RE: Recording Disclosures (was BA Agreement Questions)

2003-02-07 Thread Shah Rakesh
Hi Traci:

Q: Are State Regulators and other government agencies that perform audits
considered business associates?  

A: The Privacy Rule allows covered entities to disclose protected health
information to government agencies for health oversight activities and in
instances where it is required by law. Usually, CEs do not solicit audits by
government agencies as they are not performing a function or service on CE's
behalf - therefore they are not business associates. 

A Health oversight agency means an agency or authority of the United States,
a State, a territory, a political subdivision of a State or territory, or an
Indian tribe, or a person or entity acting under a grant of authority from
or contract with such public agency, including the employees or agents of
such public agency or its contractors or persons or entities to whom it has
granted authority, that is authorized by law to oversee the health care
system (whether public or private) or government programs in which health
information is necessary to determine eligibility or compliance, or to
enforce civil rights laws for which health information is relevant.

§ 164.512 Uses and disclosures for which consent, an authorization, or
opportunity to agree or object is not required. 
A covered entity may use or disclose protected health information without
the written consent or authorization of the individual as described in §§
164.506 and 164.508, respectively, or the opportunity for the individual to
agree or object as described in § 164.510, in the situations covered by this
section, subject to the applicable requirements of this section. When the
covered entity is required by this section to inform the individual of, or
when the individual may agree to, a use or disclosure permitted by this
section, the covered entity's information and the individual's agreement may
be given orally. 

(d) Standard: uses and disclosures for health oversight activities. 
(1) Permitted disclosures. A covered entity may disclose protected
health information to a health oversight agency for oversight activities
authorized by law, including audits; civil, administrative, or criminal
investigations; inspections; licensure or disciplinary actions; civil,
administrative, or criminal proceedings or actions; or other activities
necessary for appropriate oversight of: 
(i) The health care system; 
(ii) Government benefit programs for which health
information is relevant to beneficiary eligibility; 
(iii) Entities subject to government regulatory programs for
which health information is necessary for determining compliance with
program standards; or 
(iv) Entities subject to civil rights laws for which health
information is necessary for determining compliance. 

I hope this helps

> -Original Message-
> From: Matthew Rosenblum [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, February 07, 2003 1:33 PM
> To:   WEDI SNIP Privacy Workgroup List
> Cc:   'Bill MacBain'; 'Judy.Griffith'
> Subject:  RE: Recording Disclosures (was BA Agreement Questions)
> 
> Traci,
> 
> I tend to view (at least some of) the "audit" activities performed by the
> State as being conducted on behalf of the CE-Health Plans (e.g., Medicaid)
> as opposed to the CE-providers.  As such, those State-conducted "audit"
> activities are part of the Health Plan's "health care operations".
> Consequently, the State auditors would probably be construed as Business
> Associates of the Health Plan.
> 
> How do others view this?
> 
> I hope that this helps.
> 
> Your questions are always welcome.
> 
> Matt
> 
> Matthew Rosenblum
> Chief Operations Officer
> Privacy, Quality Management & Regulatory Affairs
> 
> CPI Directions, Inc.
> 10 West 15th Street, Suite 1922
> New York, NY 10011
> 
> (212) 675-6367
> [EMAIL PROTECTED]
> 
> 
> CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
> individual or entity to which it is addressed and may contain information
> that is privileged, confidential and exempt from disclosure under
> applicable law. If you have received this communication in error, please
> do not distribute it.  Please notify the sender by E-Mail at the address
> shown and delete the original message. Thank you.
> 
>  
> 
> -Original Message-
> From: Traci.Jensen [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, February 06, 2003 11:15 AM
> To: WEDI SNIP Privacy Workgroup List
> Cc: 'Bill MacBain'; Judy.

Re: Covered Entity or not

2003-02-07 Thread Zon Owen



Susan,

I would argue that it is the health plan's and the patient's benefits that are
being coordinated, and not the provider's.  If the health plan chooses to do
this in its own behalf and/or in behalf of its members, the provider is not a
direct party to it, and the provider's HIPAA coveredness is not affected.

This does raise the issue of whether or not provider/plan agreements are ever
worded in such a way as to make the plan a BA and/or a clearinghouse for this
purpose.  But I will have to leave that one for the legally trained among us.

Marcallee,

Any thoughts on this one from a COB and CH expert?

