Re:  "You will also need to include in your consent to disclose (which the
patient must sign) the fact that this information is to be shared with the
fiscal intermediary." (see message below)

A few observations in order to avoid confusion on this point:

1. By signing a HIPAA consent the patient is informed and agrees that his or
her PHI "may be used and disclosed to carry out treatment, payment and
health care operations."  45 C.F.R. 164.506(c)(1).  

2. The Notice of Privacy Practices that must accompany that consent must
give "a description, including at least one example, of the types of uses
and disclosures that the covered entity is permitted by [HIPAA] to make for
each of the following purposes:  treatment, payment, and health care
operations."  164.520(b)(1)(ii)(A).  

3. Therefore, while the consent and Notice will give the patient a general
indication that information will be shared in order to accomplish payment,
the disclosure to the FI need not be the example, or one of the examples, in
the Notice, and should not be specifically mentioned in the consent.

Hope that's helpful.


Robyn A. Meinhardt
Foley & Lardner
Denver, Colorado
303-294-4414


-----Original Message-----
From: Clay III, Roy G. (MCLNO) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 10:41 AM
To: 'Basu, Asis@DDS'; 'David Blasi'; [EMAIL PROTECTED]; Clay III, Roy G.
(MCLNO); [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Obtaining social security numbers


No. You do need to have chain of trust agreement between you and the fiscal
intermediary as defined in the security rule. You will also probably need a
business partner agreement described in the privacy rule. (These can be
combined and included in the contract language.) You will also need to
include in your consent to disclose (which the patient must sign) the fact
that this information is to be shared with the fiscal intermediary. 

-----Original Message-----
From: Basu, Asis@DDS [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 5:19 PM
To: 'David Blasi'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Obtaining social security numbers


Dear List,
A quick question.  
Do we have to deidentify the personal information from X12 837
(Institutional or Professional) outbound data even during testing with our
trading partners?  Our trading partner is a pre-existing fiscal intermediary
between us and Medicare.
I tried to read through the final rule but have been distracted in the process.
Any help will be appreciated.
Thanks,

Asis Basu
HIPAA EDI Compliance Analyst
Department Of Developmental Services
State Of California
1600 9th Street Room #206
Sacramento, CA 95814
916-654-2062 (Voice)
916-654-3352 (Fax)
mailto:[EMAIL PROTECTED]
 
 

-----Original Message-----
From: David Blasi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 2:02 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Obtaining social security numbers


This has been an interesting string and unfortunately this will probably
be my last post on the subject because everyone is probably tired of
reading it.  I agree the health plan is not responsible for disclosures
by the plan participant or the provider.  I hope I didn't imply that in
my previous messages.  However, this # is designed by the plan to be
shared with providers and other entities in the healthcare systems.  You
may hold the information in a secure manner, but there are now external
sources who can link your unique number to identifying characteristics
because it has been shared and you know it is being shared.  I can say I
secure my table linking the # to identifying characteristics, but there
are now 20 other entities out there with the same table.  I then have to
say to myself, "Can I treat this # as still being de-identified and
disclose it to other entities?"   Our answer will probably be "No."  
Yours may be different based on your assumptions and analysis.  

Good luck.           

   
>>> "Clay III, Roy G. (MCLNO)" <[EMAIL PROTECTED]> 02/06/02 03:22PM >>>
Does it really matter how many providers the number has been shown to, as
long as the database that links that number to identifying information is
kept under tight security? It is that identifying information that is not
readily available. Now if the patient chooses to reveal identifying
information to the provider in addition to the health plan beneficiary
number, that is done with the patient's consent and the health plan is not
responsible.

-----Original Message-----
From: David Blasi [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 05, 2002 6:33 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] 
Subject: RE: Obtaining social security numbers


I think we are coming at this from two different perspectives. I'm
guessing from your e-mail address that you are looking at it from the
research perspective.  This is especially relevant since the majority,
if not all health plan reporting will be to the plan sponsor or their
business associate.    Your comments make sense from the research
perspective about your need to issue and support your research and
reports.  However, from a health plan administration perspective, the
number we are talking about assigning is not the SS# in
164.514(b)(2)(i)(H), but it is a "health plan beneficiary number" as is
noted in 164.514(b)(2)(i)(I).

You can make the argument that this number is not "reasonably
available" and do your statistical analysis as you noted under
164.514(b)(1), but this is only good for a health plan for a period of
time.  When the SS# was first issued, it was also not reasonably
available.  When an employee has been with a plan for many years and has
been showing that number to umpteen providers as well as HR reps, is it
still not reasonably available?  Please see the comments on 82709 "The
risks of disclosure increase as the number of external resources
increases.."  That is essentially what happened with the SS# to the
point where it is considered identified.  Research reports, identifiers
and the underlying records are much more likely to remain de-identified.
  

I guess the point I was trying to get across is that the New# is PHI at
some point, just as much as the SS#.   A health plan or its business
associate needs to evaluate how it will protect it.

