I am not trying to pass the buck here..but I would appreciate some clarification..I thought the REQUESTOR was responsible for ONLY requesting the minimum necessary they need to do their job......

now I know reasonableness(?) standards tell me that when a request comes in..we should review it...but isn't the privacy onus on the requestor?
MIMI

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> "Oriol, Albert" <[EMAIL PROTECTED]> 05/20/02 05:35PM >>>
Yes Dave, that's another good example. It's hairy though, as the way the final rule now reads would categorize JCAHO as a BA. That would mean you'd want an agreement in place prior to releasing the data. Hopefully the change proposed by JCAHO will get through. Regardless, and assuming whatever is necessary to release the data is present, organizations would still have to agree with accrediting bodies on what would constitute minimum necessary: how deep could they go into the data? Obviously not all accrediting bodies need access to the same, so would we need different data sets for different accrediting organizations? This gets hairier when you deal with research data etc.

a.
Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094


"All things should be as simple as possible, but no simpler" -- Albert Einstein
  

-----Original Message-----
From: David Frenkel [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 12:00 PM
To: [EMAIL PROTECTED] 
Subject: RE: Denver Conference and Minimum Necessary


Albert,
You might also include accreditation issues as talked about in this email newsletter from JCAHO:

JCAHO supports changes to the Privacy Rule that permit health care
organizations to disclose individually identifiable health information
to accreditors without first obtaining the patient's written HIPAA
consent.

See the complete commentary:
http://www.jcaho.org/govt/hipaa_comments.html 

Regards,

David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com 
425-260-5030

-----Original Message-----
From: Oriol, Albert [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 10:08 AM
To: [EMAIL PROTECTED] 
Subject: Denver Conference and Minimum Necessary

Last week I participated in the P&P's Roundtable at WEDI's meeting in Denver. At one point the panel was asked about how to create/document minimum necessary for disclosures outside the organization. Apparently we missed the "outside the organization" part of the question. After the meeting I ran into the person who actually asked the question (sorry, I never did catch your name), and was informed that we hadn't fully answered it, so in this follow-up I'll take a shot from the provider point of view and would ask the other panel members to do the same from their side of the fence.

My recommendation would be the following:

First, you'd create a data classification policy. This policy would define categories (i.e. public, internal-use-only, private and confidential). Then you'd create some data management guidelines to help you define how to use, disclose and overall manage (dispose of, store, protect, etc) information depending on the category. Then you'd have to assign a label to the various information in your organization (you could do this as granular as you felt appropriate). This would be a good first effort.

Should you want to take it one step further (I'd recommend it), the next step would be to create a minimum necessary matrix. On your horizontal axis for instance you'd list your roles (anywhere from your doctors & nurses --internal disclosures-- to your external ones --billing people, the patient him/herself, a lawyer, insurance case managers, etc.). On the vertical axis you'd want to define information chunks (you could get as granular as each field of data if you have that capability, or try to designate categories if your systems are not as sophisticated). In discussions with Joan Boyle, I believe the P&P's group will soon begin assembling a sample matrix. If your organization has an electronic medical record, chances are you'd go through this exercise anyway in defining your access control lists. You'd do this internally for your own staff, but why not think ahead and try to define roles for your medical staff's billing people? Or for insurance UR nurses? Or for the patients themselves? If you look ahead into the future, why have to support both electronic and paper requests for info? Why not assume that at some point (once you have deployed appropriate security measures) you'll be able to make this info available to everyone in electronic form? (Worst case you'd translate the minimum necessary from a user profile to a canned report so that in a paper world, all you'd have to do is hit the print button.)

So for instance, let's say you classify a medical record as 'private', but psychotherapy notes (which require higher protection) would be classified as 'confidential'. As such, you'd give your docs access to everything below confidential (unless they're the psych provider or there's an authorization in place granting them that access) for patients with whom they have a relationship (direct--i.e. being the attending doc--, or indirect--i.e. being the attending's supervisor). Note that in an EMR scenario you'd want to give them override/break-the-glass access to be able to access records of patients w/o a relationship (for safety reasons) but you'd want such an action to tickle an audit report. OK, this was internal, I admit.

Now, an external disclosure: You will have to define the designated record set that you'll make available to patients, so that's a fairly straightforward role to define in your matrix. Obviously they'll have access to all 'private' info, but not necessarily all 'confidential' info (i.e. some research or Q/A data may be proprietary).

Another external disclosure would encompass personal representatives (i.e. parents of minors). You'd have to provide 'private' info but pull 'confidential data' such as pregnancy or STD info for which the patient consented to treatment (assuming your state law grants this).

Another hairy external disclosure would encompass your payers. You'll just follow the same exercise, but because you have contractual obligations with payers (you'll provide certain info at their request in order to get a claim approved or a procedure authorized), you'll have to designate a data set that meets those requirements so that you can make it available to insurers. Also, you'd want to break the roles/disclosures down (so a medical director for instance gets a different set of data than a nurse case manager). In any case this portion is what in my opinion will be the most challenging, as you'll have different contractual requirements depending on the payer, so you might have to re-negotiate some of your contracts so that all fit one organizational standard or make this matrix payer-specific, which I would advise against.

Finally, you'd also want to institute a process to evaluate requests for more info or for groups you haven't thought of a priori on a case by case basis under which you'd evaluate need for info vs. risk to privacy. I'd recommend a Privacy Committee or InfoSec Council that can go through these requests say on a monthly basis, as well as an expedited process that you could use when required (i.e. your Privacy Officer's recommendation).

Anyway, hope this addressed the question that was pending from last week.


a.
Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094


"All things should be as simple as possible, but no simpler" -- Albert Einstein


CONFIDENTIALITY NOTICE: The information contained in this message is legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Thank you.



**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy 
and enter your email address.
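As an added illustration of the design Albert Oriol sketches in the quoted message (not code from the thread or from any of its participants): information chunks carry a classification label, each role in the minimum necessary matrix has a classification ceiling and a designated data set, access further requires a direct or indirect relationship with the patient, and an internal role without such a relationship may break the glass only at the cost of an audit record. Every role name, chunk name, patient id and user id below is constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Data classification categories named in the message, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Classification labels for information chunks (constructed, hypothetical names).
CLASSIFICATION = {
    "demographics": Level.PRIVATE,
    "medications": Level.PRIVATE,
    "lab_results": Level.PRIVATE,
    "psychotherapy_notes": Level.CONFIDENTIAL,
    "research_qa": Level.CONFIDENTIAL,
}


@dataclass(frozen=True)
class RoleRule:
    ceiling: Level        # highest classification this role may see at all
    chunks: frozenset     # the role's minimum necessary data set
    internal: bool        # only internal roles may use break-the-glass


# The matrix: one row per role (constructed). Internal roles get everything up
# to their ceiling; external roles get an explicitly designated data set.
MATRIX = {
    "attending_physician": RoleRule(Level.PRIVATE, frozenset(CLASSIFICATION), True),
    "psych_provider": RoleRule(Level.CONFIDENTIAL, frozenset(CLASSIFICATION), True),
    # Designated record set for patients: all 'private' data, no proprietary research/QA.
    "patient": RoleRule(Level.PRIVATE, frozenset({"demographics", "medications", "lab_results"}), False),
    # Payer data set fixed by contract: narrower than the ceiling alone would allow.
    "payer_case_manager": RoleRule(Level.PRIVATE, frozenset({"demographics", "medications"}), False),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    audited: bool = False   # True when access was granted by override


@dataclass
class MinimumNecessaryPolicy:
    # user id -> patient ids the user has a direct or indirect relationship with
    relationships: dict
    audit_log: list = field(default_factory=list)

    def check(self, user, role, patient, chunk, break_glass=False):
        rule = MATRIX.get(role)
        level = CLASSIFICATION.get(chunk)
        if rule is None or level is None:
            return Decision(False, "unknown role or information chunk")
        # Both the classification ceiling and the role's data set must permit the chunk.
        if level > rule.ceiling or chunk not in rule.chunks:
            return Decision(False, f"{chunk} ({level.name}) is outside the minimum necessary set for {role}")
        if patient in self.relationships.get(user, set()):
            return Decision(True, "relationship with patient")
        # Override for internal staff without a relationship; the event is always audited.
        if break_glass and rule.internal:
            self.audit_log.append({"event": "break_the_glass", "user": user, "role": role,
                                   "patient": patient, "chunk": chunk})
            return Decision(True, "break-the-glass override", audited=True)
        return Decision(False, "no relationship with patient")


def demo():
    """Run a few constructed scenarios and return the policy and its decisions."""
    policy = MinimumNecessaryPolicy(relationships={
        "dr_smith": {"P1"},   # attending physician for patient P1 (constructed)
        "P2": {"P2"},         # a patient viewing their own record
    })
    results = [
        policy.check("dr_smith", "attending_physician", "P1", "medications"),
        policy.check("dr_smith", "attending_physician", "P1", "psychotherapy_notes"),
        policy.check("dr_smith", "attending_physician", "P2", "lab_results", break_glass=True),
        policy.check("ins_jones", "payer_case_manager", "P1", "medications", break_glass=True),
        policy.check("P2", "patient", "P2", "research_qa"),
    ]
    return policy, results


if __name__ == "__main__":
    policy, results = demo()
    for d in results:
        print("ALLOW" if d.allowed else "DENY", d.reason)
    print("audit records:", policy.audit_log)
```

The two checks in `check` correspond to the two layers of the message: the classification ceiling implements "everything below confidential" for clinicians, while the explicit `chunks` set implements the designated record set or the contractually negotiated payer data set, so a payer role is held to the narrower of the two even though its ceiling is 'private'. Break-the-glass is deliberately unavailable to external roles, and a granted override never returns without a corresponding audit entry.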

