Preface: I am not a lawyer.
While I agree that faxes "ARE indisputably an electronic form of communication", I am not of the opinion that providers that submit UB-92s or HCFA-1500s via fax are conducting an electronic transaction as defined by HIPAA. Therefore, IMHO, a provider who sends only paper via standard mail and/or fax would not be a covered entity.
Alternate opinions are encouraged.
Cecil Bohannan
Principal Consultant
Keane, Inc.
"Benjamin W. Tartaglia" <[EMAIL PROTECTED]>
03/19/2002 09:07 AM
Dear Bill,
I assume (perhaps incorrectly) that your information is based on vendor
information as most user information is.
Please take these comments in the positive manner for which they are
intended.
These comments exclude, purely mechanical Facsimile machines such as the
older manufacturing products and the local pantographs which are mechanical
and relied on levers to reproduce copies (otherwise known as facsimiles)and
whose use was made widely known by Benjamin Franklin.
Faxes, (today's office machines), ARE indisputably an electronic form of
communication. They use codecs to change writing and images into digital
transmissions and back again. Most faxes sold today are digital faxes.
If they are not electronic at some point, how are they transmitted? last
time I looked they are transmitted over analog and digital lines over
microwave, fiber optics and cellular, not to mention LANs, MANs and WANs.
They are not being carried via carrier pigeons.
Once they are in electronic format they can be encrypted and subject to
security codes.
There are internet services which allow you to send a document created on
your computer, through their system which is then delivered to your fax
machine or via voice synthesis. Voice synthesis is electronic. You can
also scan a document and have it delivered via fax.
Faxes do not have to be sent via "forced delivery", (and sit on your desk)
that is... printed out at the destination. They can be stored
electronically in the destination fax machine, at a central fax store and
forward location or on the internet for retrieval on demand by the cognizant
addressee using a security code. They can be accessed using security codes.
Yes, faxes can be sent to wrong "addresses".... so can emails. I receive
misdirected emails all the time due to one transposed character or due to
the use of .net instead of .com. I once got a divorce negotiation.
I suggest you call in a few vendors and see which applications faxes are
good for and to discuss the range of available faxes. Your current vendor
may be inexperienced, in fear of losing an account or just plain
incompetent.
All the best
Ben Tartaglia
Benjamin W. Tartaglia, MBA, BSIM, CSP
Director, Client Services
BWT Associates, HealthCare Consultants
HIPAA, JCAHO, Telemedicine, Contingency Planning, Telecommunications,
Telephone Fraud & Abuse, Training Programs, Policy & Procedures, Management
Audits.
PO# 4515, Shrewsbury, MA 01545
Phone: 508-845-6000
EMail: [EMAIL PROTECTED]
-----Original Message-----
From: Bill Bernath [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 7:46 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Covered entities
Got to disagree here folks - a fax is not an electronic transmission. It
cannot be decoded or encrypted. The net effect of a fax is the same as
leaving an letter delivered through the USPS face up on your desk. - b
Bill Bernath
Blue Cross Blue Shield of North Carolina
Privacy Office
(919) 765-7006
[EMAIL PROTECTED]
>>> "Hopper, Gene" <[EMAIL PROTECTED]> 03/18/02 05:56PM >>>
I would think that if it is the intent of HHS to prevent the unauthorized
disclosure of personal health information, faxes would be covered.
Faxes are certainly an electronic method of transmitting data, and the most
insecure one available at that. How do you know where the fax went (e.g.:
transposed numbers, wrong fax numbers used) or who picked the fax up,
whether or not the fax is in an unsecured area. Generally speaking all the
security features (receipting, access authorizations, etc.) built into other
forms of electronic transmissions (even e-mail, for crying out loud) are
missing.
Some folks are saying for faxes to be secure you must call the people you
are faxing to, verify the fax number, tell them you are sending a fax, fax
the document, and finally call them back to ensure that it has arrived and
the authorized person has the fax in hand (I guess you send out search
parties if they don't)
-----Original Message-----
From: Donna Kinney [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 1:57 PM
To: 'Leah Hole-Curry'; '[EMAIL PROTECTED]'
Subject: RE: Covered entities
My only question in this regard is about faxes. Does the rule contain
specic language which makes it clear that faxes are not "electronic form" or
does faxing a claim or an EOB or an attachment automatically make you a
covered entity?
-----Original Message-----
From: Leah Hole-Curry [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 11:34 AM
To: [EMAIL PROTECTED]
Subject: Re: Covered entities
Noel and Max,
You are both correct.
The definition of a covered entity related to providers is as follows
(at 160.103): Covered Entity means:... a health care provider who
transmits any health information in electronic form in connection with a
transaction covered by this subchapter.
This definition is in Part 160 of the regulation - the general
regulatory provisions. Unless HHS changes this part of the regulation,
providers that don't transmit standard transactions by electronic means
(or have someone do it on their behalf) are not covered by any of the
administrative simplification regulations - transactions, privacy, etc.
The risk for such providers, who are bound to be a very small minority,
is that if health information is not kept private, and it damages an
individual, the individual may sue under general state law and use HIPAA
as an industry standard of care that the provider failed to follow.
Whether this will hold result in liability is an open question.
Leah Hole-Curry
Fox Systems, Inc.
602-708-1045
>>> "Max Bumbalough" <[EMAIL PROTECTED]> 03/18/02 10:25 AM >>>
Noel,
I asked that question at the SNIP Conference in Chicago early last year
and
was told that if a healthcare provider does NOT electronically transmit
any
of the covered transactions, then they will not have to comply with the
Privacy & Security Regulations.
However, a HC Provider will not be excluded from complying with the
Privacy
& Security rules by merely using a billing service/company to transmit
electronic transmissions.
Has anyone else heard anything different?
Max Bumbalough
HIPAA Consultant
GovConnect, Inc.
(800)565-4873 x230
[EMAIL PROTECTED]
>From: Noel Chang <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Covered entities
>Date: Mon, 18 Mar 2002 10:44:45 -0600
>
>Has anyone seen any further clarification from DHHS on who must comply
>with the Privacy Rule?
>
>The way I interpret the final rule published in December of 2000, and
>the guidelines published in July of 2001, the only health care
providers
>that must comply are those who electronically conduct one or more of
the
>ten covered transactions. I have encountered a specialist who does not
>accept any insurance, they are a cash only operation. As such they do
>not file any claims or deal with eligibility, etc. By my reading they
>would appear to not be a covered entity and therefore are not required
>to comply with the Privacy Rule.
>
>I keep seeing information from various sources (not DHHS or OCR,
>however) that make very broad statements such as "HIPAA applies to
>everyone" or "there are no HIPPAA free records". I can understand what
>they mean by these statements in certain context but I think they are a
>little too broad and misleading. Does anyone else agree that a
doctor's
>office who is not electronically conducting a covered transaction is
>therefore not a covered entity for the purposes of the Privacy Rule?
If
>you do not agree, can you cite where is the requirement that such an
>office comply with the Privacy Rule?
>
>Thanks,
>
>Noel Chang
>
>
>**********************************************************************
>To be removed from this list, go to:
>http://snip.wedi.org/unsubscribe.cfm?list=privacy
>and enter your email address.
_________________________________________________________________
Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?listand enter your email address.
**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
