RE: is this practice O.K.?

2003-11-02 Thread Moya Gray



I would also add to Dale's email that, unlike Dr. Fairley's 
initial situation in which providers are sending PHI to non-treating pharmacies 
(i.e., they have no relationship to the patient at the time of the disclosure), 
in the case that John is describing, it would appear that the appropriateness of 
the disclosure would depend upon the "facts" of the case.  

 
That is, is disclosure to a particular person likely to provide 
information that would be used in treatment;  if not then a court would 
wonder why the disclosure.  
 
If the information is to be used for treatment and there is an 
established process that supports this disclosure/use then an 
attorney has a better argument that the disclosure is properly "for 
treatment purposes."
 
Thus, apart from the answer to the question coming from a court 
case, an entity wants to set up for the possibility by identifying these 
situations and, if warranted, establishing a policy for its response.  This 
process reduces the risk of uncertainty in litigation at the very least (it may 
not be the right answer, but does provide a clear standard that can be brought 
to the court if necessary)
 

Moya T. Davenport Gray, Esq.
1283 Honokahua Street
Honolulu, Hawaii 96825
808-396-6731
808-381-3732

  -Original Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]Sent: Sunday, November 02, 2003 4:55 
  PMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: is 
  this practice O.K.?Sounds like some undue stress on a 
  question that probably cannot be answered out of court. The regulatory 
  language provides for no end of possible interpretations and we can only guess 
  at what the courts will decide -- and they get the advantage of a specific set 
  of circumstances (and, I think dice or chicken bones to aid in the 
  decision).If the situation is viewed as a balance between the harm 
  done and the benefit gained, it may be possible to make an educated guess. For 
  example, searches are, by definition, an invasion of privacy. To search 
  without prior approval from a judge, you need some urgent factor to outweigh 
  the violation -- immediate risk to life, etc. There is a long list of court 
  cases weighing the harm against the claimed urgency. That has not cleared up 
  things much, but there are some useful clues.Would it make sense to 
  look at why the release of PHI is happening? What weighs against infringing on 
  the patient's rights? If it is simply a matter of gaining identification, that 
  would not seem terribly urgent. If the harm (release of information without 
  permission) was to prevent the spread of some life threatening virus that 
  would seem to justify doing things that simply identifying a suitable payer 
  would not.In short, if the patient is comatose (which sounds stable to 
  the nonmedical folk), why wouldn't you ask a judge? They have the power to 
  make decisions on behalf of people not able to decide for themselves. It is 
  also much harder to get in serious hot water if you can claim you did it 
  "because the judge said it was OK."I have broken similar rules when I 
  believed the circumstances warranted it and would do so again, but I can't 
  claim it was wise -- simply a strong wish to see the person upright again -- 
  even if in court.Dale K. Howe, PhDGrand Rapids, MI, USA 
  ---The WEDI SNIP listserv to which you are subscribed is not moderated. 
  The discussions on this listserv therefore represent the views of the 
  individual participants, and do not necessarily represent the views of the 
  WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To 
  unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreement

Re: is this practice O.K.?

2003-11-02 Thread DKHGRMI
Sounds like some undue stress on a question that probably cannot be answered out of court. The regulatory language provides for no end of possible interpretations and we can only guess at what the courts will decide -- and they get the advantage of a specific set of circumstances (and, I think dice or chicken bones to aid in the decision).

If the situation is viewed as a balance between the harm done and the benefit gained, it may be possible to make an educated guess. For example, searches are, by definition, an invasion of privacy. To search without prior approval from a judge, you need some urgent factor to outweigh the violation -- immediate risk to life, etc. There is a long list of court cases weighing the harm against the claimed urgency. That has not cleared up things much, but there are some useful clues.

Would it make sense to look at why the release of PHI is happening? What weighs against infringing on the patient's rights? If it is simply a matter of gaining identification, that would not seem terribly urgent. If the harm (release of information without permission) was to prevent the spread of some life threatening virus that would seem to justify doing things that simply identifying a suitable payer would not.

In short, if the patient is comatose (which sounds stable to the nonmedical folk), why wouldn't you ask a judge? They have the power to make decisions on behalf of people not able to decide for themselves. It is also much harder to get in serious hot water if you can claim you did it "because the judge said it was OK."

I have broken similar rules when I believed the circumstances warranted it and would do so again, but I can't claim it was wise -- simply a strong wish to see the person upright again -- even if in court.

Dale K. Howe, PhD
Grand Rapids, MI, USA
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Matt:

I'm about to leave the office.  I asked you to take this off-line, Matt, but you 
didn't, you posted to the group again.  At the risk of alienating the list members I 
will respond to your posting to the group as a whole one more time.  Forgive me, list 
members, but I would really appreciate a serious answer to my question instead of 
tangents, so I am just trying to dispense with the tangents.  Here goes...

Matt, please re-read my earlier posts.  I referred to using media resources in order 
to reach out to the COMMUNITY, to involve the community in treatment.  Why are you 
getting hung up on the tangential "media" portion of the question?  Would it be easier 
to conceptualize if we forget about the media and refer to a smaller community?  Okay, 
let's say instead that a hospital or physician knows that one of the members of an 
association or a club knows the comatose person, and distributes a photo to the group. 
 No media is involved, okay?  All we are talking about is a physician disclosing PHI 
to a non-physician third party for the purposes of treatment, what that means, and 
whether and to what extent HIPAA allows that.

Also, if you will please re-read my posts, you will see that I already referred to 
that spare language concerning medical ethics, which doesn't answer the question:  I 
said "There are a few references to AMA ethical materials in the Preamble...".  So I 
already saw that section, and found that it didn't help, right?  Okay.

