HIPAA Provisions

Organ Procurement and HIPPA​

Nationwide, hospitals are updating their agreements to comply with the privacy regulations contained in the Health Insurance Portability and Accountability Act (HIPAA). The core functions of an Organ Procurement Organization (OPO) are subject to two regulatory exemptions in the final HIPAA privacy regulations. First, a health care provider may use or disclose information if and as required by law. This exemption allows OPOs and hospitals to comply with the Medicare Conditions of Participation, 42CFR § 482.45 which specifically authorize referrals and records audits.

The second, and most broad exemption is found at §164.512(h) which allows information to be released to organ procurement organizations or other entities involved in the procurement, banking or transplantation of cadaveric organs, eyes, or tissue for the purposes of facilitating organ, eye or tissue donation and transplantation. This allows the release of information by and to, donor hospitals, transplant hospitals, United Network for Organ Sharing (UNOS), tissue banks and laboratories.

Pursuant to these two exemptions, hospitals do not need to obtain patient consent for OPOs to do their core jobs; the coordination of donation and transplant, and the review of records. Furthermore, the Centers for Medicare and Medicaid Services' (CMS) responses to comments on the regulations clarify that OPOs are not 'business partners' of hospitals. The response states, in pertinent part: "...organ procurement organizations and tissue banks are generally not business associates of hospitals."

Thus, OPOs do not need to enter into "business partner agreements" with hospitals, unless they are acting as something other than OPOs. LifeNet Health Affiliation Agreement does not contemplate that we act in any capacity other than as an OPO. Finally, in the preamble to the final rule, CMS states that OPOs are not "health care providers" when they are engaged in the procurement or banking of organs, blood or tissues. Thus, with regard to hospital affiliations, OPOs are neither covered entities, nor business partners, and are specifically permitted to perform their core functions, with stringent confidentiality, but outside the ambit of HIPAA.

Background Information:

For further information please contact your respective hospital liaison.