Traci,
It looks to me like someone's trying to cover
all bases with a shotgun approach (run it up the flagpole and see who
salutes).
My understanding is that you wouldn't need a
BAC any more than a surgeon's office needs one with a Primary Care Physician
referring a patient to them. This
Traci,
My vote's for the round file.
Any lawyers out there feel free to chime
in.
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]
"This electronic
Leslie,
In general, I agree.
The vendor is attempting to reduce the load on ITS legal staff by getting its
customers to sign their version of the BAA before their customers write their own.
You will have to have a BAA in place with most of these entities.
It doesn't matter who originates the
Susan,
Well said.
Still another kink -- come October, you will have to file your
Medicare claims electronically, which makes the loopholes even
smaller.
IMHO, this makes just about anyone who does "Health Care" a
CE, except for those few providers who do a strictly cash business, and
Brenda,
As Noel pointed out, not quite. They may be a CE in addition to being a BA, but,
because they perform a function (billing) for the Provider, they are a BA of the
provider. If their functionality includes anything outside of obtaining non-standard
claims information, generating
Title: RE: Recording Disclosures (was BA Agreement Questions)
I also agree with Carolyn.
An external Auditor would be a BA if (and only if) YOU hired
the firm to perform audits for YOUR business purposes, and the auditor had to
access PHI in order to perform the audits.
Government
Rebecca,
That is precisely the point. PHI that leaves the office by any means must still be
protected to the same level as the office information, and it is much more difficult
to do, because you do not have the same control over the off-site environment.
Therefore, your policies need to be
Carolyn,
Jonathan's question was about the need for encryption on a dial-up line. For detailed
discussions, he should see the Security listserv.
Generally, though, a direct dial-in connection to a receiver's system (not via the
Internet) would be considered an acceptable risk if you trust the
Kathy,
The Nursing Home and Ambulance Service would both be Covered
Entities if they do any of the covered functions electronically. Business
Associates are entities who do something on behalf of a Covered
Entity.
The opinions expressed here are my own and not necessarily the
Title: DOL vs. HIPAA
Agree.
Subject to the restriction that whatever is disclosed for any
purpose be only the minimum necessary for that purpose (which applies to all
disclosures independent of the medium).
Remember that the great difficulty in giving out info over the
phone is making that
Robyn,
1) The term of the BA contract is as long as it itself
states.
2) Other than using another entity, I'm not sure. You
are responsible for whatever PHI they leak, unless you have that contract in
place making them responsible for their actions.
3) I think your list covers everything,
Jill,
I agree with Dan.
The critical question is do you do anything on behalf of a
Covered Entity that involves PHI? If this answer is "No", you do not need
a BAA.
Providing devices to non-patients isolates you from
PHI.
Providing devices to patients is acting on behalf of yourself
(I
- Original Message -
From: Dawn Lenox
To: Doug Webb
Sent: Wednesday, February 26, 2003 09:37 AM
Subject: Re: medical vendors as Business Associates
I tried to explain this to
a vendor that sent us (CE) their BA (non-CE) as a favor to usThey s
- Original Message -
From: Craig Moen
To: 'Doug Webb'
Sent: Wednesday, February 26, 2003 03:28 PM
Subject: RE: medical vendors a
- Original Message -
From: Jo Clair
To: 'Doug Webb'
Sent: Wednesday, February 26, 2003 04:17 PM
Subject: RE: medical vendors as Business Associates
Not all providers are CE's
(they may not do ele
Richard,
The first question is: Is what is being transmitted Protected
Healthcare Information? If not all the rest is moot. If what is
being transmitted is strictly the financial data (This merchant charged this
person this much), it probably isn't PHI, but just money.
If it is you must do
Catherine,
Just a clarification. These non-financial POS terminals would
have to use standard transactions (such as 270/271, 278, etc.) to do their job
when a standard is available.
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer
f the lack of clarity of
HIPAA.
Regards,
David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
612-237-1966
-Original Message-
From: Doug Webb [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 4:
Title: Glacier
Likewise.
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]
"This electronic message may contain information that is confidential
Steve,
The Court rulings in the individual case would determine which
parent(s) have access to how much PHI. There may also be State laws that
override a decree from a different State.
