Senior housing operators keep detailed track records of who they are renting their units to, for how much, and for how long. The information is translated into rent rolls which are often shared with landlords, lenders, potential purchasers and a host of others. But in sharing this information about their residents, are operators inadvertently violating HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) prohibits a covered entity from using or disclosing to a third party “protected health information” unless permitted by HIPAA or the HIPAA Privacy Rule (45 C.F.R. §160.103). A “covered entity” is defined by HIPAA as “a health care provider who transmits any health information in electronic form . . . . “ (the italicized terms are defined by HIPAA). A “health care provider” is defined in the HIPAA Privacy Rule to include any person or organization “who furnishes, bills, or is paid for ‘health care’ in the normal course of business.” The term “health care” is also defined in the HIPAA Privacy Rule and under this definition, it would appear that a skilled nursing facility is providing “health care,” but a typical assisted living facility is probably not providing “health care” (although arguments could be made that an ALF is within this definition, especially depending on the factual circumstances).
Further, “protected healthcare information” is defined broadly by HIPAA to include information that is (i) created or received by the covered entity; (ii) relates to the past, present or future physical or mental health condition of an individual, the provision of healthcare to an individual or the past, present or future payment for healthcare; and (iii) identifies an individual or can be used to identify an individual (i.e., a social security number).
As mentioned above, there is a question as to whether an assisted living facility is a “covered entity” under HIPAA’s definition, and there is no clear-cut answer, as the answer is fact-specific. But, if an assisted living facility is a HIPAA covered entity, then it cannot disclose protected health information to a third-party unless a HIPAA exception applies. Because residence at an assisted living facility potentially implicates the “past, present or future physical or mental health condition of an individual” (particularly if a resident is in a memory care unit), the prudent approach for owners and operators providing a rent roll to a third-party is to redact any resident-specific identifying data (e.g., names, social security numbers, etc.) before disclosure.
