Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Privacy Policy
View our privacy policy.
Business Associates’ Use of Information for Their Own Purposes
/in Data Privacy, HIPAAby Kim Stanger
Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with very limited exceptions, HIPAA prohibits business associates from doing so without the patient’s written authorization. Misusing PHI may expose the business associate to HIPAA fines, criminal penalties, breach of contract claims by the covered entity, and perhaps civil liability to individuals whose PHI was improperly used. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).
Limits on Use or Disclosure of PHI.
The business associate’s authority to use or disclose PHI derives from the covered entity’s authority. The covered entity may only use the patient’s PHI for certain purposes without the patient’s authorization, e.g., for the covered entity’s own treatment, payment or healthcare operations. (45 C.F.R. § 164.502). HIPAA allows covered entities to share PHI with business associates to assist the covered entity in performing authorized activities for or on behalf of the covered entity, but with very limited exceptions, the same limits that apply to the covered entity also apply to the business associate, e.g., absent the patient’s written authorization, it may only use the information for purposes of the covered entity’s treatment, payment, healthcare operations or other permitted use. (Id.). The business associate agreement (“BAA”) between the covered entity and business associate must specify the permissible uses of PHI. 45 C.F.R. § 164.502(e) states:
Read moreIMGMA Q/A: Sharing PHI for Treatment Purposes
/in Data Privacy, HIPAAby Kim Stanger
Republished with permission from Idaho Medical Group Management Association (MGMA). Original article appeared in Idaho MGMA’s September 2019 e-newsletter.
Question: May I share records with another healthcare provider without the patient’s authorization?
Answer: It depends on the purpose. If the disclosure is for purposes of the patient’s treatment, including continuation of care, then you may disclose the information without the patient’s authorization or consent unless you have agreed otherwise with the patient. (See 45 CFR 164.522(a)). The HIPAA privacy rule states, “[a] covered entity may disclose protected health information for treatment activities of a health care provider.” (45 CFR 164.506(c)(2)).
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
Read more
New Patient Rights Rules for Idaho Hospitals
/in Hospitals & Health Systems, Idaho Healthcare Law, Legislation, State Law Updates, Uncategorizedby Kim Stanger
The Idaho Department of Health and Welfare has implemented new patient rights rules for hospitals effective July 1, 2019. (See IDAPA 16.03.14.220 to .350). The rules were advanced by patient advocacy groups and, to a large degree, incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals. Because many of those regulatory conditions did not apply to critical access hospitals (“CAHs”), CAHs may need to implement new policies and procedures to satisfy the rules. All Idaho hospitals as well as providers rendering services in hospitals should check their existing policies and practices against the new rules, including the following:
Read more2019 New Mexico Legislative Update: What All Healthcare Providers Should Know
/in LegislationBy Little V. West
In 2019, the Legislature enacted several bills affecting healthcare practitioners in New Mexico. Although some bills have a general applicability to health care providers, others address more specific medical practices. Following is a summary of several bills impacting health facilities and providers. Read more
Mental Holds in Idaho
/in Idaho Healthcare LawBy Kim Stanger
In Idaho, a competent patient generally has the right to consent to or refuse their own healthcare. By statute,
Any person who comprehends the need for, the nature of and the significant risks ordinarily inherent in any contemplated health care is competent to consent thereto on his or her own behalf. Any healthcare provider may provide such health care and services in reliance upon such consent if the consenting person appears to possess such requisite comprehension at the time of giving the consent. Read more