Re: Self insured health plans NPP

2003-03-13 Thread David Blasi
Without going into a lot of discussion about the difference between the
plan sponsor and plan administrator activities, the plan administrator
is responsible for this.  If you are also the plan administrator, than
you have both responsibilities.   Your SPD should state who is the plan
administrator for easy reference.  

 [EMAIL PROTECTED] 03/13/03 07:40AM 
We are an acute care hospital providing health insurance to our
employees
as a self-insured plan.  As the plan sponsor we are required to amend
our
group health plan document to comply with HIPAA.  Are we also
responsible
for drafting and providing to our employees a Notice of Privacy
Practice,
or is that the responsibility of the health plan?

Bonnie R Millman
Privacy Coordinator
Bayhealth Medical Center
640 South State Street
Dover, Delaware  19901

302-744-6728



__
CONFIDENTIALITY NOTICE:  The information contained in this e-mail
message
and any attachment(s) is intended only for
 the confidential use of the intended recipient(s) named above.  This
e-mail message and any attachment(s) may contain
confidential health information or other confidential information that
is
legally privileged and exempt from disclosure under
applicable law.  If the reader of this e-mail message is not the
intended
recipient or the employee agent responsible for
 delivering it to the intended recipient, you should be aware that any
dissemination, distribution, copying or action taken in
 reliance on the content of this e-mail message or any attachment(s)
is
strictly prohibited.  If this e-mail has been received
 in error, please notify us immediately via e-mail at
[EMAIL PROTECTED] and delete or otherwise destroy the
original message, any attachment(s) and copies.  Thank you for your
cooperation.


---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org 



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


Pharmacy and NPP

2003-03-13 Thread Ken Kupetsky
We issue prescriptions to our employees and their families at the hospital pharmacy. 
Do we need to list the pharmacy as a separate entity in our NPP or not? There seems to 
be debate on how they should be categorized.



Ken Kupetsky
CIO/Chief Privacy Officer
Burke Rehabilitation Hospital
Office - 914-597-2202



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


RE: Pharmacy and NPP

2003-03-13 Thread Bentz-Miller, Judith
Ken,
I think you need to analyze how the pharmacy is legally set up at your
hospital.  We also have a pharmacy on-site, and while we treat it as any
other department internally, it legally is a separate company.  We
documented an Affiliated Covered Entity (ACE) between the two and listed
this in our NPP (along with two other companies.)  

Hope this helps
Judith

Judith Bentz-Miller
Privacy Officer
Arnett Clinic
765-448-8843


  

-Original Message-
From: Ken Kupetsky [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 8:33 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Pharmacy and NPP


We issue prescriptions to our employees and their families at the hospital
pharmacy. Do we need to list the pharmacy as a separate entity in our NPP or
not? There seems to be debate on how they should be categorized.



Ken Kupetsky
CIO/Chief Privacy Officer
Burke Rehabilitation Hospital
Office - 914-597-2202



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


Re: Facility Directory

2003-03-13 Thread Doug Webb



Donald,
I agree with your opinion that you don't have to ask, but a 
check-off line in the sign-in form would be nice. It would also document 
that the option had indeed been offered, and since, in this game, documentation 
is everything, that would be a Good Thing.

The opinions expressed here are my own and not necessarily the opinion of 
LCMH.

Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital  Health Care Centers[EMAIL PROTECTED]

"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s) named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately, 
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."



  - Original Message - 
  From: 
  Ribelin, Donald 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 13, 2003 06:41 
  AM
  Subject: RE: Facility Directory
  
  
  As I 
  read it, there is no requirement to ask, just to inform and this is done via 
  your Notice of Privacy Practice. 
  Should the patient ask for clarification you would be obliged to assist 
  them in understanding their rights but I do not think you have to ask the 
  patient if they want to opt out.
  
  Donald L. Ribelin
  HIPAA Project Manager
  Firsthealth of the 
  Carolinas
  (910) 215-2668
  [EMAIL PROTECTED]
  
  -Original 
  Message-From: Cindy 
  Stroud [mailto:[EMAIL PROTECTED]Sent: Wednesday, March 12, 2003 7:54 
  PMTo: WEDI SNIP Privacy 
  Workgroup ListSubject: 
  Facility Directory
  
  For 
  some reason I have been under the assumption that when a patient registers we, 
  an acute care hospital, need to explain the right to opt-out of the facility 
  directory. Is this something we need to explain verbally or is the fact 
  thatexplanation in the NPP is sufficient? I really appreciate any 
  feedback
  Cindy
  ---The WEDI 
  SNIP listserv to which you are subscribed is not moderated. The discussions on 
  this listserv therefore represent the views of the individual participants, 
  and do not necessarily represent the views of the WEDI Board of Directors nor 
  WEDI SNIP. If you wish to receive an official opinion, post your question to 
  the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These 
  listservs should not be used for commercial marketing purposes or discussion 
  of specific vendor products and services. They also are not intended to be 
  used as a forum for personal disagreements or unprofessional communication at 
  any time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the 

RE: Facility Directory

2003-03-13 Thread Ribelin, Donald
Doug, while I agree it would be nice; I tend to doubt this will be the
common practice.  Asking every admission if they want to opt-out of the
facility directory would be costly.  We (providers) are already concerned
about the costs (in time and money) we will incur secondary to the
distribution of and documentation of receipt of our NPP's.  This process
will also require that we obtain a written aknowledgement of receipt of the
NPP.  If we add an addtional process, even one that seems to require only a
couple minutes of the registration staff's time, the impact will be out of
proportion to the value.  This is especially true when said process is not
required (at least I hope my interpretation of this is correct).   

