Joint Commission Resources
Memorandum
TO: All CSR Participants
FROM: Lucille Skuteris, Executive Director, CSR Program
SUBJECT: Compliance with HIPAA Regulations Medical Record Privacy Provisions
________________________________________________________________________
The HIPAA regulations on the privacy and confidentiality of protected health information will be enforced commencing April 14, 2003. These regulations will be enforced by the Department of Health and Human Services, Office of Civil Rights (OCR). OCR has stated that it will enforce the regulations in a reasonable manner and will base enforcement on complaints rather than routine survey activity.
Essentially these regulations require covered entities to protect the confidentiality of medical records and grant patients access and certain rights with respect to their records. Covered entities are health plans, health care clearing houses, and health care providers. This includes those organizations that would have or create medical records as a normal part of doing the business of health care, e.g., hospitals, physicians, nursing homes, home care agencies, health plans, etc.
The HIPAA regulations further require a covered entity such as a hospital to have a “business associate agreement” with any organization whose activity involves the use or disclosure of the covered entity’s protected medical information. The responsibility for obtaining the “business associate agreement” and having it on file is placed on the health care facility.
Health care consultation is specifically recognized in the regulation as an activity for which access to protected health information is necessary and allowable. Thus, JCR, as the entity providing such assistance to your facility, is recognized as a business associate under these regulations. Depending on the form of the CSR program in your area, your facility may have signed a CSR commitment with JCR, your state hospital association, or both. However, since the CSR program requires that the CSR representative have access to a facility’s medical records, the business associate agreement that the HIPAA regulations require your facility to have on file must be between your facility and JCR.
Most probably your facility’s attorneys have reviewed a business associate agreement for your facility’s use with other business associates. If so, in order to keep your facility’s paperwork and expenses to a minimum, it is suggested that this associate agreement be forwarded to JCR for approval. If the agreement is found to be appropriate, JCR will sign and return it to you.
You may either provide your agreement to the CSR representative who will send it to the JCR office or you may send your agreement directly to JCR at the following address:
Continuous Service Readiness
Joint Commission Resources, Inc.
1515 West 22nd Street, Suite 1300 West
Oak Brook, IL 60523
(630) 268-7484
Fax (630) 268-2984
If your facility does not have a business associate agreement form at this time, JCR has prepared a generic form. This form is located below. Please be sure to send a completed copy to the address above. The form may also be requested in electronic form by email to the address above.
Although there are various provisions in the regulations that may extend the time a facility is required to have business associate agreements on file past the April 14, 2003 effective date, it is strongly advised that your facility have the CSR business associate agreement completed and on file by that date.