HIPAA Policy and Sanico USA Operations
245 Hooker Place
Staten Island, NY 10303
Re: Inapplicability of HIPAA to Business
To who it may concern:
We were asked to provide a letter summarizing when and how HIPAA applies to various businesses and why it does not apply to our business and our business’s interactions with customers. This letter has three parts: a brief summary of our business, a summary of when and how HIPAA applies and why HIPAA should not be applicable to our business.
A summary of the Sanico USA business
Sanico USA provides janitorial and disinfecting services as a third-party service provider. Sometimes provided in these services is the provision of various temperature scanning technology. While Sanico USA may provide the various temperature scanning technology, it does not store or otherwise process any data from the technology. These services are provided to businesses of various sizes, in numerous industries and in numerous locations. These services range from one-time relationships to regular cleaning or maintenance. While Sanico USA does work for some businesses in the health care industry, it does not provide health care services itself.
When HIPAA applies to a business
HIPAA (the Health Insurance Portability and Accountability Act) applies only in certain circumstances. For HIPAA to apply to a business, there must be (1) a covered entity and (2) protected health information. References to HIPAA include all regulations and other guidance promulgated under HIPAA.
What is a covered entity?
A covered entity is any business that is one of the following: (1) a health plan, (2) a health care clearinghouse or (3) a health care provider who transmits health information electronically. Each of these terms is defined in HIPAA. A health plan is an individual, group or business that provides, or pays the cost of, health care. This includes employer provided health benefits, insurance companies that issue health insurance and government-provided health care (such as Medicare and Medicaid). A health care clearinghouse is an entity that processes, facilitates or receives health information in a nonstandard format and converts it to a standard format (or the reverse). This is normally in relation to Medicare or Medicaid payments. Health care providers include individuals, groups or entities that provide medical or health services or furnish, bill or are paid for health care in the normal course of their business. While medical or health services are broadly defined, they are still limited to physical or mental care of the human body. 45 C.F.R. 160.103.
Are only covered entities subject to HIPAA?
No, there is one exception. Business associates are also subject to HIPAA. To be a business associate, an individual, group or entity would need to provide services to a covered entity and as a result of or requirement of providing those services, will or could have access to protected health information. 45 C.F.R. 160.103.
What is protected health information?
Protected health information is any health information satisfying each of the three requirements:
(1) it relates to (a) past, present or future physical or mental conditions, (b) the treatment of a past, present or future physical or mental condition or (c) the payment for the treatment of a past, present or future physical or mental condition, (2) it is created or received by a covered entity or employer and (3) it identifies the individual or could reasonably be expected that a third-party could identify the individual to which it relates. 45 C.F.R. 160.103.
Does HIPAA apply to Sanico USA’s business?
There is no reason to expect Sanico USA’s business operations with customers would be subject to HIPAA based on its business and the scope of HIPAA. The provision of janitorial services is certainly not within the realm of what would make a business a health plan, health care provider or a health care clearinghouse as those terms are defined by HIPAA and described in this letter. Further, even when providing its services to covered entities, Sanico USA would not be a business associate because any HIPAA-compliant covered entity should not be providing access or the ability to access protected health information for the services Sanico is providing. As examples, if there is secure storage (such as locked drawers) and secure destruction of protected health information (such as shredding), then even if the services are provided to a covered entity within the physical bounds of an existing, ongoing business, Sanico USA should not have any reason to have access to, the use of or the right to disclose protected health information, nor should there be any reasonable belief they would have access to, the use of or the right to disclose protected health information. It should be noted that Sanico USA’s internal health benefits plan for employees is subject to HIPAA, but that is both standard and would have no impact on the application of HIPAA to Sanico USA’s business with its clients and customers.
Charles M. Russman