Donald

 -Original Message-
 From: Doug Webb [SMTP:[EMAIL PROTECTED]
 Sent: Thursday, March 13, 2003 9:18 AM
 To:   Ribelin, Donald; WEDI SNIP Privacy Workgroup List
 Subject:  Re: Facility Directory
 
 Donald,
 I agree with your opinion that you don't have to ask, but a check-off line
 in the sign-in form would be nice.  It would also document that the option
 had indeed been offered, and since, in this game, documentation is
 everything, that would be a Good Thing.
  
 The opinions expressed here are my own and not necessarily the opinion of
 LCMH.
  
 Douglas M. Webb
 Computer System Engineer
 Little Company of Mary Hospital  Health Care Centers
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  
 This electronic message may contain information that is confidential
 and/or legally privileged. It is intended only for the use of the
 individual(s) and entity(s)  named as recipients in the message. If you
 are not an intended recipient of the message, please notify the sender
 immediately,  delete the material from any computer, do not deliver,
 distribute, or copy this message, and do not disclose its contents or take
 action in reliance on the information it contains. Thank you.
  
 
  
   - Original Message - 
   From: Ribelin, Donald mailto:[EMAIL PROTECTED] 
   To: WEDI SNIP Privacy Workgroup List
 mailto:[EMAIL PROTECTED] 
   Sent: Thursday, March 13, 2003 06:41 AM
   Subject: RE: Facility Directory
 
   As I read it, there is no requirement to ask, just to inform and
 this is done via your Notice of Privacy Practice.  Should the patient ask
 for clarification you would be obliged to assist them in understanding
 their rights but I do not think you have to ask the patient if they want
 to opt out.

   Donald L. Ribelin
   HIPAA Project Manager
   Firsthealth of the Carolinas
   (910) 215-2668
   [EMAIL PROTECTED]

   -Original Message-
   From: Cindy Stroud [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, March 12, 2003 7:54 PM
   To: WEDI SNIP Privacy Workgroup List
   Subject: Facility Directory

   For some reason I have been under the assumption that when a patient
 registers we, an acute care hospital, need to explain the right to opt-out
 of the facility directory. Is this something we need to explain verbally
 or is the fact that explanation in the NPP is sufficient? I really
 appreciate any feedback
   Cindy
   ---
   The WEDI SNIP listserv to which you are subscribed is not moderated.
 The discussions on this listserv therefore represent the views of the
 individual participants, and do not necessarily represent the views of the
 WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
 opinion, post your question to the WEDI SNIP Issues Database at
 http://snip.wedi.org/tracking/. These listservs should not be used for
 commercial marketing purposes or discussion of specific vendor products
 and services. They also are not intended to be used as a forum for
 personal disagreements or unprofessional communication at any time.
   
   You are currently subscribed to wedi-privacy as:
 [EMAIL PROTECTED]
   To unsubscribe from this list, go to the Subscribe/Unsubscribe form
 at http://subscribe.wedi.org or send a blank email to
 [EMAIL PROTECTED]
   If you need to unsubscribe but your current email address is not the
 same as the address subscribed to the list, please use the
 Subscribe/Unsubscribe form at http://subscribe.wedi.org 
   ---
   The WEDI SNIP listserv to which you are subscribed is not moderated.
 The discussions on this listserv therefore represent the views of the
 individual participants, and do not necessarily represent the views of the
 WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
 opinion, post your question to the WEDI SNIP Issues Database at
 http://snip.wedi.org/tracking/. These listservs should not be used for
 commercial marketing purposes or discussion of specific vendor products
 and services. They also are not intended to be used as a forum for
 personal disagreements or unprofessional communication at any time.
   
   You are currently subscribed to 

policy dev for clearinghouse

2003-03-13 Thread rachelmcass
Another clearinghouse question

164.506 (c)(4) states that (paraphrased):

'A covered entity may disclose protected health information to another
covered entity for health care operations of the entity that receives the
information, if both covered entities has or had a relationship with the
individual who is the subject of the protected health information being
requested, the protected health information pertains to such relationship,
and the disclosure is for quality related healthcare operations or for the
purpose of healthcare fraud and abuse detection or compliance.'