- Zon Owen -

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, February 05, 2003 2:46 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: Covered Entity or not

  Patricia, Matt, & Zon,

  I agree with you that when a claim is sent to insurance company A and the
  claim is then processed and converted into electronic form and paid by
  Insurance company A, the provider may not be a covered entity based on that.
  (Except in Texas- my understanding is Texas legislated that any claim, whether
  on paper or electronic format, makes you a covered entity.)  However, when
  that claim is forwarded to insurance company B, all bets are off.

  I reviewed the definition of a clearinghouse as stated by CMS and my
  understanding, as meager as it may be, is that any time an insurance company
  forwards a claim to a 2nd insurance carrier for processing, it is acting as a
  clearinghouse.  Nowhere in the definition of clearinghouse does it rule out
  insurance companies of any kind. The point I was trying to make is, as an
  example, Medicare acts like a clearinghouse when it forwards a claim, whether
  submitted to them on paper or electronically, to the 2nd insurance carrier for
  payment.  Does it not? Any insurance carrier that forwards information, in
  electronic form, to a 2nd insurance carrier for processing of the claim, makes
  the provider a covered entity.  The provider is waiting for 2nd insurance
  carrier to process the claim and receive payment.  Medicare is not the only
  insurance carrier that forwards claims to a 2nd insurance carrier; it was just
  the most common example I could think of at this time that most offices could
  relate to.  "ASCA does NOT say that all CE-providers submitting Medicare
  claims must do so electronically.  There are allowances for smaller providers,
  and there are many of those."  ASCA however does require an approved waiver
  from the Secretary of HHS to send paper claims.  I am patiently waiting for
  the waivers to be posted somewhere so I can get them out to my clients that
  want to continue submitting claims on paper.  I am sure that since the
  Secretary of HHS must approve them, he will get right on it.  Have I missed
  the application somewhere?  Since there is a deadline of months between date
  of service and when a claim is submitted in order to be paid, when and where I
  get the waiver approved is an issue.

  I made no reference to a claim being faxed to any insurance carrier in my
  earlier example.  Just as a side note, according to conversation I had with a
  regional head of OCR, fax to fax is not a covered transaction but fax to
  computer is a covered transaction.  The data is converted to electronic format
  by the receiver and/or same applies to a computer generated fax.  It is our
  understanding, the reason why, whether or not a computer is involved is an
  issue, is because of electronic theft, hacking, and recent theft of hard
  drives from institutions like Tricare in the Southwest where hundreds of
  thousands of military personnel and dependent personal information was stolen.

  I still believe that all physicians should consider themselves covered
  entities and operate in that manner.  With so many state legislatures and now
  case law approving HIPAA as "Standard of Care", (recent examples have been
  shared through Wedi Snip list serve), it makes business sense (cents) to be
  prepared.  I have clients that do electronic claims submission and they did
  not think they were a covered entity.  Boy did they have an eye opening
  experience.  Now consider how many physicians out there, who may or may not
  realize things they are doing are considered covered transactions.  That
  number scares me.  These doctors are not getting the right information nor do
  they believe it affects them.

  Thanks,
  Susan Bowes
  Professional Procedures & Control
  Practice Consulting Firm for the Small Practitioner
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your questi

NEW US Important Privacy Law Development

2003-02-07 Thread Christiansen, John (SEA)
On Tuesday I flagged a Canadian class action for privacy violation by theft
of hard drive and noted the same sort of incident had happened to TriWest in
the U.S. I thought the Canadian case was the first of these. Guess not.
Guess who else got sued?

Lawsuit accuses TriWest Healthcare of negligence
By Dennis Wagner
The Arizona Republic
Jan. 30, 2003

TriWest Healthcare Alliance has been hit with a class-action lawsuit for
negligence by customers whose identity information was stolen last month in
a heist of computer data from the Phoenix-based defense contractor.

The lawsuit was filed in the U.S. District Court for Arizona by Tucson
attorneys David Karnas and Gary Bellovin on behalf of Lt. Col. Michael
Stollenwerk and Andrea DeGatica, both of Virginia.
<>
See http://www.arizonarepublic.com/arizona/articles/0130triwest30.html

John R. Christiansen
Preston | Gates | Ellis LLP
PLEASE NOTE OUR NEW ADDRESS AND PHONE NUMBERS EFFECTIVE TUESDAY, JANUARY 21:
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]
Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be
accessible to unauthorized viewers, content may be modified or corrupted,
and headers or signatures may incorrectly identify the sender. If you wish
to confirm this message or the identity of the sender, please contact me
using a communications channel other than a "reply" to this e-mail. Secure
electronic messaging is available and recommended for confidential or
sensitive communications.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: Recording Disclosures (was BA Agreement Questions)

2003-02-07 Thread Price, Carolyn



IMHO, the audits are being performed on behalf of the State, under federal
guidelines, and the auditors are NOT business associates.  Their audits are on
behalf of the State and Federal governments (i.e. Medicaid), NOT on behalf of
the health plans, believe me. Sorry, but I respectfully disagree.

