Senior Housing & Care Resources

Assisted living facilities have had an ambiguous relationship with HIPAA since it became effective in 2003.  Since they provide some help-related services, they may assume that the information that they hold about their residents is subject to the HIPAA privacy and security rules. This supposition has been enhanced in recent years, when the term “HIPAA” has come to be used to denote any privacy requirements in almost any business context. Thus, it might be suggested that failure by any entity to treat personal information in a confidential manner constitutes a HIPAA violation, for which the perpetrator will suffer appropriate penalties. This is an overstatement of the matter, both for assisted living facilities and other businesses.

Covered Health Care Providers

To understand HIPAA’s application, one must follow the definitions that have been embodied in it since its effective date. HIPAA applies to “covered entities.” A “covered entity” is defined as a health plan (i.e., a medical insurance company, HMO, or other payor), a health care clearinghouse (a business that converts health care data into standard electronic formats), or a “covered health care provider.” The question is whether assisted living facilities fall into the last category. A “health care provider” is a provider that is recognized by Medicare for purposes of reimbursement or that furnishes, bills, or is paid for “health care” in the normal course of business. “Health care” consists of “care, services, or supplies related to the health of an individual,” and includes, among other things, “maintenance,” “care,” and “assessment” with respect to “the physical or mental condition, or functional status, of an individual.” Assisted living is not reimbursed by Medicare. However, it does involve services related to the health of an individual, including assessment and maintenance of functional status. Given the broad definition, assisted living facilities appear to be “health care providers” within the meaning of HIPAA.

It is, however, not sufficient to be a health care provider for purposes of HIPAA coverage. It is necessary to be a covered health care provider. A covered health care provider is one that engages in electronic exchanges of health information with payors in connection with certain transactions that occur during the billing and collection process. Under HIPAA, such transactions must be carried out using prescribed data code sets. This has become the standard way that health care providers and payors communicate with one another and is used by both public and private health plans. A provider that receives payment from such entities will engage in electronic transactions using the mandated data code sets and therefore will be subject to HIPAA. A provider that does not do so will not be subject to HIPAA. Assisted living facilities for the most part do not participate in the health care payment system, let alone engage in electronic billing using HIPAA-prescribed standard data transaction code sets. Therefore, they generally are not subject to HIPAA.

Possible Exceptions

There is a possible exception for assisted living facilities in so-called “Medicaid waiver states” in which the state Medicaid plan has been expanded to provide reimbursement for assisted living services provided to persons who otherwise would qualify for skilled nursing care. A facility that participates in such a program may bill the state Medicaid plan electronically for its services to beneficiaries using the HIPAA-prescribed electronic data code sets. In that case, it will fall within the definition of a “covered health care provider” and will be subject to HIPAA. While California has a limited Medicaid waiver program, some assisted living facilities that participate in it do not transmit health information electronically to Medi-Cal in connection with the transactions identified by HIPAA. Rather, they use alternative billing mechanisms and therefore are not covered by HIPAA. On the other hand, assisted living facilities in the California Medicaid waiver program that do engage in electronic billing using the HIPAA code sets are subject to the HIPAA privacy and security rules.  In that case, the entire assisted living facility and all resident records that it holds will be subject to its requirements, and not just the records of the Medicaid beneficiaries.

It should be noted that, for HIPAA to apply, the electronic billing must be through the HIPAA-mandated code set. It is not sufficient for the facility to engage in electronic billing as that term might commonly be used. HIPAA will not be triggered, for example, by the simple transmittal of a bill as an email attachment or the electronic transfer of payment from the resident’s bank account to the assisted living facility’s bank account. In none of these situations is the assisted living facility using HIPAA-prescribed data code sets. Therefore, the HIPAA privacy and security rules do not apply.

Business Associates

It has been suggested that assisted living facilities may fall under HIPAA as “business associates” of covered health care providers. This is critical, because HIPAA makes business associates subject to many of the same privacy and security obligations as covered entities. A business associate is a person or entity that requires access to protected health information (PHI) in the course of assisting a covered entity in its operations. Examples are data aggregation companies, billing contractors, quality assurance consultants, electronic medical record software vendors, and attorneys.

Assisted living providers perform none of these services for health professionals, health facilities, or other covered entities. Therefore, they are not business associates. They do, however, exchange personal information, including PHI, about their residents with outside health professionals and health facilities on a regular basis. HIPAA allows covered entities to disclose PHI to health care providers, whether or not they are covered by it. Since assisted living facilities fall within the broad HIPAA definition of health care providers, they can access and receive PHI in order to care for their residents. They can disclose personal, including health, information about their residents to health care providers, as permitted by the state laws to which they are subject.

Multi-Level Facilities

There is one final point about assisted living facilities and HIPAA. A provider that operates an assisted living unit as part of a larger continuing care or multi-level retirement community that includes skilled nursing may choose to have the assisted and independent living services made subject to HIPAA. HIPAA characterizes such an organization as a “hybrid” entity, meaning one that performs some functions that are subject to its requirements (skilled nursing) and others that are not (assisted and independent living). In that case, the provider may limit the application of HIPAA to the covered, or skilled nursing, portion. However, this means that it must treat the uncovered portions as unrelated, external operations for purposes of sharing PHI, thereby severely limiting the ability to do so. Given this reality, continuing care and multi-level retirement communities invariably choose to have the entire operation covered by HIPAA. In that case, the assisted and independent living portions will be subject to all of the HIPAA rules.