My question is as follows:

For this purpose, would a health care clearinghouse be considered to have a
relationship with the individual who is the subject of the protected
health information?  For instance, in developing policies and procedures for
a clearinghouse, would one interpret this provision to permit the
clearinghouse to disclose information it has on an individual to other
covered entities (who have a relationship with the individual) for the
reasons listed?

I ask this question for the purpose of policy development.  Its obvious to
me that the clearinghouse would be permitted to exchange information with
the entity from which it originally received the information, but what about
other covered entities?  (Covered Provider A gives the information to the
clearinghouse; if Covered Provider B or Insurance C has a relationship with
the individual, would the clearinghouse disclose the individual's
information to Covered Provider B or Insurance C for the reasons listed in
this reference?)

Is this even a concern, or a possibility that this situation would arise?

Thanks,

Rachel M.
[EMAIL PROTECTED]

IMPORTANT NOTICE: This e-mail, including attachments, may be confidential or
privileged communication intended for the exclusive use of the person or
entity to which it is addressed.  If the reader of this e-mail is not the
intended recipient, the reader is hereby notified that any dissemination,
distribution or copying of this e-mail is strictly prohibited.  If you think
that you have received this e-mail in error, please advise the sender by
reply e-mail of the error and then delete this e-mail immediately.


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


Disclosure records vs. record retention

2003-03-13 Thread Gerry Friberg
We are a covered entity as a clearinghouse.  We are also a business
associate to medical providers.

The rules require keeping records of disclosures outside of TPO for six
years.  At termination of business associate agreement the rules require
return or destruction of all PHI if feasible.  How can we give an accounting
of disclosures if we destroy all PHI?


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


RE: Facility Directory

2003-03-13 Thread Rupe, Cindy



"164.510 - Uses and disclusres requiring an opportunity 
for the indiviudal to agree or to object " . The citation even says that 
"the entity may orally inform the individual ofand obtain 
the individual's oral agreement or objection to a use or disclusire permitted by 
this section". In the Preamble it states three conditions under which a 
patient can be listed in the directory, 1. the NPP is given; 2. they give the 
patient a meaningful opportunity to opt out of the directory or to 
restrictall or some of the uses and disclosures in the directory; 3. pt. 
does not object to being in the directory. (this is on page 82521of the 
Dec 28, 2000 Fed Reg) Seems to me (IMHO)that this is part of the 
dialog registration will have to have with the patient, not just the patient 
reading the NPP. Thanks Cindy


Cindy Rupe, RHIA, CPHQ HIPAA Coord/Consultant 406-247-7161 [EMAIL PROTECTED] 
HIPAA Ready, HIPAA 
Compliant, and HIPAA Aware 

  -Original Message-From: KERBER, JEFF 
  [mailto:[EMAIL PROTECTED]Sent: Thursday, March 13, 2003 7:59 
  AMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: 
  Facility Directory
  In 
  reading the other responses to this, I'm shocked admissions isn't already 
  doing this in most facilities. In the many discussions I have had with other 
  hospitals the question on this has never been do we have to even tell them of 
  the option. The question has always been how will this change what we ask (ie, 
  clergy). Most hospitals do this as part of JCAHO standards R.1.3.1, 
  R.1.3.2, R.1.3.1, R.1.3.6.1and R.1.3.6.1.1
  
  That 
  said... while you aren't required to tell them when they are admitted. 
  Shouldn't you? Think about it. How many patients are going to sit and read 
  your 3-8 page NPP and let you know they want to opt-out of the directory? This 
  is a question of doing the right thing.
  
-Original Message-From: Cindy Stroud 
[mailto:[EMAIL PROTECTED]Sent: Wednesday, March 12, 2003 
6:54 PMTo: WEDI SNIP Privacy Workgroup ListSubject: 
Facility Directory
For some reason I have been under the 
assumption that when a patient registers we, an acute care hospital, need to 
explain the right to opt-out of the facility directory. Is this something we 
need to explain verbally or is the fact thatexplanation in the NPP is 
sufficient? I really appreciate any feedback
Cindy---The WEDI SNIP listserv 
to which you are subscribed is not moderated. The discussions on this 
listserv therefore represent the views of the individual participants, and 
do not necessarily represent the views of the WEDI Board of Directors nor 
WEDI SNIP. If you wish to receive an official opinion, post your question to 
the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These 
listservs should not be used for commercial marketing purposes or discussion 
of specific vendor products and services. They also are not intended to be 
used as a forum for personal disagreements or unprofessional communication 
at any time.You are currently subscribed to wedi-privacy as: 
[EMAIL PROTECTED]To unsubscribe from this list, go to the 
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
email to [EMAIL PROTECTED]If you need to 
unsubscribe but your current email address is not the same as the address 
subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org ---The WEDI SNIP listserv to which 
  you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should 
  not be used for commercial marketing purposes or discussion of specific vendor 
  products and services. They also are not intended to be used as a forum for 
  personal disagreements or unprofessional communication at any time.You 
  are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To 
  unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  
  "This electronic message may contain information 
  that is confidential and/or legally privileged. It is intended only for the 
  use of the individual(s) and entity named as recipients in the message. If you 
  are not an intended recipient of the message, please notify the sender 
  immediately and delete the material from any computer. Do not deliver, 
  distribute, or copy this message, and do not disclose its contents or take 
 

Security Requirements

2003-03-13 Thread Daryn Thompson








In the final security document, you have standards. Some standards have implementation
specifications and others do not. On the
standards that do have them, they are REQUIRED or ADDRESSABLE. On the ones that do not have specifications,
are they Required?