I saw all of those excerpts which you are citing.  I found none of them answered the 
question I asked.  That's why I asked the question of the listserve.

Matt, you say below "We believe ... that you would be hard-pressed to stretch the term
"third party".  Okay, again, thank you, thank you, I do understand what it is that you 
believe.  But no, sorry, with all due respect, repeating it again and again doesn't 
help me, thanks.  Yours is one opinion.  I appreciate having heard it.  But now I 
would like to hear the thoughts of others.

What do others believe?  Are there physicians on the list who believe that their 
disclosure of PHI to non-physicians can constitute "treatment" under HIPAA?  In what 
situations?  Could the concept extend so far as to disclosing PHI to a community of 
third parties?  Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 8:58 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

Perhaps this will help.  HHS provides these additional clarifications in the
"Treatment Q&A section of the Preamble to the (initial) Privacy rules:

"Comment:  Some commenters advocated for a narrow interpretation of
treatment that applies only to the individual who is the subject of the
information.  Other commenters asserted that treatment should be broadly
defined when activities are conducted by health care providers to improve or
maintain the health of the patient.  A broad interpretation may raise
concerns about potential misuse of information, but too limited an
interpretation will limit beneficial activities and further contribute to
problems in patient compliance and medical errors.
 
Response:  We find the commenters' arguments for a broad definition of
treatment persuasive.  Today, health care providers consult with one
another, share information about their experience with particular therapies,
seek advise about how to handle unique or challenging cases, and engage in a
variety of other discussions that help them maintain and improve the quality
of care they provide.  Quality of care improves when providers exchange
information about treatment successes and failures.  These activities
require sharing of protected health information.  We do not intend this rule
to interfere with these important activities.  We therefore define treatment
broadly and allow use and disclosure of protected health information about
one individual for the treatment of another individual.

Under this definition, only health care providers or a health care provider
working with a third party can perform treatment activities.  In this way,
we temper the breadth of the definition by limiting the scope of information
sharing.  The various codes of professional ethics also help assure that
information sharing among providers for treatment purposes will be
appropriate."

"Comment:  Many commenters were concerned that the definition of treatment
would not permit Third Party Administrators (TPAs) to be involved with
disease management programs without obtaining authorization.  T

RE: is this practice O.K.?

2003-11-02 Thread Matthew Rosenblum
John,

Perhaps this will help.  HHS provides these additional clarifications in the
"Treatment Q&A section of the Preamble to the (initial) Privacy rules:

"Comment:  Some commenters advocated for a narrow interpretation of
treatment that applies only to the individual who is the subject of the
information.  Other commenters asserted that treatment should be broadly
defined when activities are conducted by health care providers to improve or
maintain the health of the patient.  A broad interpretation may raise
concerns about potential misuse of information, but too limited an
interpretation will limit beneficial activities and further contribute to
problems in patient compliance and medical errors.
 
Response:  We find the commenters’ arguments for a broad definition of
treatment persuasive.  Today, health care providers consult with one
another, share information about their experience with particular therapies,
seek advise about how to handle unique or challenging cases, and engage in a
variety of other discussions that help them maintain and improve the quality
of care they provide.  Quality of care improves when providers exchange
information about treatment successes and failures.  These activities
require sharing of protected health information.  We do not intend this rule
to interfere with these important activities.  We therefore define treatment
broadly and allow use and disclosure of protected health information about
one individual for the treatment of another individual.

Under this definition, only health care providers or a health care provider
working with a third party can perform treatment activities.  In this way,
we temper the breadth of the definition by limiting the scope of information
sharing.  The various codes of professional ethics also help assure that
information sharing among providers for treatment purposes will be
appropriate."

"Comment:  Many commenters were concerned that the definition of treatment
would not permit Third Party Administrators (TPAs) to be involved with
disease management programs without obtaining authorization.  They asserted
that while the proposed definition of treatment included disease management
conducted by health care providers it did not recognize the role of
employers and TPAs in the current disease management process.

Response: Covered entities disclose protected health information to other
persons, including TPAs, that they hire to perform services for them or on
their behalf.  If a covered entity hires a TPA to perform the disease
management activities included in the rule’s definitions of treatment and
health care operations that disclosure will not require authorization.  The
relationship between the covered entity and the TPA may be subject to the
business associate requirements of §§ 164.502 and 164.504.  Disclosures by
covered entities to plan sponsors, including employers, for the purpose of
plan administration are addressed in § 164.504."

Again, we believe that within these clarifying scenarios and examples
utilized by HHS (above), that you would be hard-pressed to stretch the term
"third party" to include the media.  Though, in an exception circumstance,
such as an emergency, a case may be made for that type of disclosure.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:44 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Clarified it?  They removed the limiting language -- they EXPANDED it,
didn't they? :-)

Thanks for your thoughts, Matt, much appreciated.  What do others think?
Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes lega

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Matt:

None of that gets to the issue -- that DHHS removed a limitation on the definition of 
"third parties."  So thanks, but, sorry, those excerpts don't add to the issue, none 
of that helps.

I'm going to chime out now ... and FYI I am out of the office for the next few days so 
I won't be back to the list until mid-week ... but Matt, if you would like to discuss 
your thoughts further, may I suggest we take OUR discussion off line, okay?  Thanks.

Otherwise, other list members, I look forward to reading *your* thoughts midweek.  
Thanks again to all, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 7:02 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

HHS made the modification, and then explained how come:

"Specifically, we modify the proposed definition of "treatment" to include
the management of health care and related services.  Under the definition,
the provision, coordination, or management of health care or related
services may be undertaken by one or more health care providers.
'Treatment' includes coordination or management by a health care provider
with a third party and consultation between health care providers.  The term
also includes referral by a health care provider of a patient to another
health care provider."

