RE: Unlocked charts
Cindi,

I have to disagree with you. The definition of a Business Associate is someone that "performs certain functions or activities that involve the use or disclosure of protected health information on behalf of [my emphasis], or provides services to, a covered entity." A janitorial crew does not in any way use PHI to perform their job functions. A repairman (e.g. computer tech) might use PHI in order to recover or fix a problem, thus could be a business associate. However, privacy and security rules require a covered entity to take reasonable precautions to avoid improper disclosure. So, for a janitorial crew, that could mean keeping your files either in locked cabinets or behind locked doors, and keeping your desks clean. Our agency has a large records room with open shelving, so we lock the doors and the cleaning crew is never allowed in the room.

Dennis Hare
Quality Assurance Spec./Privacy Officer
Central Missouri Regional Center
(573) 882-9835
Fax - (573) 884-4294
email: [EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. The designated recipients are prohibited from redisclosing this information to any other party without authorization and are required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited by federal or state law. If you have received this communication in error, please notify me immediately by telephone at (573) 882-9835, and destroy all copies of this communication and any attachments.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 1:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Unlocked charts

Cindy,

The key word here is incidental. I don't feel this would be an incidental disclosure since you know the cleaning folks will have access to PHI. See text below from another list about the topic.

Date 1/16/03 "...yesterday during a conference call with 2,000 plus conferees, Linda Sanchez of DHHS clarified the incidental disclosure concept in a way that I thought made sense and which I hadn't seen discussed in the regulatory preambles or the recent OCR Guidance document. In the context of someone coming in to your facility to do repairs on machinery, for example, she said in sum or substance that if you know that a repairperson *WILL* have access to PHI as part of her/his job to repair something, then that is not an incidental disclosure, and must be addressed in a Business Associate Contract".

Cindi Bowman
Quality and Compliance Coordinator
Catawba County Health Department
828-695-5847

-----Original Message-----
From: Rupe, Cindy [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 12:48 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Unlocked charts

The OCR guidance states that a BA is not required: With persons or organizations (e.g. janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

Thanks,
Cindy

Cindy Rupe, RHIA, CPHQ
HIPAA Coord/Consultant
Billings Area IHS
406-247-7161
[EMAIL PROTECTED]
HIPAA Ready, HIPAA Compliant, and HIPAA Aware

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 10:15 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Unlocked charts

This was brought up in San Diego by the folks from OCR. One of them said her own doctor accused her of being "one of those people who are making us put locks on our file cabinets." She stated that the requirement is to keep the PHI private. If the file cabinet is in a patient area, it might be wise to lock it. If it is out of a public area, the location may be all that is needed to keep it private.

*The cleaning company should sign a BAA.

Joanne Marquez
Senior Director
Beech Street Corporation
Account Services
(949) 672-1519

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2003 7:06 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Unlocked charts

This has probably been covered before, but for those of us still
RE: Unlocked charts
Cindi,

I don't see a harm in doing a BAA with a janitorial company, but I also don't really see the need for it. A repair person having access to PHI to do their job (such as a computer or copier repairman) is different than a janitor who should not have access to it to do his/her job because his/her job does not inherently involve using PHI. Maybe a fine point that an organization wouldn't want to run the risk on, however. I suspect a lot of organizations are going to go overboard to play it safe "just in case".

Dennis Hare
Quality Assurance Spec./Privacy Officer
Central Missouri Regional Center
(573) 882-9835
Fax - (573) 884-4294
email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 3:54 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Unlocked charts

Dennis,

I am not sure where your disagreement exists with me since I did not say they are a business associate.
It was a DHHS member that said "if you know that a repairperson *WILL* have access to PHI as part of her/his job to repair something, then that is not an incidental disclosure, and must be addressed in a Business Associate Contract". Given that, I don't see where a BAA would cause harm, as suggested by the DHHS member. For example in our situation, where an outside janitorial service has unsupervised access to all our medical records when they clean after hours. We have an open filing system so there is no way to lock or secure the records. What would be the harm for us to follow DHHS and have a BAA in place?