Daryn Thompson 

Network/I.S. Coordinator

(801) 468-2123






---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org






Clergy?

2003-03-13 Thread JillGWlaw
I understand that you do have to ask a patient if they wish to have the clergy receive 
their names in the directory; however, does the same requirement apply if the clergy 
member is a member of the covered entity's workforce, like a chaplain of a hospital?

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


Re: Self insured health plans NPP

2003-03-13 Thread John J. D'Amato
Hi, David and Bonnie.

It's important to keep two terms distinct:  plan administration functions
(which is a Privacy Rule term) and plan administrator (which is an ERISA
term).

The plan administrator (which, under ERISA, is the plan sponsor unless the
plan document says otherwise) has certain reporting and disclosure functions
assigned to it by ERISA.  The plan administrator may also be (but need not
be) the named fiduciary for purposes of the claims adjudication procedures
that a group health plan is required to have under ERISA.

Plan administration functions is a poorly defined term in the Privacy
Rule.  What it appears to signify is performing those functions that make a
plan a covered entity--i.e., doing things that require working with PHI.

Is the ERISA plan administrator necessarily a person who perform plan
administration functions?

No.  So long as the ERISA plan administrator is not also the named fiduciary
for purposes of claims administration, it does not necessarily perform plan
administration functions on account of the jobs assigned to it by ERISA.
That is because the jobs assigned to it under ERISA may be performed on the
basis of summary health information received and used for plan design
purposes (permitted under the Privacy Rule) or eligibility and enrollment
information (also permitted under the Privacy Rule).

An ERISA plan administrator will perform plan administration functions,
however, where it is also the named fiduciary for claims adjudication
purposes, i.e., the person who has to receive all the PHI relevant to making
claims decisions.

In addition, where a plan is self-insured, the plan sponsor will ALWAYS be
assigned the full gamut of responsibilities under the Privacy Rule, without
regard to whether the plan sponsor contracts those functions out to a third
party.

Thus, for example, if you are a self-insured plan and you contract out
EVERYTHING to a third party administrator (TPA), you are not spared ANY of
the requirements of the Privacy Rule.  You must still prepare and distribute
an NPP to your participants and satisfy all of the Privacy Rule's
administrative requirements.

In the case of the self-insured group health plan maintained by your
hospital for its employees, all of the provisions of the Privacy Rule will
apply.

 However, your hospital and the group health plan may (and probably do) have
different compliance dates.  The compliance date for health care providers
is the first date of service after April 14, 2003.  The compliance date for
health plans (including group health plans) is April 14, 2003 for large
plans and April 14, 2004 for small plans.  A large plan is one that has
receipts (i.e., pays premiums in the case of an insured plan or provides
benefits in the case of a self-insured plan) of $5,000,000 or more annually.
A small plan is one that has annual receipts of less than $5,000,000.

Hope this helps.

John D'Amato
redHIPAA.com (coming soon)

- Original Message -
From: David Blasi [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 3:51 AM
Subject: Re: Self insured health plans  NPP


 Without going into a lot of discussion about the difference between the
 plan sponsor and plan administrator activities, the plan administrator
 is responsible for this.  If you are also the plan administrator, than
 you have both responsibilities.   Your SPD should state who is the plan
 administrator for easy reference.

  [EMAIL PROTECTED] 03/13/03 07:40AM 
 We are an acute care hospital providing health insurance to our
 employees
 as a self-insured plan.  As the plan sponsor we are required to amend
 our
 group health plan document to comply with HIPAA.  Are we also
 responsible
 for drafting and providing to our employees a Notice of Privacy
 Practice,
 or is that the responsibility of the health plan?

 Bonnie R Millman
 Privacy Coordinator
 Bayhealth Medical Center
 640 South State Street
 Dover, Delaware  19901

 302-744-6728



 __
 CONFIDENTIALITY NOTICE:  The information contained in this e-mail
 message
 and any attachment(s) is intended only for
  the confidential use of the intended recipient(s) named above.  This
 e-mail message and any attachment(s) may contain
 confidential health information or other confidential information that
 is
 legally privileged and exempt from disclosure under
 applicable law.  If the reader of this e-mail message is not the
 intended
 recipient or the employee agent responsible for
  delivering it to the intended recipient, you should be aware that any
 dissemination, distribution, copying or action taken in
  reliance on the content of this e-mail message or any attachment(s)
 is
 strictly prohibited.  If this e-mail has been received
  in error, please notify us immediately via e-mail at
 [EMAIL PROTECTED] and delete or otherwise destroy the
 original message, any attachment(s) and copies.  

