RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

2003-01-20 Thread Darrell Rishel
Matt-

I'll take a stab at answering your question. Please remember that in an
effort to keep it relatively brief, this is a fairly simplistic, high-level
overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other
Drugs) regs), disclosure within a program is allowed on a need-to-know
basis without the consent of the patient. This internal disclosure is
limited to personnel having a need for the information in connection with
their duties which arise out of the provision of diagnosis, treatment, or
referral for treatment. In practice, I think this is very close to, if not
the same as, the HIPAA use definition. Although the AOD regs do not
require a formal minimum necessary analysis, the concept of only disclosing
the minimum amount of information necessary to accomplish the purpose for
making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the
adoption of the August, 2002, HIPAA changes, a wide gap remains between the
two sets of regs. While HIPAA allows treatment providers to disclose PHI for
treatment and payment (even another provider's payment) without the
patient's written consent, the AOD regs absolutely prohibit such disclosures
related to payment, and disclosures for treatment (except for medical
emergencies) require that a written agreement be in place and that the
services which the external provider render be something different than what
the primary provider is providing. This written agreement is known in the
AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A
QSOA is akin to a BA agreement, though much shorter and less complicated,
characteristics which are, unfortunately, soon to be a thing of the past.
While a QSOA can be used in limited circumstances for treatment (the biggest
problem is that we cannot have one with another AOD provider), its most
common use is for operations, just as the HIPAA BA agreement will be used
(e.g., we have a QSOA with our auditor, or outside attorneys, the company
which prints and sends out our bills, the lab which analyzes the urine
specimens we collect, etc.). But, if we want to be able to bill an insurance
company or any other third party payer, we have to have the patient's
written consent (in fact, we cannot even call to get pre-authorization
without written consent; how's that for customer friendly?). If we want to
refer the patient to another health care provider, of whatever type, or
consult with another provider (like their primary care provider) who has
seen the patient, we must have the patient's written consent unless the
situation fits within the pretty narrow exception where a QSOA can be used
and we have (or can get) one in place (the logistics and pain of trying to
get a QSOA with all of those providers, which make doing so pretty
impractical). The requirements in the AOD regs for a valid written consent
are very similar to those for a HIPAA authorization: who is disclosing the
information, to whom is the information being disclosed, what information is
being disclosed and why is it being disclosed, there must be a reasonable,
identifiable expiration date, the patient must be able to revoke the consent
at any time (one specific exception here for persons referred by an element
of the criminal justice system where treatment is a part of the
disposition), the name of the patient, the patient's signature and the date
of the signature.

The remaining situations where disclosure can be made without written
patient consent under the AOD regs are very limited. I'll list only a few of
the major differences between the HIPAA and AOD regs. There is no general
exception for otherwise required by law. I've forgotten exactly when the
exception for allowing a child abuse report to be filed if required by state
law was added, sometime around 1990, I think, but that used to be quite a
problem and even now the exception is very limited. There are no exceptions
for reporting any other kind of abuse. The HIPAA law enforcement
exception. There are provisions for disclosure in response to a court order,
but it requires a very specific order after following very specific
procedures.

I hope this has been helpful. Let me know if you have any other questions.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.



 -Original Message-
 From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, January 18, 2003 5:02 PM
 To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List'
 Subject: RE: HIPAA privacy and people
 
 
 Darrell,
 
 Thank you for sharing your thoughts.  And now that you brought it up, how
 would you compare the 42 CFR consent with the (voluntary) HIPAA-consent
 and the HIPAA-authorization.  In my mind, the 42 CFR allows a more
 generalized use and disclosure for TPO, and consequently is more equivalent
 to the (voluntary) HIPAA-consent, 

RE: When to have the patient sign an authorization

2003-01-20 Thread Deborah Campbell



Jill,

I'm not sure how a provider could have them sign an authorization when they
arrive unless they already knew they would need one for a specific event. The
regs say the authorization must be for a specific event or time period. I'm
not sure you can get away with a blanket authorization.

Deborah

Deborah Campbell
Compliance Coordinator
Dominion Dental Services, Inc.
115 South Union Street, Suite 300
Alexandria, Virginia 22314
Phn: (703) 518-5000 ext. 3035
Fax: (703) 518-8849
Toll Free: 888-518-5338
Email: [EMAIL PROTECTED]


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Monday, January 20, 2003 1:20 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: When to have the patient sign an authorization

  How are providers in particular handling the signing of authorizations? Are
  practices having patients sign it when they first come in, for future
  disclosures, or as the specific situations arise (i.e., they later decide
  their atty. should see the medical records and sign an applicable
  authorization).

  Thanks as always for your input.

  Jill Rubin, Esq.
  (617)388-2404
  [EMAIL PROTECTED]

  ---
  The WEDI SNIP listserv to which you are subscribed is not moderated. The
  discussions on this listserv therefore represent the views of the individual
  participants, and do not necessarily represent the views of the WEDI Board
  of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
  your question to the WEDI SNIP Issues Database at
  http://snip.wedi.org/tracking/. These listservs should not be used for
  commercial marketing purposes or discussion of specific vendor products and
  services. They also are not intended to be used as a forum for personal
  disagreements or unprofessional communication at any time.

  You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
  To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
  http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
  If you need to unsubscribe but your current email address is not the same as
  the address subscribed to the list, please use the Subscribe/Unsubscribe
  form at http://subscribe.wedi.org




RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

2003-01-20 Thread Matthew Rosenblum
Darrell,

Thank you very much for this wonderful comparison of the HIPAA regulations
to the signed-consent aspects of the AOD regulations (42 CFR part 2).
This is very helpful to many of us who work in SAMHSA-funded programs.

