[ Saturday, January 19, 2013 ]
Nugget 4(a): more hybrid entity stuff: If you have an on-site clinic that provides healthcare services to employees, it is only a covered entity if it also conducts electronic transactions, like getting paid electronically. If it doesn't transmit the information anywhere electronically, it's probably not a covered entity at all, so HIPAA doesn't apply to it. If it does, then HIPAA applies to the entire company unless you designate the clinic as a hybrid entity. If the clinic is a CE, then the PHI it holds that is part of an employment record (sick leave requests, on-the-job injury reports, pre-employment physicals, etc.) is not PHI, so it need not be protected under HIPAA, but other health information that is not part of an employment record would be PHI and would have to be protected. Finally, you probably also have state law obligations to protect that data, so even if HIPAA doesn't apply, don't think you can be entirely cavalier about it.
Jeff [11:04 AM]