RE: is this practice O.K.?
I would also add to Dale's email that, unlike Dr. Fairley's initial situation in which providers are sending PHI to non-treating pharmacies (i.e., they have no relationship to the patient at the time of the disclosure), in the case that John is describing, it would appear that the appropriateness of the disclosure would depend upon the "facts" of the case. That is, is disclosure to a particular person likely to provide information that would be used in treatment; if not then a court would wonder why the disclosure. If the information is to be used for treatment and there is an established process that supports this disclosure/use then an attorney has a better argument that the disclosure is properly "for treatment purposes." Thus, apart from the answer to the question coming from a court case, an entity wants to set up for the possibility by identifying these situations and, if warranted, establishing a policy for its response. This process reduces the risk of uncertainty in litigation at the very least (it may not be the right answer, but does provide a clear standard that can be brought to the court if necessary) Moya T. Davenport Gray, Esq. 1283 Honokahua Street Honolulu, Hawaii 96825 808-396-6731 808-381-3732 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Sent: Sunday, November 02, 2003 4:55 PMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: is this practice O.K.?Sounds like some undue stress on a question that probably cannot be answered out of court. The regulatory language provides for no end of possible interpretations and we can only guess at what the courts will decide -- and they get the advantage of a specific set of circumstances (and, I think dice or chicken bones to aid in the decision).If the situation is viewed as a balance between the harm done and the benefit gained, it may be possible to make an educated guess. For example, searches are, by definition, an invasion of privacy. To search without prior approval from a judge, you need some urgent factor to outweigh the violation -- immediate risk to life, etc. There is a long list of court cases weighing the harm against the claimed urgency. That has not cleared up things much, but there are some useful clues.Would it make sense to look at why the release of PHI is happening? What weighs against infringing on the patient's rights? If it is simply a matter of gaining identification, that would not seem terribly urgent. If the harm (release of information without permission) was to prevent the spread of some life threatening virus that would seem to justify doing things that simply identifying a suitable payer would not.In short, if the patient is comatose (which sounds stable to the nonmedical folk), why wouldn't you ask a judge? They have the power to make decisions on behalf of people not able to decide for themselves. It is also much harder to get in serious hot water if you can claim you did it "because the judge said it was OK."I have broken similar rules when I believed the circumstances warranted it and would do so again, but I can't claim it was wise -- simply a strong wish to see the person upright again -- even if in court.Dale K. Howe, PhDGrand Rapids, MI, USA ---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreement
Re: is this practice O.K.?
Sounds like some undue stress on a question that probably cannot be answered out of court. The regulatory language provides for no end of possible interpretations and we can only guess at what the courts will decide -- and they get the advantage of a specific set of circumstances (and, I think dice or chicken bones to aid in the decision). If the situation is viewed as a balance between the harm done and the benefit gained, it may be possible to make an educated guess. For example, searches are, by definition, an invasion of privacy. To search without prior approval from a judge, you need some urgent factor to outweigh the violation -- immediate risk to life, etc. There is a long list of court cases weighing the harm against the claimed urgency. That has not cleared up things much, but there are some useful clues. Would it make sense to look at why the release of PHI is happening? What weighs against infringing on the patient's rights? If it is simply a matter of gaining identification, that would not seem terribly urgent. If the harm (release of information without permission) was to prevent the spread of some life threatening virus that would seem to justify doing things that simply identifying a suitable payer would not. In short, if the patient is comatose (which sounds stable to the nonmedical folk), why wouldn't you ask a judge? They have the power to make decisions on behalf of people not able to decide for themselves. It is also much harder to get in serious hot water if you can claim you did it "because the judge said it was OK." I have broken similar rules when I believed the circumstances warranted it and would do so again, but I can't claim it was wise -- simply a strong wish to see the person upright again -- even if in court. Dale K. Howe, PhD Grand Rapids, MI, USA --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: is this practice O.K.?
