This information was released in the SSVF Program Update yesterday.
HIPAA Compliance
Several SSVF grantees have raised concerns about HIPAA compliance as it relates to HMIS participation and Repository uploads. HIPAA, or Health Insurance Portability and Accountability Act, is a privacy rule that provides federal protections for patient data and establishes rules for certain organizations that collect, use, and disclose Protected Health Information (or PHI).
In order to be covered by HIPAA, and responsible for compliance with HIPAA protections, an SSVF grantee organization must be either a health care provider, health plan, or health care clearinghouse that transmits health information electronically. Operating an SSVF grant does not by itself constitute HIPAA-covered activity. The SSVF programs themselves, as they are defined by VA, are not HIPAA-covered entities. See the HHS website for more information about HIPAA responsibilities and regulations. (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html).
If a SSVF grantee is transmitting Protected Health Information (PHI) as a health care provider or clearinghouse; has completed an independent audit of their data collection and transmission practices and determined that HIPAA regulations apply to them; that grantee is encouraged to seek technical assistance through the SSVF program office to explore options for HIPAA compliance. In the event that a grantee is a HIPAA-covered entity as a result of other organizational activities, HIPAA requirements take precedence over any HMIS standards for privacy, and the responsibility for HIPAA compliance is with the HIPAA-covered entity (grantee).