HIPAA: A Food Bank Guide

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of
rules and regulations that was created to protect an individuals health
information and regulate how this information can be shared.

Who is responsible:
Health Plans - health insurance organizations
Health Care Clearinghouses - intermediates between two health care
organizations, like billing services
Health Care Providers - an organization that provides a medical service and
transmits this information electronically
Business Associates - any organization that works with or for a health plan,
a health care clearinghouse, or a health care provider and handles
protected health information as a part of its responsibilities

What information is protected?

According to HIPAA, any medical information, or information that can be used
to identify an individual, is considered to be protected health information
(PHI). This information is only protected if as it is in the possession of any
organization that falls into one of the categories above.

PHI includes: names, addresses, contact information, certain dates,

medical information, social security number, etc.

Patient authorization is needed when transferring PHI to another

organization, unless the treatment exception applies.

Treatment exception - this exception allows any organization who is treating

a patient to send PHI to another organization, without patient
authorization, in order to continue a patients treatment. An example
would be
 Food Banks and HIPAA
Food banks do not usually fall into categories of organizations that must
abide by HIPPA regulations. However, when food banks begin to partner with
more health care providers, these food banks may find themselves having to
abide by HIPPA regulations.

When food banks must comply

When they enter into a business associate agreement with a HIPAA
compliant organization, like a hospital
When food banks provide a medical service while also billing for this
service
When a food bank receives PHI from a health care facility
When the treatment exception applies

Acting as a Business Associate or a Covered Entity adds legal obligations to

comply with HIPAA requirements. Some food banks may decide to take on
this responsibility, but there are ways to achieve similar actions without taking
on HIPAA. As a reminder, any medical information that an individual shares
about themselves to a food bank, is not protected under HIPAA.

These actions include:

Health care facilities can provide patients with an application to a food
bank program
A client can self report medical information to a food bank
Food Banks can ask client to fill out medical questionnaires
Food bank representatives can be introduced to a patient by a member of
a health care facility with the permission of the patient
Health care facilities can provide their patients with recommendations on
food box type they should get from a food banks as long as the health
care facilities and the food banks do not communicate directly·
External health care providers can come to the food bank to screen
patients
Dietitians can provide nutritional services like diabetes education as long
as no billing occurs, and no summaries are shared
Food banks can refer clients to medical resources like primary care
providers