Re: developing pictures
Interesting question. I'd back up and first reconsider are the pictures in and of themselves PHI? If the picture includes enough of an individual's face then I guess it is possible that someone could identify the subject of the picture if they recognized them by their face. But just a person's identity by itself is not PHI. There has to be something else disclosed that involves the past, present, or future, medical condition, treatment, etc. Even if the picture does show the patient's face, does the person developing the picture know they are developing picutres from a health care provider and that they are specifically developing pictures of a patient? The same goes for the pictures that are developed at the local pharmacy by the nursing staff. How does anyone know that the pictures being developed are of patients and not the nurse's children or nieces and nephews? This is similar to a question I asked this list serv a while ago about pictures of patients on the walls of doctor's offices. I have a few clients who have treated atheletes or astronauts and they have been given pictures by these patients to hang on their office walls. Some of the picture have nothing other than the patient's signature/autograph. Others have inscirptions such as Dear Doctor Smith, thanks for the excellent care. If the picture only has an autograph or signature, I think it is OK. People might assume from the picture that the photograph is of a patient but how do they know it is not just a friend or in the case of atheletes, maybe the doctor is just a fan? If the picture has an inscription like the one I cited above, that specifically recognizes the doctor-patient relationship, then I think it crosses the line and becomes a disclosure of PHI. Those pictures should come down or have the patient sign an authorization. Noel Chang Integral Practice Solutions -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Oriol, Albert [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Thu, 3 Apr 2003 19:17:19 -0700 Subject: developing pictures Here's a good one I had not heard to date. We often take photos. Most of the ones that are taken for medical reasons require quality developing and thus are developed in-house or taken to a top notch shop (with whom, I'd think if needed we could have a BA agreement in place) -- Question, what do you all think, assuming the pictures will show identifying information? The other situation is that of pictures taken for projects for our kids, or for some newsletter. We're a kid's hospital and for instance we might want to have kids build something with their picture to give mom for mother's day. These types of pictures most likely just get developed at whatever pharmacy happens to be on the way of a nurse's or other professional's way home. How should we handle those? Take all our pictures to the place(s) we have BA's in place and only there? a. DISCLAIMER: CONFIDENTIALITY NOTICE: The information contained in this message is legally privileged and confidential information intended for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Thank you. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent
Re: Business associates
Sounds to me like you should treat them as a member of your workforce, which I believe would obviate the need for a BAA. Noel Chang Integral Practice Solutions -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Traci Winter [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Wed, 26 Mar 2003 10:47:59 -0500 Subject: Business associates I keep going around and around on this topic. We have a few contracts with outside agencies that provide us will supplemental nursing/home health aide services. We provide them with the pertinent info about a patient and they provide services to the patient under our control supervision. The forms and documentation completed are those provided by our agency and are submitted to our agency within a week of services. I can't come to a definite decision on whether we need to generate a HIPAA compliant BAC/BAA or not. Input appreciated, thanks in advance. Traci Winter Hospitals Home Health Care, Inc. Fulton, NY 13069 --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: Minimum necessary
I am not a transactions expert but aren't eligibility inquiry and the response both covered transactions? If yes, all covered transactions are exempt from the minimum necessary standard. Here is an excerpt from the December OCR Guidance to that effect: Q: Doesnt the HIPAA Privacy Rules minimum necessary standard conflict with the HIPAA transactions standards? A: No, because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the transactions standards, including disclosures of all data elements that are required or situationally required in those transactions. See 45 CFR 164.502(b)(2)(vi). However, covered entities have significant discretion as to the information included in the transactions as optional data elements. Therefore, the minimum necessary standard does apply to the optional data elements. The transactions standard adopted for the outpatient pharmacy sector is an example of a standard that uses optional data elements. The health plan, or payer, currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The health plan or its business associates must apply the minimum necessary standard when requesting this information. In this example, a pharmacist may reasonably rely on the health plans request for information as the minimum necessary for the intended disclosure. For example, as part of a routine protocol, the name of the individual may be requested by the payer as the minimum necessary to validate the identity of the claimant or for drug interaction or other patient safety reasons. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Jonathan Fox [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Wed, 05 Mar 2003 14:04:29 -0500 Subject: Minimum necessary Now that Privacy is right around the corner, a lot of people are re-examining some of the Transactions work that has been done. Here is a question that has privacy (minimum necessary) implications. A provider performs an eligibility inquiry with their local HMO. The HMO responds with yes the member is eligible and here is a list of their benefits. Clearly, the minimum requirements of the functionality of the transaction have been met, but how far can a payer go in giving additional information (COB, HIC number, Group Number, Plan Number, etc, before you cross the minimum necessary (privacy) line. Certainly, many of these pieces of information are not needed to get a claim paid by that payer. Is it the responsibility of the payer and/or is it within their right to divulge information about other policies they may have. This is not a question about transaction functionality, as the transaction clearly accommodates this data, but there seems to be a slight contradiction with the minimum necessary clause of the Privacy rule. Thoughts please??? Jonathan Fox Independent Health --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe
Re: Medicare audits: operations?