Matt: I'm about to leave the office. I asked you to take this off-line, Matt, but you didn't, you posted to the group again. At the risk of alienating the list members I will respond to your posting to the group as a whole one more time. Forgive me, list members, but I would really appreciate a serious answer to my question instead of tangents, so I am just trying to dispense with the tangents. Here goes... Matt, please re-read my earlier posts. I referred to using media resources in order to reach out to the COMMUNITY, to involve the community in treatment. Why are you getting hung up on the tangential "media" portion of the question? Would it be easier to conceptualize if we forget about the media and refer to a smaller community? Okay, let's say instead that a hospital or physician knows that one of the members of an association or a club knows the comatose person, and distributes a photo to the group. No media is involved, okay? All we are talking about is a physician disclosing PHI to a non-physician third party for the purposes of treatment, what that means, and whether and to what extent HIPAA allows that. Also, if you will please re-read my posts, you will see that I already referred to that spare language concerning medical ethics, which doesn't answer the question: I said "There are a few references to AMA ethical materials in the Preamble...". So I already saw that section, and found that it didn't help, right? Okay. I saw all of those excerpts which you are citing. I found none of them answered the question I asked. That's why I asked the question of the listserve. Matt, you say below "We believe ... that you would be hard-pressed to stretch the term "third party". Okay, again, thank you, thank you, I do understand what it is that you believe. But no, sorry, with all due respect, repeating it again and again doesn't help me, thanks. Yours is one opinion. I appreciate having heard it. But now I would like to hear the thoughts of others. What do others believe? Are there physicians on the list who believe that their disclosure of PHI to non-physicians can constitute "treatment" under HIPAA? In what situations? Could the concept extend so far as to disclosing PHI to a community of third parties? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 8:58 PM To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List' Subject: RE: is this practice O.K.? John, Perhaps this will help. HHS provides these additional clarifications in the "Treatment Q&A section of the Preamble to the (initial) Privacy rules: "Comment: Some commenters advocated for a narrow interpretation of treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors. Response: We find the commenters' arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advise about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual. Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate." "Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. T
RE: is this practice O.K.?
John, Perhaps this will help. HHS provides these additional clarifications in the "Treatment Q&A section of the Preamble to the (initial) Privacy rules: "Comment: Some commenters advocated for a narrow interpretation of treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors. Response: We find the commenters arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advise about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual. Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate." "Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. They asserted that while the proposed definition of treatment included disease management conducted by health care providers it did not recognize the role of employers and TPAs in the current disease management process. Response: Covered entities disclose protected health information to other persons, including TPAs, that they hire to perform services for them or on their behalf. If a covered entity hires a TPA to perform the disease management activities included in the rules definitions of treatment and health care operations that disclosure will not require authorization. The relationship between the covered entity and the TPA may be subject to the business associate requirements of §§ 164.502 and 164.504. Disclosures by covered entities to plan sponsors, including employers, for the purpose of plan administration are addressed in § 164.504." Again, we believe that within these clarifying scenarios and examples utilized by HHS (above), that you would be hard-pressed to stretch the term "third party" to include the media. Though, in an exception circumstance, such as an emergency, a case may be made for that type of disclosure. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:44 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Clarified it? They removed the limiting language -- they EXPANDED it, didn't they? :-) Thanks for your thoughts, Matt, much appreciated. What do others think? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes lega
RE: is this practice O.K.?
Matt: None of that gets to the issue -- that DHHS removed a limitation on the definition of "third parties." So thanks, but, sorry, those excerpts don't add to the issue, none of that helps. I'm going to chime out now ... and FYI I am out of the office for the next few days so I won't be back to the list until mid-week ... but Matt, if you would like to discuss your thoughts further, may I suggest we take OUR discussion off line, okay? Thanks. Otherwise, other list members, I look forward to reading *your* thoughts midweek. Thanks again to all, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 7:02 PM To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List' Subject: RE: is this practice O.K.? John, HHS made the modification, and then explained how come: "Specifically, we modify the proposed definition of "treatment" to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. 'Treatment' includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider." "Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan." I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:44 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Clarified it? They removed the limiting language -- they EXPANDED it, didn't they? :-) Thanks for your thoughts, Matt, much appreciated. What do others think? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:39 PM To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List' Subject: RE: is this practice O.K.? John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the "third party". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of th
RE: is this practice O.K.?