"Treatment refers to activities undertaken on behalf of a single patient,
not a population. Activities are considered treatment only if delivered by a
health care provider or a health care provider working with another party.
Activities of health plans are not considered to be treatment.  Many
services, such as a refill reminder communication or nursing assistance
provided through a telephone service, are considered treatment activities if
performed by or on behalf of a health care provider, such as a pharmacist,
but are regarded as health care operations if done on behalf of a different
type of entity, such as a health plan."

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:44 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Clarified it?  They removed the limiting language -- they EXPANDED it,
didn't they? :-)

Thanks for your thoughts, Matt, much appreciated.  What do others think?
Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes legal advice - if you need legal advice, please consult
your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:39 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

You are quite right that the proposed rule was modified, and that is why we
included BOTH versions in our second response to you.  Our point is, that
based on that modification, HHS clarifies what it intends as the "third
party".

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of th

RE: is this practice O.K.?

2003-11-02 Thread Matthew Rosenblum
John,

HHS made the modification, and then explained how come:

"Specifically, we modify the proposed definition of “treatment” to include
the management of health care and related services.  Under the definition,
the provision, coordination, or management of health care or related
services may be undertaken by one or more health care providers.
'Treatment' includes coordination or management by a health care provider
with a third party and consultation between health care providers.  The term
also includes referral by a health care provider of a patient to another
health care provider."

"Treatment refers to activities undertaken on behalf of a single patient,
not a population. Activities are considered treatment only if delivered by a
health care provider or a health care provider working with another party.
Activities of health plans are not considered to be treatment.  Many
services, such as a refill reminder communication or nursing assistance
provided through a telephone service, are considered treatment activities if
performed by or on behalf of a health care provider, such as a pharmacist,
but are regarded as health care operations if done on behalf of a different
type of entity, such as a health plan."

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:44 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Clarified it?  They removed the limiting language -- they EXPANDED it,
didn't they? :-)

Thanks for your thoughts, Matt, much appreciated.  What do others think?
Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes legal advice - if you need legal advice, please consult
your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:39 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

You are quite right that the proposed rule was modified, and that is why we
included BOTH versions in our second response to you.  Our point is, that
based on that modification, HHS clarifies what it intends as the "third
party".

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:29 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Matt:

With all due respect, each time you have responded on this thread you have
cited small excerpts which support your position, but have failed to cite
the additional language following your excerpt which calls your position
in

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Clarified it?  They removed the limiting language -- they EXPANDED it, didn't they? :-)

Thanks for your thoughts, Matt, much appreciated.  What do others think?  Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:39 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

You are quite right that the proposed rule was modified, and that is why we
included BOTH versions in our second response to you.  Our point is, that
based on that modification, HHS clarifies what it intends as the "third
party".

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:29 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Matt:

With all due respect, each time you have responded on this thread you have
cited small excerpts which support your position, but have failed to cite
the additional language following your excerpt which calls your position
into question.

The first time, you pulled this language from the definition of "treatment"
in the final rule --

"consultation between health care providers [i.e., physicians and
pharmacists] relating to a patient" 

-- without citing the follow-up language which is included in the
definition:

"INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE
PROVIDER WITH A
THIRD PARTY".

And now this time, you have now pulled some language from the final rule
preamble --

"THE PROPOSED RULE defined 'treatment' as the provision of health care by
... health
care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE
INDIVIDUAL..."

-- without acknowledging that the language in the paragraphs which
immediately follow the language you excerpted notes that the proposed rule's
definition which you are citing, Matt, WAS MODIFIED:

"Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include
the management of health care and related services"

If the list members will go back to the 1999 proposed HIPAA rule's
definition of "treatment", you can see just exactly which language in the
definition of "treatment" was modified.  See at
http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section
164.504 at page 60053; the proposed rule's definition of "treatment" was:

"Treatment means the provision of health care by, or the coordination of
health care (including health care management of the individual through risk
assessment, case management, and disease management) among, health care
providers; the referral of a patient from one provider to another; OR THE
COORDINATION OF HEALTH CARE OR OTHER
SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE
HEALTH PLAN OR THE INDIVIDUAL." (emphasis added)

In the final rule, under section 164.501 at page 82805 (see
http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment
was changed to:

"Treatment means the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider WITH A THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for
health care from one health care provider to another." (emphasis added)

[This final definition was not changed in the August 2002 Privacy Rule
modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is
t

RE: is this practice O.K.?

2003-11-02 Thread Matthew Rosenblum
John,

You are quite right that the proposed rule was modified, and that is why we
included BOTH versions in our second response to you.  Our point is, that
based on that modification, HHS clarifies what it intends as the "third
party".

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:29 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Matt:

With all due respect, each time you have responded on this thread you have
cited small excerpts which support your position, but have failed to cite
the additional language following your excerpt which calls your position
into question.

The first time, you pulled this language from the definition of "treatment"
in the final rule --

"consultation between health care providers [i.e., physicians and
pharmacists] relating to a patient" 

-- without citing the follow-up language which is included in the
definition:

"INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE
PROVIDER WITH A
THIRD PARTY".

And now this time, you have now pulled some language from the final rule
preamble --

"THE PROPOSED RULE defined 'treatment' as the provision of health care by
... health
care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE
INDIVIDUAL..."

