How to Handle a Request for Assisted Living or Group Home Rent Rolls under HIPAA

HIPAA can be confusing, and is often misunderstood by people in and outside of the health care industry.  Witness the occasional pro athlete or politician citing HIPAA when refusing to answer questions about their health. Owners of assisted living homes can easily avoid mistakes regarding protected health information (“PHI”). Disclosing rent rolls is one of the areas that deserves extra consideration when owners and operators are considering buying, selling, or refinancing an assisted living business.

Assisted Living and HIPAA

Assisted living residences are health facilities under Colorado law[1], and are considered health care providers under HIPAA.

HIPAA is the Health Insurance Portability and Accountability Act, a federal law  (“HIPAA”). Under HIPAA, every health care provider that electronically transmits health information concerning certain transactions is classified as a "covered entity."[2]

At the heart of HIPAA is the principle of safeguarding "individually identifiable health information," commonly known as protected health information or “PHI.” PHI encompasses data that relates to an individual's health, the healthcare services they've received, and payments for these services. Key identifiers, including names, addresses, birth dates, and Social Security Numbers, make the information identifiable.

Residents of assisted living homes are, usually, receiving assistance with the activities of daily living (“ADLs”) – services.

Thus, including a person’s name on a typical rent role of an assisted living business discloses at least three pieces of PHI - their name, address, and the fact that they are receiving services related to their ADLs.

Understanding the HIPAA Privacy Rule will help owners and operators address this issue.

The Privacy Rule & PHI

HIPAA's Privacy Rule meticulously outlines the situations under which a covered entity can use or disclose PHI.

Per Code of Federal Regulations

Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.[6]

In other words, there are two pathways to release PHI for assisted living residents:

1. When the Privacy Rule allows or mandates it.

2. When the individual, whose information is in question, gives written authorization.

More could be said about when the release of PHI is mandated, but this  article is focused on the release of rent rolls by owners and operators for transactional purposes.

An assisted living resident typically signs a HIPAA release form upon move in. However, that release form is very specific about who is permitted to receive the PHI, and does not, ordinarily, extend permission to future undisclosed potential financiers and potential business purchasers. (See example from the American Bar Association here.)

Accessing and/or disclosing someone's personal healthcare information without proper authorization is a serious violation of privacy laws in many jurisdictions worldwide. In the United States, this is governed by HIPAA.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.[8]

HIPAA's overarching goal with the Privacy Rule is to ensure that individuals' health information remains secure while enabling the seamless flow of necessary health data. This balance aims to facilitate quality healthcare provision and protect public health and welfare.

Buyers, Sellers, and Financiers

Assisted living buyers and their financiers sometimes want to see the rent rolls of assisted living operators. They want this information as evidence of the occupancy rate of the business. Shared rent rolls usually include the name of the resident and are usually provided under a confidentiality agreement. However, a confidentiality agreement, or Non-Disclosure Agreement, may not be sufficient under the HIPAA Privacy Rule because the owner of the information did not expressly provide permission for disclosure of the health information that is not for treatment, payment or healthcare operations.

The Privacy Rule underscores the issue.

A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.[4]

Incidentally, the same issue arises with use of the bookkeeping records for an assisted living business.

HIPAA Complaints

Mistakes happen and sometimes PHI is inappropriately released. HIPAA is enforced at the federal level by the Office for Civil Rights (“OCR”) in the U.S. Department of Health and Human Services (“HHS”).

The OCR investigates complaints, conducts compliance reviews to ensure entities are in compliance, and maintains education and outreach programs to foster compliance with the rules. If violations are identified, OCR can issue penalties, and in extreme cases, criminal charges may be brought by the Department of Justice (“DOJ”).

Several agencies at the federal level in the United States enforce laws related to medical privacy. Here are a few of the agencies involved in enforcement:

1. The OCR is the main agency that enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, which protect the privacy and security of health information.

2. The Federal Trade Commission (FTC): The FTC enforces certain health privacy laws, particularly in relation to consumer protection and deceptive practices. The FTC's Health Breach Notification Rule requires health-related electronic record companies to notify individuals when their health information is breached.

3. The Substance Abuse and Mental Health Services Administration (SAMHSA): SAMHSA enforces the confidentiality regulations for substance use disorder patient records.

4. Centers for Medicare & Medicaid Services (CMS): CMS enforces the Administrative Simplification provisions of HIPAA related to health insurance reforms.

In addition to these federal agencies, each state has its own laws related to medical privacy and corresponding enforcement agencies. These state laws can sometimes provide even greater privacy protections than federal law.

In Colorado, health privacy is addressed under a number of laws and regulations. These are enforced by the Colorado Department of Public Health and Environment (“CDPHE”).

More information about Colorado law, regulations, and enforcement of health privacy can be found in the Colorado Health Information Guidebook, which provides a detailed summary of the applicable laws, and enforcement.

For countries outside of the United States, the agencies responsible for enforcing medical privacy laws will vary, but typically involve health departments or ministries, data protection authorities, or consumer protection agencies.

How to Handle the Rent Rolls and Request for Financial Records.

One solution is to disguise or code the resident’s names in the rent rolls and bookkeeping data. In addition to hiding the resident’s name, there must be no other information provided that allows a reader to identify the individual resident.

This may take some planning during the establishment of the business operations for an assisted living or when there is a need to prove occupancy rates of the business.

But the alternative is to risk an enforcement action by the federal government, state government, or both.

The information herein is intended to be educational and an introduction to the subject matter presented. Despite any statutory or regulatory references cited in the article above, it is NOT specific legal advice to be relied upon for specific individual circumstances. Contact your own legal professional or reach out to our firm if you would like specific advice on this topic.

Look for additional blog posts on topics of interest to Assisted Living, Group Homes, and Behavioral Health operators. We welcome topic suggestions! Write to Brian@Pinkowskilaw.com if you are curious to learn more about a certain topic impacting assisted living or other group housing concerns.

[1] C.R.S. 25-3-101(1)

[2] U.S. Department of Health & Human Services, Office of Civil Rights, OCR Privacy Brief. Summary of the HIPAA Privacy Rule. Pg. 2.

[3] U.S. Department of Health & Human Services, Office of Civil Rights, OCR Privacy Brief. Summary of the HIPAA Privacy Rule. Pg. 2.

[4] 45 C.F.R. § 164.508.

[5] 45 C.F.R. § 160.103 and U.S. Department of Health & Human Services, Office of Civil Rights, OCR Privacy Brief. Summary of the HIPAA Privacy Rule. Pg. 1.

[6] 45 C.F.R. § 164.502(a).

[7] 45 C.F.R. § 164.502(a)(2).

[8] Ibid., Pg. 1.