Patient info & the privacy rule

November 1, 2006

Is there a legal construct that would allow four solo physicians who share a single facility in a cost-sharing arrangement to comply with HIPAA? We are concerned about using a single practice management software system for appointment booking and billing.

Question: Is there a legal construct, in the absence of forming a group practice, that would allow four physicians who are solo practitioners operating out of a single facility in a cost-sharing arrangement to comply with HIPAA while also sharing a single practice management software system with a single patient database for appointment booking and billing?

Our physicians are each in business separately as solo practitioners, but they do tend to see one another's patients when convenient or necessary. Without forming a group practice, I would like to allow these four physicians to have unrestricted access to one another's patient information.

Answer: I don't think you need a legal construct to comply with HIPAA. If you have other issues, sure, but not for HIPAA.

HIPAA allows physicians total access to a patient's medical information for the purposes of treatment.

From the Office for Civil Rights (OCR) Web site for HIPAA: "The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual's authorization, to another health care provider for that provider's treatment of the individual. See 45 CFR 164.506 and the definition of 'treatment' at 45 CFR 164.501."

So the folks you work alongside can have unrestricted access to one another's patient information for treatment purposes. The ability to schedule patients is part of their treatment.

The fact that everyone acts like this isn't allowed is quite beside the point. People went wacky when the privacy rule came out.

In addition, HIPAA allows you to share information freely for payment purposes, provided that information is limited as needed for payment only.

Again, from the OCR: "The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of 'payment' at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522." Your schedulers and other nonclinical staff presumably would already have limited access to patients' clinical data.

Here's another tidbit: The most common way people share data despite HIPAA is to become one another's business associate (as defined by HIPAA). But the OCR explicitly says providers need not be business associates to share information for treatment purposes: "The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1). Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a hospital may enlist the services of another health care provider to assist in the hospital's training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information."

I think you're fine, but by all means pass it under a lawyer's eye to make sure.