Best regards,
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com

CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
 

RE: When to have the patient sign an authorization

2003-01-20 Thread Klayer Geni


-Original Message-
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent:   Monday, January 20, 2003 1:20 PM
To: WEDI SNIP Privacy Workgroup List
Subject: When to have the patient sign an authorization

How are providers in particular handling the signing of
authorizations? Are practices having patients sign it when they first come
in, for future disclosures, or as the specific situations arise (i.e., they
later decide their atty. should see the medical records and sign an
applicable authorization).

Thanks as always for your input.

Jill Rubin, Esq.
(617)388-2404
[EMAIL PROTECTED]



RE: Employee Termination Procedure

2003-01-20 Thread Chris Brancato
In the situation you describe, it's pretty clear if you're the provider, you
are at risk since you're responsible to mitigate this type of situation:

I would:

A: Consult your policy and procedure manual regarding termination before the
employee is terminated.
Document the steps taken upon termination. If you didn't follow your
policy, you're at risk.

B: Consult your policy and procedure for lost or stolen patient records.
Mine includes notifying law enforcement and mandates the report the alleged
theft of medical information. In some states, that is a felony.
Again, you followed your policy.

C: If you're a CE, have the patient notify you in writing as per your policy
and direct it to your Privacy Officer. If your conversations are verbal,
make copious notes.  In your reply, you should direct the patient to contact
law enforcement with their complaint of harassment.

Both items you mentioned mean little as the employee has already left.  The
release and theft have already occurred. What did you do to mitigate it and
when it happened, did you follow your policies and state laws if applicable
after you became aware of this release/theft.  I would consult my attorney
if this came to pass about the notification process to the ex-employee when
legal action reaches the court level.
You certainly could sue the ex-employee but damage control is certainly in
order. Out of this, you certainly could gain confidence in your patient
depending on how you handle it.


Chris Brancato

-Original Message-
From: Anurag Sinha [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 5:04 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Employee Termination Procedure

Hi All,

I have 2 questions on employee termination.
1. If the employee is terminated but has deliberately taken patient
information with them and starts using or harassing them, what is the
provider or the CE supposed to do? Should they:

(a) call the law enforcement or
(b) should they just issue a warning to the ex-employee
(c) inform the affected patients etc.

2. Is it advisable to get a sign-off from such an employee before they leave
stating that they would not use the information after termination?

thanks,
Anurag Sinha
HIPAA Privacy Project Manager
Youngsoft, Inc. (www.youngsoft.com)
Main  : (248)675-1200
Fax   : (248)668-8238



-Original Message-
From: Ribelin, Donald [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 2:44 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: When to have the patient sign an authorization


§ 164.508 Uses and disclosures for which an authorization is required...
...(c) Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must contain at
least the following elements:
(i) A description of the information to be used or disclosed that identifies
the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of
persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class
of persons, to  whom the covered entity may make the requested use or
disclosure.
(iv) A description of each purpose of the requested use or disclosure. The
statement "at the request of the individual" is a sufficient description of
the purpose when an individual initiates the authorization and does not, or
elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual
or the purpose of the use or disclosure. The statement "end of the research
study," "none," or similar language is sufficient if the authorization is
for a use or disclosure of protected health information for research,
including for the creation and maintenance of a research database or
research repository.
(vi) Signature of the individual and date. If the authorization is signed by
a personal representative of the individual, a description of such
representative's authority to act for the individual must also be provided.


Donald L. Ribelin
HIPAA Project Manager
Firsthealth of the Carolinas
(910) 215-2668
[EMAIL PROTECTED]

 -Original Message-
From:   Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent:   Monday, January 20, 2003 2:34 PM
To: WEDI SNIP Privacy Workgroup List
Subject:RE: When to have the patient sign an authorization

I believe that HIPAA requires any authorization to expire either on a
specific date or at a specific event. An event expiration could in fact, be
upon the individual's demise. 

RE: When to have the patient sign an authorization

2003-01-20 Thread Rachel Foerster
I believe that HIPAA requires any authorization to expire either on a
specific date or at a specific event. An event expiration could in fact, be
upon the individual's demise. Unfortunately I don't have a specific cite
from the rag on this.

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
Professionals in Health Care EDI
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED]
http://www.rfa-edi.com



-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 1:25 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: When to have the patient sign an authorization


I do not believe that HIPAA mandates that an authorization can only be valid
for 60 days. Such a limitation might be a part of state law, or an
organization's own standard. I think that if you can foresee the need for
the disclosure when the patient is admitted, then you can have it signed at
that time. If the need does not become apparent until later, then you have
the patient sign it then. In either case, of course, the authorization has
to meet all of the other HIPAA (and other applicable) requirements.

Darrell Rishel, J.D.
Director of Information Services
Arapahoe House, Inc.

This message is not legal advice or a binding signature.


-Original Message-
From: Klayer Geni [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 11:59 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: When to have the patient sign an authorization


As the need arises.  The authorization is only valid for 60 days.

-Original Message-
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent:   Monday, January 20, 2003 1:20 PM
To: WEDI SNIP Privacy Workgroup List
Subject: When to have the patient sign an authorization

How are providers in particular handling the signing of
authorizations? Are practices having patients sign it when they first come
in, for future disclosures, or as the specific situations arise (i.e., they
later decide their atty. should see the medical records and sign an
applicable authorization).

Thanks as always for your input.

Jill Rubin, Esq.
(617)388-2404
[EMAIL PROTECTED]