Re: HIPAA privacy and telephone

2003-01-17 Thread Leah Hole-Curry
The OCR guidance at http://www.hhs.gov/ocr/hipaa/privacy.html under
incidental disclosures indicates that leaving information with family
members or on an answering machine or mailing information is allowed,
but also cautions that professional judgment should be used to assure
that the information is limited to what is necessary and assure that its
in the interests of the patient.  

Regards, lhc

Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 Doug Webb [EMAIL PROTECTED] 01/17/03 06:38 AM 
An extension to this -- how do you handle answering machines?

My gut feeling is that either a no-no (the machine more questionable
than a family member) -- the information could only be released to the
patient or his/her representative designated in a written authorizaton. 
Perhaps another signature on your main consent/authorization form to
allow these types of communications is what's needed???

The opinions expressed here are my own and not necessarily the opinion
of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital  Health Care Centers
[EMAIL PROTECTED]

This electronic message may contain information that is confidential
and/or legally privileged. It is intended only for the use of the
individual(s) and entity(s)  named as recipients in the message. If you
are not an intended recipient of the message, please notify the sender
immediately,  delete the material from any computer, do not deliver,
distribute, or copy this message, and do not disclose its contents or
take action in reliance on the information it contains. Thank you.



- Original Message - 
From: [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 04:04 PM
Subject: HIPAA privacy and telephone


 I would like the lists opinion on this topic.
 
 Patient comes to the office to have their potassium checked because
they are on a diuretic.  Later, the physician's nurse calls the patient
at home with results but the patient is not home.  Spouse answers the
phone.  Can you tell the spouse that the potassium was fine and that
he/she should tell the spouse to continue the same dose of diuretic and
potassium supplement?  If you say no, this type of disclosure is not
allowed, would it matter that we put a statment in our Notice of
Privacy Practices that stated  (in the section on Payment, treatment and
 health care operations) On occasion, we call test results to your home
and leave the results with a family member if you are not present. 
Now, obviously, we would not do this with a HIV result but it seems like
such a waste of everyone's time to play phone tag to accommodate the one
patient in a million that is actually upset because you told the spouse
what the potassium result was.  Thank you.
 
 Rich Fairley, 
 Dubuque, IA


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe

Re: What does it mean to have a separate authorization?

2003-01-17 Thread Leah Hole-Curry
I have always considered this to mean that you did not necessarily need
separate types of forms, but that certain authorizations must be limited
to single purposes.  

However, if only one authorization form is created, it has to be
designed carefully to meet all the different types of situations
applicable to your business.  I suspect that entities will find a
generic form will work for most disclosures, but that certain
disclosures, if applicable (like where you are allowed to condition
treatment/enrollment or where, in research, it is combined with other
information) would need a special form because the language will be
different from the general circumstances where you cannot condition
treatment or where it is combined with other types of
permission/information.

lhc


Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 [EMAIL PROTECTED] 01/17/03 06:40 AM 
I realized that I may be confused over what it means to have a separate 
authorization. The privacy rules clearly state that a separate
authorization 
is needed for psychotherapy disclosures, that you cannot combine an 
authorization for psychotherapy with an authorization for most other 
disclosures. I assumed that meant you actually had to draft a separate
form 
for psychotherapy disclosures but someone recently pointed out to me
that it 
meant you could use the same authorizations for all disclosures, as long
you 
when you used it for disclosures for psychotherapy, it was just used for
that 
purpose

Thoughts?

Also, the rules state that you cannot combine authorizations where the
entity 
can condition treatment upon its signing (like disclosures to a third
party) 
with disclosures that cannot be conditioned. I assumed that you again
had to 
draft separate disclosures forms but am I mistaken?


