References:
Sign up today to receive a free gift as well as our latest insights and more in your inbox!
Like any other entity handling patients protected health information (PHI), a diagnostic management team (DMT) must comply with the health insurance portability and accountability act (HIPPA). This Q&A covers HIPAA consideration specific to DMTs handling PHI in consultation for patient treatment, along with practical compliance recommendations for providers working with the DMT on an everyday basis.
Q: Under the HIPPA Privacy rule, doctors, nurses, and other healthcare providers may share patient health information for treatment purposes without the patient's authorization. Are lab personnel on a DMT included in the class of covered entities permitted to share PHI in this manner?
A: Yes, lab personnel have the same status as doctors, nurses, and other providers who are HIPPA-covered professionals. Accordingly, PHI such as X-rays, lab and pathology reports, diagnosis and other medical information may be used or disclosed by the DMT members for treatment purposes without the patience authorization.1
Q: What about a DMT member including PHI in consultation with other providers about a patient's condition? Must the patient's written authoritization be obtained first?
A: No, the Privacy Rule's definition of "treatment" includes consulting with another provider about a patient. That means the DMT member is expressly permitted to disclose a patient's PHI to provide treating the individual.2
Q: Patient authorization isn't required for a DMT member to share PHI for treatment purposes. But does a hospital need to set up a Business Associate(BA) contract with the DMT?
A: No the office of civil rights which administers hip hop provisions does not require a BA contract to be in force for disclosures by covered entity to a provider for treatment of an individual.
Q: What does the BA exception mean in practical terms?
A: A physician doesn't need to have a BA contract with DMT as a condition of disclosing PHI for the treatment of an individual. Likewise, a hospital lab isn't required to have a BA contract in place to disclose PHI to a reference lab in order to disclose PHI during the course of treatment for patient.
Q: To recap, what are the key HIPAA observations considerations for a hospital or physician planning to disclose PHI to a DMT?
A: As long as the disclosure is for treatment purposes, no patient authorization is needed, nor is a BA agreement required. One caveat, though, is to check if your state's privacy laws may have precedence over the Privacy rule, especially regarding disclosure of PHI related to HIV.3
Q: What if the DMT resides in different state than the provider who requests the DMT services? Do any restrictions apply?
A: The DMT's lab must be CLIA-certified in the state where the testing is performed, but in general no other certificates or licenses are required. (However check state laws in New York and Washington, where more stringent statutes govern lab facilities.)
Q: What determines the location of treatment?
A: Since the practice of medicine requires licensure in the state where the direct patient care is being provided, the location of patient defines the location of treatment. Nonetheless physician-to-physician consultations are commonly allowed across borders under the state licensure requirements.
Q: Are there special legal and regulatory considerations when a health provider and a DMT are not operating within the same enterprise?
A: HIPPA and CLIA account for separate entities being engaged in the treatment of patients as previously described. There are operational advantages to having the treating provider and the DMT within the same enterprise. Some legal or regulatory advantages could apply in such a case, but it is likely they would not be as significant as the operational benefits.
Q: What is the best device for everyday interactions with the DMT?
A: Do not email or transmit PHI across an open network without encrypting the data. Additionally, HIV or genetic information should not be disclosed unless you are certain about what your state law allows. Finally, if working with DMT across state lines, make sure providers are appropriately licensed at the location of treatment-where the patient is during the encounter.
Q: When in doubt about the legal and the regulatory aspects of working with a DMT, who should be contacted?
A: Consult with your institution's privacy and information security offices.