That sounds like an audit that the provider would be doing for their own operations. Why would Medicare be interested in a provider's Bad Debt account? If you are performing an audit for your own operations then I think we can safely say you are within TPO and any disclosure would not have to be accounted for. Of course, if the audit is for your own purposes, why are you disclosing the audit information to anyone outside the provider's office (unless you are using a business associate to perform the audit for you). Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Beth Cole [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Fri, 14 Feb 2003 09:52:11 -0600 Subject: Re: Medicare audits: operations? I just got a bit more information regarding the specific audit we're talking about. It isn't the generalized Medicare audit. Instead, it is the cost report audit (my understanding is that it has to do with the accounts that have Medicare as the primary payor but whose balance after payment has gone to a bad debt status. I'm not generally involved in things financial, so I'm not really sure). Does that make a difference in people's opinions? Beth Halterman, Anita wrote: I have been thinking about this issue for some time now and this is my two cents for what it is worth (I am not an attorney). Sorry Chris I don't agree with your take on this. In order for this activity to be a part of your health care operations, the activity would have to fall under the definition of Health care operations as follows: Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) [disclosures relating to underwriting] are met, if applicable; (4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and (6) Business management and general administrative activities of the entity, including, but not limited to: (i) Management activities relating to implementation of and compliance with the requirements of this subchapter; (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer. (iii) Resolution of internal grievances; (iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and (v) Consistent with the applicable requirements of §164.514 [/Other requirements relating to the uses and disclosures of protected health information/], creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. I highlighted in red the sections above in the definition that I believe are important to review. If a covered entity is being audited, I believe
Re: BA Agreement Questions
Is the audit being done at your request or are you required to submit to the audit by the state? If you are initiating the audit then I'd say you should have a BA agreement. If the audit is being imposed on you by the state then I'd say no BA is required. If the billing infomation you submit to the schools/nursing homes/welfare departments are for services you delivered to them, I don't see why a BA agreement would be necessary. You are making a disclosure to obtain payment. Such disclosures are specifically permitted, even if the disclosure is to the financially responsible party who is not the same person as the subject of the PHI. BA agreements are only necessary when you have a third party performing a covered function on your behalf. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Teri Baskett [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Tue, 4 Feb 2003 17:42:31 -0500 Subject: BA Agreement Questions I've met with my CFO and our Purchasing Mgr and we've figured out most of our vendor list. But we had a couple of questions I hoped someone could help with: 1. What do we do about auditors that come on-site to review records for payment/compliance. If i read this right, if the auditor is a govt agency (Medicaid or Medicare) then we don't need an agreement. But our state contracts with another company to audit our state contract funds. Do we have to have the BA with that company for that? 2. We have service contract agreements with several schools/nursing homes/welfare depts. In addition to the treatment piece, we also (of course) submit bills that include patient identifiers (name, SSN, address). Do we need BA's for those relationships? Teri Baskett Information Officer LifeSpring Mental Health Services --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: Covered Entity or Not
Charles, The definition of a covered entity entails more than just filing electronic claims. There are several covered transactions and if you conduct any of them electronically then you are a CE and must comply with HIPAA. For a complete list of covered transactions refer to the Transaction and Code Set Standards. I would also note that the definition of conducting a transaction electronically is often debated. I know HHS has indicated in the preamble to the Privacy Rule that a fax does not count as electronic transmission. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Fri, 31 Jan 2003 10:57:47 -0500 Subject: Covered Entity or Not At a meeting yesterday of our parent organization's privacy officers we had a discussion I'd appreciate some feedback on. One of the organizations is a long-term care/retirement facility that indicated they do not bill electronically. Therefore they are not a covered entity. However, after further discussion they indicated they do in fact send via fax and/or email individual identifiable health information to other covered entities (ie hospitals, referral agencies, and referring agencies). Some contended because they did not use EDI, they didn't really need to comply, others indicated they were because they do send PHI via electronic media. Can anyone provide an insight? Thanks. Charles. Charles R. Carnahan, M.Div., M.B.A. Chief Operating Officer CAB Health and Recovery Services, Inc. 111 Middleton Road Danvers, MA 01923 Phone: 978-739-7600 FAX: 978-750-3620 www.cabhealth.org * --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: NPP revisions
