HIPAA Compliance Issues: OCR Offers Guidance
By Mike Wilson J.D.
March, 2003
The January 2002 issue of Connections
Magazine gave an overview of the Health Insurance Portability and
Accountability Act and explained that call centers would be treated as business
associates of health care providers under the law.
Recently, the Office of Civil Rights (OCR) issued some additional
guidance, though not with as many specifics as call centers might like.
First, the law does not impose
rules upon call centers directly because call centers are not subject to
regulation by the Department of Health and Human Services (HHS).
Instead, health care providers and other covered entities are required
under HIPAA and other pertinent regulations to obtain from business associates,
such as call centers, contractual assurances that information will be handled in
conformity with the law. Thus, a
suit by the health care provider for breach of contract is a potential exposure
for the call centers. HHS cannot
impose civil monetary penalties on call centers for breaching those contractual
duties.
Disclosing the minimum necessary: One question frequently asked of
OCR is whether doctors may leave messages on patients' answering machines to
remind them of appointments or provide information about prescriptions.
OCR says yes, provided that care is taken "to limit the amount of
information disclosed." For example, says OCR, the health care provider "might want
to consider leaving only its name and number and other information necessary to
confirm an appointment, or ask the individual to call back."
OCR says the "Privacy
Rule permits disclosure of limited information to family members,
friends, or other persons regarding an individual's care" but that health
care providers should "use professional judgment to assure that such
disclosures are in the best interest of the individual and limit the information
disclosed."
This raises a significant
question: "How are covered entities expected to determine what is the minimum
necessary information that can be used, disclosed, or requested for a particular
purpose?" The OCR says that
health care providers must "make their own assessment of what protected health
information is reasonably necessary for a particular purpose…and implement
policies and procedures accordingly."
There is more language regarding reasonableness, but the bottom line is
that no safe harbor is given in OCR's guidance.
However, it is clear that the health care provider, rather than the
business associate, is responsible, according to HHS, for establishing the
minimum necessary policies and procedures.
Next steps for call centers: Since a business associate's obligations are
contractual, rather than regulatory, a call center might ask the health care
provider to specify in the contract what information can be released to whom
in given situations.
A call center might ask for a contract that creates a kind of safe
harbor, relieving the call center from breach of contract claims by the health
care provider if the specific policies and procedures of the health care
provider (as opposed to a general policy) have been followed, whether or not
those policies ultimately are found to be in compliance with HIPAA.
Getting assistance from legal counsel in forming such contracts is a good
idea.
The OCR has sample business
associate contract provisions at www.hhs.gov/ocr/hipaa/contractprov.html.
This article should not be construed or relied upon as legal advice.
Mike Wilson is an attorney and author. He teaches at Sullivan University in
Lexington, Kentucky.