-- without acknowledging that the language in the paragraphs which
immediately follow the language you excerpted notes that the proposed rule's
definition which you are citing, Matt, WAS MODIFIED:

"Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include
the management of health care and related services"

If the list members will go back to the 1999 proposed HIPAA rule's
definition of "treatment", you can see just exactly which language in the
definition of "treatment" was modified.  See at
http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section
164.504 at page 60053; the proposed rule's definition of "treatment" was:

"Treatment means the provision of health care by, or the coordination of
health care (including health care management of the individual through risk
assessment, case management, and disease management) among, health care
providers; the referral of a patient from one provider to another; OR THE
COORDINATION OF HEALTH CARE OR OTHER
SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE
HEALTH PLAN OR THE INDIVIDUAL." (emphasis added)

In the final rule, under section 164.501 at page 82805 (see
http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment
was changed to:

"Treatment means the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider WITH A THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for
health care from one health care provider to another." (emphasis added)

[This final definition was not changed in the August 2002 Privacy Rule
modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is
the current definition].

The list members will see that some of the exact language which was removed
from the proposed rule's definition is the very qualifying language at the
end of the definition that limited the "third parties" to only those "third
parties" who were "authorized by the health plan or the individual"!

So, in the final rule, as the sentences immediately following the one which
you cited make clear, Matt, DHHS TOOK OUT THE LIMITATION THAT YOU ARE
RELYING UPON.  The limitation on third parties, to only those who were
"authorized by the health plan or the individual", no longer exists.  The
excerpt you emphasized actually undermines your position rather than
supporting it, given that the final rule's preamble was pointing out that
that exce

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Matt:

With all due respect, each time you have responded on this thread you have cited small 
excerpts which support your position, but have failed to cite the additional language 
following your excerpt which calls your position into question.

The first time, you pulled this language from the definition of "treatment" in the 
final rule --

"consultation between health care providers [i.e., physicians and pharmacists] 
relating to a patient" 

-- without citing the follow-up language which is included in the definition:

"INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER 
WITH A
THIRD PARTY".

And now this time, you have now pulled some language from the final rule preamble --

"THE PROPOSED RULE defined 'treatment' as the provision of health care by ... health
care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL..."

-- without acknowledging that the language in the paragraphs which immediately follow 
the language you excerpted notes that the proposed rule's definition which you are 
citing, Matt, WAS MODIFIED:

"Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include the 
management of health care and related services"

If the list members will go back to the 1999 proposed HIPAA rule's definition of 
"treatment", you can see just exactly which language in the definition of "treatment" 
was modified.  See at http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions 
under section 164.504 at page 60053; the proposed rule's definition of "treatment" was:

"Treatment means the provision of health care by, or the coordination of health care 
(including health care management of the individual through risk assessment, case 
management, and disease management) among, health care providers; the referral of a 
patient from one provider to another; OR THE COORDINATION OF HEALTH CARE OR OTHER
SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN 
OR THE INDIVIDUAL." (emphasis added)

In the final rule, under section 164.501 at page 82805 (see 
http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment was 
changed to:

"Treatment means the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider WITH A THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for
health care from one health care provider to another." (emphasis added)

[This final definition was not changed in the August 2002 Privacy Rule modification 
(see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is the current 
definition].

The list members will see that some of the exact language which was removed from the 
proposed rule's definition is the very qualifying language at the end of the 
definition that limited the "third parties" to only those "third parties" who were 
"authorized by the health plan or the individual"!

So, in the final rule, as the sentences immediately following the one which you cited 
make clear, Matt, DHHS TOOK OUT THE LIMITATION THAT YOU ARE RELYING UPON.  The 
limitation on third parties, to only those who were "authorized by the health plan or 
the individual", no longer exists.  The excerpt you emphasized actually undermines 
your position rather than supporting it, given that the final rule's preamble was 
pointing out that that excerpt is obsolete.

I appreciate your perspective, Matt.  But I'm not really asking for incomplete 
language excerpts which falsely describe the current regulatory language and which 
appear to support a particular preconceived opinion on this issue.

Instead, I'm suggesting that the language which made it into the final Rule, that 
"treatment" can mean the sharing of PHI from providers to some entities called "third 
parties" (unqualified, undefined), is subject to multiple interpretations, and I'm 
curious as to whether physicians or providers or others ever believe that sharing PHI 
with a community can sometimes constitute "treatment".  We know what you think now, 
Matt, thanks, and I really do appreciate knowing your viewpoint.  But let's hear from 
some others now, thanks.

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 5:19 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


John,

We believe that HHS is clear in the use of the term "third party" in its
definition of "treatment".  The following 

RE: is this practice O.K.?

2003-11-02 Thread Moya Gray
In states where this tyep of sharing is required by law, a CE doesn't have a
problem;  in those states where the sharing isn't authorized, the CE should
assess its risk under all possible laws (state and federal) that impact this
disclosure.  I would venture to guess that there are instances in which it
is inappropriate to share that data and for which there is a risk of
liability.

Moya T. D. Gray, J.D.
1283 Honokahua Street
Honolulu, Hawaii  96825
808-381-3732
808-396-6731
[EMAIL PROTECTED]  


-Original Message-
From: Paula Cook [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 12:01 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


Better yet, when the MD makes the original "deal" with the patient..part of
the deal should be written that the patient is informed that other
pharmacies will be notified that such drugs may only be prescribed by doctor
X. Then you have permission to disclose to the other pharmacies.  Paula

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 1:46 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the
Privacy Rule is as follows:

"Treatment means the provision, coordination, or management of health care
and related services by one or more health care providers, INCLUDING THE
COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A
THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for health
care from one health care provider to another." (emphasis added)  What the
emphasized phrase means is the question.

I don't see all that much in the Privacy Rule Preamble discussing what
"treatment" means in the first place, much less what this "coordination or
management...with a third party" means.  Is the "third party" language mere
surplusage, or does it refer to non-providers?  (FWIW, IMO it is the
latter).

There are a few references to AMA ethical materials in the Preamble, and a
few other sections (see for example the Privacy Rule preamble at pages 82625
to 82626), where DHHS says that it intends the term "treatment" itself to be
defined very broadly, albeit limited to "treatment's" performance by only
physicians and medical providers (and not, for example, by health plans),
and also, limited to treatment of an individual.

