Rachel,
Consider how much PHI the facility has acquired from the DME
provider while offering the services specified in the BAA to the DME provider
(none!). PHI acquired by other means is not
affected by this particular BAA. The notification of breaches, and
accountable disclosures, etc. on
Diana,
With respect to Privacy, your mailer would be equivalent to a
sealed envelope IF the layout was such that no PHI were visible without breaking
one of your seals.
Now with respect to Security, it seems to be pretty weak
security. I would not recommend this as a long-term solution.
Chris,
That would be my take, too.
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]
"This electronic message may contain information that is conf
An extension to this -- how do you handle answering machines?
My gut feeling is that either a no-no (the machine more questionable than a family
member) -- the information could only be released to the patient or his/her
representative designated in a written authorization. Perhaps another signa
Traci,
It looks to me like someone's trying to cover
all bases with a shotgun approach (run it up the flagpole and see who
salutes).
My understanding is that you wouldn't need a
BAC any more than a surgeon's office needs one with a Primary Care Physician
referring a patient to them. This
Traci,
My vote's for the round file.
Any lawyers out there feel free to chime
in.
Leslie,
In general, I agree.
The vendor is attempting to reduce the load on ITS legal staff by getting its
customers to sign their version of the BAA before their customers write their own.
You will have to have a BAA in place with most of these entities.
It doesn't matter who originates the ag
Susan,
Well said.
Still another kink -- come October, you will have to file your
Medicare claims electronically, which makes the loopholes even
smaller.
IMHO, this makes just about anyone who does "Health Care" a
CE, except for those few providers who do a strictly cash business, and nev
from any computer, do not deliver, distribute, or copy this
message, and do not disclose its contents or take action in reliance on the
information it contains. Thank you."
- Original Message -
From: Mendel, Linda R.
To: 'Doug Webb'
Sent: Monday, Febru
not an
intended recipient of the message, please notify the sender immediately,
delete the material from any computer, do not deliver, distribute, or copy this
message, and do not disclose its contents or take action in reliance on the
information it contains. Thank you."
- Original
The Billing Companies won't need to ensure any BAAs are in place unless someone out
there acts on behalf of the Billing Company rather than on behalf of the Covered
Entity (Provider) [CUSTOMER!]
Their Customers will need BAAs in place with the following:
* The Billing Company
* A Collection
Brenda,
As Noel pointed out, not quite. They may be a CE in addition to being a BA, but,
because they perform a function (billing) for the Provider, they are a BA of the
provider. If their functionality includes anything outside of obtaining non-standard
claims information, generating standard
> William J. Kammerer
> Novannet, LLC.
> Columbus, US-OH 43221-3859
> +1 (614) 487-0320
>
> - Original Message -
> From: "Doug Webb" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Cc: <[EMAIL
Title: RE: Recording Disclosures (was BA Agreement Questions)
I also agree with Carolyn.
An external Auditor would be a BA if (and only if) YOU hired
the firm to perform audits for YOUR business purposes, and the auditor had to
access PHI in order to perform the audits.
Government overs
Noel,
Quite so.
As you said, quite a few emails seem to overlook that the Authorization to do a
certain disclosure and the actual disclosure are two separate actions and need to be
addressed independently.
Don't forget that the acknowledgment of receipt of your NPP is not an Authorization
for
on.
>
> Molly Shek, MS, RHIA
>
>
>
>
> -Original Message-
> From: Doug Webb [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 14, 2003 8:47 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Re: NPP and accounting for disclosures - was Medicare
Rebecca,
That is precisely the point. PHI that leaves the office by any means must still be
protected to the same level as the office information, and it is much more difficult
to do, because you do not have the same control over the off-site environment.
Therefore, your policies need to be con
Carolyn,
Jonathan's question was about the need for encryption on a dial-up line. For detailed
discussions, he should see the Security listserv.
Generally, though, a direct dial-in connection to a receiver's system (not via the
Internet) would be considered an acceptable risk if you trust the r
Robin,
Your office definitely is a Covered Entity.
That one electronic transaction that the billing service does
on your behalf makes you so. (Incidentally, if you ever do an on-line
check of eligibility or claim status, those actions would also make you a
CE).
This means that you need
Kathy,
The Nursing Home and Ambulance Service would both be Covered
Entities if they do any of the covered functions electronically. Business
Associates are entities who do something on behalf of a Covered
Entity.
Title: DOL vs. HIPAA
Agree.
Subject to the restriction that whatever is disclosed for any
purpose be only the minimum necessary for that purpose (which applies to all
disclosures independent of the medium).
