RE: EMS and the NPP
Indeed Gerald, the statement that they are not required is beyond inaccurate. In fact they are required to give them out at the first reasonable opportunity after the emergency. This can include by mail as well - which is how my local government clients will be handling it with their EMT. Plus we are printing up new business cards for all EMT personnel with the webaddress of the website with the NPP on the card - the cards will be given out to every transport or patient as a backup. Plus this webaddress will be on all forms and documents. Plus copies will be at all locations, as well as a copy in the EMT vehicle. Now, was that so hard? If there is one thing true about HIPAA, it's don't guess, and argue on the side of overkill! Regards, Tim McGuinness, Ph.D. Consulting Specialist in Regulatory Privacy, Security, and Application Compliance HIPAA/FDA/CMS-HCFA/ICH/ADA Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 CA Specialist in Local Government Compliance www.localgovernmentcompliance.com [EMAIL PROTECTED] / www.timmcguinness.com / www.HIPAAhelpNETWORK.com Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO) www.hcco.us === IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature. HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - youre use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation. -Original Message- From: Gerald E. DeLoss [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 8:23 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP What specific section of the rule do you base this on? I disagree. Jud Gerald Jud E. DeLoss, Esq. Barnwell Whaley Patterson Helms, LLC 885 Island Park Drive Post Office Drawer H (29402) Charleston, SC 29492 Telephone (843) 577-7700 Direct (843) 329-5313 Facsimile (843) 577-7708 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] The information contained in this message may be privileged and/or confidential and protected from disclosure. If the reader of this message is not the intended recipient or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete all copies of the material. -Original Message- From: William Gateland [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 8:05 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP Forget all this talk about layered notice or full notice. The EMS does not have to carry NPP's or give them out per the rule. Bodhitaro1 --- Dee Warrington [EMAIL PROTECTED] wrote: Spencer, Donald is correct. Members/patients must receive the whole document -- even if covered entities choose to create a layered notice. It is simply an executive summary for the members/patients. Dee Warrington Director, HIPAA and Regulatory Compliance OAO HealthCare Solutions, Inc. 20955 Warner Center Lane Woodland Hills, CA 91367 (818) 598-6606 Fax: (818) 598-3270 [EMAIL PROTECTED] -Original Message- From: Ribelin, Donald [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 8:55 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP Spencer, this is not how I read this provision. I believe you must provide the entire NPP, not just part of it. IMHO, the layer is simply a bulleted cover sheet that is meant to assist the patient in better understanding their rights. Donald L. Ribelin HIPAA Project Manager Firsthealth of the Carolinas (910) 215-2668 [EMAIL PROTECTED] -Original Message- From: Spencer Hall [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 10:33 AM To: WEDI SNIP Privacy Workgroup List
RE: to sign or not to sign
Ian, Jim, I currently am working with 9 software authors/dealers and have advised on the subject of business associate agreements. There are a couple of very different flavors I have put together. If you're interested, e-mail me off list and I'll send you a couple samples I have put together for them to send to their clients. On the subject of appropriateness of a vendor initiating, I think provider opinion will vary -- some medical providers on this list have clearly expressed their desire not to receive these. I think the ones who are happy to receive these agreements are the ones who do not participate on lists like this. One advantage the vendor has is in a clear understanding of their business and operations which allows crafting an appropriately worded allowed uses and disclosures clause. Here is one for a practice management vendor who offers EDI software and clearinghouse services: Business Associate is authorized to use protected health information for the purposes of computer system training, software support, support for the proper use and operation of EDI software, EDI clearinghouse support, data format conversion, and troubleshooting the operation of computerized practice management system. Business Associate may access all information in the computerized practice management and transmitted to the EDI clearinghouse for the purposes of verifying proper use, operation and function of the software. Gary Pritts Eagle Consulting Group HIPAA Strategies, Compliance and Education ?xml:namespace prefix = st1 ns = urn:schemas-microsoft-com:office:smarttags /1568 Northland Ave. / Lakewood, OH 44107 (216) 228-7959 voice (216) 233-4960 cell (216) 228-6272 fax E-mail: [EMAIL PROTECTED] -Original Message- From: Ian Leedom [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 12:23 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: to sign or not to sign I also represent a software vendor in a similar situation. Our take has been that we must have Business Agreements (BA) with the CE's simply because we have access to PHI. It also means that at some level, we need to know who has in fact accessed things and when. I think that the fact that you have access to a DB