John, HHS made the modification, and then explained how come: "Specifically, we modify the proposed definition of treatment to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. 'Treatment' includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider." "Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan." I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:44 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Clarified it? They removed the limiting language -- they EXPANDED it, didn't they? :-) Thanks for your thoughts, Matt, much appreciated. What do others think? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:39 PM To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List' Subject: RE: is this practice O.K.? John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the "third party". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:29 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position in
RE: is this practice O.K.?
Clarified it? They removed the limiting language -- they EXPANDED it, didn't they? :-) Thanks for your thoughts, Matt, much appreciated. What do others think? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:39 PM To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List' Subject: RE: is this practice O.K.? John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the "third party". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:29 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position into question. The first time, you pulled this language from the definition of "treatment" in the final rule -- "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient" -- without citing the follow-up language which is included in the definition: "INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY". And now this time, you have now pulled some language from the final rule preamble -- "THE PROPOSED RULE defined 'treatment' as the provision of health care by ... health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL..." -- without acknowledging that the language in the paragraphs which immediately follow the language you excerpted notes that the proposed rule's definition which you are citing, Matt, WAS MODIFIED: "Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include the management of health care and related services" If the list members will go back to the 1999 proposed HIPAA rule's definition of "treatment", you can see just exactly which language in the definition of "treatment" was modified. See at http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section 164.504 at page 60053; the proposed rule's definition of "treatment" was: "Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; OR THE COORDINATION OF HEALTH CARE OR OTHER SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL." (emphasis added) In the final rule, under section 164.501 at page 82805 (see http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment was changed to: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) [This final definition was not changed in the August 2002 Privacy Rule modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is t
RE: is this practice O.K.?
John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the "third party". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:29 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position into question. The first time, you pulled this language from the definition of "treatment" in the final rule -- "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient" -- without citing the follow-up language which is included in the definition: "INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY". And now this time, you have now pulled some language from the final rule preamble -- "THE PROPOSED RULE defined 'treatment' as the provision of health care by ... health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL..." -- without acknowledging that the language in the paragraphs which immediately follow the language you excerpted notes that the proposed rule's definition which you are citing, Matt, WAS MODIFIED: "Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include the management of health care and related services" If the list members will go back to the 1999 proposed HIPAA rule's definition of "treatment", you can see just exactly which language in the definition of "treatment" was modified. See at http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section 164.504 at page 60053; the proposed rule's definition of "treatment" was: "Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; OR THE COORDINATION OF HEALTH CARE OR OTHER SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL." (emphasis added) In the final rule, under section 164.501 at page 82805 (see http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment was changed to: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) [This final definition was not changed in the August 2002 Privacy Rule modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is the current definition]. The list members will see that some of the exact language which was removed from the proposed rule's definition is the very qualifying language at the end of the definition that limited the "third parties" to only those "third parties" who were "authorized by the health plan or the individual"! So, in the final rule, as the sentences immediately following the one which you cited make clear, Matt, DHHS TOOK OUT THE LIMITATION THAT YOU ARE RELYING UPON. The limitation on third parties, to only those who were "authorized by the health plan or the individual", no longer exists. The excerpt you emphasized actually undermines your position rather than supporting it, given that the final rule's preamble was pointing out that that exce
RE: is this practice O.K.?
Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position into question. The first time, you pulled this language from the definition of "treatment" in the final rule -- "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient" -- without citing the follow-up language which is included in the definition: "INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY". And now this time, you have now pulled some language from the final rule preamble -- "THE PROPOSED RULE defined 'treatment' as the provision of health care by ... health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL..." -- without acknowledging that the language in the paragraphs which immediately follow the language you excerpted notes that the proposed rule's definition which you are citing, Matt, WAS MODIFIED: "Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include the management of health care and related services" If the list members will go back to the 1999 proposed HIPAA rule's definition of "treatment", you can see just exactly which language in the definition of "treatment" was modified. See at http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section 164.504 at page 60053; the proposed rule's definition of "treatment" was: "Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; OR THE COORDINATION OF HEALTH CARE OR OTHER SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL." (emphasis added) In the final rule, under section 164.501 at page 82805 (see http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment was changed to: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) [This final definition was not changed in the August 2002 Privacy Rule modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is the current definition]. The list members will see that some of the exact language which was removed from the proposed rule's definition is the very qualifying language at the end of the definition that limited the "third parties" to only those "third parties" who were "authorized by the health plan or the individual"! So, in the final rule, as the sentences immediately following the one which you cited make clear, Matt, DHHS TOOK OUT THE LIMITATION THAT YOU ARE RELYING UPON. The limitation on third parties, to only those who were "authorized by the health plan or the individual", no longer exists. The excerpt you emphasized actually undermines your position rather than supporting it, given that the final rule's preamble was pointing out that that excerpt is obsolete. I appreciate your perspective, Matt. But I'm not really asking for incomplete language excerpts which falsely describe the current regulatory language and which appear to support a particular preconceived opinion on this issue. Instead, I'm suggesting that the language which made it into the final Rule, that "treatment" can mean the sharing of PHI from providers to some entities called "third parties" (unqualified, undefined), is subject to multiple interpretations, and I'm curious as to whether physicians or providers or others ever believe that sharing PHI with a community can sometimes constitute "treatment". We know what you think now, Matt, thanks, and I really do appreciate knowing your viewpoint. But let's hear from some others now, thanks. John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 5:19 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? John, We believe that HHS is clear in the use of the term "third party" in its definition of "treatment". The following
RE: is this practice O.K.?
In states where this tyep of sharing is required by law, a CE doesn't have a problem; in those states where the sharing isn't authorized, the CE should assess its risk under all possible laws (state and federal) that impact this disclosure. I would venture to guess that there are instances in which it is inappropriate to share that data and for which there is a risk of liability. Moya T. D. Gray, J.D. 1283 Honokahua Street Honolulu, Hawaii 96825 808-381-3732 808-396-6731 [EMAIL PROTECTED] -Original Message- From: Paula Cook [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 12:01 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Better yet, when the MD makes the original "deal" with the patient..part of the deal should be written that the patient is informed that other pharmacies will be notified that such drugs may only be prescribed by doctor X. Then you have permission to disclose to the other pharmacies. Paula -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 1:46 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the Privacy Rule is as follows: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) What the emphasized phrase means is the question. I don't see all that much in the Privacy Rule Preamble discussing what "treatment" means in the first place, much less what this "coordination or management...with a third party" means. Is the "third party" language mere surplusage, or does it refer to non-providers? (FWIW, IMO it is the latter). There are a few references to AMA ethical materials in the Preamble, and a few other sections (see for example the Privacy Rule preamble at pages 82625 to 82626), where DHHS says that it intends the term "treatment" itself to be defined very broadly, albeit limited to "treatment's" performance by only physicians and medical providers (and not, for example, by health plans), and also, limited to treatment of an individual. In other words: WHO DOES IT? "Treatment" must be performed by a provider. WHO IS IT DONE TO? "Treatment" must also concern the medical care provided to an individual, and not to a community. But once the above limitations are imposed, all bets are off. In terms of ... WHAT IS IT? "Treatment" can be just about any type of health care and... WHO ELSE CAN THE PROVIDER PERFORM IT WITH? I think the Rule says that, as long as the above qualifications are met, a physician or provider can perform "treatment" with anybody else (a "third party"). So, noting the reference to "coordination or management of health care by a health care provider with a third party", I am wondering, can that "third party" be read as broadly as to include the community at large? I wonder if the physicians or medical providers on the list can give examples or otherwise expand upon, in their experience, what this coordination with a third party might entail? For example, if a physician believed that enlisting the community's help in identifying a comatose patient was essential for performing treatment on that patient, would that be the physician's "coordination or management of health care ... with a third party"? Thanks again, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 12:48 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? John, Clearly, HIPAA allows a health care provider to disclose PHI to any other health care provider for the purposes of "treatment", and the HIPAA-definition includes "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient". As most pharmacists are CEs, they would be mandated to comply with the HIPAA rules. The general scenario to which you refer (below) is not so clearly defined by HIPAA: the photo of a comatose patient disclosed to the general public through mass media in order to "identify" the individual might (or might not) apply to a "treatment" or "public health" emergency. For example, if the need-to-identify is intertwined with a "public health" emergency, possibly HIPAA
RE: is this practice O.K.?