In other words:

WHO DOES IT?  "Treatment" must be performed by a provider.
WHO IS IT DONE TO?  "Treatment" must also concern the medical care provided
to an individual, and not to a community.

But once the above limitations are imposed, all bets are off.  In terms of
...

WHAT IS IT?  "Treatment" can be just about any type of health care and...
WHO ELSE CAN THE PROVIDER PERFORM IT WITH?  I think the Rule says that, as
long as the above qualifications are met, a physician or provider can
perform "treatment" with anybody else (a "third party").

So, noting the reference to "coordination or management of health care by a
health care provider with a third party", I am wondering, can that "third
party" be read as broadly as to include the community at large?  

I wonder if the physicians or medical providers on the list can give
examples or otherwise expand upon, in their experience, what this
coordination with a third party might entail?  For example, if a physician
believed that enlisting the community's help in identifying a comatose
patient was essential for performing treatment on that patient, would that
be the physician's "coordination or management of health care ... with a
third party"?  Thanks again, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes legal advice - if you need legal advice, please consult
your own attorney.]

-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 12:48 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

John,

Clearly, HIPAA allows a health care provider to disclose PHI to any other
health care provider for the purposes of "treatment", and the
HIPAA-definition includes "consultation between health care providers [i.e.,
physicians and pharmacists] relating to a patient".  As most pharmacists are
CEs, they would be mandated to comply with the HIPAA rules.

The general scenario to which you refer (below) is not so clearly defined by
HIPAA: the photo of a comatose patient disclosed to the general public
through mass media in order to "identify" the individual might (or might
not) apply to a "treatment" or "public health" emergency.  For example, if
the need-to-identify is intertwined with a "public health" emergency,
possibly HIPAA 

RE: is this practice O.K.?

2003-11-02 Thread Matthew Rosenblum
John,

We believe that HHS is clear in the use of the term "third party" in its
definition of "treatment".  The following guidance is provided in the
Preamble to the (initial) Privacy rules:

"The proposed rule defined 'treatment' as the provision of health care by,
or the coordination of health care (including health care management of the
individual through risk assessment, case management, and disease management)
among, health care providers; the referral of a patient from one provider to
another; or the coordination of health care or other services among health
care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE
INDIVIDUAL." (The emphasis is mine).

"Under the definition [of treatment], the provision, coordination, or
management of health care or related services may be undertaken by one or
more health care providers.  'Treatment' includes coordination or management
by a health care provider with a third party and consultation between health
care providers.  The term also includes referral by a health care provider
of a patient to another health care provider."

"Treatment refers to activities undertaken on behalf of a single patient,
not a population. Activities are considered treatment only if delivered by a
health care provider or a health care provider working with another party.
Activities of health plans are not considered to be treatment.  Many
services, such as a refill reminder communication or nursing assistance
provided through a telephone service, are considered treatment activities if
performed by or on behalf of a health care provider, such as a pharmacist,
but are regarded as health care operations if done on behalf of a different
type of entity, such as a health plan."

Within this context of HHS intentions (above), a "third party" might be a
"therapy aide" or "clinical coordinator", but we do not currently see how
the term "third party" may be stretched to include "mass media".  Be this as
it may, we do welcome an opportunity to vet this important topic.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 
-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 2:46 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the
Privacy Rule is as follows:

"Treatment means the provision, coordination, or management of health care
and related services by one or more health care providers, INCLUDING THE
COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A
THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for health
care from one health care provider to another." (emphasis added)  What the
emphasized phrase means is the question.

I don't see all that much in the Privacy Rule Preamble discussing what
"treatment" means in the first place, much less what this "coordination or
management...with a third party" means.  Is the "third party" language mere
surplusage, or does it refer to non-providers?  (FWIW, IMO it is the
latter).

There are a few references to AMA ethical materials in the Preamble, and a
few other sections (see for example the Privacy Rule preamble at pages 82625
to 82626), where DHHS says that it intends the term "treatment" itself to be
defined very broadly, albeit limited to "treatment's" performance by only
physicians and medical providers (and not, for example, by health plans),
and also, limited to treatment of an individual.

In other words:

WHO DOES IT?  "Treatment" must be performed by a provider.
WHO IS IT DONE TO?  "Treatment" must also concern the medical care provided
to an individual, and not to a community.

But once the above limitations are imposed, all bets are off.  In terms of
...

WHAT IS IT?  "Treatment" can be just about any type of health care and...
WHO ELSE CAN THE PROVIDER PERFORM 

RE: is this practice O.K.?

2003-11-02 Thread Paula Cook
Better yet, when the MD makes the original "deal" with the patient..part of
the deal should be written that the patient is informed that other
pharmacies will be notified that such drugs may only be prescribed by doctor
X. Then you have permission to disclose to the other pharmacies.  Paula

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 1:46 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the
Privacy Rule is as follows:

"Treatment means the provision, coordination, or management of health care
and related services by one or more health care providers, INCLUDING THE
COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A
THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for health
care from one health care provider to another." (emphasis added)  What the
emphasized phrase means is the question.

I don't see all that much in the Privacy Rule Preamble discussing what
"treatment" means in the first place, much less what this "coordination or
management...with a third party" means.  Is the "third party" language mere
surplusage, or does it refer to non-providers?  (FWIW, IMO it is the
latter).

There are a few references to AMA ethical materials in the Preamble, and a
few other sections (see for example the Privacy Rule preamble at pages 82625
to 82626), where DHHS says that it intends the term "treatment" itself to be
defined very broadly, albeit limited to "treatment's" performance by only
physicians and medical providers (and not, for example, by health plans),
and also, limited to treatment of an individual.

