required to obtain a business associate contract from the radiology group before the hospital could allow the radiology group access to patient health information.

Radiologists may also contract with vendors for practice management software. Whether such a vendor would be a business associate depends on the nature of the relationship between the vendor and the radiologist. The extent to which the software vendor accesses PHI maintained by the radiologists is the primary consideration in determining whether the vendor is a business associate. Most PACS and radiology information system vendors, in my view, will undoubtedly access PHI, and radiologists who use their services should obtain business associate agreements from these vendors.
 
Business associate transition period. The business associate requirements of the Privacy Rule had a compliance date, along with all of the other Privacy Rule provisions, of April 14. Therefore, unless an exception applies, to continue in relationships that involve a business associate using and disclosing PHI, a radiology group would have had to obtain a business associate agreement from that associate.
 
Covered entities that had and have continued to maintain (unrenewed and unmodified through April 14) a written contract or arrangement with a business associate, on or before Oct. 15, 2002, may continue, however, to operate under those existing written arrangements until April 14.
 
If a covered entity entered into or modified or renewed a written arrangement with a business associate after Oct. 15, 2002, that arrangement is not within the transition and must be compliant with the business associate requirements of the Privacy Rule as of April 14.
 
Provision of healthcare to enrollees of health plans does not create a business associate relationship. Some radiologists have wondered whether they must have business associate agreements with health plans. The answer is no. The OCR's HIPAA Privacy Guidance makes clear that a business associate contract is not required:
 
". . . [w]hen a health care provider discloses protected health information to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan's network. A provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as the 'business associate' of the other."
 
Compliance Measures
 
Radiologists who are not on track to comply with the Privacy Rule standards in effect as of April 14 need not close up shop in despair. The OCR has indicated that enforcement of the Privacy Rule will be compliance-driven, and that enforcement will be directed more at education and cooperation than at immediate penalties. A noncompliant radiology group should be able to demonstrate that it is in the process of bringing itself into compliance with Privacy Rule standards.
 
Since complaints can go either to the radiologist or to the HHS, the first line of defense for a radiology group should be to develop a complaint process that can capture and resolve the dissatisfactions of patients before they decide to escalate their complaints to the government. While an individual is not required to exhaust complaint options within the covered entity, a proactive complaint process may have this effect.
 
Radiologists should analyze their treatment relationships and identify situations in which they will be required to distribute an NPP. If possible, the OHCA mechanism should be used for joint notice of privacy practices in the hospital context. While business associate agreements are not required between healthcare providers for disclosures of PHI for treatment of a patient, or between a provider and a health plan for disclosures of PHI for reimbursement activities, in other situations the radiologist may be required to obtain a business associate agreement, such as from a clearinghouse or a PACS vendor.

The first step in Privacy Rule compliance should be to develop an NPP and a complaint process to address any potential individual dissatisfaction. Each group should appoint a privacy officer, educate staff and radiologists regarding privacy requirements, develop mechanisms to deal with patient complaints and sanction privacy breaches, and document and retain compliance activity for six years.