Jill Rubin, Esq.
(617)388-2404
[EMAIL PROTECTED]


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: HIPAA EDI

2003-01-30 Thread Leah Hole-Curry
42 U.S.C. Section 1320d-5  (General Penalty for Failure to comply with
Requirements and Standards)

The pre-codified version is on HHS' website at:
http://aspe.hhs.gov/admnsimp/pl104191.htm


Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 Sherry Lynn Burke [EMAIL PROTECTED] 01/30/03 04:56 AM 
I am trying to locate penalties for failure to comply with the EDI
standards but am not having any luck.  Advice?

-Original Message-
From: Boyle, Joan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 8:20 PM
To: WEDI SNIP Privacy Workgroup List
Subject: WEDI SNIP Privacy Policies and Procedures Workgroup Conference
Ca ll - Correction of Time
Importance: High


Please note that our regular workgroup conference call will begin at
3:30 pm
EST.  The discussion of Security Safeguards for Privacy will begin at 4
pm
EST.  All other information is correct.  

Anyone wishing to discuss workgroup issues such as plans for future
calls
and for reviewing our existing documents in light of the 12/2002 Privacy
Guidance and the final Security Rule (when published), please join us at
3:30 pm EST.

Joan
Joan Boyle
HIPAA Compliance Manager
The TriZetto Group, Inc.
Voice:  970-627-1675
Fax: 970-627-1677
[EMAIL PROTECTED]

*** Confidentiality Notice ***
This message (including any attachments) contains confidential
information intended for a specific individual and purpose, and is
protected
by law. If you are not the intended recipient, you should delete this
message and are hereby notified that any disclosure, copying, or
distribution of this message, or the taking of any action based on it,
is
strictly prohibited.




---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


*
Scanned by net.work.Maryland Antivirus Service ...
the Backbone of eMaryland, the Digital State.
*


*
Scanned by net.work.Maryland Antivirus Service ...
the Backbone of eMaryland, the Digital State.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services

Re: Covered Entity or Not

2003-01-31 Thread Leah Hole-Curry
The answer is in the covered entity definition found at 160.103
Covered entity means...A health care provider who transmits any health
information in electronic form in connection with a transaction covered
by this subchapter

So the transmission must be in connection with a standard transaction
(e.g. claims, eligibility, encounter, claims status, referal
certification and authorization, etc.)

Regards, lhc
Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 [EMAIL PROTECTED] 01/31/03 08:59 AM 
At a meeting yesterday of our parent organization's privacy officers we
had
a discussion I'd appreciate some feedback on.  One of the organizations
is
a long-term care/retirement facility that indicated they do not bill
electronically.  Therefore they are not a covered entity.  However,
after
further discussion they indicated they do in fact send via fax and/or
email
individual identifiable health information to other covered entities (ie
hospitals, referral agencies, and referring agencies).  Some contended
because they did not use EDI, they didn't really need to comply, others
indicated they were because they do send PHI via electronic media.

Can anyone provide an insight?

Thanks.

Charles.




Charles R. Carnahan, M.Div., M.B.A.


Chief Operating Officer


CAB Health and Recovery Services, Inc.


111 Middleton Road


Danvers, MA 01923


Phone: 978-739-7600


FAX: 978-750-3620


www.cabhealth.org


*



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



Re: Disclosures - NPP and tracking

2003-02-17 Thread Leah Hole-Curry
Teri,

I also agree - these are separate requirements that are not mutually
exclusive.  A covered entity must meet all requirements, relevant to a
particular use or disclosure:  

A covered entity must have a notice of privacy practices which lists
relevant disclosures and examples, among other things.  164.520

A covered entity Must use and disclose information only in accordance
with its Notice.  164.502(i)

A covered entity must ALSO have satisfactory assurances (generally in
the form of the BA Contract) in place with its business associates. 
164.502(e)

A covered entity must ALSO obtain authorization when making disclosures
that require an authorization (e.g. marketing communications).  164.508

A covered entity must ALSO track disclosures that are required to be
accounted for to the individual (e.g. disclosures to public health
authority). 164.528

A covered entity may ALSO get a consent for certain disclosures if it
chooses to do so (e.g. for treatment, payment, and operations). 164.506.