Yes, it is not necessary. You only have to obtain written acknowledgment of an individual's receipt of your NPP one time (on the first service delivery after the compliance date). After that, if you subsequently revise your NPP you only need to post the revised notice in your facility, and make it available to people on request. There is no need to track which version of the NPP they received, nor is there a requirement to obtain another acknowledgment if you issue a later revision of your NPP. I believe this has been clarified on the CMS web site thorugh their FAQ's, and in the December guidance issued by OCR. I'm sure I could cite you the exact source if you have trouble convincing your other committee members. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Traci Winter [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Wed, 29 Jan 2003 14:26:30 -0500 Subject: NPP revisions 164.520 [c][2][iv] Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph [c][2][iii] of this section, if applicable. I just want to run this by everyone, in our HIPAA committee meeting today we have decided to provide a NPP and get a signed acknowledgement of receipt with each admission to home care services, even if the patient was previously receiving services from our agency. The reasoning is, with the rapid turnover of our patients it would be extremely difficult to track which edition of our NPP a patient had received, and since our patients sometimes are re- admitted to our services years down the road it would allow us to make sure we had documentation that the NPP had been given. We may put a section on our acknowledgement form for the patient to check/sign if they are refusing a copy due to previous receipt. I think this should cover us pretty well... any cons to the plan? Traci Winter Hospitals Home Health Care, Inc. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: clergy disclosure policy
In fact, section 164.514(h)(1) which establishes the requirements to verify the identity and the authority of a person requesting PHI specifically exempts disclosures under section 164.510 (the section that permits disclsoure for facility directories and notification purposes) from that requirement. So I don't think you have to worry about documenting the validity of this person's claim that he is a member of the clergy. If you reasonably believe that he is a member of the clergy, based on whatever information you have, then I think you could defend your position as long as you did not know in fact that he was not a member of the clergy. Section 164.510(a)(1)(ii) specifies that facility directory information may be disclosed to members of the clergy or to individuals that ask for the patient by name. Therefore, if you believe he is a member of the clergy then I think you could disclose the directory to him. Note, however, that this is all up to your discretion. The rule does not establish any rights of the clergy to access this information, it only permits you to make such disclosures if you so wish. If a member of the clergy who had no recognized affiliation or relationship with my facility was asking for disclosure, the safer course of action may be to deny access. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Beth Cole [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Tue, 28 Jan 2003 08:59:45 -0600 Subject: clergy disclosure policy We have decided to limit information disclosure by denomination, as specified in the OCR December, 2002 guidance, along with having an opt-in policy for people who wish to be visited by a member of the clergy. However, we ran into a problem. We have in our area the State of Kansas Chaplain of the American Legion, who travels throughout the state visiting hospitalized veterans. He is requesting to see the entire directory. When we told him that we could not do that, he appealed to the hospital CEO. He does not carry any identification that shows denominational affiliation. He has a hand-written card that says State Chaplain of American Legion. Neither the Privacy Officer nor I are comfortable providing the entire facility directory to anyone. Does anyone have suggestions for how to deal with this? Beth -- Beth Cole Information Services Support Specialist Newman Regional Health Emporia, Kansas --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Is patient email address PHI?
