3

Suppose that in a US county the County Board of Commissioners wants to engage a retired physician to look into the county ambulance dispatch system to see what it takes to create proper records and successful billing. In the US, the HIPAA rules restrict to whom and under what conditions a health care provider or facility can disclose Protected Health Information (PHI). But such information can be disclosed provided the rules are complied with.

What do the HIPAA rules say needs to be done in such a case to allow such a person to look at protected health information (PHI), review records and billing/coding without violating privacy, and specifically to comply with the HIPAA privacy rule?

1 Answer

1

What you are describing is effectively an audit—a fairly common practice among healthcare organizations of all sizes, which often use them for exactly the sort of purpose you describe. Under the scenario you are describing, the physician would be considered a business associate, which is a defined term under HIPAA. To comply with the Privacy Rule, the covered organization (ambulance company in your example) must obtain a signed business associate agreement, as well as "obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule."

Michael