Matthew Fisher, ESQ and Jonathan Krasner
Healthcare represents a very large segment of our economy – approaching 20% by some estimates. As such, healthcare organizations come in many sizes and flavors. We are all, hopefully, familiar with the basics: HIPAA compliance requirements apply to Covered Entities (CEs), Business Associates (BAs) and subcontractors. A CE and a BA are distinct organizations, with each having independent legal status. Common organizational forms include corporations (both for-profit and non-profit), limited liability companies, and limited liability partnerships. But how should HIPAA be handled with organizations that operationally are integrated units with intertwining ownership or control relationships?
An often overlooked provision of HIPAA allows for businesses to combine themselves for HIPAA compliance purposes. The ability to consolidate allows for economies of scale and possible reduction of HIPAA administrative burden. HIPAA Secure Now! clients would be most interested in Affiliated Covered Entities (ACE), a special designation created by the HIPAA regulations. The term Affiliated Covered Entity is defined in 45 C.F.R. Section 164.105(b)(1), which is part of the HIPAA regulations.
Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of HIPAA. Under this self-certifying designation, the organizations need only implement one HIPAA compliance program. That would mean one set of policies, one Security Risk Assessment, etc.
To be an ACE, the separate covered entities must be under common ownership or control. For example, a doctor who owns a practice and a surgery center may designate these entities as an ACE for HIPAA purposes. Another example might be a chain of nursing homes where each location has its own Tax ID, but there is a common owner or ability to control. The designation must be formally documented, but this is done internally and no outside review is necessary. The documentation must be retained for 6 years.
A downside of forming an ACE is that all of the affiliated entities will share HIPAA liability jointly. Many times separate organizations are formed to limit or segment liability for the owner. Organizations should take this into account when evaluating the formation of an ACE.
If you think an ACE might be appropriate for your organization, please contact Matt Fisher, [email protected] or 508-929-1648.