which has PHI in it is enough to trigger all of the privacy rule in HIPAA . My problem, and I'd love to hear from others about this, is what sort of BA we should in fact have. We have enough clients that if we send every agreement from every client to our corporate attorneys then we'll be bankrupt before April. And you're right that some clients want indemnification for things which are THEIR business and for us to keep data even after a business contract has ended. If anyone has any to add to this, I for one would love to hear it. Ian Leedom Psyche Systems 321 Fortune Blvd. Milford, MA 01757 Tel: (508) 473-1500 x341 Compliments humbly accepted. Flames cheerfully ignored. -Original Message- From: Jim Randolph [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 11:39 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: to sign or not to sign Let me carry this a step further. We are a software vendor that has received BACs, TPAs and Chain of Trust agreements from different customers. As a vendor to this particular customer base we are exposed to PHI but never manipulate it in any way. Our support personnel do review setup configurations, billing problems or DB issues; but don't do anything to PHI. Attorneys and consultants are advising our customers so differently that no matter what, we end up being the evil vendor. Some of the BACs we receive are rather ridiculous, like requiring us to assume financial liability if our customer has any HIPAA problems in the future. The question for the group is: What is required in this scenario a BAC, TPA or COT? Jim Randolph The Echo Group -Original Message- From: Traci Winter [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 3:49 PM To: WEDI SNIP Privacy Workgroup List Subject: to sign or not to sign OK so the next question is do we sign these BACs or just put them in the round file. Your answers reflected what my impression was, but I wanted reinforcement. Thanks, Traci Winter --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent
RE: who holds the power?
Look at section 164.504 (e)(2)(i) Establish the permitted and required uses and disclosures of such information by the business associate. Vendors are not required by law to have a BAA, you as a provider are. I think the agreement should come from the entity that is responsible for the patient information. Leslie Harpe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 7:50 AM To: WEDI SNIP Privacy Workgroup List Subject: who holds the power? I understand the desire of a vendor not to sort through hundreds of BAA's from different CEs but I also know that the CE does not want to deal with hundreds of different BAA's from different BAs either. So, is it simply a matter of who blinks first? That is, if the CE insists you sign my agreement but the BA refuses, then must the CE sever their relationship with the BA? Or vice versa? It seems like we have stubborn CEs that only want their BAA signed and we have stubborn BAs that only want their BAA signed. So what happens when the two shall meet?? Does the rule state who has the upper hand here or does it simply state, Work it out or find a different partner As a small provider (20 physician office), do we just roll over an accept what the big vendor wants? It seems like we have to accept their BAA if no competition exists or if we do not want the hassle of finding a different BA. I think I got this right. I just wanted confirmation that we must accept the BA's version of the BAA when they present it as a take it or leave it proposition since we do not have the resources to look for a different BA (in many circumstances). --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: who holds the power?
I strongly agree with Leslie. Donald L. Ribelin HIPAA Project Manager Firsthealth of the Carolinas (910) 215-2668 [EMAIL PROTECTED] -Original Message- From: Harpe, Leslie [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 9:44 AM To: WEDI SNIP Privacy Workgroup List Subject:RE: who holds the power? Look at section 164.504 (e)(2)(i) Establish the permitted and required uses and disclosures of such information by the business associate. Vendors are not required by law to have a BAA, you as a provider are. I think the agreement should come from the entity that is responsible for the patient information. Leslie Harpe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 7:50 AM To: WEDI SNIP Privacy Workgroup List Subject: who holds the power? I understand the desire of a vendor not to sort through hundreds of BAA's from different CEs but I also know that the CE does not want to deal with hundreds of different BAA's from different BAs either. So, is it simply a matter of who blinks first? That is, if the CE insists you sign my agreement but the BA refuses, then must the CE sever their relationship with the BA? Or vice versa? It seems like we have stubborn CEs that only want their BAA signed and we have stubborn BAs that only want their BAA signed. So what happens when the two shall meet?? Does the rule state who has the upper hand here or does it simply state, Work it out or find a different partner As a small provider (20 physician office), do we just roll over an accept what the big vendor wants? It seems like we have to accept their BAA if no competition exists or if we do not want the hassle of finding a different BA. I think I got this right. I just wanted confirmation that we must accept the BA's version of the BAA when they present it as a take it or leave it proposition since we do not have the resources to look for a different BA (in many circumstances). --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address
RE: who holds the power?