I didn't respond to the original message because the question was not clear to me. When Susan wrote Email address is listed in the reg as an identifier that must be removed from data being disclosed was she referring to the requirement in section 164.514(b)(2)(i) that ennumerates the various identifiers that must be removed for PHI to be de-identified under the safe harbor method? If not, I'm not sure what else she meant by that statement. Susan, can you cite where else the Rule requires that email addresses be removed? If Susan was referring to 164.514 then we are talking about a disclsoure of de-identified information. Why would you be emailing an individual de- identified information about themselves? Since you are emailing the individual this would qualify as a permitted disclosure to the individual and therefore there is no need to de-identify the information in the first place! Please explain your situation better and please give specific citations as to where you think there are conflicts with the Privacy Rule. Otherwise I'm afraid I don't understand the question well enough to offer an opinion. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Tue, 28 Jan 2003 20:08:32 -0700 Subject: RE: Is patient email address PHI? I will go out on a limb with an unsubstantiated opinion because it is late Only if the email also contained health information or some indictor of health status - or - If they could infer by the name or address of the sender the health status of the recipient. Would anyone out there agree with that? -Original Message- From: Brousseau, Susan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 4:58 PM To: WEDI SNIP Privacy Workgroup List Subject: Is patient email address PHI? This seems picayune, but: Email address is listed in the reg as an identifier that must be removed from data being disclosed. If we email a patient, would addressing that email to their email address be considered a violation of HIPAA? Thank you, Susan Brousseau Business Analyst --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to leave-wedi- [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org Confidentiality Notice: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message
Re: NPP and recurrent patients
The obligations of health care providers (there are different ones for health plans) to distribute your NPP if you revise it after initially disitributing it to individuals are limited to making the revised NPP abailable to them upon request, and posting the revised notice in your facility (see section 164.520(c)(2)(iv). I would also infer from the regs. that you are obliged to post the updated version on you website, if you have one, but I cannot find an explicit statement about this. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: Kelli Knuckles [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Mon, 27 Jan 2003 10:15:36 -0700 Subject: Re: NPP and recurrent patients Traci- You only have to provide your patients with the NPP once. You need to somehow track that you have provided the patient with a copy. One thing to keep in mind, however, is that if you change or update your NPP new copies need to be provided to your patients. At least that's my understanding. Kelli Knuckles Apps Analyst MCDHS Traci Winter [EMAIL PROTECTED] 01/27/03 09:37AM OK time to open another can of worms. It is not unusual for us to discharge a patient and have them return to our services multiple times. Do have to give them a copy of the NPP each time we admit them to services? Their medical records are only maintained on site for the past year and current year, after that they are sent to an off site storage facility. Should we just add a statement to the acknowledgement stating a copy of the NPP wasn't provided or was declined due to receipt at a previous time of admission. I know we had this option with our patients rights booklet we gave out at time of admission to hospital patients. Traci Winter Hospitals Home Health Care, Inc. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to leave-wedi- [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same
RE: to sign or not to sign
In the OCR guidance that was issued in December, the very last question in the section on BA's says this: Q: Is a software vendor a business associate of a covered entity? A: The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity. If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity. For example, a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity. In these examples, a covered entity would be required to enter into a business associate agreement before allowing the software company access to protected health information. However, when an employee of a contractor, like a software or information technology vendor, has his or her primary duty station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a member of the covered entitys workforce, rather than as a business associate. See the definition of workforce at 45 CFR 160.103. I would say the need for a BAA then depends on the details of what you do for your customers. If you are a software retailer, like CompUSA or something like that, I'd argue no BAA is necessary. If you provide on site service and troubleshooting, or can remotely access the CE database, then I'd say you do need a BAA. I don't think a TPA is appropriate. My understanding is that this is a device from the Transaction and Code Set Standards and would only be used between parties that are conducting a covered transaction. COT agreements I believe are a creature of the long awaited Security Rule and since that is not finalized I don't think we can say if a COT is appropriate or not. Noel Chang -- Open WebMail Project (http://openwebmail.org) -- Original Message --- From: [EMAIL PROTECTED] (Jim Randolph) To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Thu, 23 Jan 2003 11:39:07 -0500 Subject: RE: to sign or not to sign Let me carry this a step further. We are a software vendor that has received BACs, TPAs and Chain of Trust agreements from different customers. As a vendor to this particular customer base we are exposed to PHI but never manipulate it in any way. Our support personnel do review setup configurations, billing problems or DB issues; but dont do anything to PHI. Attorneys and consultants are advising our customers so differently that no matter what, we end up being the evil vendor. Some of the BACs we receive are rather ridiculous, like requiring us to assume financial liability if our customer has any HIPAA problems in the future. The question for the group is: What is required in this scenario a BAC, TPA or COT? Jim Randolph The Echo Group -Original Message- From: Traci Winter [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 3:49 PM To: WEDI SNIP Privacy Workgroup List Subject: to sign or not to sign OK so the next question is do we sign these BACs or just put them in the round file. Your answers reflected what my impression was, but I wanted reinforcement. Thanks, Traci Winter --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- End of Original Message --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org
