PHI and Divorced Parents

2003-02-17 Thread Catherine Lohmeier
Can PHI concerning a minor child be release to both parents even
though they are divorced?

Excluding the circumstances of individual state law that allows minor
children to receive some medical services without notifying parents,
I say yes both parents though divorced can receive PHI about their
children as HIPAA does not designate the custodial parent as the sole
personal representative of a minor child.

Any flaws in my logic?
Catherine Lohmeier
Sr. Business Consultant
PCI: e-commerce for healthcare
ph. 402-304-1918
www.hipaasurvival.com


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



Re: Disclosures - NPP and tracking

2003-02-17 Thread Leah Hole-Curry
Teri,

I also agree - these are separate requirements that are not mutually
exclusive.  A covered entity must meet all requirements, relevant to a
particular use or disclosure:  

A covered entity must have a notice of privacy practices which lists
relevant disclosures and examples, among other things.  164.520

A covered entity Must use and disclose information only in accordance
with its Notice.  164.502(i)

A covered entity must ALSO have satisfactory assurances (generally in
the form of the BA Contract) in place with its business associates. 
164.502(e)

A covered entity must ALSO obtain authorization when making disclosures
that require an authorization (e.g. marketing communications).  164.508

A covered entity must ALSO track disclosures that are required to be
accounted for to the individual (e.g. disclosures to public health
authority). 164.528

A covered entity may ALSO get a consent for certain disclosures if it
chooses to do so (e.g. for treatment, payment, and operations). 164.506.


It is often difficult to prove a negative - meaning that there isn't a
place in the regulation that specifically states that the requirements
are cumulative, however when you read the accompanying comments, there
isn't anything that I see that would lead you to think that you could
leave out an accounting for certain disclosures if you include the
disclosure in your notice - the comments and the regulation require you
to do both.  

In discussing a governmental entities' choices with respect to hybrid,
there is a comment and answer that touches on this, it states in part:  


Comment...Alternatively, it was suggested that a governmental hybrid
entity be permitted to include in its notice of privacy practices the
possibility that information may be shared with other divisions within
the same government entity for specific purposes... 
Response ...Additionally, the Department encourages covered entities
to develop a notice of privacy practices that is as specific as
possible, which may include, for a government hybrid entity, a statement
that information may be shared with other divisions within the
government entity as permitted by the Rule.  However, the notice of
privacy practices is not an adequate substitute for, as appropriate, a
memorandum of understanding; designation of business associate functions
as partof of a health care component; or alternatively conditioning
disclosures to such business associate functions on individuals'
authorization.  67 Fed. Reg. pages 53206, 53207.

As noted, this isn't directly on point, but it does states that the the
Notice is not a substitute for other requirements:  you need both.

Regards, lhc



Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 Teri Baskett [EMAIL PROTECTED] 02/17/03 10:19 AM 
I hate to weigh in here one more time, but my understanding what that we
have to provide the pt/client an accounting of all disclosures that were
not specifically covered by an authorization (initially, it was
interpreted that those had to be logged and tracked also, but that was
amended in the final regs, since the argument was made that the pt would
have knowledge of disclosures s/he had authorized in writing).  I know
another gentleman on this thread last week indicated that he planned to
track those also, just to keep the disclosure log complete and to
simplify the procedures for HIM staff; however, I do believe that
authorized disclosures are not required to be tracked.

So, our disclosure log must contain a record of all disclosures not
covered by a written authorization and those that are not a part of
treatment, payment and healthcare operations.  Regardless of everything
we list in the NPP (and it should list all these as possibilities), we
have to track these and record them, providing them for a pt when
requested.

Have I confused different parts of the regs in this interpretation?

Teri Baskett, CISO
LifeSpring Mental Health Services
[EMAIL PROTECTED]



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently 

Re: Disclosures

2003-02-17 Thread David Ermer
Teri -- You are overstating the accounting for disclosures requirenment.
Under the modified final rule, the only disclosures that are subject to
the accounting for disclosure under § 164.528 are most post-4/14/03 (but
not all) disclosures that are made without an authorization under §
164.512 (e.g., disclosures to public health authorities, law enforcement
authorities, and health oversight agencies, disclosures required by law,
decedent related disclosures) and the covered entity's (or its business
associate's) erroneous disclosures. Consequently, for example,
disclosures to the individual or the individual's personal
representative or to family members under § 164.510(b) are not
accountable under § 164.528. 