John, We believe that HHS is clear in the use of the term "third party" in its definition of "treatment". The following guidance is provided in the Preamble to the (initial) Privacy rules: "The proposed rule defined 'treatment' as the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL." (The emphasis is mine). "Under the definition [of treatment], the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. 'Treatment' includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider." "Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan." Within this context of HHS intentions (above), a "third party" might be a "therapy aide" or "clinical coordinator", but we do not currently see how the term "third party" may be stretched to include "mass media". Be this as it may, we do welcome an opportunity to vet this important topic. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 2:46 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the Privacy Rule is as follows: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) What the emphasized phrase means is the question. I don't see all that much in the Privacy Rule Preamble discussing what "treatment" means in the first place, much less what this "coordination or management...with a third party" means. Is the "third party" language mere surplusage, or does it refer to non-providers? (FWIW, IMO it is the latter). There are a few references to AMA ethical materials in the Preamble, and a few other sections (see for example the Privacy Rule preamble at pages 82625 to 82626), where DHHS says that it intends the term "treatment" itself to be defined very broadly, albeit limited to "treatment's" performance by only physicians and medical providers (and not, for example, by health plans), and also, limited to treatment of an individual. In other words: WHO DOES IT? "Treatment" must be performed by a provider. WHO IS IT DONE TO? "Treatment" must also concern the medical care provided to an individual, and not to a community. But once the above limitations are imposed, all bets are off. In terms of ... WHAT IS IT? "Treatment" can be just about any type of health care and... WHO ELSE CAN THE PROVIDER PERFORM
RE: is this practice O.K.?
Better yet, when the MD makes the original "deal" with the patient..part of the deal should be written that the patient is informed that other pharmacies will be notified that such drugs may only be prescribed by doctor X. Then you have permission to disclose to the other pharmacies. Paula -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 1:46 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the Privacy Rule is as follows: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) What the emphasized phrase means is the question. I don't see all that much in the Privacy Rule Preamble discussing what "treatment" means in the first place, much less what this "coordination or management...with a third party" means. Is the "third party" language mere surplusage, or does it refer to non-providers? (FWIW, IMO it is the latter). There are a few references to AMA ethical materials in the Preamble, and a few other sections (see for example the Privacy Rule preamble at pages 82625 to 82626), where DHHS says that it intends the term "treatment" itself to be defined very broadly, albeit limited to "treatment's" performance by only physicians and medical providers (and not, for example, by health plans), and also, limited to treatment of an individual. In other words: WHO DOES IT? "Treatment" must be performed by a provider. WHO IS IT DONE TO? "Treatment" must also concern the medical care provided to an individual, and not to a community. But once the above limitations are imposed, all bets are off. In terms of ... WHAT IS IT? "Treatment" can be just about any type of health care and... WHO ELSE CAN THE PROVIDER PERFORM IT WITH? I think the Rule says that, as long as the above qualifications are met, a physician or provider can perform "treatment" with anybody else (a "third party"). So, noting the reference to "coordination or management of health care by a health care provider with a third party", I am wondering, can that "third party" be read as broadly as to include the community at large? I wonder if the physicians or medical providers on the list can give examples or otherwise expand upon, in their experience, what this coordination with a third party might entail? For example, if a physician believed that enlisting the community's help in identifying a comatose patient was essential for performing treatment on that patient, would that be the physician's "coordination or management of health care ... with a third party"? Thanks again, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 12:48 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? John, Clearly, HIPAA allows a health care provider to disclose PHI to any other health care provider for the purposes of "treatment", and the HIPAA-definition includes "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient". As most pharmacists are CEs, they would be mandated to comply with the HIPAA rules. The general scenario to which you refer (below) is not so clearly defined by HIPAA: the photo of a comatose patient disclosed to the general public through mass media in order to "identify" the individual might (or might not) apply to a "treatment" or "public health" emergency. For example, if the need-to-identify is intertwined with a "public health" emergency, possibly HIPAA would allow the disclosure of the photo by the provider to a public health authority. But in that case, it would be public health authority (and not the provider) that makes the photo available to the media. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confident
RE: is this practice O.K.?
