RE: Employee Access and Accounting of Disclosures
Ellen, This is one of those HIPAA topics where we would advise hanging a large "Proceed with Caution" sign, and where we would welcome additional guidance from HHS. Section 164.528(a)(1)(iii) of the Privacy rules --Accounting of disclosures of protected health information-- notes that HIPAA does NOT require a "use" incident to an otherwise permitted "use or disclosure" (as provided in section 164.502) to be included in an "accounting". Conversely, this leads us to believe that HHS intends for ALL "privacy breaches", whether a "use" or "disclosure" to be included in an "accounting". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Ellen Rubin [mailto:[EMAIL PROTECTED] Sent: Saturday, November 01, 2003 3:59 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: Employee Access and Accounting of Disclosures My understanding is that this is a "use" (albeit inappropriate) and not necessary to put in the accounting log. However, if this information was then "disclosed" outside the entity, it would need to be accounted for. I asked this question a few weeks agothe piece I was interested in was whether entities are notifying their patients of this disclosure at the time of the event as well as entering in the accounting. Ellen __ Ellen Rubin, RN, BSN Privacy Officer Harborview Medical Center 206 731-6048 Voice 206 731-2097 Fax - Original Message - From: "Walter Suarez" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Saturday, November 01, 2003 5:06 AM Subject: Employee Access and Accounting of Disclosures > When an employee of a covered entity accesses PHI and it is determined that > this was done wrongly (say, violating the minimum necessary requirements for > that employee, or just plain inappropriate access someone's PHI by the > employee), would this result in the employer having to log it into the > accounting of disclosure? > > Many thanks for your comments and reactions. > > Walter. > > > Walter G. Suarez, MD, MPH > President and CEO > Midwest Center for HIPAA Education > 2850 Metro Drive, Suite 118 > Bloomington, MN 55425 > (952) 854-3401 - v > (952) 814-4805 - f > [EMAIL PROTECTED] > http://www.mche.us.com > > > > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] > If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org > --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum
Re: Employee Access and Accounting of Disclosures
My understanding is that this is a "use" (albeit inappropriate) and not necessary to put in the accounting log. However, if this information was then "disclosed" outside the entity, it would need to be accounted for. I asked this question a few weeks agothe piece I was interested in was whether entities are notifying their patients of this disclosure at the time of the event as well as entering in the accounting. Ellen __ Ellen Rubin, RN, BSN Privacy Officer Harborview Medical Center 206 731-6048 Voice 206 731-2097 Fax - Original Message - From: "Walter Suarez" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Saturday, November 01, 2003 5:06 AM Subject: Employee Access and Accounting of Disclosures > When an employee of a covered entity accesses PHI and it is determined that > this was done wrongly (say, violating the minimum necessary requirements for > that employee, or just plain inappropriate access someone's PHI by the > employee), would this result in the employer having to log it into the > accounting of disclosure? > > Many thanks for your comments and reactions. > > Walter. > > > Walter G. Suarez, MD, MPH > President and CEO > Midwest Center for HIPAA Education > 2850 Metro Drive, Suite 118 > Bloomington, MN 55425 > (952) 854-3401 - v > (952) 814-4805 - f > [EMAIL PROTECTED] > http://www.mche.us.com > > > > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] > If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org > --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
to listserv admin
I greatly value the opinions of this listserv, and am indebted to its participants. However, I am very concerned about participants who do not identify themselves, and hide behind nebulous entity names. I would like to ask the listserv admin to enforce the need for attribution, and make sure that people identify themselves by name in their postings. Regards, Tim McGuinness, Ph.D. Email: [EMAIL PROTECTED]Alt Email: [EMAIL PROTECTED]Direct Phone: 1-727-787-9801 Certified Consulting Specialist and Forensic Regulatory Examiner in Regulatory Privacy, Security, and Application Compliance[HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland Security]Founding Board Member & Executive Co-Chairman, HIPAA Conformance Certification Organization === IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature. HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - you’re use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Employee Access and Accounting of Disclosures
When an employee of a covered entity accesses PHI and it is determined that this was done wrongly (say, violating the minimum necessary requirements for that employee, or just plain inappropriate access someone's PHI by the employee), would this result in the employer having to log it into the accounting of disclosure? Many thanks for your comments and reactions. Walter. Walter G. Suarez, MD, MPH President and CEO Midwest Center for HIPAA Education 2850 Metro Drive, Suite 118 Bloomington, MN 55425 (952) 854-3401 v (952) 814-4805 f [EMAIL PROTECTED] http://www.mche.us.com --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org