The Privacy Rule includes a requirement to maintain copies of
authorizations for six years from its creation or it last effective date
whichever is later (164.508(b)(6), 164.530(j)), and I am not
discouraging the tracking of disclosure as a safeguard measure. However,
the accounting for disclosures at this point really is quite limited to
special situations that should be handled in a centralized manner. I
have copied the relevant text of § 164.528 below.  
Best regards, Dave Ermer

§ 164.528 Accounting of disclosures of
protected health information.
(a) Standard: right to an accounting of
disclosures of protected health information.
(1) An individual has a right to receive an
accounting of disclosures of protected health
information made by a covered entity in the
six years prior to the date on which the
accounting is requested, except for
disclosures:
(i) To carry out treatment, payment and
health care operations as provided in §
164.506;
(ii) To individuals of protected health
information about them as provided in §
164.502;
(iii) Incident to a use or disclosure
otherwise permitted or required by this
subpart, as provided in § 164.502;
(iv) Pursuant to an authorization as
provided in § 164.508;
(v) For the facility's directory or to
persons involved in the individual's care or
other notification purposes as provided in §
164.510;
(vi) For national security or intelligence
purposes as provided in § 164.512(k)(2);
(vii) To correctional institutions or law
enforcement officials as provided in §
164.512(k)(5);
(viii) As part of a limited data set in
accordance with § 164.514(e); or
(ix) That occurred prior to the
compliance date for the covered entity.



Gordon  Barnett
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com
 Teri Baskett [EMAIL PROTECTED] 02/17/03 13:07 PM 
I hate to weigh in here one more time, but my understanding what that we
have to provide the pt/client an accounting of all disclosures that were
not specifically covered by an authorization (initially, it was
interpreted that those had to be logged and tracked also, but that was
amended in the final regs, since the argument was made that the pt would
have knowledge of disclosures s/he had authorized in writing).  I know
another gentleman on this thread last week indicated that he planned to
track those also, just to keep the disclosure log complete and to
simplify the procedures for HIM staff; however, I do believe that
authorized disclosures are not required to be tracked.

So, our disclosure log must contain a record of all disclosures not
covered by a written authorization and those that are not a part of
treatment, payment and healthcare operations.  Regardless of everything
we list in the NPP (and it should list all these as possibilities), we
have to track these and record them, providing them for a pt when
requested.

Have I confused different parts of the regs in this interpretation?

Teri Baskett, CISO
LifeSpring Mental Health Services
[EMAIL PROTECTED]



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not 

acknowledgement of Notice of Privacy Practices (NPP)

2003-02-17 Thread Fairley2
On April 15, 2003, we are anticipating that we simply do not have the staff available 
to supply all patients that walk in our door with our NPP.  It's hard to find someone 
to do a job like this for only 3-4 months!  We plan to hire college students to 
accomplish this task when school let outs in May.  

Nevertheless, in order to be compliant with the April 15, 2003 deadline, is it 
acceptable to mail out our NPP to scheduled patients ahead of time?  

Is the fact that we are mailing them out  (and let's say we can keep track of who got 
SENT one) sufficient in itself to meet the requirement of a Good faith effort to 
obtain acknowledgement of receipt of NPP?  That is, is simply mailing out the NPP 
adequate?   If such a plan is not adequate, what about if we included an 
acknowledgement form in the mailing and asked the patient to return the form (and we 
did NOT supply an envelop or stamp)?  Would that be enough, even if no one returns it? 

Thanks.
Rich Fairley MD
Dubuque, IA 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



Re: acknowledgement of Notice of Privacy Practices (NPP)

2003-02-17 Thread Jeanace123
Dr. Fairley,
My firm is recommending that the NPP be developed and implemented as soon as possible 
just for the reason you mention:  otherwise every patient who walks in the door on 
4/15 will need to be provided with this document, any discussion/questions, etc.  If 
you can implement this part of the Rule now, by 4/15 only new patients or those who 
haven't been in for a few months will need to be provided with your NPP.  By beginning 
sooner than 4/15 there's a secondary benefit:  by that date this may be SOP for front 
desk staff.

Unfortunately, mailing the NPP does not suffice as a good faith effort to obtain the 
individual's acknowledgement unless you use a signature-on-receipt mail service - 
which could get expensive.  If you do include an acknowledgement form (that is a good 
idea, by the way), then your staff will only have to collect them.  Some practices are 
updating their patient registration form to include a statement of acknowledgement.  
As you know, this is a good time of the year to have all patients update their 
personal  insurance info.

Jean Acevedo, LHRM, CPC, CHC
ACEVEDO CONSULTING INCORPORATED
711 Golf Court
Delray Beach, FL  33445
[EMAIL PROTECTED] 

 On April 15, 2003, we are anticipating that we simply do not have the staff 
available to supply all patients that walk in our door with our NPP.  It's hard to 
find someone to do a job like this for only 3-4 months!  We plan to hire college 
students to accomplish this task when school let outs in May.   
 
