Jackie Bentley, a law student, writes:
HIPAA applies to any health care provider1 who transmits health care information in electronic form in connection with a transaction covered by the statute. HIPAA also applies to ‚Äúhealth care clearinghouses.‚Äù
AIM may be a ‚Äúhealth care clearinghouse‚Äù as defined by the statute, and it is certainly a health care provider. If it is a health care clearinghouse, no further analysis is needed to determine that AIM is bound by HIPAA. As a health care provider AIM need only to participate in one of the activities defined by the regulations as covered electronic transmissions in order to fall within the scope of HIPAA, they include:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
To my knowledge, AIM does not accept health insurance, so it does not participate in many of the activities listed. If AIM releases medical records to insurance companies for any reason by any electronic form2, I am of the opinion that they would fall within the scope of a covered health care provider.
Health care clearinghouse is defined as:
Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Because of the nature of AIM‚Äôs website where data is stored and users (agencies, production companies, etc.) log into the site and view the information, I think that it may fall within the definition of a health care clearinghouse.
Whether or not AIM is a health care provider that falls within the statute or a health care clearinghouse, for argument‚Äôs sake, let us say that that AIM is a covered entity under HIPAA. What are the organization‚Äôs statutory obligations to protect the patient‚Äôs privacy?
It should be noted that none of this discussion applies to Sasha Grey, since it was not AIM that disclosed her anal warts, but her agent, who would mostly like not be covered under HIPAA because he is not her employer, and even if determined to be her statutory employer, the statute as I read it, does not cover the ways in which employers disseminate information. I am of the opinion that the restraints of HIPAA have little to do with the fact pattern involving Sasha Grey.
In the case of an HIV-positive performer, even if bound by HIPAA, I do not think AIM is required to keep that information private. Patients who visit AIM presumably sign a valid release of their medical information for the purpose of working in the adult industry. For argument‚Äôs sake, even if the release is not valid or for some reason the patient did not consent, I think a health care professional who is aware of the fact that they have provided medical services to an adult performer, and that that performer has tested positive for a communicable disease, has a statutory right, and in CA a legal obligation3 to disclose that information. A contradictory federal law could potentially preempt the CA law requiring disclosure, but 42 C.F.R. 164.512 provides specific instances of when information may be disclosed without patient authorization. The regulation specifically includes:
(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
Even if AIM is bound by HIPAA, which I am not sure that it is, I do not share the same concerns as Moxie regarding HIV reporting and HIPAA‚Äôs effects on it. I do have concerns about the AIM system. I find the website‚Äôs security to be minimal considering the wealth of personal information that it provides4, and I also think it is unnecessary to report a patient‚Äôs entire health history when only the most recent results are required.
1 Health care provider is defined as ‚Äúa provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business,‚Äù at 45 C.F.R. 160.103.
2 It is important to note here that if AIM only sends records for these covered transactions via mail, telephone or facsimile this is not electronic media within the definition of the statute.
3 As of April 17, 2006 California, along with 40 other state requires the mandatory reporting of HIV-positive test results to local health authorities. Senate Bill 699.
4 The AIM website allows you to view not only a patient‚Äôs test results and full legal name, but their date of birth and driver‚Äôs license or passport number as well.