Application Audit Trails
I am looking for public opinion in this question, for I know that there is little specific language on this point (or is there?).

In regards to Application Audit Trails, to what level of audit do you expect your applications to present? For instance, do you want to know if your users have replicated the data outside of the application via printing, copying or emailing, or is the fact that you can audit that they DO have access to PHI, and have signed an internal HIPAA Privacy policy, enough for you?

Please let me know if you require any more clarification to this question.

Greg Park
Product Manager
DB Technology Inc.
Office: 800-760-4096 x117
Cell: 484-919-0392
PA Office: 610-397-0288
www.dbtech.com

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
JCAHO BAA
On that BA thread, we just received a letter from JCAHO wanting us to complete their BAA form. Following previous messages, shouldn't I (since I'm the CE) be sending them our form, and we shouldn't be signing theirs?

Teri Baskett, CISO
LifeSpring
[EMAIL PROTECTED]
Fundraising Question
Our hospital foundation is responsible for fundraising. For about 5 years they have not used patient information for their fundraising. They purchase lists through other companies and they have created their own donor base based on who's donated before. They send information to the donor base because they're donors and not because they're patients. So, since the donors and patients are different, do we need to worry about the fundraising opt out requirement?

I hope I made myself clear with what I was explaining and trying to ask.
Re: Fundraising Question
Patricia,

Your NPP should state that PHI will not be used for these purposes. An opt out isn't necessary when nobody's in. To clarify things for your patients, you may wish to mention that the foundation uses independently-generated lists that contain no PHI.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]

----- Original Message -----
From: Patricia Conroe
To: WEDI SNIP Privacy Workgroup List
Sent: Wednesday, March 05, 2003 08:58 AM
Subject: Fundraising Question

Our hospital foundation is responsible for fundraising. For about 5 years they have not used patient information for their fundraising. They purchase lists through other companies and they have created their own donor base based on who's donated before. They send information to the donor base because they're donors and not because they're patients. So, since the donors and patients are different, do we need to worry about the fundraising opt out requirement?

I hope I made myself clear with what I was explaining and trying to ask.
RE: Fundraising Question
IMHO, if you are not going to use your patient's PHI for fundraising, do not include it in your NPP. Should you decide to change your practice, you will need to change your NPP and announce the change before your practice is changed.

Donald L. Ribelin
HIPAA Project Manager
Firsthealth of the Carolinas
(910) 215-2668
[EMAIL PROTECTED]

-----Original Message-----
From: Patricia Conroe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2003 9:59 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Fundraising Question

Our hospital foundation is responsible for fundraising. For about 5 years they have not used patient information for their fundraising. They purchase lists through other companies and they have created their own donor base based on who's donated before. They send information to the donor base because they're donors and not because they're patients. So, since the donors and patients are different, do we need to worry about the fundraising opt out requirement?

I hope I made myself clear with what I was explaining and trying to ask.
Internet Pagers Privacy
I'm looking for some input on a scenario that was recently presented. To wit...

What are the ramifications relative to HIPAA Privacy where communications containing PHI to alphanumeric pagers held by remote nursing staff are initiated via internet e-mail? For example, a patient coordinator sends an e-mail containing PHI (say patient name address) to a nurse's pager or cell phone screen through a third party such as ATT, Skypage, Arch Wireless, etc.

Thoughts?

Thank you in advance,
Paul Weber
[EMAIL PROTECTED]
Re: Minimum necessary
I am not a transactions expert but aren't eligibility inquiry and the response both covered transactions? If yes, all covered transactions are exempt from the minimum necessary standard. Here is an excerpt from the December OCR Guidance to that effect:

Q: Doesn't the HIPAA Privacy Rule's minimum necessary standard conflict with the HIPAA transactions standards?

A: No, because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the transactions standards, including disclosures of all data elements that are required or situationally required in those transactions. See 45 CFR 164.502(b)(2)(vi).

However, covered entities have significant discretion as to the information included in the transactions as optional data elements. Therefore, the minimum necessary standard does apply to the optional data elements. The transactions standard adopted for the outpatient pharmacy sector is an example of a standard that uses optional data elements. The health plan, or payer, currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The health plan or its business associates must apply the minimum necessary standard when requesting this information. In this example, a pharmacist may reasonably rely on the health plan's request for information as the minimum necessary for the intended disclosure. For example, as part of a routine protocol, the name of the individual may be requested by the payer as the minimum necessary to validate the identity of the claimant or for drug interaction or other patient safety reasons.
Noel Chang

---------- Original Message -----------
From: Jonathan Fox [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Wed, 05 Mar 2003 14:04:29 -0500
Subject: Minimum necessary

Now that Privacy is right around the corner, a lot of people are re-examining some of the Transactions work that has been done. Here is a question that has privacy (minimum necessary) implications.

A provider performs an eligibility inquiry with their local HMO. The HMO responds with yes the member is eligible and here is a list of their benefits. Clearly, the minimum requirements of the functionality of the transaction have been met, but how far can a payer go in giving additional information (COB, HIC number, Group Number, Plan Number, etc.) before you cross the minimum necessary (privacy) line? Certainly, many of these pieces of information are not needed to get a claim paid by that payer. Is it the responsibility of the payer and/or is it within their right to divulge information about other policies they may have?

This is not a question about transaction functionality, as the transaction clearly accommodates this data, but there seems to be a slight contradiction with the minimum necessary clause of the Privacy rule.

Thoughts please???

Jonathan Fox
Independent Health
------- End of Original Message -------