David - I fully agree. The direction I was taking was Section 160.102 and the definition of a covered entity. If you are a "health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter."
If you are doing everything on paper and not transmitting info in connection with a transaction you listed below, then you do not meet the definition of a covered entity and HIPAA does not apply. However, in this scenario, if you are not a covered entity, then does that make you a Business Associate? If this is so, then a physician office doing everything on paper would not be able to exchange information for PHI without an authorization or BAC, etc...

Thoughts??

Dan Kelsey
Data Projects Coordinator
Indiana State Medical Association
(317) 261-2060
(317) 261-2222 fax

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 10, 2002 9:14 AM
To: Dan Kelsey
Subject: RE: minimal compliance?

I think it is important for us, as professionals, to distinguish our terminology with regards to HIPAA. For the record, the following are HIPAA Transactions.

Electronic Transactions 1173(a)(1)
• Health claims
• Encounter information
• Enrollment or disenrollment in a health care plan
• Eligibility for a health care plan
• Health care payment remittance
• Premiums
• Report of injury
• Claim status
• Referral information

A provider would invoke HIPAA if a provider is sending/receiving protected health information (PHI) to satisfy a HIPAA Transaction, as outlined above. Also, if a provider contracts a third party to conduct such operations, the provider is still covered by HIPAA.

David Sweigert, CISSP

David Sweigert, M.S., CISSP
State IT Security Policy Officer
Office of Statewide IT Policy
Computer Services Division
http://www.ohio.gov/itp

----- Forwarded by David Sweigert/CSD/DAS/OHIO on 05/10/2002 10:08 AM -----

"Isbitts, Mark" <Mark.Isbitts@trizetto.com>
05/10/2002 08:02 AM
To: Dan Kelsey <[EMAIL PROTECTED]>, "'Casteel, Rebekah K.'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc:
Subject: RE: minimal compliance?

In addition to Dan's points, you must first define what you are (covered entity vs. business associate).
Assuming your organization has determined that you are a covered entity, there is really no way to avoid HIPAA altogether. However, by de-identifying information that is disclosed, you can reduce the exposure since this is not considered IIHI. (Section 164.514 (a) of the Privacy Rule)

Another area to consider is the use of clearinghouse or ASP to handle some of the technical issues such as EDI translation and code sets. You will probably still have Privacy and Security issues, but it certainly minimizes your HIPAA effort.

Your point about dropping Medicare and/or Medicaid may hold true but any organization (whether CE or BA) must always consider the business implications and issues when developing their HIPAA compliance plan. This will certainly be the case, as Dan points out, with providers deciding to revert back to paper which could be a costly business decision moving forward.

Just some thoughts.

Mark Isbitts

Mark Isbitts
Manager - Consulting
The TriZetto Group
10 Glenlake Parkway
Suite 400
Atlanta, GA 30328
770-225-3054 - office
404-395-2497 - mobile

-----Original Message-----
From: Dan Kelsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 08, 2002 10:38 AM
To: 'Casteel, Rebekah K.'; [EMAIL PROTECTED]
Subject: RE: minimal compliance?

Rebekah,

The only way I am aware of to minimize compliance is to submit all claims via paper and not conduct any electronic transactions. However, when I talk to physician offices that are 100% paper, I encourage them to not ignore HIPAA because everyone else will be doing things they are not, and patients will begin to wonder why.

Another point I mention is when the physician is negotiating a new contractor with a health care payer, the payer might require the electronic submission claims as a condition of participation. If the physician signs the contract, then he/she will need to become HIPAA compliant in a VERY short period of time. So, why not go ahead and do the work now.
Hope this helps,

Dan Kelsey
Data Projects Coordinator
Indiana State Medical Association
(317) 261-2060
(317) 261-2222 fax

-----Original Message-----
From: Casteel, Rebekah K. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 08, 2002 9:23 AM
To: [EMAIL PROTECTED]
Subject: minimal compliance?

I apologize if this question has been asked and answered before. Has anyone found a way to minimize compliance with HIPAA? For example, by not participating in Medicare (the ASCA requires electronic submission of Medicare claims by 2003), Medicaid or submitting claims information to any other third party payor? I know it seems extreme ... any help is appreciated. Thanks.

Rebekah Casteel
Greenebaum Doll & McDonald, PLLC
3300 National City Tower
101 S.5th St
Louisville, KY 40202
(502) 587-3670
(502) 588-1310 (fax)
[EMAIL PROTECTED]

-----Original Message-----
From: Nita Sutton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 3:59 PM
To: Jan Root; [EMAIL PROTECTED]
Subject: RE: Transmitting Patient Information via Internet (Email)

That's hard to say, considering the escalating dependence on electronic data and the impending need to secure it. Individual owners of digital information, whether under federal regulation or otherwise, will have to determine the balance between security and convenience. I suspect that only the solutions that prove the most secure, with the highest usability and broad compatibility will become the standard, be adopted by the masses and consequently occupy the highly sought space on the typical hard drive.

Nita A. Sutton / Marketing Manager / Infraworks Corporation / www.infraworks.com
6207 Bee Cave Road / Austin / Texas / 78746
512-744-4215 / 800-308-5825 / Fax 801-991-9394

-----Original Message-----
From: Jan Root [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 2:00 PM
To: Nita Sutton
Cc: [EMAIL PROTECTED]
Subject: Re: Transmitting Patient Information via Internet (Email)

Interesting solution.
My only question is how many of these types of products will everyone have to manage in order to send/receive secure attachments? If I need InTether to get your attachments and 4 or 5 or 10 other proprietary solutions to get my other email partner's attachments is that really going to work? Adobe won out in their market because the Feds went with them. Perhaps something like that will happen with securing email attachments. The question is not (so much) does the app work; rather it's how many different solutions do I have to deal with in order to get my work done?

Jan Root

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.

________________________
This message has been sent from a law firm and may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments without retaining a copy. Thank you.