In general, the custodial parent has primary responsibility
for the child's healthcare, but in Family
Christine,
I'll give it a shot.
My comments are below your questions.
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]
"This electronic message may
Jill,
I think that the question revolves around who was responsible
for generating and maintaining the original report
(i.e., who has the master, and who has a copy).
If the Physical Therapist maintains his/her own records, the
therapist's copy is probably the master, and thus must be where
Patricia,
Your NPP should state that PHI will not be used for these
purposes. An opt out isn't necessary when nobody's in.
To clarify things for your patients, you may wish to mention
that the foundation uses independently-generated lists that contain no
PHI.
The opinions expressed here are
Dee,
Yes, only the codes on the list may be
used on a Compliant claim. This applies now. CMS stated in the
Federal Register that they won't enforce until October.
You can get the list from
WPC.
http://www.wpc-edi.com/ClaimAdjustment_40.asp
Also, the Remark codes are
at
I think that since this is a total opt-in, if your sign-up
form had the company clearly identified, and spaces for address, it would no
more be PHI than the same form in a supermarket (which I have seen, even filled
out a few when my daughter was on the way [15 years ago]).
It gets a
Donald,
I agree with your opinion that you don't have to ask, but a
check-off line in the sign-in form would be nice. It would also document
that the option had indeed been offered, and since, in this game, documentation
is everything, that would be a Good Thing.
The opinions expressed here
Daryn,
Yes.
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]
"This electronic message may contain information that is confidential
and/or legally
Amen, Cindi!
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]
"This electronic message may contain information that is confidential
and/or legally
Gregory,
You make a good point.
If the Patient is accessing his/her own data, you are not
responsible for what he/she does with it.
If it's a CE or BA of a CE accessing Patient data, the CE is
responsible for ensuring Privacy. Offering a process to make the CE's task
easier might make good
Daniel,
1) Billing Services are Business Associates of
Providers. Because of what they do, if they work with standard
transactions, they may also be considered a Covered Entity Clearinghouse
(converting [highly] non-standard data to standard transactions, and vice
versa).
2) An entity that
Jonathan,
A Trading Partner Agreement is a general contract between two
entities who do business with each other.
A Business Associate Agreement is a Trading Partner
Agreement that specifically includes wording to protect any Protected Healthcare
Information that may be exchanged, and that
Title: RE: New to this list, have two questions.
Gregory,
Just to amplify on Judith's remarks,
You are exposed to the risk NOW, not when the final Security
Rule fully kicks in.
You are accepting a huge risk anytime you expose PHI to the
Internet. Remember that any of the millions of computers
- Original Message -
From: Gregory Park
To: Doug Webb
Sent: Monday, March 24, 2003 03:22 PM
Subjec
Leslie,
To build on what Leah said, I think that what you have in your
NPP is OK, but possibly goes into unnecessary detail (Don't kill any more
trees!).
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of
Gregory,
Your client is wrong. Accounting for Every disclosure is
definitely not required by the Privacy or Security regs. Most transactions
involving the Treatment of Patients and obtaining Payment are explicitly
excluded from the need to report them (in very great detail as to what is
Gregory
There is a difference between compound authorizations (one
authorization for several things, which is prohibited) and several
authorizations on the same piece of paper (which is OK, just so long as each one
has an indication that it was individually considered). To
Marcus,
The Covered Entity is the one taking the risk here, not
you. You do not have responsibility for the PHI until it enters your
system.
Some hungry lawyer may try to put some responsibility on your
door, since you did not refuse to accept unencrypted information. I
don't think the
Noel,
I agree with the thrust of the earlier thread on this list --
the additional inscription makes it PHI.
I just had a thought, though. Could the autographed
picture itself be a kind of authorization for use? I know it's not on a
document that has the proper words, but could the intent
Rachel,
Consider how much PHI the facility has acquired from the DME
provider while offering the services specified in the BAA to the DME provider
(none!). PHI acquired by other means is not
affected by this particular BAA. The notification of breaches, and
accountable disclosures, etc.
Diana,
With respect to Privacy, your mailer would be equivalent to a
sealed envelope IF the layout was such that no PHI were visible without breaking
one of your seals.
Now with respect to Security, it seems to be pretty weak
security. I would not recommend this as a long-term solution.