Carolyn Price

  -Original Message-
  From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
  Sent: Friday, February 07, 2003 1:33 PM
  To: WEDI SNIP Privacy Workgroup List
  Cc: 'Bill MacBain'; 'Judy.Griffith'
  Subject: RE: Recording Disclosures (was BA Agreement Questions)

  Traci,

  I tend to view (at least some of) the "audit" activities performed by the
  State as being conducted on behalf of the CE-Health Plans (e.g., Medicaid) as
  opposed to the CE-providers.  As such, those State-conducted "audit"
  activities are part of the Health Plan's "health care operations".
  Consequently, the State auditors would probably be construed as Business
  Associates of the Health Plan.

  How do others view this?

  I hope that this helps.

  Your questions are always welcome.

  Matt

  Matthew Rosenblum
  Chief Operations Officer
  Privacy, Quality Management & Regulatory Affairs

  CPI Directions, Inc.
  10 West 15th Street, Suite 1922
  New York, NY 10011

  (212) 675-6367
  [EMAIL PROTECTED]
   
  -Original Message-
  From: Traci.Jensen [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 06, 2003 11:15 AM
  To: WEDI SNIP Privacy Workgroup List
  Cc: 'Bill MacBain'; Judy.Griffith
  Subject: RE: Recording Disclosures (was BA Agreement Questions)

  I would like to introduce myself, as I am new to this listserv.  I am the
  HIPAA Privacy Project Manager for a health plan in Illinois.  Even though I am
  new to this listserv, several of your names are familiar from the HIPAAlive
  listserv.

  Noel, I want to be clear I understand your response.  Are you saying that it
  is your opinion that audits performed by a State agency or someone on their
  behalf falls under disclosing information for our own activities related to
  "Conducting or arranging for medical review, legal services, and auditing
  functions, including fraud and abuse detection and compliance programs"?

  I am not convinced that we could constitute audits being performed by a State
  agency as part of our own health care operation.  I believe this is something
  that we would have to track and provide an accounting for because it is
  "required by law" and the disclosures are made for "health oversight
  activities".

  Also, it is more than likely that the State agency requiring the audit is not
  a covered entity so the sharing PHI for "certain health care operations"
  wouldn't apply, and they would not be considered a business associate as they
  are not doing something on our behalf.

  However, I would like to be convinced that this would fall under our health
  care operations, because currently our system does not have a way to track
  disclosures made on multiple members, without manually documenting in each
  member record.

  I do agree in that I don't think by mentioning the possibility of a type of
  disclosure in your NPP a covered entity can relieve themselves of the
  obligations to track and account for such disclosures.

  I welcome everyone's opinion.

  Traci Jensen
  Compliance Programs Manager/HIPAA Project Manager
  Health Alliance Medical Plans, Inc.

  -Original Message-
  From: Noel Chang [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, February 05, 2003 8:37 AM
  To: WEDI SNIP Privacy Workgroup List
  Subject: Re: Recording Disclosures (was BA Agreement Questions)

  Under the definition of "health care operations", found in section 164.501,
  item (4) of that definition includes, "Conducting or arranging for medical
  review, legal services, and auditing functions, including fraud and abuse
  detection and compliance programs".

  I would take this to mean that the audit is part of

RE: authorizations clarification

2003-02-07 Thread Matthew Rosenblum









Traci,

To which NYS State regulation are you referring that requires such an
authorization?  Please advise?

Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com

CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011

(212) 675-6367
[EMAIL PROTECTED]

 


 



-Original Message-
From: Traci Winter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 1:21 PM
To: WEDI SNIP Privacy Workgroup List
Subject: authorizations clarification

Want some opinions on this issue.

NY requires an authorization for release of information for treatment/payment
purposes. It is included as a bundled portion of our admission packet. Since
this authorization is required by state law is it ok for it to remain bundled
and to have a separate authorization for use when HIPAA applies
to the disclosure/request for information?