Remember that the great difficulty in giving out info over the
phone is making that w
Beth,
The new Security reg does indicate that MOUs take the place of
BAAs if both are government entities. If one of the parties is, and one
isn't, I don't know.
Robyn,
1) The term of the BA contract is as long as it itself
states.
2) Other than using another entity, I'm not sure. You
are responsible for whatever PHI they leak, unless you have that contract in
place making them responsible for their actions.
3) I think your list covers everything, bu
Kristen,
As near as I can tell, no BAA is needed.
The Pharmacist is a Covered Entity acting on his own
behalf.
As long as you're not told the content of the bags, I don't
believe that you're even exposed to any PHI, even for the purposes of
payment.
Vikas,
The Dietician would be performing Treatment duties, and thus
be a Covered Entity if he does any electronic transactions that have HIPAA
standards.
Jill,
I agree with Dan.
The critical question is do you do anything on behalf of a
Covered Entity that involves PHI? If this answer is "No", you do not need
a BAA.
Providing devices to non-patients isolates you from
PHI.
Providing devices to patients is acting on behalf of yourself
(I
- Original Message -
From: Dawn Lenox
To: Doug Webb
Sent: Wednesday, February 26, 2003 09:37 AM
Subject: Re: medical vendors as Business Associates
I tried to explain this to a vendor that sent us (CE) their BA (n
- Original Message -
From: Vicki Schaff
To: Doug Webb
Sent: Wednesday, February 26, 2003 10:53 AM
Subject: Re: medical vendors as Business Associates
Consider the vendor who supplies a new medical device to a healthcare facility (CE) and
cial position is of your facility on this? Thanks.
Regards,
David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
612-237-1966
-Original Message-
From: Doug Webb [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003
- Original Message -
From: Craig Moen
To: 'Doug Webb'
Sent: Wednesday, February 26, 2003 03:28 PM
Subject
inal Message-
From: Doug Webb [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 2:53 PM
To: David Frenkel; WEDI SNIP Privacy Workgroup List
Subject: Re: medical vendors as Business Associates
David,
They do, but I'm not directly involved, so I
- Original Message -
From: Jo Clair
To: 'Doug Webb'
Sent: Wednesday, February 26, 2003 04:17 PM
Subject: RE: medical vendors as Business Associates
Not all providers are CE's (
Richard,
The first question is: Is what is being transmitted Protected
Healthcare Information? If not all the rest is moot. If what is
being transmitted is strictly the financial data (This merchant charged this
person this much), it probably isn't PHI, but just money.
If it is you must d
Catherine,
Just a clarification. These non-financial POS terminals would
have to use standard transactions (such as 270/271, 278, etc.) to do their job
when a standard is available.
Richard,
http://www.wpc-edi.com
has all the Implementation Guides and Addenda available for
download.
The big thing is that if there is a 004010-series IG for what
you're doing, you have to use it, and any provider who uses one of your
terminals is a Covered Entity, and subject to the ful
te the cost of the lack of clarity of HIPAA.
Regards,
David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
612-237-1966
-Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, Februa
Title: Glacier
Likewise.
Steve,
The Court rulings in the individual case would determine which
parent(s) have access to how much PHI. There may also be State laws that
override a decree from a different State.
In general, the custodial parent has primary responsibility
for the child's healthcare, but in Family Cou
Christine,
I'll give it a shot.
My comments are below your questions.
Jill,
I think that the question revolves around who was responsible
for generating and maintaining the original report
(i.e., who has the master, and who has a copy).
If the Physical Therapist maintains his/her own records, the
therapist's copy is probably the master, and thus must be where
Patricia,
Your NPP should state that PHI will not be used for these
purposes. An opt out isn't necessary when nobody's in.
To clarify things for your patients, you may wish to mention
that the foundation uses independently-generated lists that contain no
PHI.
Teri,
In theory, yes. In practice, they're the 800-pound
gorilla.
Mimi,
Not only yours! If this is naive, then so am
I.
William's point was that the extant content-based filters DO
NOT WORK, either because they are mis-configured, or are inappropriate to be
used on healthcare-related conversations.
Encryption and E-signing need to be established on a
Dee,
Yes, only the codes on the list may be
used on a Compliant claim. This applies now. CMS stated in the
Federal Register that they won't enforce until October.
You can get the list from
WPC.
http://www.wpc-edi.com/ClaimAdjustment_40.asp
Also, the Remark codes are
at
http://www.wpc-e
One further thought on Noel's ideas.
If there is a requirement that each member of an OHCA have its
own Privacy Officer, I don't believe that this Privacy Officer has to be a
unique individual for each member, so that the same person could be the Privacy
Officer for the group. I think that
I think that since this is a total opt-in, if your sign-up
form had the company clearly identified, and spaces for address, it would no
more be PHI than the same form in a supermarket (which I have seen, even filled
out a few when my daughter was on the way [15 years ago]).
It gets a litt
Donald,
I agree with your opinion that you don't have to ask, but a
check-off line in the sign-in form would be nice. It would also document
that the option had indeed been offered, and since, in this game, documentation
is everything, that would be a Good Thing.
Daryn,
Yes.
Amen, Cindi!
IMHO,
Yes, it is a violation, but not yours. The client
who accessed the web site is guilty of the violation unless the proper
protection is taken to blank the screen at the client's site. You might
offer a process to blank the web screen after it has been displayed for a
certain interval
Gregory,
You make a good point.
If the Patient is accessing his/her own data, you are not
responsible for what he/she does with it.
If it's a CE or BA of a CE accessing Patient data, the CE is
responsible for ensuring Privacy. Offering a process to make the CE's task
easier might make goo
Craig,
I agree with your position. I think that a signed
document needs at least one full signature. Having that full signature and
date, I would think that initials other places should be OK (they work for the
money people).
Daniel,
1) Billing Services are Business Associates of
Providers. Because of what they do, if they work with standard
transactions, they may also be considered a Covered Entity Clearinghouse
(converting [highly] non-standard data to standard transactions, and vice
versa).
2) An entity tha
Jonathan,
A Trading Partner Agreement is a general contract between two
entities who do business with each other.
A Business Associate Agreement is a Trading Partner
Agreement that specifically includes wording to protect any Protected Healthcare
Information that may be exchanged, and that
Title: RE: New to this list, have two questions.
Deborah,
I agree.
Your short answer to 2) was "No". I'll add
another two roles (only one of which has a "Yes" answer).
If what they're discussing is actively participating in a
Treatment Plan, then the Case Manager would be a potential Covered
Daryl,
The TCS standard applies to electronic claims only.
Paper claims are not affected. Because the payer's systems will have
to work with the data content of Compliant claims, the paper claim will probably
have to be modified by each payer to contain the data they need. This
means busin
Title: RE: New to this list, have two questions.
Gregory,
Just to amplify on Judith's remarks,
You are exposed to the risk NOW, not when the final Security
Rule fully kicks in.
You are accepting a huge risk anytime you expose PHI to the
Internet. Remember that any of the millions of computers
- Original Message -
From: Gregory Park
To: Doug Webb
Sent: Monday, March 24, 2003 03:22 PM
Noel,
I don't know of anything that requires financial and medical
info to be separated (or merged). I believe that the regs are silent on
this issue. Both types of information are PHI. They would both
be part of the Designated Record Set for the practice.
If the records are electronic
Leslie,
To build on what Leah said, I think that what you have in your
NPP is OK, but possibly goes into unnecessary detail (Don't kill any more
trees!).
Dan,
I had overlooked Leslie's mention of requiring authorization
after it hits Medical Records.
I agree with you that authorization is not necessary for
sending medical info for Treatment purposes to another Physician. I would
think that the older the information, the more questions I w
Gregory,
Your client is wrong. Accounting for Every disclosure is
definitely not required by the Privacy or Security regs. Most transactions
involving the Treatment of Patients and obtaining Payment are explicitly
excluded from the need to report them (in very great detail as to what is
ex
- Original Message -
From: Bentz-Miller, Judith
To: 'Doug Webb'
Sent: Thursday, March 27, 2003 02:03 PM
Subject: RE: NPP and Disclosure
Doug,
What about releasing the incorrect information? Faxing the wrong
Gregory
There is a difference between compound authorizations (one
authorization for several things, which is prohibited) and several
authorizations on the same piece of paper (which is OK, just so long as each one
has an indication that it was individually considered). To mak
Marcus,
The Covered Entity is the one taking the risk here, not
you. You do not have responsibility for the PHI until it enters your
system.
Some hungry lawyer may try to put some responsibility on your
door, since you did not refuse to accept unencrypted information. I
don't think t
Noel,
I agree with the thrust of the earlier thread on this list --
the additional inscription makes it PHI.
I just had a thought, though. Could the autographed
picture itself be a kind of authorization for use? I know it's not on a
document that has the proper words, but could the intent
Leslie,
Thank you for a timely and
well-written analysis.
So many bad things happen when
HIPAA is mis-read to restrict information exchange it really isn't
restrict.
The "may" in the regulations
also opens a can of worms, but it has to be emphasized that if the release that
HIPAA says may
- Original Message -----
From: Wellons, David L
To: 'Doug Webb' ; WEDI SNIP Privacy Workgroup List
Sent: Thurs
Catherine,
You have to give them an opportunity to opt out.