I strongly agree also. If there is no BAA in place, or not a well written one in place, it is the CE who will be audited and suffer the consequences under HIPAA and the OCR. we will also suffer the consequences in the press if one of our vendors has a huge faux-pas with PHI that the CE has given them without a BA in place. The CE will be held accountable. -Original Message- From: Ribelin, Donald [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 10:06 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: who holds the power? I strongly agree with Leslie. Donald L. Ribelin HIPAA Project Manager Firsthealth of the Carolinas (910) 215-2668 [EMAIL PROTECTED] -Original Message- From: Harpe, Leslie [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 9:44 AM To: WEDI SNIP Privacy Workgroup List Subject:RE: who holds the power? Look at section 164.504 (e)(2)(i) Establish the permitted and required uses and disclosures of such information by the business associate. Vendors are not required by law to have a BAA, you as a provider are. I think the agreement should come from the entity that is responsible for the patient information. Leslie Harpe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 7:50 AM To: WEDI SNIP Privacy Workgroup List Subject: who holds the power? I understand the desire of a vendor not to sort through hundreds of BAA's from different CEs but I also know that the CE does not want to deal with hundreds of different BAA's from different BAs either. So, is it simply a matter of who blinks first? That is, if the CE insists you sign my agreement but the BA refuses, then must the CE sever their relationship with the BA? Or vice versa? It seems like we have stubborn CEs that only want their BAA signed and we have stubborn BAs that only want their BAA signed. So what happens when the two shall meet?? Does the rule state who has the upper hand here or does it simply state, Work it out or find a different partner As a small provider (20 physician office), do we just roll over an accept what the big vendor wants? It seems like we have to accept their BAA if no competition exists or if we do not want the hassle of finding a different BA. I think I got this right. I just wanted confirmation that we must accept the BA's version of the BAA when they present it as a take it or leave it proposition since we do not have the resources to look for a different BA (in many circumstances). --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at
NPP and illiterate population
I know our NPP is supposed to be easy to read and understand, but one of our committee members brought up an interesting thought. What do we do with our illiterate population and our patients who are legally blind. In the area we service this a definite issue. Should we put the NPP on an audio cassette so the patients whom are unable to read it can listen to it? Opinions appreciated. Traci Winter Hospitals Home Health Care, Inc. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Is HIPAA Individually Liable?
I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: Is HIPAA Individually Liable?
I would like to add to this question . . . I have been to several HIPAA workshops, each taught by a different attorney or team of attorneys. One group will tell you that the entity can't be sued for damages if a HIPAA violation occurs . . . . that sanctions from the OCR is punishment enough for the covered entity and that patients may not expect damages. Others have said that plaintiff's attorneys are circling like buzzards and buying the back covers of telephone books all over America with the big question . . HAS YOUR MEDICAL PRIVACY BEEN VIOLATED? I havent' gotten a straight answer yet! And now I hear that THIPAA - the Texas version of HIPAA that goes in to effect in 9/03 not only allows the entity to be sued, but the individual can be held personally liable. I am a patient advocate and believe in the fundamental principals of protecting health information, but this is really getting out of hand. Patricia Conroe wrote: I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org begin:vcard n:Jones;Nancy tel;work:Nacogdoches Memorial Hospital x-mozilla-html:FALSE org:Nacogdoches Memorial Hospital adr:;;1204 N. Mound Street;Nacogdoches;Texas;75961; version:2.1 email;internet:[EMAIL PROTECTED] title:Director of Compliance fn:Nancy Jones end:vcard --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Is HIPAA Individually Liable?