 Nevertheless, in order to be compliant with the April 15, 2003 deadline, is it 
acceptable to mail out our NPP to scheduled patients ahead of time?  
 
 Is the fact that we are mailing them out  (and let's say we can keep track of who 
got SENT one) sufficient in itself to meet the requirement of a Good faith effort to 
obtain acknowledgement of receipt of NPP?  That is, is simply mailing out the NPP 
adequate?   If such a plan is not adequate, what about if we included an 
acknowledgement form in the mailing and asked the patient to return the form (and we 
did NOT supply an envelop or stamp)?  Would that be enough, even if no one 
 returns it? 
 
 Thanks.
 Rich Fairley MD
 Dubuque, IA 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: acknowledgement of Notice of Privacy Practices (NPP)

2003-02-17 Thread Patricia Hamby
Would this maybe fall under reasonable and may depend upon the size of the
CE? Great question.  Interested to see what others have to say.  

Patricia Hamby
HIPAA Compliance Project Manager
XANTUS Healthplan of Tennessee, Inc. 
(615) 463-1612, Office
(615) 279-1301, Facsimile
http://www.xantushealthplan.com/hipaa/page3.html


-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 3:35 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: acknowledgement of Notice of Privacy Practices (NPP)


I haven't taken the time to research this enough to cite any references in 
support of my position, but my initial reaction is that just mailing the NPP

is not adequate to make a good faith effort.

The requirement is that you make a good faith effort to obtain written 
acknowledgment of their receipt of the NPP.  If all you do is mail the NPP, 
what have to done to try and document they received it?  If you have a
return 
form for the patient to send back I guess you can then argue that you did do

something to try and obtain their acknowledgment but is just a form with no 
return envelope or postage a good faith effort?  I'd say no but that is 
just my opinion.

Even if you included a return envelope and postage I don't know that I would

consider that a good faith effort.  The Rule says you have to distribute the

notice by the first delivery of service.  For the moment lets ignore 
electronic delivery of service or of the NPP.  That aside, if you only have 
to deliver the notice the first time the individual physically sets foot in 
your facility, how hard is it to get someone to hand them a couple of sheets

of paper and sign an acknowledgment?  Keep in mind the acknowledgment is
just 
that they RECEIVED the Notice.  Not that they read it, not that they 
understand it.  You can hand it to them, they can through it in the trash 
(hopefully a recycling bin so you can use it on the next patient), and you 
can still ask them to sign a statement that says they RECEIVED the Notice.

Unless you are one of the rare entities that have implemented a truly 
paperless patient record system, you have a paper chart for every patient.  
Someone in your facility is probably handling that chart when the patient 
comes in.  If the reception of patients into your facility is not
centralized 
so you cannot hand out the forms at one patient check-in desk, then perhaps 
you need to de-centralize the distribution of the NPP.  Whoever sees the 
patient needs to look at the chart and determine if the patient has received

an NPP or if they need to be given one.  One thing I am doing with some 
clients is implementing an NPP Receipt Acknowledgment form that is on a 
distinct color paper so you can immediately recognize whether or not there
is 
an acknowledgment form in the chart.  Remember you only need to get their 
acknowledgment once, even if you subsequently revise the Notice, so there is

no need to look at the acknowledgment to see when they signed it, what 
version of the NPP they were given, or anything else.  Just glance at the 
chart to see if there is a fuscia piece of paper (or whatever unique color 
you prefer).  If there isn't, ask them to sign an acknowledgment form as you

hand them a copy of your NPP.

I work only with small group practices and solo practitioners so I'm sure 
there are issues for larger players, asside from pure volume of patients, 
that I have not had to consider.  I have to admit though, I never thought
the 
requirement to distribute the NPP and obtain an acknowledgment would require

any additional resources like part time employees.

Noel Chang
Noel Chang

 

--
Open WebMail Project (http://openwebmail.org)


-- Original Message ---
From: [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Mon, 17 Feb 2003 14:27:30 -0500
Subject: acknowledgement of Notice of Privacy Practices (NPP)

 On April 15, 2003, we are anticipating that we simply do not have 
 the staff available to supply all patients that walk in our door 
 with our NPP.  It's hard to find someone to do a job like this for 
 only 3-4 months!  We plan to hire college students to accomplish 
 this task when school let outs in May.  
 
 Nevertheless, in order to be compliant with the April 15, 2003 
 deadline, is it acceptable to mail out our NPP to scheduled patients 
 ahead of time?  
 
 Is the fact that we are mailing them out  (and let's say we can keep 
 track of who got SENT one) sufficient in itself to meet the 
 requirement of a Good faith effort to obtain acknowledgement of 
 receipt of NPP?  That is, is simply mailing out the NPP adequate?   
 If such a plan is not adequate, what about if we included an 
 acknowledgement form in the mailing and asked the patient to return 
 the form (and we did NOT supply an envelop or stamp)?  Would that be 
 enough, even if no one returns it? 
 
