HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a complex law that, in large part, ensures privacy of electronic exchange of personal health information (PHI) between health care providers, with insurance companies and also with providers of business services, such as accounting. The law requires specific duties of "covered entities:" (e.g. physicians, health plans) and service companies that the law calls “business associates.” Since there are substantial federal penalties for failure to comply with HIPAA, it is important to clarify the relationship of independent gamete banks to covered entities.
The Federal Register states: "We delete from the definition of 'health care' activities related to the procurement or banking of blood, sperm, organs or any other tissue for administration to patients" (65 FR 82572). This is a pretty clear statement that gamete banks are not "health care providers," i.e. "covered entities."
The regulations could be interpreted to include tissue banks as health care providers because the definition of “health care” includes providers of care, services or supplies related to the health of an individual patient. However, independent gamete banks are not required to have nor request knowledge of the chief complaint of the patient, her diagnosis, her treatment plan, or even the therapeutic outcome. (Xytex asks that patients voluntarily submit an anonymous report of pregnancy outcome. Xytex does not “chart” the patient). Indeed, the bank only supposes that the patient is a patient because she is physician-referred.
Interestingly, some physicians who authorize their patients to interact with a gamete bank have asked that bank, namely Xytex, to execute a business associate contract. The regulations define a business associate as an entity who must have individually identifiable health information in order to provide “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity.” Also, by definition, a business associate does not have direct contact with patients. Clearly, a gamete bank may have direct contact with patients, and clearly the bank does not provide any business associate services to the patient’s physician. Therefore, gamete banks are not business associates.
It may be reasonably argued that the knowledge that a gamete bank gathers of patients is acquired "incidentally" or "accidentally," two means of health information disclosure specifically excluded from HIPAA regulation. This puts gamete banks in a class of knowledge acquirers that includes patients in reception rooms and janitorial services, both of whom may come in contact with information that clearly identifies patients by name. Such transfer of knowledge is "permitted" so to speak by HIPAA.
Nevertheless, it is the policy of Xytex to protect the confidentiality of individually identifiable information it has on physician-referred persons who select a gamete donor. Xytex does not divulge the names of these persons nor their selected donors nor financial information that could be used to construct individually identifiable information. Furthermore, it is Xytex’s policy of many years to immediately terminate any employee who discloses such information to persons other than Xytex employees with a defined need-to-know.