Thanks to all,

Traci Winter
Hospitals Home Health Care, Inc.





 









RE: Recording Disclosures (was BA Agreement Questions)

2003-02-07 Thread Matthew Rosenblum









Traci,

I tend to view (at least some of) the “audit” activities performed by the
State as being conducted on behalf of the CE-Health Plans (e.g., Medicaid) as
opposed to the CE-providers.  As such, those State-conducted “audit”
activities are part of the Health Plan’s “health care operations”.
Consequently, the State auditors would probably be construed as Business
Associates of the Health Plan.

How do others view this?

I hope that this helps.

Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011

(212) 675-6367
[EMAIL PROTECTED]

 


 



-Original Message-
From: Traci.Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003 11:15 AM
To: WEDI SNIP Privacy Workgroup List
Cc: 'Bill MacBain'; Judy.Griffith
Subject: RE: Recording Disclosures (was BA Agreement Questions)

 

I would like to introduce myself, as I am new to this
listserv.  I am the HIPAA Privacy Project Manager for a health plan in
Illinois.  Even though I am new to this listserv, several of your names
are familiar from the HIPAAlive listserv.

Noel, I want to be clear I understand your
response.  Are you saying that it is your opinion that audits performed by
a State agency or someone on their behalf falls under disclosing information
for our own activities related to "Conducting or arranging for medical
review, legal services, and auditing functions, including fraud and abuse
detection and compliance programs"?  

I am not convinced that we could constitute audits
being performed by a State agency as part of our own health care
operation.  I believe this is something that we would have to track and
provide an accounting for because it is "required by law" and the
disclosures are made for "health oversight activities".

Also, it is more than likely that the State agency
requiring the audit is not a covered entity so the sharing PHI for
"certain health care operations" wouldn't apply, and they would not
be considered a business associate as they are not doing something on our
behalf. 

However, I would like to be convinced that this would
fall under our health care operations, because currently our system does not
have a way to track disclosures made on multiple members, without manually
documenting in each member record.

I do agree in that I don't think by mentioning the
possibility of a type of disclosure in your NPP a covered entity can relieve
themselves of the obligations to track and account for such disclosures.

I welcome everyone's opinion. 

Traci Jensen
Compliance Programs Manager/HIPAA Project Manager
Health Alliance Medical Plans, Inc.


 

-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 8:37 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Recording Disclosures (was BA Agreement Questions)

Under the definition of "health care operations", found in section 164.501,
item (4) of that definition includes, "Conducting or arranging for medical
review, legal services, and auditing functions, including fraud and abuse
detection and compliance programs".

I would take this to mean that the audit is part of TPO, and therefore not a
disclosure that needs to be accounted for.

As a footnote, I'm not sure I agree with your implication that by mentioning
the possibility of a type of disclosure in your NPP you can relieve yourself
of the obligations to account for such disclosures.  The disclosures that
should and should not be accounted for are enumerated clearly in section
164.528(a)(1).  I am not aware of any relief from these requirements through
your NPP.

Noel Chang 

-- 
Open WebMail Project (http://openwebmail.org)


 

-- Original Message ---
From: "Jim Moores" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Wed, 05 Feb 2003 08:11:02 -0500
Subject: Recording Disclosures (was BA Agreement Questions)

> Hi All, 
> 
>   I agree with

Research Scenario

2003-02-07 Thread Chris Graff



This is a tough one.

I am currently consulting for a public health department and I am looking for
advice on this particular scenario.

An IRB, we'll say IRB1, granted research rights to a program within our
department.  She, being the researcher, has ongoing research that is being
performed on the demographics of certain deceased subjects.  The research
involves interviews with the families, of which she is very close to.

Another IRB, we'll say IRB2, is asking her to promote research for another
study to persons that she has already contacted or will contact in the future
under her current research.  IRB2 is from a separate covered entity of which
we have no business associate agreement with.

The researcher feels uncomfortable giving out the names and addresses to IRB2,
but she is willing to contact the individuals, or their families, involved in
the research personally, either face-to-face or over the phone.

Now for the question, if she lets these individuals know about this other
research opportunity personally, by maybe dropping off information in regards
to the research itself, is she violating any type of marketing rules as
dictated by the privacy rule?  Or, is this a violation of the use of research,
even though the public health department will in no way receive remuneration
in regards to this act she will perform?