Hello, This scenario reminds me of the old "bounced-check list" that retail shops used to keep (maybe they still do). Sounds like you are sharing this information for treatment purposes in advance of the customer's possible visit...an interesting situation. Your actions sound reasonable, for the good of the patient, the physician, the pharmacy and the commmunity BUT...to distribute the name before they ever present themselves there as a shoppper...that sounds like too much information to be sharing. Sounds like the buyer could nail you for something. I believe that INTERNALLY, a pharmacy network may openly share such data base information but it does sound like a stretch to broadcast his/her name to all pharmacies-no matter how good your intentions are. If there is a crime involved or something of course then the authorities can alert all pharmacies. If you are really set on going externally with your suspicions, why don't you arrange an understanding with other pharmacies... that they might get anonymous calls with unofficial "alerts" about certain customers who may be abusing the system. Alert the pharmacies then and see how it goes. It's passing the buck to your partners but it is one way of warning them and protecting yourself also. Your intentions are reasonable and your motivation sound. Paula Cook Riverview Association -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 2:54 PM To: WEDI SNIP Privacy Workgroup List Subject: is this practice O.K.? The practice that I am going to describe is quite common in our community but I am not sure it is acceptable. I wanted the opinion of the experts on this list. Occassionally, we run into a problem with a patient who seems to be doctor hopping and getting multiple prescriptions for narcotics. In order for the patient's principle physician to keep a close watch on the patient's use of narcotics and to avoid abuse/misuse of narcotics, the physician makes a deal with the patient. The deal is "ALL prescriptions for narcotics must be funneled through one doctor-the primary care physician." The patient usually agrees but then (and here is where I am not sure if we are infringing on privacy)we can send an "Alert" to all the area pharmacies to alert them that this deal occurred and if the patient shows up at one of the area pharmacies with a narcotic prescription from someone other than the primary care physician, the patient is told that they have an order that they can not fill the prescription unless it comes from the designated doctor. Is this practice acceptable? Do we need the patient's consent to notify all heighborhood pharmacies? Is verbal consent acceptable? Can the information be sent to the pharmacies without the patient's specific consent (that is, the patient consented to the arrangement that one doctor fills all narcotic prescriptions but the patient did not consent to the information being sent to all area pharmacies? ) Thank you Rich Fairley, M.D. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current
RE: is this practice O.K.?
Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the Privacy Rule is as follows: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) What the emphasized phrase means is the question. I don't see all that much in the Privacy Rule Preamble discussing what "treatment" means in the first place, much less what this "coordination or management...with a third party" means. Is the "third party" language mere surplusage, or does it refer to non-providers? (FWIW, IMO it is the latter). There are a few references to AMA ethical materials in the Preamble, and a few other sections (see for example the Privacy Rule preamble at pages 82625 to 82626), where DHHS says that it intends the term "treatment" itself to be defined very broadly, albeit limited to "treatment's" performance by only physicians and medical providers (and not, for example, by health plans), and also, limited to treatment of an individual. In other words: WHO DOES IT? "Treatment" must be performed by a provider. WHO IS IT DONE TO? "Treatment" must also concern the medical care provided to an individual, and not to a community. But once the above limitations are imposed, all bets are off. In terms of ... WHAT IS IT? "Treatment" can be just about any type of health care and... WHO ELSE CAN THE PROVIDER PERFORM IT WITH? I think the Rule says that, as long as the above qualifications are met, a physician or provider can perform "treatment" with anybody else (a "third party"). So, noting the reference to "coordination or management of health care by a health care provider with a third party", I am wondering, can that "third party" be read as broadly as to include the community at large? I wonder if the physicians or medical providers on the list can give examples or otherwise expand upon, in their experience, what this coordination with a third party might entail? For example, if a physician believed that enlisting the community's help in identifying a comatose patient was essential for performing treatment on that patient, would that be the physician's "coordination or management of health care ... with a third party"? Thanks again, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 12:48 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? John, Clearly, HIPAA allows a health care provider to disclose PHI to any other health care provider for the purposes of "treatment", and the HIPAA-definition includes "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient". As most pharmacists are CEs, they would be mandated to comply with the HIPAA rules. The general scenario to which you refer (below) is not so clearly defined by HIPAA: the photo of a comatose patient disclosed to the general public through mass media in order to "identify" the individual might (or might not) apply to a "treatment" or "public health" emergency. For example, if the need-to-identify is intertwined with a "public health" emergency, possibly HIPAA would allow the disclosure of the photo by the provider to a public health authority. But in that case, it would be public health authority (and not the provider) that makes the photo available to the media. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha re
RE: is this practice O.K.?