RE: Security Requirements

2003-03-13 Thread Christiansen, John (SEA)



Not 
that knowing that is much help in figuring out what you need to do . . 
.

John R. Christiansen Preston | Gates | 
Ellis LLP 925 
Fourth Avenue, Suite 2900 Seattle, Washington 
98104 (Direct: 206.370.8118 (Cell: 
206.683.9125 * [EMAIL PROTECTED] Notice: Internet e-mail is inherently insecure. Unencrypted e-mail 
may be accessible to unauthorized viewers, content may be modified or corrupted, 
and headers or signatures may incorrectly identify the sender. If you wish to 
confirm this message or the identity of the sender, please contact me using a 
communications channel other than a "reply" to this e-mail. Secure electronic messaging is 
available and recommended for confidential or sensitive 
communications.

  -Original Message-From: KERBER, JEFF 
  [mailto:[EMAIL PROTECTED]Sent: Thursday, March 13, 2003 10:32 
  AMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: 
  Security Requirements
  Yes, 
  that's exactly how to read that.
  
-Original Message-From: Daryn Thompson 
[mailto:[EMAIL PROTECTED]Sent: Thursday, March 13, 2003 
12:18 PMTo: WEDI SNIP Privacy Workgroup ListSubject: 
Security Requirements

In the final security document, 
you have standards. Some 
standards have implementation specifications and others do not. On the standards that do have them, 
they are REQUIRED or ADDRESSABLE. 
On the ones that do not have specifications, are they 
Required?

Daryn 
Thompson 

Network/I.S. 
Coordinator
(801) 
468-2123
---The 
WEDI SNIP listserv to which you are subscribed is not moderated. The 
discussions on this listserv therefore represent the views of the individual 
participants, and do not necessarily represent the views of the WEDI Board 
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post 
your question to the WEDI SNIP Issues Database at 
http://snip.wedi.org/tracking/. These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and 
services. They also are not intended to be used as a forum for personal 
disagreements or unprofessional communication at any time.You are 
currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe 
from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]If you need to unsubscribe 
but your current email address is not the same as the address subscribed to 
the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org ---The WEDI SNIP listserv to which 
  you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should 
  not be used for commercial marketing purposes or discussion of specific vendor 
  products and services. They also are not intended to be used as a forum for 
  personal disagreements or unprofessional communication at any time.You 
  are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To 
  unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  
  "This electronic message may contain information 
  that is confidential and/or legally privileged. It is intended only for the 
  use of the individual(s) and entity named as recipients in the message. If you 
  are not an intended recipient of the message, please notify the sender 
  immediately and delete the material from any computer. Do not deliver, 
  distribute, or copy this message, and do not disclose its contents or take 
  action in reliance on the information it contains. Thank 
you."
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 

Filing deadline for complaints

2003-03-13 Thread Diana DeWeese
Regarding complaints filed with the Secretary of DHHS, the Privacy Rule states in 
160.306 (b)(3) that a complaint must be filed within 180 days of when the complainant 
knew or should have known.

Can a covered entity specify a shorter time frame for an individual filing a complaint 
with the covered entity - such as - within 30 days?




Diana DeWeese
Illinois Dept of Human Services
[EMAIL PROTECTED]
217-557-9103


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


A tricky BA Questions

2003-03-13 Thread Vikas Budhiraja
I have been encountered with a tricky BA question and hope someone can
provide some insight.

Insurance companies engage certain agencies to audit provider records to
verify if what the hospital billed was correct and if the insurance company
has overpaid. Since these audit agencies are engaged by the Insurance
Companies they will be the BA of the Insurance companies. However, they are
going to a provider facility to verify the records, My questions are:
1. Are they allowed to do this under the HIPAA law? If yes, what type of
relationship will they have with the provider?
2. If a payer engages an agency to audit provider records does the payer
become the BA of the provider?

Regards,
Vikas



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


Re: Security Requirements

2003-03-13 Thread Doug Webb



Daryn,
Yes.

The opinions expressed here are my own and not necessarily the opinion of 
LCMH.

Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital  Health Care Centers[EMAIL PROTECTED]

"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s) named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately, 
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."



  - Original Message - 
  From: 
  Daryn 
  Thompson 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 13, 2003 12:18 
  PM
  Subject: Security Requirements
  
  
  In the final security document, 
  you have standards. Some 
  standards have implementation specifications and others do not. On the standards that do have them, 
  they are REQUIRED or ADDRESSABLE. 
  On the ones that do not have specifications, are they 
  Required?
  
  Daryn 
  Thompson 
  
  Network/I.S. 
  Coordinator
  (801) 
  468-2123
  ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




Re: Self insured health plans NPP

2003-03-13 Thread Sue Ryan
John,

In your explanation, you state that if you are a self-insured plan and you
contract out EVERYTHING to a third party administrator (TPA), you are not
spared ANY of the requirements of the Privacy Rule.  You must still prepare
and distribute  an NPP to your participants and satisfy all of the Privacy
Rule's
administrative requirements.

Does this apply if you have contracted out your HR function to a PEO
(Professional Employer Organ.) that includes the administratio of the
benefit plans (health  dental) and the PEO is identified as the plan
sponsor / administrator of the group health/dental plans?  Can the PEO
develop and distribute the NPP to the participants (employees)?   Thank you,
Sue

Confidentiality Notice: This email message, includng any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information.  Any unauthorized review, use, disclosure or
distribution is prohibited.  If you are not the intended recipient, please
contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of the
original message.

Sue Ryan, RN, MPS
Consultant
Hazen Group, Inc.
Phone: (315) 468-2603
Fax: (315) 487-0153
- Original Message -
From: John J. D'Amato [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 1:48 PM
Subject: Re: Self insured health plans  NPP


 Hi, David and Bonnie.

 It's important to keep two terms distinct:  plan administration
functions
 (which is a Privacy Rule term) and plan administrator (which is an ERISA
 term).

 The plan administrator (which, under ERISA, is the plan sponsor unless the
 plan document says otherwise) has certain reporting and disclosure
functions
 assigned to it by ERISA.  The plan administrator may also be (but need not
 be) the named fiduciary for purposes of the claims adjudication procedures
 that a group health plan is required to have under ERISA.

 Plan administration functions is a poorly defined term in the Privacy
 Rule.  What it appears to signify is performing those functions that make
a
 plan a covered entity--i.e., doing things that require working with PHI.

 Is the ERISA plan administrator necessarily a person who perform plan
 administration functions?

 No.  So long as the ERISA plan administrator is not also the named
fiduciary
 for purposes of claims administration, it does not necessarily perform
plan
 administration functions on account of the jobs assigned to it by ERISA.
 That is because the jobs assigned to it under ERISA may be performed on
the
 basis of summary health information received and used for plan design
 purposes (permitted under the Privacy Rule) or eligibility and enrollment
 information (also permitted under the Privacy Rule).

 An ERISA plan administrator will perform plan administration functions,
 however, where it is also the named fiduciary for claims adjudication
 purposes, i.e., the person who has to receive all the PHI relevant to
making
 claims decisions.

 In addition, where a plan is self-insured, the plan sponsor will ALWAYS be
 assigned the full gamut of responsibilities under the Privacy Rule,
without
 regard to whether the plan sponsor contracts those functions out to a
third
 party.

 Thus, for example, if you are a self-insured plan and you contract out
 EVERYTHING to a third party administrator (TPA), you are not spared ANY
of
 the requirements of the Privacy Rule.  You must still prepare and
distribute
 an NPP to your participants and satisfy all of the Privacy Rule's
 administrative requirements.

 In the case of the self-insured group health plan maintained by your
 hospital for its employees, all of the provisions of the Privacy Rule will
 apply.

  However, your hospital and the group health plan may (and probably do)
have
 different compliance dates.  The compliance date for health care providers
 is the first date of service after April 14, 2003.  The compliance date
for
 health plans (including group health plans) is April 14, 2003 for large
 plans and April 14, 2004 for small plans.  A large plan is one that has
 receipts (i.e., pays premiums in the case of an insured plan or provides
 benefits in the case of a self-insured plan) of $5,000,000 or more
annually.
 A small plan is one that has annual receipts of less than $5,000,000.

 Hope this helps.

 John D'Amato
 redHIPAA.com (coming soon)

 - Original Message -
 From: David Blasi [EMAIL PROTECTED]
 To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
 Sent: Thursday, March 13, 2003 3:51 AM
 Subject: Re: Self insured health plans  NPP


  Without going into a lot of discussion about the difference between the
  plan sponsor and plan administrator activities, the plan administrator
  is responsible for this.  If you are also the plan administrator, than
  you have both responsibilities.   Your SPD should state who is the plan
  administrator for easy reference.
 
   [EMAIL PROTECTED] 03/13/03 07:40AM 
  We are an acute care 

PRIVACY: BA Agreements

2003-03-13 Thread Deborah Campbell
Title: PRIVACY: BA Agreements





I have drafted a BA Addendum and a BA Agreement. We will use the addendum with anyone we have a contract with. However, there are certain entities that do fee-for-service for us and do not have contracts (printing companies, lawyers, temp agencies, etc.) For these entities we will use the BA Agreement. I'm trying to make the language vague enough to work for all BA's so that as little tweaking has to be done for individual entities. But I'm having trouble with this, since we have to list the permitted and required uses and disclosures. The Addendum is easier because the original contracts say what they are using the info for. 

Is anyone willing share how they are handling this? Or does anyone have a BA Agreement (not addendum) at I could see to get an idea of how they are doing this? 

Deborah Campbell
Compliance Coordinator


Dominion Dental Services, Inc.
115 South Union Street, Suite 300
Alexandria, Virginia 22314


Phn: (703) 518-5000 ext. 3035
Fax: (703) 518-8849
Toll Free: 888-518-5338
Email: [EMAIL PROTECTED]


***
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.

*




---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




Re: Self insured health plans NPP

2003-03-13 Thread John J. D'Amato
Hi, Sue.

What I meant by my comment is that a group health plan's relationship to a
health insurance issuer and its relationship to a TPA are associated with
radically different legal responsibilities under the Privacy Rule, even
where the two relationships are functionally equivalent.  This is sometimes
disconcerting to self-insuring clients who believe that by contracting out
functions to a TPA, they ought to be relieved of responsibilities under the
Privacy Rule.

But you have raised a different fact pattern.  I take it that you are
referring to the situation in which an employer contracts with an employee
leasing or similar company.  In such a situation, the recipient of the
services of the employees (your organization) is not the employer of record,
and the leased employees receive benefits under plans sponsored and
maintained by the leasing company, not by the recipient of the services.

If that is your situation, then I would agree with you that the plan sponsor
is not your company, but the leasing company, and the Privacy Rule burdens
fall on that company and its group health plan, not on your company.  Those
burdens would include providing or maintaining an NPP (to the extent that
benefits are self-insured or the PEO receives or creates PHI beyond summary
health or enrollment information).

Nevertheless, I think you should think carefully about how the Privacy Rule
may affect your company.  Are there individuals who are employed by your
company (not the PEO) and who deal with the PEO regarding health plan
matters?  If so, then those individuals will be members of the health plan's
workforce (even though they are your employees) and will require Privacy
Rule training, etc.

In particular, if your company (or the PEO) sponsors an EAP, consider how
the flow of information works from management personnel in your company to
the EAP and back.  You will want to insure that safeguards are in place with
respect to the confidentiality of this information and to make sure that you
(or the PEO, if it is a PEO plan) obtain whatever authorizations will be
required to monitor the satisfactory completion of treatment by an
individual referred to EAP.

Out of curiosity, is the PEO requiring your company to enter into a BA
agreement with it?

Hope this helps.
John
redhipaa.com (coming soon)

 John,

 In your explanation, you state that if you are a self-insured plan and
you
 contract out EVERYTHING to a third party administrator (TPA), you are
not
 spared ANY of the requirements of the Privacy Rule.  You must still
prepare
 and distribute  an NPP to your participants and satisfy all of the Privacy
 Rule's
 administrative requirements.

 Does this apply if you have contracted out your HR function to a PEO
 (Professional Employer Organ.) that includes the administratio of the
 benefit plans (health  dental) and the PEO is identified as the plan
 sponsor / administrator of the group health/dental plans?  Can the PEO
 develop and distribute the NPP to the participants (employees)?   Thank
you,
 Sue

 Confidentiality Notice: This email message, includng any attachments, is
for
 the sole use of the intended recipient(s) and may contain confidential and
 privileged information.  Any unauthorized review, use, disclosure or
 distribution is prohibited.  If you are not the intended recipient, please
 contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of the
 original message.

 Sue Ryan, RN, MPS
 Consultant
 Hazen Group, Inc.
 Phone: (315) 468-2603
 Fax: (315) 487-0153
 - Original Message -
 From: John J. D'Amato [EMAIL PROTECTED]
 To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
 Sent: Thursday, March 13, 2003 1:48 PM
 Subject: Re: Self insured health plans  NPP


  Hi, David and Bonnie.
 
  It's important to keep two terms distinct:  plan administration
 functions
  (which is a Privacy Rule term) and plan administrator (which is an
ERISA
  term).
 
  The plan administrator (which, under ERISA, is the plan sponsor unless
the
  plan document says otherwise) has certain reporting and disclosure
 functions
  assigned to it by ERISA.  The plan administrator may also be (but need
not
  be) the named fiduciary for purposes of the claims adjudication
procedures
  that a group health plan is required to have under ERISA.
 
  Plan administration functions is a poorly defined term in the Privacy
  Rule.  What it appears to signify is performing those functions that
make
 a
  plan a covered entity--i.e., doing things that require working with PHI.
 
  Is the ERISA plan administrator necessarily a person who perform plan
  administration functions?
 
  No.  So long as the ERISA plan administrator is not also the named
 fiduciary
  for purposes of claims administration, it does not necessarily perform
 plan
  administration functions on account of the jobs assigned to it by ERISA.
  That is because the jobs assigned to it under ERISA may be performed on
 the
  basis of summary health information received 

Re: Self insured health plans NPP

2003-03-13 Thread John J. D'Amato



Hi, John.

The way I read the Privacy Rule, a plan sponsor 
that self-insures will always bear the ultimate responsibility for complying 
with the Privacy Rule and will not be treated as functionally equivalent to a 
plan sponsor that insures benefits, even if the self-insuring plan sponsor 
contracts out all functions involving PHI.

Nevertheless, I agree with you that conduct matters 
under the Privacy Rule. All other things being equal, the actual 
compliance burdens of a plan sponsor that contracts out functions will be 
considerably less than one that performs all administration 
in-house.

Thanks for your comments.
John

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 13, 2003 12:17 
  PM
  Subject: Re: Self insured health plans 
   NPP
  John,Thanks for the great analysis on the 
  terminology differences between ERISA and HIPAA and the HIPAA 
  implications. I agree that self-insured health plans get stuck with all 
  the HIPAA requirements, but wonder the extent to which compliance details 
  could be jobbed out to a TPA business associate.Such health plans may 
  wish to avoid preparing and training staff on extensive policies and 
  procedures when for all practical purposes they don't see or maintain PHI 
  except enrollment data in their plan sponsor roles. The preamble to the 
  revised privacy regulations gives the plan a reduced set of requirements under 
  an "insurance contract" when the carrier performs these functions. Could 
  the same guidance apply if the TPA does all the heavy 
  lifting?Following is the language from the preamble:"Group 
  health plans, to the extent they provide health benefits only through an 
  insurance contract with a health insurance issuer or HMO and do not create, 
  receive, or maintain protected health information (except for summary 
  information or enrollment and disenrollment information), are not required to 
  comply with the requirements of §§ 164.520 or 164.530, except for the 
  documentation requirements of § 164.530(j). In addition, because the group 
  health plan does not have access to protected health information, the 
  requirements of §§ 164.524, 164.526, and 164.528 are not applicable. 
  Individuals enrolled in a group health plan that provides benefits only 
  through an insurance contract with a health insurance issuer or HMO would have 
  access to all rights provided by this regulation through the health insurance 
  issuer or HMO, because they are covered entities in their own 
  right."--John---Original message---Hi, David 
  and Bonnie.It's important to keep two terms distinct: "plan 
  administration functions"(which is a Privacy Rule term) and "plan 
  administrator" (which is an ERISAterm).The plan administrator 
  (which, under ERISA, is the plan sponsor unless theplan document says 
  otherwise) has certain reporting and disclosure functionsassigned to it by 
  ERISA. The plan administrator may also be (but need notbe) the named 
  fiduciary for purposes of the claims adjudication proceduresthat a group 
  health plan is required to have under ERISA."Plan administration 
  functions" is a poorly defined term in the PrivacyRule. What it 
  appears to signify is performing those functions that make aplan a covered 
  entity--i.e., doing things that require working with PHI.Is the ERISA 
  plan administrator necessarily a person who perform planadministration 
  functions?No. So long as the ERISA plan administrator is not 
  also the named fiduciaryfor purposes of claims administration, it does not 
  necessarily perform planadministration functions on account of the jobs 
  assigned to it by ERISA.That is because the jobs assigned to it under 
  ERISA may be performed on thebasis of summary health information received 
  and used for plan designpurposes (permitted under the Privacy Rule) or 
  eligibility and enrollmentinformation (also permitted under the Privacy 
  Rule).An ERISA plan administrator will perform plan administration 
  functions,however, where it is also the named fiduciary for claims 
  adjudicationpurposes, i.e., the person who has to receive all the PHI 
  relevant to makingclaims decisions.In addition, where a plan is 
  self-insured, the plan sponsor will ALWAYS beassigned the full gamut of 
  responsibilities under the Privacy Rule, withoutregard to whether the plan 
  sponsor contracts those functions out to a thirdparty.Thus, for 
  example, if you are a self-insured plan and you contract outEVERYTHING to 
  a third party administrator ("TPA"), you are not spared ANY ofthe 
  requirements of the Privacy Rule. You must still prepare and 
  distributean NPP to your participants and satisfy all of the Privacy 
  Rule'sadministrative requirements.In the case of the self-insured 
  group health plan maintained by yourhospital for its employees, all of the 
  provisions of the Privacy Rule willapply.However, your hospital 
  

RE: Security Requirements

2003-03-13 Thread Rachel Foerster
Title: Message




Yes

Rachel 
Foerster


Rachel 
Foerster  Associates, Ltd.
Voice: 
847-872-8070
email: [EMAIL PROTECTED]
http://www.rfa-edi.com 

#
This 
transmission may be confidential or protected from disclosure and is only for 
review and use by the intended recipient. Access by anyone else is unauthorized. 
Any unauthorized reader is hereby notified that any review, use, dissemination, 
disclosure or copying of this information, or any act or omission taken in 
reliance on it, is prohibited 
and may be unlawful. If you 
received this transmission in error, please notify the sender immediately. Thank you.From: 
Daryn Thompson [mailto:[EMAIL PROTECTED] Sent: Thursday, March 
13, 2003 12:18 PMTo: WEDI SNIP Privacy Workgroup 
ListSubject: Security Requirements

  
  In the final security document, 
  you have standards. Some 
  standards have implementation specifications and others do not. On the standards that do have them, 
  they are REQUIRED or ADDRESSABLE. 
  On the ones that do not have specifications, are they 
  Required?
  
  Daryn 
  Thompson 
  
  Network/I.S. 
  Coordinator
  (801) 
  468-2123
  ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org