• Home
  • Blog
  • Contact
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceHIPAA Compliance
  • Home
  • Blog
  • Contact

Definition: Health Care Operations

February 28, 2013 HIPAA Law No Comments

Today, we continue to examine definitions pertaining to the HIPAA Privacy Rule, for which we shall begin to examine modifications of provisions next week. Today’s definition is health care operations, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Here is the discussion in the Final Rule related to the proposed modification to the definition of health care operations from the Notice of Proposed Rule Making (NPRM), with the proposed modification altered, then accepted in the Final Rule:

“The definition of ‘‘health care operations’’ at 45 CFR 164.501 includes at paragraph (3) ‘underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits * * *.’  To avoid confusion with the use of both ‘underwriting’ and ‘underwriting purposes’ in the Privacy Rule, and in recognition of the fact that the proposed definition of ‘underwriting purposes’ includes activities that fall within both the definitions of ‘payment’ and ‘health care operations’ in the Rule, the Department proposed to remove the term ‘underwriting’ from the definition of ‘health care operations.’  We also proposed to add the term ‘enrollment’ to the express list of health care operations activities to make clear that the removal of the term ‘underwriting’ would not impact the use or disclosure of protected health information that is not genetic information for enrollment purposes. These proposed revisions were not intended to be substantive changes to the definition and thus, health plans would be permitted to continue to use or disclose protected health information, except genetic information, for underwriting purposes.  …

“Due to the confusion and concern expressed by the commenters regarding the removal of the term ‘underwriting’ from the definition, we retain the term ‘underwriting’ within the definition of ‘health care operations’ at 45 CFR164.501. However, to make clear that a health plan may continue to use or disclose only protected health information that is not genetic information for underwriting, we include a reference to the prohibition on using or disclosing genetic information for underwriting purposes within the definition. The final rule also retains the term ‘enrollment’ within the definition because we believe it is helpful to clarify that this is a permitted health care operations activity.”  78 Federal Register 5666

Here is the modified definition of health care operations, which will be effective March 26, 2013, with the modifications underlined in (1) and (3):

Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3) Except as prohibited under 45 CFR 164.502(a)(5)(i) [Prohibited uses and disclosures  Use and disclosure of genetic information for underwriting purposes], underwriting, enrollment, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of 45 CFR 164.514(g) [Standard:  Uses and disclosures for underwriting and related purposes, as modified, 78 Federal Register 5700] are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;

(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.

(iii) Resolution of internal grievances;

(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

(v) Consistent with the applicable requirements of 45 CFR 164.514 [Other requirements relating to uses and disclosures of protected health information, as modified, 78 Federal Register 5700-5701], creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Tags: compliance datecovered entitydefinitioneffective dateenrollmentgenetic informationHealth Care OperationsHIPAA Final RuleMarch 26 2013marketingmodificationNotice of Proposed Rule MakingNPRMPrivacy RuleprohibitionSeptember 23 2013underwritingunderwriting purposesuse or disclose
No Comments
Share
0

You also might be interested in

Access Control: What This HIPAA Security Rule Technical Safeguard Standard Means

Jun 2, 2009

This is the first Technical Safeguard Standard of the HIPAA[...]

Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required

Mar 22, 2011

Under the Health Information Technology for Economic and Clinical Health[...]

Final HIPAA Rule: Security Statutory Authority and Direct Regulation of Business Associates

Feb 4, 2013

February 4, 2013.  Today, we cover the security safeguards of[...]

Leave a Reply Cancel Reply

Categories

  • 5010
  • American Recovery and Reinvestment Act
  • Enforcement
  • GINA
  • Health Care Reform
  • Health IT and HITECH
  • HIPAA Law
  • Identifiers
  • Meaningful Use
  • Privacy
  • Red Flags Rules
  • Security
  • Transactions & Code Sets
  • Uncategorized

Recent Posts

  • Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices
  • HIPAA Breach: Who You Gonna Call?
  • Can I Be Sued for a HIPAA Violation?
  • Business Associate Agreements – a First Look at Indemnification
  • Gmail, Google Apps for Business HIPAA Business Associate Agreements

Archives

Contact Us

We're currently offline. Send us an email and we'll get back to you, asap.

Send Message
HIPAA- Health Insurance Portability Accountability Act

© 2023 · hipaa.com

Prev Next