Covered entities participating in an organized health care arrangement (OHCA) enjoy primarily two benefits: (1) They can exchange protected health information (PHI) about an individual for any health care operations activities of the OHCA; and (2) They can utilize a single joint notice of privacy practices. However, the HIPAA privacy regulations do not provide guidance on whether, or how, covered entities must document their participation in an OHCA. Furthermore, while the benefits to organizing as an OHCA may prove great to some covered entities, there are also important issues that entities should consider before deciding to participate in an OHCA.

The Concept of OHCAs
HHS first incorporated the notion of OHCAs into the December 2000 final privacy rule "in order to describe certain arrangements in which participants need to share protected health information about their patients to manage and benefit the common enterprise." 65 Fed. Reg. 82,462, 82,494 (Dec. 28, 2000). HHS describes five arrangements that qualify as OHCAs, three of which involve group health plans. The two arrangements relevant to health care providers are:

(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider; and

(2) An organized system of health care in which more than one covered entity participates, and in which the participating covered entities (a) hold themselves out to the public as participating in a joint arrangement; and (b) participate in joint activities that include utilization review, quality assessment and improvement activities, or payment activities.

In explaining arrangements that constitute OHCAs, HHS notes that each of the "arrangements involve clinical or operational integration among legally separate covered entities," and "individuals who obtain services from them have an expectation that these arrangements are integrated and that they jointly manage their operations." 65 Fed. Reg. at 82,494. Recognizing that OHCA participants need to share PHI in order to effectively manage their joint enterprise, HHS incorporated the concept of OHCAs into the Privacy Rule.

Exchange of Protected Health Information
Perhaps the greatest advantage to participating in an OHCA is that participants are permitted to exchange PHI about an individual for any of the OHCA's "health care operations" activities. 45 C.F.R. § 164.506(c)(5). Under this provision of the Privacy Rule, however, a covered health care provider participating in an OHCA would not be permitted to disclose PHI to another participating covered entity for a health care operations activity of the covered entity if the activity is not part of the OHCA's common enterprise.

The HIPAA Privacy Rule does not clearly address whether all participants in an OHCA must be covered entities. With the exception of the first prong of the definition of OHCA, an OHCA is defined as only including covered entities as participants. Under the first prong, however, an OHCA is defined as including health care providers furnishing services in an integrated care setting. Under the Privacy Rule, health care providers are covered entities only if they transmit health information in connection with one of the standard transactions. HHS used the term covered health care providers in other parts of the HIPAA Privacy Rule where it intended other provisions to apply only to covered health care providers, and not noncovered providers. Given that HHS used the term health care providers rather than covered health care providers in defining the first type of arrangement that meets the requirements of an OHCA, arguably, noncovered health care providers can participate in an OHCA.

However, the provision permitting participants in an OHCA to exchange PHI for health care operations activities is limited to covered entities participating in an OHCA. See 45 C.F.R. § 164.506(c)(5). Furthermore, in the preambles to both the December 28, 2000 final Privacy Rule and the August 14, 2002 modifications to the Privacy Rule, HHS repeatedly describes OHCAs as only including covered entities as participants. Further, in the August 14, 2002 modification to the final Privacy Rule, HHS rejects commenters' suggestions to allow covered entities to disclose PHI to noncovered health care providers under the provisions permitting covered entities to exchange PHI for limited health care operations activities. See 45 C.F.R. § 164.506(c)(4). HHS notes that permitting disclosures of PHI to noncovered providers for treatment or payment activities "is warranted and appropriate so as not to impede such core activities." 67 Fed. Reg. 53,182, 53,218 (Aug. 14, 2002). Nonetheless, because an individual's health information is no longer protected under the Privacy Rule when disclosed to a noncovered health care provider, HHS concludes that a noncovered health care provider's health care operations do not warrant the same consideration as do its treatment and payment activities. However, given that HHS defines OHCAs as including health care providers furnishing services in an integrated care setting, HHS may have concluded that the value in preserving the exchange of communication in such settings outweighs the fact that the PHI is no longer protected if shared with a noncovered health care provider. This does not, unfortunately, explain the clear language of the regulatory provision that limits participants who are permitted to exchange PHI for health care operations activities of the OHCA to those that are covered entities.

Joint Notice of Privacy Practices
Covered entities participating in an OHCA may maintain separate notices of privacy practices or use a joint notice of privacy practices. 45 C.F.R. § 164.520(d). If the participants utilize a joint notice, they must agree to abide by the terms of the joint notice with respect to PHI created or received by each of them as part of their participation in the joint enterprise. 45 C.F.R. § 164.520(d)(1). Thus, the policies and procedures of each participating covered entity would not necessarily have to be identical with each other's, but would at least have to be consistent with the joint notice of privacy practices.

A joint notice must meet each of the requirements for notices of privacy practice as set forth in the Privacy Rule. 45 C.F.R. § 164.520(d)(2). In addition, a joint notice must describe with reasonable specificity the covered entities and the service delivery sites to which the joint notice applies. 45 C.F.R. § 164.520(d)(2)(i), (ii). The joint notice must also state, if applicable, that the entities will share PHI to carry out treatment, payment, or health care operations relating to the OHCA. 45 C.F.R. § 164.520(d)(2)(iii). Even where a health care provider participating in an OHCA chooses to maintain a separate notice of privacy practices, the health care provider should include a statement in the notice informing the patient that the health care provider participates in an OHCA, and will be sharing PHI with other participants for purposes of treatment, payment, and the health care operations of the OHCA. If one covered entity participating in an OHCA delivers the joint notice upon first delivering services to a patient, the delivery will satisfy the requirements regarding delivery of the notice as to all of the other covered entities participating in the OHCA. 45 C.F.R. § 164.520(d)(3).

Although the Privacy Rule does not require covered entities participating in an OHCA to document, other than in their notices of privacy practices, that they participate in an OHCA, covered entities should consider memorializing their agreement to participate in an OHCA. This can be done through a simple memorandum of understanding that is signed by the individual authorized to act on behalf of each participating covered entity. Entities participating in a large OHCA may also want to agree on a process for adding or removing participants.

Disadvantages to OHCA Participation
As described above, entities participating in an OHCA enjoy the benefits of exchanging PHI for the health care operations activities of the OHCA, and can utilize a joint notice. However, before participating in an OHCA, entities should consider some of the possible disadvantages. Given that entities participating in an OHCA may hold themselves out to patients and the public as participating in a joint enterprise, there may be a basis for arguing that the participants should be held jointly liable for the common operations of the OHCA. Further, the HIPAA Privacy Rule does not answer whether participants of an OHCA will be held jointly liable for violations of the HIPAA Privacy Rule that occur within the operations of the OHCA.