Information Access Management: Isolating Healthcare Clearinghouse Functions-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required.

What to Do

If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but also can serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider.

How to Do It

This implementation specification is required, but is not likely to apply directly to health plans or to healthcare providers. A health plan and healthcare provider, as covered entities, must document in writing that they are not clearinghouses, so that this implementation specification does not apply.

A health plan or healthcare provider covered entity must be aware of this implementation specification, which may impact the covered entity indirectly if either uses a clearinghouse, as a business associate, that is part of a larger organization. In that case, if the clearinghouse materially breaches its obligations to the covered entity under the business associate agreement by allowing an unauthorized person in the larger organization to access the covered entity’s protected health information, and the covered entity allows the breach to continue without terminating the contract, if feasible, or reporting the breach to the U.S. Department of Health and Human Services, if termination is not feasible, then the covered entity would be in violation of HIPAA Administrative Simplification Privacy or Security Rules, or both. Because clearinghouses also are covered entities, it is likely that clearinghouses would have policies and procedures in place to protect against the unauthorized disclosures covered by this implementation specification.

Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17 , 2010. As a result, the clearinghouse in its business associate role, reflected in a new business associate agreement with a health plan or healthcare provider covered entity, would have direct responsibility for a breach and reporting the breach to affected parties. Until then, as a covered entity health plan or healthcare provider, make sure in your business associate agreement that a clearinghouse that is part of a larger organization safeguards your protected health information from unauthorized persons in the organization who are not part of the clearinghouse operations.