 Thanks.
 Rich Fairley MD
 Dubuque, IA 
 
 ---
 The WEDI SNIP 

RE: acknowledgement of Notice of Privacy Practices (NPP)

2003-02-17 Thread David Blasi
Just wanted to add for some of those who aren't knee-deep in HIPAA
that the acknowledgment requirement discussion is a health care provider
issue.  For health plans the acknowledgment requirement in 164.520(c)(2)
is not applicable.  Health plans should be able to satisfy their notice
requirement via normal first class mail; just like mailing SPD's, COBRA
notices, etc. 

 Patricia Hamby [EMAIL PROTECTED] 02/17/03 04:29PM

Would this maybe fall under reasonable and may depend upon the size
of the
CE? Great question.  Interested to see what others have to say.  

Patricia Hamby
HIPAA Compliance Project Manager
XANTUS Healthplan of Tennessee, Inc. 
(615) 463-1612, Office
(615) 279-1301, Facsimile
http://www.xantushealthplan.com/hipaa/page3.html 


-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 17, 2003 3:35 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: acknowledgement of Notice of Privacy Practices (NPP)


I haven't taken the time to research this enough to cite any references
in 
support of my position, but my initial reaction is that just mailing
the NPP

is not adequate to make a good faith effort.

The requirement is that you make a good faith effort to obtain written

acknowledgment of their receipt of the NPP.  If all you do is mail the
NPP, 
what have to done to try and document they received it?  If you have a
return 
form for the patient to send back I guess you can then argue that you
did do

something to try and obtain their acknowledgment but is just a form
with no 
return envelope or postage a good faith effort?  I'd say no but that
is 
just my opinion.

Even if you included a return envelope and postage I don't know that I
would

consider that a good faith effort.  The Rule says you have to
distribute the

notice by the first delivery of service.  For the moment lets ignore 
electronic delivery of service or of the NPP.  That aside, if you only
have 
to deliver the notice the first time the individual physically sets
foot in 
your facility, how hard is it to get someone to hand them a couple of
sheets

of paper and sign an acknowledgment?  Keep in mind the acknowledgment
is
just 
that they RECEIVED the Notice.  Not that they read it, not that they 
understand it.  You can hand it to them, they can through it in the
trash 
(hopefully a recycling bin so you can use it on the next patient), and
you 
can still ask them to sign a statement that says they RECEIVED the
Notice.

Unless you are one of the rare entities that have implemented a truly 
paperless patient record system, you have a paper chart for every
patient.  
Someone in your facility is probably handling that chart when the
patient 
comes in.  If the reception of patients into your facility is not
centralized 
so you cannot hand out the forms at one patient check-in desk, then
perhaps 
you need to de-centralize the distribution of the NPP.  Whoever sees
the 
patient needs to look at the chart and determine if the patient has
received

an NPP or if they need to be given one.  One thing I am doing with some

clients is implementing an NPP Receipt Acknowledgment form that is on a

distinct color paper so you can immediately recognize whether or not
there
is 
an acknowledgment form in the chart.  Remember you only need to get
their 
acknowledgment once, even if you subsequently revise the Notice, so
there is

no need to look at the acknowledgment to see when they signed it, what

version of the NPP they were given, or anything else.  Just glance at
the 
chart to see if there is a fuscia piece of paper (or whatever unique
color 
you prefer).  If there isn't, ask them to sign an acknowledgment form
as you

hand them a copy of your NPP.

I work only with small group practices and solo practitioners so I'm
sure 
there are issues for larger players, asside from pure volume of
patients, 
that I have not had to consider.  I have to admit though, I never
thought
the 
requirement to distribute the NPP and obtain an acknowledgment would
require

any additional resources like part time employees.

Noel Chang
Noel Chang

 

--
Open WebMail Project (http://openwebmail.org)


-- Original Message ---
From: [EMAIL PROTECTED] 
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Mon, 17 Feb 2003 14:27:30 -0500
Subject: acknowledgement of Notice of Privacy Practices (NPP)

 On April 15, 2003, we are anticipating that we simply do not have 
 the staff available to supply all patients that walk in our door 
 with our NPP.  It's hard to find someone to do a job like this for 
 only 3-4 months!  We plan to hire college students to accomplish 
 this task when school let outs in May.  
 
 Nevertheless, in order to be compliant with the April 15, 2003 
 deadline, is it acceptable to mail out our NPP to scheduled patients

 ahead of time?  
 
 Is the fact that we are mailing them out  (and let's say we can keep

 track of who got SENT one) sufficient in itself to meet the 
 requirement of a