The Privacy Rule does not provide a private right of action, it only provides for the civil and criminal penalties to be imposed by the government. However, a clever plaintiff's attorney could craft an argument that the violation of the HIPAA Privacy Rule is evidence that the Covered Entity was negligent (negligence per se) by violating the Rule. This would be a way in which an attorney could sue for damages. As a disclaimer, I do not represent plaintiffs, I represent Covered Entities, so there might be other crafty arguments of which I am not aware. Jud DeLoss Gerald Jud E. DeLoss, Esq. Barnwell Whaley Patterson Helms, LLC 885 Island Park Drive Post Office Drawer H (29402) Charleston, SC 29492 Telephone (843) 577-7700 Direct (843) 329-5313 Facsimile (843) 577-7708 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] The information contained in this message may be privileged and/or confidential and protected from disclosure. If the reader of this message is not the intended recipient or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete all copies of the material. -Original Message- From: Nancy Jones [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 12:40 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: Is HIPAA Individually Liable? I would like to add to this question . . . I have been to several HIPAA workshops, each taught by a different attorney or team of attorneys. One group will tell you that the entity can't be sued for damages if a HIPAA violation occurs . . . . that sanctions from the OCR is punishment enough for the covered entity and that patients may not expect damages. Others have said that plaintiff's attorneys are circling like buzzards and buying the back covers of telephone books all over America with the big question . . HAS YOUR MEDICAL PRIVACY BEEN VIOLATED? I havent' gotten a straight answer yet! And now I hear that THIPAA - the Texas version of HIPAA that goes in to effect in 9/03 not only allows the entity to be sued, but the individual can be held personally liable. I am a patient advocate and believe in the fundamental principals of protecting health information, but this is really getting out of hand. Patricia Conroe wrote: I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Is HIPAA Individually Liable?
Here's what I believe is the real deal: 1. The HIPAA law and regulations do not give the individual any statutory rights. This means that an individual who feels his/her individual privacy rights have been violated cannot bring suit in Federal Court. The recourse open to an individual under HIPAA is to file a complaint with the OCR which should then investigate. OCR could then refer to the Department of Justice would could bring suit against the violator. 2. HIPAA does not take away any individual's statutory rights under state law. These, of course, vary by state. Lawyers out there - did I get this right? Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com -Original Message- From: Nancy Jones [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:40 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: Is HIPAA Individually Liable? I would like to add to this question . . . I have been to several HIPAA workshops, each taught by a different attorney or team of attorneys. One group will tell you that the entity can't be sued for damages if a HIPAA violation occurs . . . . that sanctions from the OCR is punishment enough for the covered entity and that patients may not expect damages. Others have said that plaintiff's attorneys are circling like buzzards and buying the back covers of telephone books all over America with the big question . . HAS YOUR MEDICAL PRIVACY BEEN VIOLATED? I havent' gotten a straight answer yet! And now I hear that THIPAA - the Texas version of HIPAA that goes in to effect in 9/03 not only allows the entity to be sued, but the individual can be held personally liable. I am a patient advocate and believe in the fundamental principals of protecting health information, but this is really getting out of hand. Patricia Conroe wrote: I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Is HIPAA Individually Liable?
Depends upon the nature of the violation. The organization will be liable for its actions, and individuals for theirs. Generally, it will be individuals who will be held to the criminal sanctions for their actions. However civil liability also accrues to all parties. Expect the litigators to go after everyone associated. Should I say Have a Nice Day at this point? This is very scary, and very serious. Those that are just now trying to justify their compliance approach are lost. There is no time left for a total do-it-yourself approach for most entities. Seek help fast. If you don't know how to find help or how to qualify them, feel free to contact me. You can also turn to the HIPAA Professional Directory at www.HIPAAexperts.us Regards, Tim McGuinness, Ph.D. Consulting Specialist in Regulatory Privacy, Security, and Application Compliance HIPAA/FDA/CMS-HCFA/ICH/ADA Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 CA Specialist in Local Government Compliance www.localgovernmentcompliance.com http://www.localgovernmentcompliance.com/ [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] / www.timmcguinness.com http://www.timmcguinness.com/ / www.HIPAAhelpNETWORK.com http://www.hipaahelpnetwork.com/ / www.McGuinnessDesigns.com http://www.mcguinnessdesigns.com/ Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO) www.hcco.us http://www.hcco.us/ __ Office: 727-787-9801 Cell: 305-753-4149 / 240-525-1149 Email: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] - MSN Instant Messenger: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] (do not send email to hotmail account) __ === IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature. HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - you're use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation. -Original Message- From: Patricia Conroe [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:54 AM To: WEDI SNIP Privacy Workgroup List Subject: Is HIPAA Individually Liable? I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to
RE: Is HIPAA Individually Liable?
