Chris,

You bring up an excellent point!

I'm used to thinking about a major organizational environment. When I read
the HIPAA regs, I do so with the "reasonableness" requirement in mind.
Obviously, major systems revisions for smaller entities with limited
resources don't sound "reasonable".  In such scenarios, I like your
suggestion.  Additionally, it seems that by the definition of minimum
necessary, in small provider offices everybody may indeed need the info to
do their job given the business need for staff flexibility.

You make another point regarding disclosures to payers. Your point may be
true given today's contracts.  However, I've sensed that in the provider
community, many of the requests for data on the payer side are seen as
"stalling techniques", so I would expect the whole data access clause in
payer contracts will receive increasing attention as contracts come up for
renewal... I would suspect leading provider organizations will soon begin
defining standard min. necessary disclosures for payers (i.e. InterQual data
sets for everyone, and anything above that requires approval from the Medical
Director or something similar).

As far as standard BA agreements, my understanding is that HHS will publish
a boilerplate that we can incorporate and not get stuck on in negotiating
contracts (something to the effect of "this verbiage is mandated by law, so
let's move on to the next clause").  We are moving forward with our
inventory and analysis of current 3rd party relationships, and are
incorporating "preliminary" BA addendums, with the caveat that when the
final language comes from HHS, that will prevail.

a.
Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094


"All things should be as simple as possible, but no simpler"            --
Albert Einstein


-----Original Message-----
From: Christopher J. Feahr, OD [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 25, 2002 5:55 PM
To: Oriol, Albert; [EMAIL PROTECTED]
Subject: Re: Denver Conference and Minimum Necessary


Albert,
Are you also recommending this approach for small providers?  In a small 
medical practice, staff roles overlap and shift unpredictably, with the 
result that all staff and doctors pretty much require access to all 
PHI.  If a small practice uses role-based access, it is more likely to 
involve general ledger and payroll records than patient data.  When it 
comes to PHI, however, I'm not sure I see the need to distinguish between 
"private", "confidential", etc.  Other than psychotherapy notes and 
situations in which a particular patient has a special handling request 
(for his own PHI), what other categories of health information would 
require special labeling/handling?  I would imagine that every payor is 
going to get every bit of PHI it asks for... without any "min. necess." 
analysis on the part of the provider.

Having this tracking ability wired into the doctor's system (which would 
entail a major revision to most practice management systems) would seem to 
be for the purpose of logging or preventing illegal disclosures.  For 
the small provider, however, this approach even looks like "overkill" for 
tracking "minimum necessary" requirements with Business Associates.  I 
suppose the doctor's system would need the ability to track disclosures to 
at least the level of granularity with which the PHI is described in the BA 
agreement... but how granular does that description have to be?  Are there 
sample BA Agreements posted somewhere, designed for the needs of small 
medical practices?  (e.g., for software vendors, practice management 
consultants, collection services, newsletter services, custodial services, 
etc.).  Since the scope of the services (and the PHI they might need to 
support them) might vary, it would be nice to keep the BA Agreements as 
vague/general as possible, so that contract management doesn't become a 
major pain for the doctors.

To accommodate special PHI-handling requests from individual patients, I 
think the small provider's best option might be to simply record a plain 
English description of the special request in the medical record, and then 
flag that patient's whole account as "special handling required", causing 
all disclosures to be manually reviewed, logged, and "signed off on" by a 
staff member.  Are physicians getting many of these special handling 
requests today? I would imagine this will be a rare occurrence.

Thanks,
Chris

At 11:07 AM 5/20/02 -0600, Oriol, Albert wrote:
>Last week I participated in the P&P's Roundtable at WEDI's meeting in
>Denver. At one point the panel was asked about how to create/document
>minimum necessary for disclosures outside the organization. Apparently we
>missed the "outside the organization" part of the question. After the
>meeting I ran into the person who actually asked the question (sorry, I
>never did catch your name), and was informed that we hadn't fully answered
>it, so in this follow-up I'll take a shot from the provider point of view
>and would ask the other panel members to do the same from their side of the
>fence.
>
>My recommendation would be the following:
>
>First, you'd create a data classification policy. This policy would define
>categories (i.e. public, internal-use-only, private and confidential). Then
>you'd create some data management guidelines to help you define how to use,
>disclose and overall manage (dispose of, store, protect, etc) information
>depending on the category. Then you'd have to assign a label to the various
>information in your organization (you could do this as granular as you felt
>appropriate).  This would be a good first effort.
>
>Should you want to take it one step further (I'd recommend it), the next
>step would be to create a minimum necessary matrix. On your horizontal axis
>for instance you'd list your roles (anywhere from your doctors & nurses
>--internal disclosures-- to your external ones --billing people, the patient
>him/herself, a lawyer, insurance case managers, etc.).  On the vertical axis
>you'd want to define information chunks (you could get as granular as each
>field of data if you have that capability, or try to designate categories if
>your systems are not as sophisticated).  In discussions with Joan Boyle, I
>believe the P&P's group will soon begin assembling a sample matrix. If your
>organization has an electronic medical record, chances are you'd go through
>this exercise anyway in defining your access control lists.  You'd do this
>internally for your own staff, but why not think ahead and try to define
>roles for your medical staff's billing people? or for insurance UR nurses?
>or for the patients themselves? If you look ahead into the future, why have
>to support both electronic and paper requests for info? Why not assume that
>at some point (once you have deployed appropriate security measures) you'll
>be able to make this info available to everyone in electronic form? (worst
>case you'd translate the minimum necessary from a user profile to a canned
>report so that in a paper world, all you'd have to do is hit the print
>button).
>
>So for instance, let's say you classify a medical record as 'private', but
>psychotherapy notes (which require higher protection) would be classified as
>'confidential'. As such, you'd give your docs access to everything below
>confidential (unless they're the psych provider or there's an authorization
>in place granting them that access) for patients with whom they have a
>relationship (direct--i.e. being the attending doc--, or indirect--i.e.
>being the attending's supervisor). Note that in an EMR scenario you'd want
>to give them override/break-the-glass access to be able to access records of
>patients w/o a relationship (for safety reasons) but you'd want such an
>action to tickle an audit report.  OK, this was internal, I admit.
>
>Now, an external disclosure: You will have to define the designated record
>set that you'll make available to patients, so that's a fairly straight
>forward role to define in your matrix. Obviously they'll have access to all
>'private' info, but not necessarily all 'confidential' info (i.e. some
>research or Q/A data may be proprietary).
>
>Another external disclosure would encompass personal representatives (i.e.
>parents of minors).  You'd have to provide 'private'  info but pull
>'confidential data' such as pregnancy or STD info for which the patient
>consented to treatment (assuming your state law grants this).
>
>Another hairy external disclosure would encompass your payers. You'll just
>follow the same exercise, but because you have contractual obligations with
>payers (you'll provide certain info at their request in order to get a claim
>approved or a procedure authorized), you'll have to designate a data set
>that meets those requirements so that you can make it available to insurers.
>Also, you'd want to break the roles/disclosures down (so a medical director
>for instance gets a different set of data than a nurse case manager).  In
>any case this portion is what in my opinion will be the most challenging,
>as you'll have different contractual requirements depending on the payer, so
>you might have to re-negotiate some of your contracts so that all fit one
>organizational standard or make this matrix payer-specific, which I would
>advise against.
>
>Finally, you'd also want to institute a process to evaluate requests for
>more info or for groups you haven't thought of a priori on a case by case
>basis under which you'd evaluate need for info vs. risk to privacy. I'd
>recommend a Privacy Committee or InfoSec Council that can go through these
>requests say on a monthly basis, as well as an expedited process that you
>could use when required (i.e. your Privacy Officer's recommendation).
>
>Anyway, hope this addressed the question that was pending from last week.
>
>
>CONFIDENTIALITY NOTICE: The information contained in this message is legally
>privileged and confidential information intended only for the use of the
>individual or entity named above.  If the reader of this message is not the
>intended recipient, or the employee or agent responsible to deliver it to
>the intended recipient, you are hereby notified that any release,
>dissemination, distribution, or copying of this communication is strictly
>prohibited.  If you have received this communication in error, please notify
>the author immediately by replying to this message and delete the original
>message.
>Thank you.
>
>
>
>**********************************************************************
>To be removed from this list, go to: 
>http://snip.wedi.org/unsubscribe.cfm?list=privacy
>and enter your email address.

Christopher J. Feahr, OD
http://visiondatastandard.org
[EMAIL PROTECTED]
Cell/Pager: 707-529-2268        





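As an added illustration (not code from either message, from WEDI, or from either author's organization), the following Python model shows what the minimum necessary matrix described in the thread looks like once it is made executable: classification labels on information chunks, one matrix row per role with a ceiling label and explicit grants above it, a treatment-relationship check for clinical roles, a break-the-glass override that is written to an audit log, and a derived per-role disclosure set that stands in for the "canned report". Every chunk name, role, user, patient and relationship below is a constructed assumption, as is the choice of what each role receives.

```python
"""Minimum necessary matrix: classification labels x roles, with a
treatment-relationship check and an audited break-the-glass override.
Added illustration; all chunks, roles, users and relationships are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Classification policy categories, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Information chunks and the label assigned to each (constructed sample).
CHUNKS = {
    "visit_dates": Level.INTERNAL,
    "demographics": Level.PRIVATE,
    "medications": Level.PRIVATE,
    "lab_results": Level.PRIVATE,
    "psychotherapy_notes": Level.CONFIDENTIAL,
    "std_results": Level.CONFIDENTIAL,
    "research_qa": Level.CONFIDENTIAL,
}


@dataclass(frozen=True)
class RoleRule:
    ceiling: Level                   # everything at or below this label is disclosable
    needs_relationship: bool         # True for internal clinical roles
    extra: frozenset = frozenset()   # named chunks granted above the ceiling


# One matrix row per role (constructed; a real matrix is organization-specific).
MATRIX = {
    "attending": RoleRule(Level.PRIVATE, True),
    "psych_provider": RoleRule(Level.PRIVATE, True, frozenset({"psychotherapy_notes"})),
    "patient": RoleRule(Level.PRIVATE, False),
    "personal_representative": RoleRule(Level.PRIVATE, False),
    "payer_nurse_case_manager": RoleRule(Level.INTERNAL, False,
                                         frozenset({"medications", "lab_results"})),
    "payer_medical_director": RoleRule(Level.PRIVATE, False),
}

# (user, patient) -> "direct" or "indirect" treatment relationship (constructed).
RELATIONSHIPS = {
    ("dr_a", "p1"): "direct",
    ("dr_b", "p1"): "indirect",
    ("dr_c", "p1"): "direct",
}

AUDIT_LOG = []  # break-the-glass events that should show up on the audit report


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def disclosure_set(role):
    """Chunks a role receives by default: the 'canned report' for that role."""
    rule = MATRIX[role]
    return {c for c, lvl in CHUNKS.items() if lvl <= rule.ceiling} | set(rule.extra)


def decide(role, user, patient, chunk, break_glass=False, audit=AUDIT_LOG):
    """Apply the matrix to one disclosure request and explain the outcome."""
    rule = MATRIX.get(role)
    if rule is None:
        return Decision(False, "role not in matrix: route to Privacy Committee")
    if chunk not in CHUNKS:
        return Decision(False, "unlabelled information: classify before disclosing")
    if rule.needs_relationship and (user, patient) not in RELATIONSHIPS:
        if not break_glass:
            return Decision(False, "no treatment relationship with patient")
        # Override lifts only the relationship check; the event is logged.
        audit.append({"event": "break_glass", "user": user,
                      "patient": patient, "chunk": chunk})
    if chunk in disclosure_set(role):
        return Decision(True, "within minimum necessary for role")
    return Decision(False, f"{CHUNKS[chunk].name} is above the {role} ceiling")


if __name__ == "__main__":
    print(sorted(disclosure_set("payer_nurse_case_manager")))
    print(decide("attending", "dr_x", "p1", "medications", break_glass=True))
    print(AUDIT_LOG)
```

Two design choices are worth noting. Break-the-glass lifts only the relationship check, never the classification ceiling, so an override still cannot reach psychotherapy notes without the explicit grant the psych provider row carries. A role that is not in the matrix, or a chunk that has never been labelled, is denied with a reason that points at the committee or classification process rather than silently falling into some default row.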