>>> "Clay III, Roy G. (MCLNO)" <[EMAIL PROTECTED]> 02/05/02 05:33PM >>>
I have to disagree with both of you. Although what you say is correct in
terms of the language in 164.514(b)(2), HHS gives you an alternative in
164.514(b)(1) where you can develop your own method of de-identifying the
data and document by statistical analysis that the method is effective. For
example, you could follow the procedure in 164.514(b)(2) except that you add
a key field that allows you to index the data against a database of
identifying information. That means that 164.514(b)(2) cannot be the basis
of your information being de-identified. But then you document that access
to the database with the linking index to the identifiable information is
restricted to only those who were identified in the patient's consent to
disclose and that can be considered de-identified since the identifying
information is not "reasonably available" as defined in 164.514(b)(1)(i).

-----Original Message-----
From: Dennis Melamed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 05, 2002 3:00 PM
To: David Blasi; [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] 
Subject: RE: Obtaining social security numbers


Mr. Blasi's point is right on target. If you create another number which
identifies a patient, you have not de-identified the data. This activity
falls under the omnibus provision (section R) of the safe harbor for
de-identified data. Simply substituting another number for the SSN is not
enough. Even if you bury the key so no one can convert that number, you
have still created an identifiable number and thus do not have de-identified
data. That's straight from senior HHS officials. There is no equivocation on
this point.

The SSN has its own problems above and beyond those mentioned in earlier
emails.

Also remember that the HIPAA Privacy Rule does not have to be implemented
until April 2003.

Of course, these people may be referring to some other state or federal
law. But I'm not aware of how the federal Privacy Act would affect you. That
governs federal agencies and their contractors, not the private sector.

Dennis Melamed
Editor
Health Information Privacy Alert
(202) 296-3069



-----Original Message-----
From: David Blasi [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 05, 2002 1:41 PM
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
Subject: Re: Obtaining social security numbers


I agree that each plan can make a business decision to move away from
the SS#, but I don't see how that helps you avoid any responsibilities
under the privacy rule.  You are just creating another identifier that
could be used to identify an individual and their health information.
If you put your proprietary number on the ID card which then gets
matched up against clinical information for billing purposes and all
subsequent claims information (EOB's), how is that new identification
number not PHI?  PHI can be many things beyond SS#.  It can be a URL,
ISP, etc.  I'd consult with your counsel to make sure you aren't making
an incorrect assumption that you can avoid certain responsibilities just
by not using a SS#.


>>> "Beth Kranda" <[EMAIL PROTECTED]> 02/05/02 12:40PM >>>
While I agree with David that the use of an SSN simplifies COB, I have also
taken the position of eliminating the SSN as ID number.
In the definition of Payment and in section 164.514 on de-identification,
the SSN is referenced as an element that is considered PHI.  Some have
interpreted this to mean it is then protected, and taken that further to
imply that, if the ID card has the SSN on it, it is then considered PHI and
subject to the same type of protection requirements as the clinical record.
Not sure if this is true, but certainly, reporting is easier if you have a
unique identifier that is not the SSN with which to tie de-identified
information back to a member.

As for the HEDIS problem, this simply means your company needs a "person ID"
to tie a person's health history together across systems and across
enrollment records.  While convenient, it is not necessary to use the SSN to
accomplish this.  This is one of those decisions that needs to be driven by
the legal and business issues.  My guess is that the "Privacy Act" this
patient cited is state based or some other privacy legislation, not HIPAA.
Most of the general public is still not aware of HIPAA's rules.

All of the Health Plans I have talked to in Indiana are moving away from the
SSN.
--
M. Beth Kranda
Sr. Project Consultant and Privacy Director
OASYS
t- (317) 614-2139
f- (317) 614-2001
e- [EMAIL PROTECTED] 
info- www.oasys.com 

David Blasi wrote:

> Don't see this as a HIPAA Privacy Rule requirement.  In fact, until
> there is an alternative individual identifier, each plan or provider
> assigning a proprietary number to identify an individual creates even
> more confusion than we currently have.  Especially in COB situations.
> But, are you in California?  California recently passed SB 168 regarding
> the use of SS#'s.  However, the law does allow use of SS# for "internal
> verification or administrative purposes."  This is what most plans or
> providers use the SS# for anyway.  What it will require is for a plan or
> provider to take a look at notifications sent or ID cards used.  Have
> your counsel take a look at this bill or similar bills proposed in other
> states.   Essentially, you can prepare a response that states you are
> permitted to use SS# in certain limited situations, such as eligibility
> and claims payment.
>
> >>> "Waterhouse, Melissa" <[EMAIL PROTECTED]> 02/05/02 09:33AM >>>
> Recently, we have been experiencing resistance from members when we
> request their social security number and the numbers of their dependents.
> Several letters from employees quote The Privacy Act. We are considering
> not requiring dependents socials but this could negatively impact HEDIS
> numbers since SSN's are the only way to track continuous enrollment.
>
> I am wondering if other health plans are also experiencing this and if
> they decided to not require social security numbers or have moved to using
> another identifier.
>
> Thank you,
> Melissa Waterhouse
> SummaCare Health Plan
>
>
**********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy 
> and enter your email address.







