QUESTION: Our health system is comprised of multiple entities, including several hospitals and a large physician group practice. We wanted to know how we can promote consistency and economies of scale by coordinating our efforts to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). We also wanted to know whether we could share protected health information amongst and between the multiple entities.
ANSWER: Yes, you can. The easiest way to do this is under the HIPAA regulations, at 45 C.F.R. § 164.105(b)(1), governing affiliated covered entities. Per this section, “legally separate entities that are affiliated” may designate themselves as a single covered entity for purposes of the security and privacy requirements of the HIPAA regulations. However, all of the covered entities in the system must be under common ownership and control, and the designation must be documented. The designation documentation must be maintained in written or electronic form for a period of six years from the date of its creation or the date when it last was in effect, whichever is greater. Often, this designation can be accomplished with a brief board resolution. The practical effect of the affiliated covered entities designation is that all of the covered entities in your system that are under common ownership and control are treated as one covered entity for HIPAA privacy and security purposes. Thus, they can share a single set of privacy policies and can freely share protected health information as if they were a single entity. This may result in significant efficiencies when navigating the regulatory complexity of the HIPAA rules.