It is often difficult to prove a negative - meaning that there isn't a
place in the regulation that specifically states that the requirements
are cumulative, however when you read the accompanying comments, there
isn't anything that I see that would lead you to think that you could
leave out an accounting for certain disclosures if you include the
disclosure in your notice - the comments and the regulation require you
to do both.  

In discussing a governmental entities' choices with respect to hybrid,
there is a comment and answer that touches on this, it states in part:  


Comment...Alternatively, it was suggested that a governmental hybrid
entity be permitted to include in its notice of privacy practices the
possibility that information may be shared with other divisions within
the same government entity for specific purposes... 
Response ...Additionally, the Department encourages covered entities
to develop a notice of privacy practices that is as specific as
possible, which may include, for a government hybrid entity, a statement
that information may be shared with other divisions within the
government entity as permitted by the Rule.  However, the notice of
privacy practices is not an adequate substitute for, as appropriate, a
memorandum of understanding; designation of business associate functions
as partof of a health care component; or alternatively conditioning
disclosures to such business associate functions on individuals'
authorization.  67 Fed. Reg. pages 53206, 53207.

As noted, this isn't directly on point, but it does states that the the
Notice is not a substitute for other requirements:  you need both.

Regards, lhc



Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 Teri Baskett [EMAIL PROTECTED] 02/17/03 10:19 AM 
I hate to weigh in here one more time, but my understanding what that we
have to provide the pt/client an accounting of all disclosures that were
not specifically covered by an authorization (initially, it was
interpreted that those had to be logged and tracked also, but that was
amended in the final regs, since the argument was made that the pt would
have knowledge of disclosures s/he had authorized in writing).  I know
another gentleman on this thread last week indicated that he planned to
track those also, just to keep the disclosure log complete and to
simplify the procedures for HIM staff; however, I do believe that
authorized disclosures are not required to be tracked.

So, our disclosure log must contain a record of all disclosures not
covered by a written authorization and those that are not a part of
treatment, payment and healthcare operations.  Regardless of everything
we list in the NPP (and it should list all these as possibilities), we
have to track these and record them, providing them for a pt when
requested.

Have I confused different parts of the regs in this interpretation?

Teri Baskett, CISO
LifeSpring Mental Health Services
[EMAIL PROTECTED]



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently

Re: section 164.514(d)(3)(iii)(B)

2003-03-25 Thread Leah Hole-Curry
Leslie,

In my opinion, while it would be good to apply some minimum necessary
principals, I don't think you are required to do so in this situation.

Because these are providers (covered or not)  using, disclosing, and
requesting the PHI for treatment.  

Under 164.502(b)(2) - min. necessary doesn't apply to disclosures to or
requests by a health care provider for treatment.

And under 164.506(c)(1) - covered entities can use/disclose PHI for its
own treatment activities and (2) for treatment activities of (another)
health care provider.

Regards, lhc

Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 Harpe, Leslie [EMAIL PROTECTED] 03/25/03 12:21 PM 
Your opinions on the following scenario:
A patient is seen in the ER last night.  Dr. A ordered labs.  Dr. B
calls
the lab for the results today.  Lab only knows the ordering doctor. 
Based
on the fact that Dr. B knows labs were ordered and according to section
164.514(d)(3)(iii)(B), we are going to release the lab results without
an
authorization.  We believe that this is continuum of care and we are
releasing to another covered entity. (No disclosure is required either.)
 If
each department identifies who can release the info, the minimum they
can
release for routine disclosure and develop criteria for non-routine
disclosures, this should be an acceptable practice. Page 82545 also
supports
this interpretation.  My notice also informs the patient that we will do
this as continuum of care.

Once the chart is received by medical records though, we will require an
authorization if the physician is not on record.  

I hope this is right, if not, we'd better start planting more trees to
support the tremendous mounds of paperwork.

Thanks,
Leslie Harpe
Privacy Official
South Georgia Medical Center
Valdosta, GA  31603-1727
[EMAIL PROTECTED]


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org