June 25, 2002
Wanda F. Moore
Dear Ms. Moore,
I have received your letter dated June 18 concerning compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Under the application regulations, I am not a "business associate" of CHN and have no intentions of becoming one. The most recent federal regulations, issued on March 27, 2002, state as follows:
The Privacy Rule excepts from the business associate standard certain uses or disclosures of protected health information. That is, in certain situations, a covered entity is not required to have a contract or other written agreement in place before disclosing protected health information to a business associate or allowing protected health information to be created by the business associate on its behalf. Specifically, the standard does not apply to: disclosures by a covered entity to a health care provider for treatment purposes; disclosures to the plan sponsor by a group health plan, or a health insurance issuer or HMO with respect to a group health plan, to the extent that the requirements of § 164.504(f) apply and are met; or to the collection and sharing of protected health information by a health plan that is a public benefits program and an agency other than the agency administering the health plan, where the other agency collects protected health information for, or determines, eligibility or enrollment with respect to the government program, and where such activity is authorized by law. See § 164.502(e)(1)(ii).
67 FR 14776, 14787 (Mar. 27, 2002) (emphasis added).
This is particularly important because I do not qualify as a "covered entity" subject to the privacy requirements of HIPAA. The government has expressly stated, in litigation concerning the Privacy Rule, that "[t]he proverbial country doctor who deals only in paper, or who has a computer but conducts none of the transactions referred to in section 1173(a) electronically, would not be a covered entity, and would not be subject to this legislation [HIPAA]." MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF DEFENDANTS' MOTION TO DISMISS dated Nov. 20, 2001, Argument II.B (emphasis added). I fall squarely within that category of doctors "not ... subject to" HIPAA.
Of course I protect my patients' privacy, and am in full compliance with applicable state and federal laws. But HIPAA and the Privacy Rule, and its privacy-invading provisions, do not apply to my practice.
Please acknowledge your recognition of these provisions of the federal rule.
Jane Orient, M.D.
Andy Schlafly, Esq. 908-719-8608