In other words:

WHO DOES IT?  "Treatment" must be performed by a provider.
WHO IS IT DONE TO?  "Treatment" must also concern the medical care provided
to an individual, and not to a community.

But once the above limitations are imposed, all bets are off.  In terms of
...

WHAT IS IT?  "Treatment" can be just about any type of health care and...
WHO ELSE CAN THE PROVIDER PERFORM IT WITH?  I think the Rule says that, as
long as the above qualifications are met, a physician or provider can
perform "treatment" with anybody else (a "third party").

So, noting the reference to "coordination or management of health care by a
health care provider with a third party", I am wondering, can that "third
party" be read as broadly as to include the community at large?  

I wonder if the physicians or medical providers on the list can give
examples or otherwise expand upon, in their experience, what this
coordination with a third party might entail?  For example, if a physician
believed that enlisting the community's help in identifying a comatose
patient was essential for performing treatment on that patient, would that
be the physician's "coordination or management of health care ... with a
third party"?  Thanks again, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes legal advice - if you need legal advice, please consult
your own attorney.]

-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 12:48 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

John,

Clearly, HIPAA allows a health care provider to disclose PHI to any other
health care provider for the purposes of "treatment", and the
HIPAA-definition includes "consultation between health care providers [i.e.,
physicians and pharmacists] relating to a patient".  As most pharmacists are
CEs, they would be mandated to comply with the HIPAA rules.

The general scenario to which you refer (below) is not so clearly defined by
HIPAA: the photo of a comatose patient disclosed to the general public
through mass media in order to "identify" the individual might (or might
not) apply to a "treatment" or "public health" emergency.  For example, if
the need-to-identify is intertwined with a "public health" emergency,
possibly HIPAA would allow the disclosure of the photo by the provider to a
public health authority.  But in that case, it would be public health
authority (and not the provider) that makes the photo available to the
media.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confident

RE: is this practice O.K.?

2003-11-02 Thread Paula Cook
Hello,
This scenario reminds me of the old "bounced-check list" that retail
shops used to keep (maybe they still do). Sounds like you are sharing this
information for treatment purposes in advance of the customer's possible
visit...an interesting situation.  Your actions sound reasonable, for the
good of the patient, the physician, the pharmacy and the commmunity BUT...to
distribute the name before they ever present themselves there as a
shoppper...that sounds like too much information to be sharing.  Sounds like
the buyer could nail you for something. I believe that INTERNALLY, a
pharmacy network may openly share such data base information but it does
sound like a stretch to broadcast his/her name to all pharmacies-no matter
how good your intentions are.  If there is a crime involved or something of
course then the authorities can alert all pharmacies.
If you are really set on going externally with your suspicions, why
don't you arrange an understanding with other pharmacies... that they might
get anonymous calls with unofficial "alerts" about certain customers who may
be abusing the system.  Alert the pharmacies then and see how it goes.  It's
passing the buck to your partners but it is one way of warning them and
protecting yourself also.  Your intentions are reasonable and your
motivation sound. 
Paula Cook
Riverview Association

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 2:54 PM
To: WEDI SNIP Privacy Workgroup List
Subject: is this practice O.K.?


The practice that I am going to describe is quite common in our community
but I am not sure it is acceptable.  I wanted the opinion of the experts on
this list.

Occassionally, we run into a problem with a patient who seems to be doctor
hopping and getting multiple prescriptions for narcotics.  In order for the
patient's principle physician to keep a close watch on the patient's use of
narcotics and to avoid abuse/misuse of narcotics, the physician makes a deal
with the patient.  The deal is "ALL prescriptions for narcotics must be
funneled through one doctor-the primary care physician."  The patient
usually agrees but then (and here is where I am not sure if we are
infringing on privacy)we can send an "Alert" to all the area pharmacies to
alert them that this deal occurred and if the patient shows up at one of the
area pharmacies with a narcotic prescription from someone other than the
primary care physician, the patient is told that they have an order that
they can not fill the prescription unless it comes from the designated
doctor.  

Is this practice acceptable?  Do we need the patient's consent to notify all
heighborhood pharmacies?  Is verbal consent acceptable?  Can the information
be sent to the pharmacies without the patient's specific consent  (that is,
the patient consented to the arrangement that one doctor fills all narcotic
prescriptions but the patient did not consent to the information being sent
to all area pharmacies? )

Thank you
Rich Fairley, M.D.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current 

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the Privacy Rule 
is as follows:

"Treatment means the provision, coordination, or management of health care and related 
services by one or more health care providers, INCLUDING THE COORDINATION OR 
MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY; consultation 
between health care
providers relating to a patient; or the referral of a patient for health care from one 
health care provider to another." (emphasis added)  What the emphasized phrase means 
is the question.

I don't see all that much in the Privacy Rule Preamble discussing what "treatment" 
means in the first place, much less what this "coordination or management...with a 
third party" means.  Is the "third party" language mere surplusage, or does it refer 
to non-providers?  (FWIW, IMO it is the latter).

There are a few references to AMA ethical materials in the Preamble, and a few other 
sections (see for example the Privacy Rule preamble at pages 82625 to 82626), where 
DHHS says that it intends the term "treatment" itself to be defined very broadly, 
albeit limited to "treatment's" performance by only physicians and medical providers 
(and not, for example, by health plans), and also, limited to treatment of an 
individual.

In other words:

WHO DOES IT?  "Treatment" must be performed by a provider.
WHO IS IT DONE TO?  "Treatment" must also concern the medical care provided to an 
individual, and not to a community.

But once the above limitations are imposed, all bets are off.  In terms of ...