John, Clearly, HIPAA allows a health care provider to disclose PHI to any other health care provider for the purposes of "treatment", and the HIPAA-definition includes "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient". As most pharmacists are CEs, they would be mandated to comply with the HIPAA rules. The general scenario to which you refer (below) is not so clearly defined by HIPAA: the photo of a comatose patient disclosed to the general public through mass media in order to "identify" the individual might (or might not) apply to a "treatment" or "public health" emergency. For example, if the need-to-identify is intertwined with a "public health" emergency, possibly HIPAA would allow the disclosure of the photo by the provider to a public health authority. But in that case, it would be public health authority (and not the provider) that makes the photo available to the media. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 11:18 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: That is an interesting perspective, and one which I have wondered about myself. But I wonder how far the concept can be stretched under the HIPAA Privacy Rule. For example, one of the listserves a few months ago (I think it was a different one than this one) was discussing the situation where an unidentified comatose patient is brought to the hospital and the hospital believes the only way to identify the patient is through a photo disclosed to the mass media. The discussion took various twists and turns, but one thing which I privately pondered at the time was whether there is such a thing as "community" treatment. Under the principle you embrace below, would the hospital's media disclosure also constitute "treatment"? If not, why not? Is the distinction that in Dr. Fairley's example, the disclosure is to other providers, while in the hospital's scenario, the disclosure is made to a wider audience than providers? Where in the HIPAA Privacy Rule is that distinction defined? Thanks for your thoughts, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 5:12 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Dear Dr. Fairley, What a great question! We believe that HIPAA allows this practice and in doing so, provides patient with privacy protections. For nearly 2000 years physicians, nurses, and pharmacists (chemists) have comprised the "treatment" triad. And especially when treating substance abuse and addiction, it does take a community to provide a safe and therapeutic environment: whenever we remove a member of the treatment community from the process, errors and mistakes may increase and disease resolution may decrease. Within this context, the scenario that you describe (below) fits well within the bounds of sharing PHI for treatment purposes, and the involved providers will be beholden to the related HIPAA rules. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addresse
RE: is this practice O.K.?
Matt: That is an interesting perspective, and one which I have wondered about myself. But I wonder how far the concept can be stretched under the HIPAA Privacy Rule. For example, one of the listserves a few months ago (I think it was a different one than this one) was discussing the situation where an unidentified comatose patient is brought to the hospital and the hospital believes the only way to identify the patient is through a photo disclosed to the mass media. The discussion took various twists and turns, but one thing which I privately pondered at the time was whether there is such a thing as "community" treatment. Under the principle you embrace below, would the hospital's media disclosure also constitute "treatment"? If not, why not? Is the distinction that in Dr. Fairley's example, the disclosure is to other providers, while in the hospital's scenario, the disclosure is made to a wider audience than providers? Where in the HIPAA Privacy Rule is that distinction defined? Thanks for your thoughts, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 5:12 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Dear Dr. Fairley, What a great question! We believe that HIPAA allows this practice and in doing so, provides patient with privacy protections. For nearly 2000 years physicians, nurses, and pharmacists (chemists) have comprised the "treatment" triad. And especially when treating substance abuse and addiction, it does take a community to provide a safe and therapeutic environment: whenever we remove a member of the treatment community from the process, errors and mistakes may increase and disease resolution may decrease. Within this context, the scenario that you describe (below) fits well within the bounds of sharing PHI for treatment purposes, and the involved providers will be beholden to the related HIPAA rules. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 3:54 PM To: WEDI SNIP Privacy Workgroup List Subject: is this practice O.K.? The practice that I am going to describe is quite common in our community but I am not sure it is acceptable. I wanted the opinion of the experts on this list. Occassionally, we run into a problem with a patient who seems to be doctor hopping and getting multiple prescriptions for narcotics. In order for the patient's principle physician to keep a close watch on the patient's use of narcotics and to avoid abuse/misuse of narcotics, the physician makes a deal with the patient. The deal is "ALL prescriptions for narcotics must be funneled through one doctor-the primary care physician." The patient usually agrees but then (and here is where I am not sure if we are infringing on privacy)we can send an "Alert" to all the area pharmacies to alert them that this deal occurred and if the patient shows up at one of the area pharmacies with a narcotic prescription from someone other than the primary care physician, the patient is told that they have an order that they can not fill the prescription unless it comes from the designated doctor. Is this practice acceptable? Do we need the patient's consent to notify all heighborhood pharmacies? Is verbal consent acceptable? Can the information be sent to the pharmacies without the patient's specific consent (that is, the patient consented to the arrangement that one doctor fills all narcotic
Re: to listserv admin
While some of the made up names are fun and amusing, in and of themselves, and provide for some comic relief from all of the taffy pulls, and peeing contests, I find myself in full agreement with Tim. Red Baron SIERRA/Dynamix No Cell Phone I will be flying today. >>> <[EMAIL PROTECTED]> 11/01/03 02:35PM >>> I greatly value the opinions of this listserv, and am indebted to its participants. However, I am very concerned about participants who do not identify themselves, and hide behind nebulous entity names. I would like to ask the listserv admin to enforce the need for attribution, and make sure that people identify themselves by name in their postings. Regards, Tim McGuinness, Ph.D. Email: [EMAIL PROTECTED] Alt Email: [EMAIL PROTECTED] Direct Phone: 1-727-787-9801 Certified Consulting Specialist and Forensic Regulatory Examiner in Regulatory Privacy, Security, and Application Compliance [HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland Security] Founding Board Member & Executive Co-Chairman, HIPAA Conformance Certification Organization === IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature. HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - you're use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
FW: Employee Access and Accounting of Disclosures
Ellen, We have re-reviewed the Preamble to the (initial) Privacy rules, and believe your assessment is correct. Apparently, HHS' intention is quite clear: "Comments: Some commenters said that the accounting provision described in the NPRM was ambiguous and created uncertainty as to whether it addresses disclosures only, as the title would indicate, or whether it includes accounting of uses. They urged that the standard address disclosures only, and not uses, which would make implementation far more practicable and less burdensome. Response: The final rule requires disclosures, not uses, to be included in an accounting." Thank you for helping us in this matter. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Ellen Rubin [mailto:[EMAIL PROTECTED] Sent: Saturday, November 01, 2003 7:36 PM To: [EMAIL PROTECTED] Subject: Re: Employee Access and Accounting of Disclosures Interesting way to look at it. Thanks for the interpretation and I'll be waiting for HHS to offer more guidance. Ellen __ Ellen Rubin, RN, BSN Privacy Coordinator Harborview Medical Center 206 731-6048 Voice 206 731-2097 Fax - Original Message - From: "Matthew Rosenblum" <[EMAIL PROTECTED]> To: "'Ellen Rubin'" <[EMAIL PROTECTED]>; "'WEDI SNIP Privacy Workgroup List'" <[EMAIL PROTECTED]> Sent: Saturday, November 01, 2003 3:23 PM Subject: RE: Employee Access and Accounting of Disclosures Ellen, This is one of those HIPAA topics where we would advise hanging a large "Proceed with Caution" sign, and where we would welcome additional guidance from HHS. Section 164.528(a)(1)(iii) of the Privacy rules --Accounting of disclosures of protected health information-- notes that HIPAA does NOT require a "use" incident to an otherwise permitted "use or disclosure" (as provided in section 164.502) to be included in an "accounting". Conversely, this leads us to believe that HHS intends for ALL "privacy breaches", whether a "use" or "disclosure" to be included in an "accounting". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Ellen Rubin [mailto:[EMAIL PROTECTED] Sent: Saturday, November 01, 2003 3:59 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: Employee Access and Accounting of Disclosures My understanding is that this is a "use" (albeit inappropriate) and not necessary to put in the accounting log. However, if this information was then "disclosed" outside the entity, it would need to be accounted for. I asked this question a few weeks agothe piece I was interested in was whether entities are notifying their patients of this disclosure at the time of the event as well as entering in the accounting. Ellen __ Ellen Rubin, RN, BSN Privacy Officer Harborview Medical Center 206 731-6048 Voice 206 731-2097 Fax - Original Message - From: "Walter Suarez" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgro
