Yes, Dave, that's another good example. It's hairy though, as the way the final rule now reads would categorize JCAHO as a BA. That would mean you'd want an agreement in place prior to releasing the data. Hopefully the change proposed by JCAHO will get through. Regardless, and assuming whatever is necessary to release the data is present, organizations would still have to agree with accrediting bodies on what would constitute minimum necessary: how deep could they go into the data? Obviously not all accrediting bodies need access to the same, so would we need different data sets for different accrediting organizations? This gets hairier when you deal with research data, etc.
a.

Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094
"All things should be as simple as possible, but no simpler" -- Albert Einstein

-----Original Message-----
From: David Frenkel [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: Denver Conference and Minimum Necessary

Albert,

You might also include accreditation issues as talked about in this email newsletter from JCAHO:

JCAHO supports changes to the Privacy Rule that permit health care organizations to disclose individually identifiable health information to accreditors without first obtaining the patient's written HIPAA consent. See the complete commentary: http://www.jcaho.org/govt/hipaa_comments.html

Regards,

David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
425-260-5030

-----Original Message-----
From: Oriol, Albert [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 10:08 AM
To: [EMAIL PROTECTED]
Subject: Denver Conference and Minimum Necessary

Last week I participated in the P&P's Roundtable at WEDI's meeting in Denver. At one point the panel was asked about how to create/document minimum necessary for disclosures outside the organization. Apparently we missed the "outside the organization" part of the question. After the meeting I ran into the person who actually asked the question (sorry, I never did catch your name), and was informed that we hadn't fully answered it, so in this follow-up I'll take a shot from the provider point of view and would ask the other panel members to do the same from their side of the fence.

My recommendation would be the following: First, you'd create a data classification policy. This policy would define categories (i.e. public, internal-use-only, private and confidential). Then you'd create some data management guidelines to help you define how to use, disclose and overall manage (dispose of, store, protect, etc.) information depending on the category.
Then you'd have to assign a label to the various information in your organization (you could do this as granular as you felt appropriate). This would be a good first effort. Should you want to take it one step further (I'd recommend it), the next step would be to create a minimum necessary matrix. On your horizontal axis for instance you'd list your roles (anywhere from your doctors & nurses --internal disclosures-- to your external ones --billing people, the patient him/herself, a lawyer, insurance case managers, etc.). On the vertical axis you'd want to define information chunks (you could get as granular as each field of data if you have that capability, or try to designate categories if your systems are not as sophisticated). In discussions with Joan Boyle, I believe the P&P's group will soon begin assembling a sample matrix.

If your organization has an electronic medical record, chances are you'd go through this exercise anyway in defining your access control lists. You'd do this internally for your own staff, but why not think ahead and try to define roles for your medical staff's billing people? Or for insurance UR nurses? Or for the patients themselves? If you look ahead into the future, why have to support both electronic and paper requests for info? Why not assume that at some point (once you have deployed appropriate security measures) you'll be able to make this info available to everyone in electronic form? (Worst case you'd translate the minimum necessary from a user profile to a canned report so that in a paper world, all you'd have to do is hit the print button.)

So for instance, let's say you classify a medical record as 'private', but psychotherapy notes (which require higher protection) would be classified as 'confidential'.
As such, you'd give your docs access to everything below confidential (unless they're the psych provider or there's an authorization in place granting them that access) for patients with whom they have a relationship (direct--i.e. being the attending doc--, or indirect--i.e. being the attending's supervisor). Note that in an EMR scenario you'd want to give them override/break-the-glass access to be able to access records of patients w/o a relationship (for safety reasons) but you'd want such an action to tickle an audit report.

OK, this was internal, I admit. Now, an external disclosure: You will have to define the designated record set that you'll make available to patients, so that's a fairly straightforward role to define in your matrix. Obviously they'll have access to all 'private' info, but not necessarily all 'confidential' info (i.e. some research or Q/A data may be proprietary). Another external disclosure would encompass personal representatives (i.e. parents of minors). You'd have to provide 'private' info but pull 'confidential' data such as pregnancy or STD info for which the patient consented to treatment (assuming your state law grants this). Another hairy external disclosure would encompass your payers. You'll just follow the same exercise, but because you have contractual obligations with payers (you'll provide certain info at their request in order to get a claim approved or a procedure authorized), you'll have to designate a data set that meets those requirements so that you can make it available to insurers. Also, you'd want to break the roles/disclosures down (so a medical director for instance gets a different set of data than a nurse case manager).
In any case this portion is what in my opinion will be the most challenging, as you'll have different contractual requirements depending on the payer, so you might have to re-negotiate some of your contracts so that all fit one organizational standard (or make this matrix payer-specific, which I would advise against). Finally, you'd also want to institute a process to evaluate requests for more info or for groups you haven't thought of a priori on a case by case basis under which you'd evaluate need for info vs. risk to privacy. I'd recommend a Privacy Committee or InfoSec Council that can go through these requests say on a monthly basis, as well as an expedited process that you could use when required (i.e. your Privacy Officer's recommendation).

Anyway, hope this addressed the question that was pending from last week.

a.

Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094
"All things should be as simple as possible, but no simpler" -- Albert Einstein

CONFIDENTIALITY NOTICE: The information contained in this message is legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Thank you.

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
**********************************************************************
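The minimum necessary matrix sketched in the quoted message (classification categories, one row per role, a treatment-relationship requirement for internal roles, a contractual data set for payers, and break-the-glass access that must leave an audit trail) can be expressed as a small policy check. The following is an added illustration, not code from the thread or from any WEDI or hospital system; the levels, chunks, roles and data sets are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Classification categories from the proposal, ordered lowest to highest.
LEVELS = {"public": 0, "internal-use-only": 1, "private": 2, "confidential": 3}

# Information chunks labelled by category (constructed sample, not a real record set).
CHUNKS = {
    "demographics": "private",
    "lab_results": "private",
    "psychotherapy_notes": "confidential",
    "research_qa": "confidential",
}

@dataclass
class RoleRule:
    max_level: str                        # highest category the role may see by default
    relationship_required: bool = False   # internal roles need a treatment relationship
    data_set: Optional[frozenset] = None  # contractual data set (payers); None = any chunk

# One row of the matrix per role (constructed; role names are hypothetical).
MATRIX = {
    "attending": RoleRule("private", relationship_required=True),
    "psych_provider": RoleRule("confidential", relationship_required=True),
    "patient": RoleRule("private"),  # designated record set, no 'confidential' research/QA data
    "nurse_case_manager": RoleRule("private", data_set=frozenset({"demographics"})),
    "medical_director": RoleRule("private", data_set=frozenset({"demographics", "lab_results"})),
}

AUDIT: list = []  # break-the-glass events, to be pushed into an audit report for review

def decide(role, chunk, has_relationship=False, authorized=False, break_glass=False):
    """Return (allowed, reason). 'authorized' means a patient authorization is on file
    for this chunk; break-the-glass bypasses only the relationship check and is logged."""
    rule = MATRIX[role]
    level = LEVELS[CHUNKS[chunk]]
    if rule.data_set is not None and chunk not in rule.data_set:
        return False, "outside contractual data set"
    if level > LEVELS[rule.max_level] and not authorized:
        return False, "classification exceeds role without authorization"
    if rule.relationship_required and not has_relationship:
        if not break_glass:
            return False, "no treatment relationship"
        AUDIT.append({"role": role, "chunk": chunk, "event": "break-the-glass"})
        return True, "break-the-glass override (audited)"
    return True, "minimum necessary satisfied"
```

Note that the override never widens what a role may see: an attending who breaks the glass still cannot read psychotherapy notes without an authorization, because the classification check runs first.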