My personal opinion is that she in no way will violate HIPAA regulation,
however, I will also have to review state law to ensure that she is not
violating any "informed consent" issues.  Do any of you have an opinion?

Thank you,

Chris Graff
Project Manager
Omni Resources
 
 




Re: Are commercial insurance clearinghouses considered a BA?

2003-02-07 Thread William J. Kammerer
Who is doing what for whom?  If Aetna were serving as a Third Party
Administrator for some Health Plan, then it would be a business
associate of that plan.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

- Original Message -
From: <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Friday, 07 February, 2003 11:50 AM
Subject: Are commercial insurance clearinghouses considered a BA?



Are Commercial insurance clearinghouses, like Aetna, etc., considered
Business associates? My understanding was that they were not but I just
wanted to be sure...

Thanks.

Jill Rubin, Esq.
[EMAIL PROTECTED]





Discarded computer had confidential medical information

2003-02-07 Thread Miller, Bobby
Discarded computer had confidential medical information 

http://www.nola.com/newsflash/topstory/index.ssf?/newsflash/get_story.ssf?/cgi-free/getstory_ssf.cgi?a0741_BC_ComputerSecurity&&news&newsflash-topstory

By CHARLES WOLFE
The Associated Press
2/6/03 5:34 PM

FRANKFORT, Ky. (AP) -- A state computer put up for sale as surplus 
contained confidential files naming thousands of people with AIDS and 
other sexually transmitted diseases, the state auditor said Thursday. 

"This is significant data. It's a lot of information with lots of 
names and things like (the numbers of) sexual partners of those who 
are diagnosed with AIDS," Auditor Ed Hatchett said. "It's a terrible 
security breach." 

The computer, which had been awaiting sale at the state's 
surplus-property office, never left state custody, Hatchett said. 

It was one of eight computers the auditor's office had randomly 
selected from a consignment that was being offered to state agencies 
and nonprofit groups. Hatchett's office, which routinely conducts such 
checks, paid $25 each for the computers, which would have been offered 
to the public if they had gone unsold. 

Health Services Secretary Marcia Morgan said the computer, used from 
1995 to 1999, came from an agency she oversees involved with 
counseling on sexually transmitted diseases and HIV, the virus that 
causes AIDS. 

Morgan said the computer's hard drive was thought to have been wiped 
clean when it was shipped off for sale late last year. She has ordered 
an internal investigation into the breach. 

B.J. Bellamy, the auditor's chief information officer, said the hard 
drive appeared to contain several thousand individual files. Sex 
partners of the individuals are counted but not named, he said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn'
in the BODY of the mail.




Are commercial insurance clearinghouses considered a BA?

2003-02-07 Thread JillGWlaw

Are Commercial insurance clearinghouses, like Aetna, etc., considered Business associates? My understanding was that they were not but I just wanted to be sure...

Thanks.

Jill Rubin, Esq.
[EMAIL PROTECTED]




Re: Email communications

2003-02-07 Thread Sean Steele
Mike,

I think we're all agreed that the legal risks are not entirely known, nor 
the standard HHS will use to determine "reasonableness". You have zeroed 
in on the key salient point: oversight. You can't reasonably do it, and 
your users won't regulate their own activity without assistance.

We've seen hundreds of CEs in your position, and the switching cost is 
the real problem. Going from workstation-installed encryption with no 
PHI filter to server-based encryption with a PHI filter -- if it comes 
down to having to make that migration -- is incredibly expensive. Even 
with a workstation-based system, messages will be unavailable to the 
rest of your infrastructure (archiving, anti-virus, anti-spam) in a 
"clear text" format.

I hope this helps.

--
Sean Steele
National Account Manager, Tovaris
[EMAIL PROTECTED]
v 202.270.8672

Michael O'Gorman wrote:

This may have been addressed and I missed it.  As a health plan/TPA:

Would this solution cover our legal risk for HIPAA:

An email encryption software that we install on each computer that the 
users HAVE to choose to encrypt when they feel necessary.  If we give 
them the software solution, but they choose not to encrypt or they 
forget to encrypt and PHI still goes out unsecure, and there is no 
"smart server" in the background watching for PHI content to remedy when 
the users neglect to encrypt, are we compliant?  Have we taken 
reasonable measures?

OR

Do we have to have a server that watches email content in addition to 
allowing the users to choose to encrypt, and when it sees PHI, it 
encrypts for them making their oversight a non-issue.

Thanks

Mike O'Gorman
HPS Paradigm
912-350-6710