WHAT IS IT?  "Treatment" can be just about any type of health care and...
WHO ELSE CAN THE PROVIDER PERFORM IT WITH?  I think the Rule says that, as long as the 
above qualifications are met, a physician or provider can perform "treatment" with 
anybody else (a "third party").

So, noting the reference to "coordination or management of health care by a health 
care provider with a third party", I am wondering, can that "third party" be read as 
broadly as to include the community at large?  

I wonder if the physicians or medical providers on the list can give examples or 
otherwise expand upon, in their experience, what this coordination with a third party 
might entail?  For example, if a physician believed that enlisting the community's 
help in identifying a comatose patient was essential for performing treatment on that 
patient, would that be the physician's "coordination or management of health care ... 
with a third party"?  Thanks again, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]

-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 12:48 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

John,

Clearly, HIPAA allows a health care provider to disclose PHI to any other
health care provider for the purposes of "treatment", and the
HIPAA-definition includes "consultation between health care providers [i.e.,
physicians and pharmacists] relating to a patient".  As most pharmacists are
CEs, they would be mandated to comply with the HIPAA rules.

The general scenario to which you refer (below) is not so clearly defined by
HIPAA: the photo of a comatose patient disclosed to the general public
through mass media in order to "identify" the individual might (or might
not) apply to a "treatment" or "public health" emergency.  For example, if
the need-to-identify is intertwined with a "public health" emergency,
possibly HIPAA would allow the disclosure of the photo by the provider to a
public health authority.  But in that case, it would be public health
authority (and not the provider) that makes the photo available to the
media.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha re

RE: is this practice O.K.?

2003-11-02 Thread Matthew Rosenblum
John,

Clearly, HIPAA allows a health care provider to disclose PHI to any other
health care provider for the purposes of "treatment", and the
HIPAA-definition includes "consultation between health care providers [i.e.,
physicians and pharmacists] relating to a patient".  As most pharmacists are
CEs, they would be mandated to comply with the HIPAA rules.

The general scenario to which you refer (below) is not so clearly defined by
HIPAA: the photo of a comatose patient disclosed to the general public
through mass media in order to "identify" the individual might (or might
not) apply to a "treatment" or "public health" emergency.  For example, if
the need-to-identify is intertwined with a "public health" emergency,
possibly HIPAA would allow the disclosure of the photo by the provider to a
public health authority.  But in that case, it would be public health
authority (and not the provider) that makes the photo available to the
media.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 11:18 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Matt:

That is an interesting perspective, and one which I have wondered about
myself.  But I wonder how far the concept can be stretched under the HIPAA
Privacy Rule.  For example, one of the listserves a few months ago (I think
it was a different one than this one) was discussing the situation where an
unidentified comatose patient is brought to the hospital and the hospital
believes the only way to identify the patient is through a photo disclosed
to the mass media.  The discussion took various twists and turns, but one
thing which I privately pondered at the time was whether there is such a
thing as "community" treatment.  Under the principle you embrace below,
would the hospital's media disclosure also constitute "treatment"?  If not,
why not?  Is the distinction that in Dr. Fairley's example, the disclosure
is to other providers, while in the hospital's scenario, the disclosure is
made to a wider audience than providers?  Where in the HIPAA Privacy Rule is
that distinction defined?  Thanks for your thoughts, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes legal advice - if you need legal advice, please consult
your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 5:12 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


Dear Dr. Fairley,

What a great question!  We believe that HIPAA allows this practice and in
doing so, provides patient with privacy protections.

For nearly 2000 years physicians, nurses, and pharmacists (chemists) have
comprised the "treatment" triad.  And especially when treating substance
abuse and addiction, it does take a community to provide a safe and
therapeutic environment: whenever we remove a member of the treatment
community from the process, errors and mistakes may increase and disease
resolution may decrease.  Within this context, the scenario that you
describe (below) fits well within the bounds of sharing PHI for treatment
purposes, and the involved providers will be beholden to the related HIPAA
rules.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addresse

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Matt:

That is an interesting perspective, and one which I have wondered about myself.  But I 
wonder how far the concept can be stretched under the HIPAA Privacy Rule.  For 
example, one of the listserves a few months ago (I think it was a different one than 
this one) was discussing the situation where an unidentified comatose patient is 
brought to the hospital and the hospital believes the only way to identify the patient 
is through a photo disclosed to the mass media.  The discussion took various twists 
and turns, but one thing which I privately pondered at the time was whether there is 
such a thing as "community" treatment.  Under the principle you embrace below, would 
the hospital's media disclosure also constitute "treatment"?  If not, why not?  Is the 
distinction that in Dr. Fairley's example, the disclosure is to other providers, while 
in the hospital's scenario, the disclosure is made to a wider audience than providers? 
 Where in the HIPAA Privacy Rule is that distinction defined?  Thanks for your 
thoughts, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 5:12 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


Dear Dr. Fairley,

What a great question!  We believe that HIPAA allows this practice and in
doing so, provides patient with privacy protections.

For nearly 2000 years physicians, nurses, and pharmacists (chemists) have
comprised the "treatment" triad.  And especially when treating substance
abuse and addiction, it does take a community to provide a safe and
therapeutic environment: whenever we remove a member of the treatment
community from the process, errors and mistakes may increase and disease
resolution may decrease.  Within this context, the scenario that you
describe (below) fits well within the bounds of sharing PHI for treatment
purposes, and the involved providers will be beholden to the related HIPAA
rules.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 3:54 PM
To: WEDI SNIP Privacy Workgroup List
Subject: is this practice O.K.?

The practice that I am going to describe is quite common in our community
but I am not sure it is acceptable.  I wanted the opinion of the experts on
this list.