Cindi

-----Original Message-----
From: Hare, Dennis [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 4:45 PM
To: Cindi Bowman; WEDI SNIP Privacy Workgroup List
Subject: RE: Unlocked charts

Cindi,

I have to disagree with you. The definition of a Business Associate is someone that "performs certain functions or activities that involve the use or disclosure of protected health information on behalf of [my emphasis], or provides services to, a covered entity." A janitorial crew does not in any way use PHI to perform their job functions. A repairman (e.g. computer tech) might use PHI in order to recover or fix a problem, thus could be a business associate. However, privacy and security rules require a covered entity to take reasonable precautions to avoid improper disclosure. So, for a janitorial crew, that could mean keeping your files either in locked cabinets or behind locked doors, and keeping your desks clean. Our agency has a large records room with open shelving, so we lock the doors and the cleaning crew is never allowed in the room.

Dennis Hare
Quality Assurance Spec./Privacy Officer
Central Missouri Regional Center
(573) 882-9835
Fax - (573) 884-4294
email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 1:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Unlocked char
RE: NPP
Health Plans are not required to get your acknowledgment signature. They only need to provide you with a copy of the NPP. See page 109 of the OCR HIPAA Privacy Guidance.

Dennis Hare
Quality Assurance Spec./Privacy Officer
Central Missouri Regional Center
(573) 882-9835
Fax - (573) 884-4294
email: [EMAIL PROTECTED]

-----Original Message-----
From: Traci Winter [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 1:19 PM
To: WEDI SNIP Privacy Workgroup List
Subject: NPP

Interesting occurrence just took place.. I just received a NPP from Guardian Life Insurance Co. It was put in my inter-office mailbox by our HR staff person. There is no acknowledgement form for me to sign.. Do they think by having my employer distribute them that they are not required to make a good faith effort to get an acknowledgement signed? Just seems a little off to me. Does anyone else find this a little lacking?

Traci Winter
Hospitals Home Health Care, Inc.
Fulton, NY

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: PHI In Mail
How about shredding it.

Dennis Hare
Quality Assurance Spec./Privacy Officer
Central Missouri Regional Center
(573) 882-9835
Fax - (573) 884-4294
email: [EMAIL PROTECTED]

-----Original Message-----
From: Schmidt, Lee M [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 8:34 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: PHI In Mail
Importance: High

Is there a HIPAA requirement on how to dispose of returned mail that contains PHI? If not, how do folks within this workgroup plan on disposing of it?

Thanks,

Lee M. Schmidt
Magellan Behavioral Health
HIPAA / I.T. Project Manager, Claims Applications
Local: (314) 387-5445
Toll Free (St. Louis): 1-800-450-7281 ext: 75445
New Cell: (314) 960-0964
Fax: 314-387-5655 or 314-292-1120 (Electronic)
E-Mail: [EMAIL PROTECTED]
RE: HIPAA privacy and telephone
Please read the following from the OCR Frequently Asked Questions list at http://www.hhs.gov/ocr/hipaa/privacy.html:

May physician's offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?

A: Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

Dennis Hare
Quality Assurance Spec./Privacy Officer
Central Missouri Regional Center
(573) 882-9835
Fax - (573) 884-4294
email: [EMAIL PROTECTED]

-----Original Message-----
From: Clay, Roy III (NO) [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 3:09 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA privacy and telephone

My feeling is that unless you have authorization from the patient, anything other than giving the results directly to the patient is not allowed. You wish you can have an opt-in question on the order of "Do we have your permission to leave medical information with your spouse?(Y/N)" These responses would have to be tracked and adhered to.

-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 8:51 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: HIPAA privacy and telephone

An extension to this -- how do you handle answering machines? My gut feeling is that either a no-no (the machine more questionable than a family member) -- the information could only be released to the patient or his/her representative designated in a written authorization. Perhaps another signature on your main consent/authorization form to allow these types of communications is what's needed???

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you."

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thursday, January 16, 2003 04:04 PM
Subject: HIPAA privacy and telephone

> I would like the list's opinion on this topic.
>
> Patient comes to the office to have their potassium checked because they are on a diuretic. Later, the physician's nurse calls the patien