I agree with Rachel and note that many state laws do indeed give individuals the right to sue for alleged medical privacy violations. Further, in the Commonwealth of Virginia, the federal courts have determined that HIPAA's Privacy Rule, having been crafted by the federal agency charged with responsibility for regulating health care, represents a general standard for medical privacy. As a result the courts in that state (commonwealth) have generally adopted the Privacy Rule as a statewide medical privacy standard regardless of the compliance deadlines in HIPAA or its own limiting definitions. There are likely no shortage of creative legal theories that would allow an individual to file a private lawsuit. These could include: negligence theories, breach of contract (similar to lawsuits when individuals believe their informed consent for treatment was violated in some way), invasion of privacy or breach of confidentiality or other crafty fox theories that could permit a state attorney general or plaintiff's attorney to bring a private suit. As an aside, the Federal Trade Commission also regards certain types of breaches of privacy as unfair and deceptive trade practices under Section 5 of the Federal Trade Commission Act (which is similar to many state consumer protection statutes) -- many may recall the Eli Lilly enforcement action last year under this statute. Leslie C. Bender, Esquire 1922 Greenspring Drive, Suite 7 Timonium, Maryland 21093 Phone: 410-453-4125 Facsimile: 410-453-4126 www.roiWebEd.com -Original Message- From: Rachel Foerster [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 1:26 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Is HIPAA Individually Liable? Here's what I believe is the real deal: 1. The HIPAA law and regulations do not give the individual any statutory rights. This means that an individual who feels his/her individual privacy rights have been violated cannot bring suit in Federal Court. The recourse open to an individual under HIPAA is to file a complaint with the OCR which should then investigate. OCR could then refer to the Department of Justice would could bring suit against the violator. 2. HIPAA does not take away any individual's statutory rights under state law. These, of course, vary by state. Lawyers out there - did I get this right? Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com -Original Message- From: Nancy Jones [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:40 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: Is HIPAA Individually Liable? I would like to add to this question . . . I have been to several HIPAA workshops, each taught by a different attorney or team of attorneys. One group will tell you that the entity can't be sued for damages if a HIPAA violation occurs . . . . that sanctions from the OCR is punishment enough for the covered entity and that patients may not expect damages. Others have said that plaintiff's attorneys are circling like buzzards and buying the back covers of telephone books all over America with the big question . . HAS YOUR MEDICAL PRIVACY BEEN VIOLATED? I havent' gotten a straight answer yet! And now I hear that THIPAA - the Texas version of HIPAA that goes in to effect in 9/03 not only allows the entity to be sued, but the individual can be held personally liable. I am a patient advocate and believe in the fundamental principals of protecting health information, but this is really getting out of hand. Patricia Conroe wrote: I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the
Assignment of benefits and HIPAA
How are covered entities handling assignment of benefits and HIPAA? I assume that current assignment of benefits forms authorizing the covered entity to receive payment from the health insurance carrier are acceptable under HIPAA as they fall under payment but what abouut assignment of benefits forms authorizing the attorney to make payments to the covered entity? Is a separate authorization needed or is this covered under payment? Thanks again for your input! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: NPP and illiterate population
We will be RECORDING it as a voice mail message (our system handles over 12 minutes!) and having an extension, with access on both the local line and 800 line. We are also having a privacy (800 number) hotline set up and both numbers will be listed on business cards. Business cards will be located at each receptionist desk. -Original Message-From: Traci Winter [mailto:[EMAIL PROTECTED]]Sent: Friday, January 24, 2003 10:38 AMTo: WEDI SNIP Privacy Workgroup ListSubject: NPP and illiterate population I know our NPP is supposed to be easy to read and understand, but one of our committee members brought up an interesting thought. What do we do with our illiterate population and our patients who are legally blind. In the area we service this a definite issue. Should we put the NPP on an audio cassette so the patients whom are unable to read it can listen to it? Opinions appreciated. Traci Winter Hospitals Home Health Care, Inc.---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Off the Shelf/Home Grown Apps containing PHI
Does anyone have an educational document they are willing to share that explains to all those NON IT system admins/developers of homegrown apps (Access Databases, Excel Spreadsheets, etc.) containing PHI what their responsibilities are and some helpful tips on how to secure their information? I know someone on one of the listserves said their corporate policy was that no one was allowed to keep PHI on such beasts, but I am sure many organizations are in the bind of eventually hoping to do away with all of those that are already in use, but not having enough staff to even begin tackling replacing/doing away with them. Thanks MIMI Mimi Hart Ó¿Õ* Research Analyst, HIPAA Iowa Health System 319-369-7767 (phone) 319-369-8365 (fax) 319-490-0637 (pager) [EMAIL PROTECTED] * This message and accompanying documents are covered by the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2521, and contain information intended for the specified individual(s) only. This information is confidential. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, copying, or the taking of any action based on the contents of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. * --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: NPP and illiterate population
Title: Message How is everyone handling a situation where a patient is literate, but unable to comprehend the NPP? -Original Message-From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:10 AMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: NPP and illiterate population We will be RECORDING it as a voice mail message (our system handles over 12 minutes!) and having an extension, with access on both the local line and 800 line. We are also having a privacy (800 number) hotline set up and both numbers will be listed on business cards. Business cards will be located at each receptionist desk. -Original Message-From: Traci Winter [mailto:[EMAIL PROTECTED]]Sent: Friday, January 24, 2003 10:38 AMTo: WEDI SNIP Privacy Workgroup ListSubject: NPP and illiterate population I know our NPP is supposed to be easy to read and understand, but one of our committee members brought up an interesting thought. What do we do with our illiterate population and our patients who are legally blind. In the area we service this a definite issue. Should we put the NPP on an audio cassette so the patients whom are unable to read it can listen to it? Opinions appreciated. Traci Winter Hospitals Home Health Care, Inc.---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org ---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: NPP and illiterate population
Why agonize over it? Do you really believe anyone is going to read these things? I'm literate - with full command of the English language - yet I've never read one of those stupid GLB privacy notices from banks and credit card companies, and probably would not have the patience to keep track of all the subparts and insofar as'es. And what's with that tiny type they always use? William J. Kammerer Novannet, LLC. Columbus, US-OH 43221-3859 +1 (614) 487-0320 - Original Message - From: Jennifer Peters [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Friday, 24 January, 2003 05:49 PM Subject: RE: NPP and illiterate population How is everyone handling a situation where a patient is literate, but unable to comprehend the NPP? -Original Message- From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:10 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: NPP and illiterate population We will be RECORDING it as a voice mail message (our system handles over 12 minutes!) and having an extension, with access on both the local line and 800 line. We are also having a privacy (800 number) hotline set up and both numbers will be listed on business cards. Business cards will be located at each receptionist desk. -Original Message- From: Traci Winter [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 10:38 AM To: WEDI SNIP Privacy Workgroup List Subject: NPP and illiterate population I know our NPP is supposed to be easy to read and understand, but one of our committee members brought up an interesting thought. What do we do with our illiterate population and our patients who are legally blind. In the area we service this a definite issue. Should we put the NPP on an audio cassette so the patients whom are unable to read it can listen to it? Opinions appreciated. Traci Winter Hospitals Home Health Care, Inc. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: NPP and illiterate population
Good point. -Original Message- From: William J. Kammerer [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 6:25 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: NPP and illiterate population Why agonize over it? Do you really believe anyone is going to read these things? I'm literate - with full command of the English language - yet I've never read one of those stupid GLB privacy notices from banks and credit card companies, and probably would not have the patience to keep track of all the subparts and insofar as'es. And what's with that tiny type they always use? William J. Kammerer Novannet, LLC. Columbus, US-OH 43221-3859 +1 (614) 487-0320 - Original Message - From: Jennifer Peters [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Friday, 24 January, 2003 05:49 PM Subject: RE: NPP and illiterate population How is everyone handling a situation where a patient is literate, but unable to comprehend the NPP? -Original Message- From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:10 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: NPP and illiterate population We will be RECORDING it as a voice mail message (our system handles over 12 minutes!) and having an extension, with access on both the local line and 800 line. We are also having a privacy (800 number) hotline set up and both numbers will be listed on business cards. Business cards will be located at each receptionist desk. -Original Message- From: Traci Winter [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 10:38 AM To: WEDI SNIP Privacy Workgroup List Subject: NPP and illiterate population I know our NPP is supposed to be easy to read and understand, but one of our committee members brought up an interesting thought. What do we do with our illiterate population and our patients who are legally blind. In the area we service this a definite issue. Should we put the NPP on an audio cassette so the patients whom are unable to read it can listen to it? Opinions appreciated. Traci Winter Hospitals Home Health Care, Inc. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: NPP and illiterate population
Title: Message Folks, this isn't really a HIPAA issue. It's a Civil Rights issue. Also it may be a state law issue. The answer in general is, and it is many times scalable to the size of the organization, you have to address the issue, or be subject to the civil liability that will come with it. My suggestion is address it in the same way as your other authorizations and consents. You can also handle it by reading it into your voice mail system, and assigning it an extension, as a prerecorded version for your patients. There are always ways to address these issues. However, you should also address this to a competent labor attorney. As always be careful who you listen to. Regards, Tim McGuinness, Ph.D.Consulting Specialist in Regulatory Privacy, Security, and Application ComplianceHIPAA/FDA/CMS-HCFA/ICH/ADA Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 CASpecialist in Local Government Compliance www.localgovernmentcompliance.com [EMAIL PROTECTED] / www.timmcguinness.com /www.HIPAAhelpNETWORK.com / www.McGuinnessDesigns.com Executive Co-Chairman for Privacy,HIPAA Conformance Certification Organization (HCCO)www.hcco.us __ Office: 727-787-9801 Cell: 305-753-4149/240-525-1149Alt Email: [EMAIL PROTECTED]-MSN Instant Messenger:[EMAIL PROTECTED] (do not send email to hotmail account)__ === IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature. HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - youre use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation. -Original Message-From: Jennifer Peters [mailto:[EMAIL PROTECTED]]Sent: Friday, January 24, 2003 5:49 PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: NPP and illiterate population How is everyone handling a situation where a patient is literate, but unable to comprehend the NPP? -Original Message-From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 11:10 AMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: NPP and illiterate population We will be RECORDING it as a voice mail message (our system handles over 12 minutes!) and having an extension, with access on both the local line and 800 line. We are also having a privacy (800 number) hotline set up and both numbers will be listed on business cards. Business cards will be located at each receptionist desk. -Original Message-From: Traci Winter [mailto:[EMAIL PROTECTED]]Sent: Friday, January 24, 2003 10:38 AMTo: WEDI SNIP Privacy Workgroup ListSubject: NPP and illiterate population I know our NPP is supposed to be easy to read and understand, but one of our committee members brought up an interesting thought. What do we do with our illiterate population and our patients who are legally blind. In the area we service this a definite issue. Should we put the NPP on an audio cassette so the patients whom are unable to read it can listen to it? Opinions appreciated. Traci Winter Hospitals Home Health Care, Inc.---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not
Accounting for disclosures
The NMEH HIT sub workgroup intends to discuss accounting for disclosures during the next HIT call. During our last call the topic came up for discussion and I offered to post an email to a couple of listservs to generate some discussion regarding this topic. How have CE's been dealing with HIPAA's accounting requirements? Do CE's have tools that they would be willing to share that might make it easier for those who are still struggling with this subject to use to assist them with sorting this requirement out? Are CE's approaching the accounting requirements by using paper tracking systems or through the use of electronic tracking systems? If anyone has best practices that they would be willing to share about how to address these issues, please share them. Thank you, Anita Halterman HIPAA Integration and Transition (HIT) Co-Chair, Health Policy Analyst HIPAA Privacy and Security Coordinator State of Alaska, Department of Health and Social Services, Division of Medical Assistance, 4501 Business Park Blvd., Suite 24 Anchorage, AK 99503-7167 (907)334-2431 --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: EMS and the NPP
Check out Aug 14, 02 Final Rule, pg 53242 where it talks about ambulance services. --- Gerald E. DeLoss [EMAIL PROTECTED] wrote: What specific section of the rule do you base this on? I disagree. Jud Gerald Jud E. DeLoss, Esq. Barnwell Whaley Patterson Helms, LLC 885 Island Park Drive Post Office Drawer H (29402) Charleston, SC 29492 Telephone (843) 577-7700 Direct (843) 329-5313 Facsimile (843) 577-7708 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] The information contained in this message may be privileged and/or confidential and protected from disclosure. If the reader of this message is not the intended recipient or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete all copies of the material. -Original Message- From: William Gateland [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 8:05 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP Forget all this talk about layered notice or full notice. The EMS does not have to carry NPP's or give them out per the rule. Bodhitaro1 --- Dee Warrington [EMAIL PROTECTED] wrote: Spencer, Donald is correct. Members/patients must receive the whole document -- even if covered entities choose to create a layered notice. It is simply an executive summary for the members/patients. Dee Warrington Director, HIPAA and Regulatory Compliance OAO HealthCare Solutions, Inc. 20955 Warner Center Lane Woodland Hills, CA 91367 (818) 598-6606 Fax: (818) 598-3270 [EMAIL PROTECTED] -Original Message- From: Ribelin, Donald [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 8:55 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP Spencer, this is not how I read this provision. I believe you must provide the entire NPP, not just part of it. IMHO, the layer is simply a bulleted cover sheet that is meant to assist the patient in better understanding their rights. Donald L. Ribelin HIPAA Project Manager Firsthealth of the Carolinas (910) 215-2668 [EMAIL PROTECTED] -Original Message- From: Spencer Hall [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 10:33 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP The recent guidance allows for a layered NPP - you can provide your customers with a shot form and then provide the long form if it is requested. Spencer D. Hall Health Information Security Officer St. Vincent's (904) 308-7029 [EMAIL PROTECTED] Ribelin, Donald [EMAIL PROTECTED] 01/23/03 07:56AM Chris, thanks for the feedback. Biggest problem, our NPP is five pages (front and back) long. Attaching it becomes an issue secondary to its bulk. Good point about 911 calls. We are less worried about them. Donald L. Ribelin HIPAA Project Manager Firsthealth of the Carolinas (910) 215-2668 [EMAIL PROTECTED] -Original Message- From: Chris Brancato [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 10:20 AM To: Ribelin, Donald; WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP Don, I consult with some of the nations largest Fire/EMS departments for HIPAA. I advise several different ways. Non-transports require a treat and release signature from a patient. A copy of NPP can be printed on the back or separately, but they should make a reasonable attempt to provide the NPP. What you don't say is how they are activated. If they are activated via 911, this is an emergency response, not requiring an NPP as the call is emergency, not routine, in nature. I also advise departments that do the billing to include the NPP in the billing statement, just like the Credit Card companies do. Hope that helps. Chris Brancato -Original Message- From: Ribelin, Donald [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 21, 2003 8:03 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: EMS and the NPP An interesting question from our EMS HIPAA rep yesterday: When EMS treats and transports an accident victim to another hospital (one not part of our enterprise), should we give them a copy of our NPP? One of the underlying issues centers on our management of EMS in several counties. While most of the patients involved end up at FirstHealth facilities (where they would receive a copy of the NPP once their condition allowed), a significant minority are transported to other hospitals. On first look my response is that the receiving facility would be responsible for providing the patient with
HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
Darrell Vicki, Thank you very much for your discussions and insights. And, Yes, Darrell, I would appreciate the contact information for The Legal Action Center. Thanks again. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Darrell Rishel [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 9:40 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy) You are absolutely correct that there is much in HIPAA than what is in 42 C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with their assistance? The Legal Action Center, a well-known, well-respected non-profit based in New York that has done a lot of work in interpreting 42 C.F.R. Part 2, is also supposed to be coming out with a cross-walk supplement, but if people are not already working on this, well ... If anyone is interested, I can give you contact information for the Legal Action Center. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. -Original Message- From: Vicki Hohner [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 12:13 PM To: Darrell Rishel; [EMAIL PROTECTED] Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy) I have been doing a lot of work with substance abuse programs and HIPAA, and while not deeply familar with 42 CFR protections we have identified that there are limited areas of overlap with HIPAA privacy. Many subject to 42 CFR mistakenly believe that the fact that they comply with this law, which is more stringent in its use and disclosure requirements, means they are exempt from complying with HIPAA. However, note that there are only a few overlaps between the two: primarily with uses and disclosures/minimum necessary, authorizations, and some limited parts of individual rights. This leaves a lot more under HIPAA that is not addressed in 42 CFR--all the policies and procedures, the privacy officer, business associate terms, the notice of privacy practices, and accounting of disclosures, to name a few. Note also that the definitions of what information is protected is broader under HIPAA than under 42 CFR. My understanding is that the feds (SAMHSA/CSAT) are working on a comparison matrix between the two--no idea when that may be available. Vicki Hohner FOX Systems, Inc. 360-970-6856 360-352-4584 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM Matt- I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview. Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs)regs), disclosure within a program is allowed on a need-to-know basis without the consent of the patient. This internal disclosure is limited to personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment. In practice, I think this is very close to, if not the same as, the HIPAA use definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs. It is the disclosure to external entities where,