Occassionally, we run into a problem with a patient who seems to be doctor
hopping and getting multiple prescriptions for narcotics.  In order for the
patient's principle physician to keep a close watch on the patient's use of
narcotics and to avoid abuse/misuse of narcotics, the physician makes a deal
with the patient.  The deal is "ALL prescriptions for narcotics must be
funneled through one doctor-the primary care physician."  The patient
usually agrees but then (and here is where I am not sure if we are
infringing on privacy)we can send an "Alert" to all the area pharmacies to
alert them that this deal occurred and if the patient shows up at one of the
area pharmacies with a narcotic prescription from someone other than the
primary care physician, the patient is told that they have an order that
they can not fill the prescription unless it comes from the designated
doctor.  

Is this practice acceptable?  Do we need the patient's consent to notify all
heighborhood pharmacies?  Is verbal consent acceptable?  Can the information
be sent to the pharmacies without the patient's specific consent  (that is,
the patient consented to the arrangement that one doctor fills all narcotic

Re: to listserv admin

2003-11-02 Thread Phillip Otto
While some of the made up names are fun and amusing, in and of
themselves, and provide for some comic relief from all of the taffy
pulls,  and peeing contests, I find myself in full agreement with Tim.  


Red Baron
SIERRA/Dynamix
No Cell Phone I will be flying today.

>>> <[EMAIL PROTECTED]> 11/01/03 02:35PM >>>
I greatly value the opinions of this listserv, and am indebted to its
participants.  However, I am very concerned about participants who do
not
identify themselves, and hide behind nebulous entity names.  I would
like to
ask the listserv admin to enforce the need for attribution, and make
sure
that people identify themselves by name in their postings.

Regards,


Tim McGuinness, Ph.D.

Email: [EMAIL PROTECTED] 
Alt Email: [EMAIL PROTECTED] 
Direct Phone: 1-727-787-9801

Certified Consulting Specialist and Forensic Regulatory Examiner in
Regulatory Privacy, Security, and Application Compliance
[HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section
508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland
Security]
Founding Board Member & Executive Co-Chairman, HIPAA Conformance
Certification Organization

===

IMPORTANT LEGAL NOTICE: This communication, including any attachment,
contains information that may be confidential or privileged, and is
intended
solely for the entity or individual to whom it is addressed. If you are
not
the intended recipient, please notify the sender at once, and you
should
delete this message and are hereby notified that any disclosure,
copying, or
distribution of this message is strictly prohibited. Nothing in this
email,
including any attachment, is intended to be a legally binding
signature.

HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other
regulations and
statutes are law, and that all interpretation of law should involve
licensed
attorneys in good standing with their local Bar Association. The
forgoing is
provided for educational or discussion purposes only. The author
accepts no
responsibility for its accuracy, review, distribution, or use in any
way.
You assume responsibility for understanding this material and its
applicability and/or use. The above may need to be interpreted by your
attorney as needed to conform with federal or state law - you're use of
this
information must always be reviewed and approved by your own attorney
prior
to use, application, or implementation.


---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


FW: Employee Access and Accounting of Disclosures

2003-11-02 Thread Matthew Rosenblum
Ellen,

We have re-reviewed the Preamble to the (initial) Privacy rules, and believe
your assessment is correct.  Apparently, HHS' intention is quite clear:

"Comments:  Some commenters said that the accounting provision described in
the NPRM was ambiguous and created uncertainty as to whether it addresses
disclosures only, as the title would indicate, or whether it includes
accounting of uses.  They urged that the standard address disclosures only,
and not uses, which would make implementation far more practicable and less
burdensome.

Response:  The final rule requires disclosures, not uses, to be included in
an accounting."

Thank you for helping us in this matter.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 
-Original Message-
From: Ellen Rubin [mailto:[EMAIL PROTECTED] 
Sent: Saturday, November 01, 2003 7:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Employee Access and Accounting of Disclosures

Interesting way to look at it.  Thanks for the interpretation and I'll be
waiting for HHS to offer more guidance.  Ellen
__
Ellen Rubin, RN, BSN
Privacy Coordinator
Harborview Medical Center
206 731-6048 Voice
206 731-2097 Fax

- Original Message -
From: "Matthew Rosenblum" <[EMAIL PROTECTED]>
To: "'Ellen Rubin'" <[EMAIL PROTECTED]>; "'WEDI SNIP Privacy Workgroup
List'" <[EMAIL PROTECTED]>
Sent: Saturday, November 01, 2003 3:23 PM
Subject: RE: Employee Access and Accounting of Disclosures


Ellen,

This is one of those HIPAA topics where we would advise hanging a large
"Proceed with Caution" sign, and where we would welcome additional guidance
from HHS.

Section 164.528(a)(1)(iii) of the Privacy rules --Accounting of disclosures
of protected health information-- notes that HIPAA does NOT require a "use"
incident to an otherwise permitted "use or disclosure" (as provided in
section 164.502) to be included in an "accounting".  Conversely, this leads
us to believe that HHS intends for ALL "privacy breaches", whether a "use"
or "disclosure" to be included in an "accounting".

I hope that this helps.

Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com

CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011

(212) 675-6367
[EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.

AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.

-Original Message-
From: Ellen Rubin [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 01, 2003 3:59 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Employee Access and Accounting of Disclosures

My understanding is that this is a "use" (albeit inappropriate) and not
necessary to put in the accounting log.  However, if this information was
then "disclosed" outside the entity, it would need to be accounted for.  I
asked this question a few weeks agothe piece I was interested in was
whether entities are notifying their patients of this disclosure at the time
of the event as well as entering in the accounting.  Ellen

__
Ellen Rubin, RN, BSN
Privacy Officer
Harborview Medical Center
206 731-6048 Voice
206 731-2097 Fax


- Original Message -
From: "Walter Suarez" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgro