RE: 10 Days to go, don't bother opening if you don't want a good laugh

2003-04-04 Thread Christiansen, John (SEA)



I'm sorry, but helpful as these suggestions have been they don't go far
enough. If you want to eliminate your HIPAA risks altogether, you're just
going to have to get rid of your patients. You can't have individually
identifiable health information if you don't have individuals!

John R. Christiansen
Preston | Gates | Ellis LLP
Direct: 206.370.8118 Cell: 206.628.9125
Reader Advisory Notice: Internet email is inherently insecure. Message
content may be subject to alteration, and email addresses may incorrectly
identify the sender. If you wish to confirm the content of this message
and/or the identity of the sender please contact me at one of the phone
numbers given above. Secure messaging is available upon request and
recommended for confidential or other sensitive communications.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Friday, April 04, 2003 10:00 AM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: 10 Days to go, don't bother opening if you don't want a good laugh

  You might also want to consider eliminating the collection of PHI
  entirely and having the patients pay in cash in advance for treatment in
  complete anonymity.

  Joanne Marquez
  Director of Medical Informatics
  Beech Street Corporation
  25500 Commercentre
  Lake Forest, CA 92630
  (Tel) 949-639-3819
  (Fax) 949-458-5323
  [EMAIL PROTECTED]
  

-Original Message-
From: Schmidt, Lee M [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 9:41 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: 10 Days to go, don't bother opening if you don't want a good laugh
Importance: High

While all these suggestions seem to effectively accomplish the goal of
Privacy, the effort one has to put forth is extremely taxing and costly.

We've found it much more efficient and cost-effective to go on the premise
that we can release PHI to anyone, in any format, at any time.

We just have to "Eliminate" them afterward.

Lee
 
-Original Message-
From: Hromatka, Valerie [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 10:52 AM
To: WEDI SNIP Privacy Workgroup List
Subject: 10 Days to go, don't bother opening if you don't want a good laugh

Jim:
We were doing as you are, but found triple locking the patient records in
an underground bomb-proof facility no fewer than 50 miles from a paved road
to be a bit troublesome. We resorted to implanting a small chip in each
patient and found that to work very well. However, several patients
complained that they were setting off car alarms as they walked by, three
found that garage doors were springing open in the neighborhoods as they
drove home, and five patients found that they couldn't get out of their
yards with invisible fences. Thus, we have finally concluded that in order
to be HIPAA compliant our best course of action is to not provide
anesthesia to any patients.
David
 
David,
The Feds will waive the 50 mile rule if you place your PHI in resealable 55
gallon drums and sink them to the bottom of 40 pool while you are not using
them. When you purge old PHI it must be sent to Yucca Mt. The down side is
that members of your office staff must have their diving certificates
before the 14th.
Nick
 
Sheena,
We are thumb printing all patients onto the anesthesia record and the
billing sheet so that we can verify that the billing sheet information
matches the anesthesia record for that patient. In pre-op or Pre-Admission
Testing, the CRNA and / or MDA is taking a digital recording of each
patient's voice and encoding it onto a magnetic strip embedded into our new
billing sheet. When our account representative calls the patient's home,
they ask for the patient by name and hit the F10 button on their keyboard
and our billing software records and displays the patient's encoded voice
(previously transferred from the billing sheet) and compares it to the
digital readout of the person the account representative is speaking to.
When there is a match, the software flashes "Match" three times. At this
point the account representative continues the conversation with the
patient. The billing software automatically comments that the conversation
with the patient was digitally matched.
Jim
 
 
Valerie Hromatka
System Administrator
Privacy Officer

Western Washington Medical Group
3207 Wetmore Ave
Everett, WA 98201
wwmedgroup.com
425-259-4041
425-252-6642

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The

Email and HIPAA

2003-03-24 Thread Christiansen, John (SEA)
For those looking into email issues specifically, please see HealthyEmail,
www.healthyemail.org . It's a nonprofit, I'm on the board, and the point of
the exercise is to get policy and procedural tools out to support the
clinical (principally physician practice) use of email. The other advisors
are heavy hitters in this area (Bill Braithwaite, Danny Sands who was
principal author of the AMIA email guidelines, Paul Tang, etc.), and we have
posted a non-proprietary primer addressing HIPAA and other risks (I am
generally more concerned about those "other risks," by the way), patient
communications documents, etc.

Disclosure: It's a nonprofit principally supported by a secure messaging
vendor which is a client of mine.  Well, does anybody know of a health
system, governmental agency or academic body who's going to pay for any
major new initiative these days? And this way I know who they're listening
to for advice. You can judge the merits of their solution for yourself, if
you like, or ping me off list for info. The HealthyEmail documentation
itself is not tied to the vendor, and is designed to support any clinical
use of email.

Interested party or not, my take is that if there is reasonably
affordable/reasonably easy to use encryption available, the "addressable
specification" security rule analysis indicates it should be used if you
send ePHI over the Internet with any frequency. 

John R. Christiansen
Preston | Gates | Ellis LLP
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]
Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be
accessible to unauthorized viewers, content may be modified or corrupted,
and headers or signatures may incorrectly identify the sender. If you wish
to confirm this message or the identity of the sender, please contact me
using a communications channel other than a "reply" to this e-mail. Secure
electronic messaging is available and recommended for confidential or
sensitive communications.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 4:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: New to this list, have two questions.


We have been wrestling with this question of e-mail security here too.
I am with a large integrated delivery system in New Mexico.
 
Our position, however, is that we will not stop the e-mail until we can
agree on a workable technical security approach.
We will continue as we have been, while we simultaneously work on a
technical security approach (I won't say solution, because there does not
appear to be a great "solution" at this time.)
 
We believe it is too risky from a patient care standpoint to completely stop
all e-mail, for a couple of reasons:
1) Most of our clinical units use e-mail to communicate with other providers
and with patients themselves regarding treatment and care management
2) There have not been any reported problems with security related to this
so far (I understand that this doesn't mean there is no risk).  Therefore in
comparing the benefits and risks to the patient, we felt it was better to
continue using e-mail for now.
3) We feel that the advantages of e-mail outweigh the security risks;
specifically we see those advantages as:  

*   speed, 
*   written documentation of the communication, and 
*   the fact that both parties don't have to be in communication at the
same time (like the phone would require) 

4) The best alternative to e-mail would be fax - but that really is not much
safer than e-mail from a technical standpoint, and in many cases travels
over the same lines.  We don't feel like we are buying much in terms of
additional security by forcing everyone to use fax.  Also, many patients do
not have home fax machines.
 
We are currently working on developing a "secure server" approach.
We feel that encryption is not realistic since the technology is not
standard enough, nor easily usable by clinicians or patients.
 
We see our biggest challenge with any technical approach, is not the
technology, but getting our clinicians and administrative staff to adopt it.
Most of our planning will be focused on piloting and adoption strategies for
this type of technology, from a very practical standpoint.
 
Is anybody else seeing the adoption challenges of e-mail security
technology?
 
Julie Fulcher 
HIPAA Project Manager 
Presbyterian Healthcare Services 
Albuquerque, New Mexico 87125- 
(505) 923-6397 
[EMAIL PROTECTED] 

 

-Original Message-
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 1:45 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: New to this list, have two questions.


Gregory,
Just to amplify on Judith's remarks,
You are exposed to the risk NOW, not when the final Security Rule fully
kicks in.
You are accepting a huge risk anytime you expose PHI to the Internet.
Remember that any of the millions of computers 

RE: NPP in Other Languages

2003-03-18 Thread Christiansen, John (SEA)
Folks -

The "plain language" requirement for the NPP incorporates regulatory
requirements that include translation into other languages if they are a
material element of the population you serve. I did the research well over a
year ago so don't recall the citations, and don't have time to dig it up
just now, but I believe it was available via an OCR webpage. There are
criteria for determining what languages you need to include, and this would
apply to any CE, not just an employer plan.

John R. Christiansen
Preston | Gates | Ellis LLP
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]


-Original Message-
From: David Ermer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 1:53 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: NPP in Other Languages


It strikes me as an attorney who represents ERISA governed health plans
that the NPP can be considered a material modification to the health
plan under the U.S. Labor Department's (DOL) rules. DOL, in contrast to
HHS, has very specific rules on distributing a summary plan description
or a summary of material modifications to a plan participant, i.e., hand
delivery, first class mail (second or third class only if return and
forwarding postage is guaranteed and address correction is requested),
or electronic delivery under certain circumstances and on when you need
to translate such plan documents into another language. If your covered
entity is governed by ERISA, I suggest that you apply these rules. If
your covered entity is not governed by ERISA, you still may find the
guidance helpful. I have quoted the foreign language and mailing
guidance below. Best regards, Dave Ermer

29 C.F.R. §2520.102-2 Style and Format of SPD:

(c) Foreign languages. In the case of either--
(1) A plan that covers fewer than 100 participants at the beginning of a
plan year, and in which 25 percent or more of all plan participants are
literate only in the same non-English language, or
(2) A plan which covers 100 or more participants at the beginning of the
plan year, and in which the lesser of (i) 500 or more participants, or
(ii) 10% or more of all plan participants are literate only in the same
non-English language, so that a summary plan description in English would
fail to inform these participants adequately of their rights and
obligations under the plan, the plan administrator for such plan shall
provide these participants with an English-language summary plan
description which prominently displays a notice, in the non-English
language common to these participants, offering them assistance. The
assistance provided need not involve written materials, but shall be given
in the non-English language common to these participants and shall be
calculated to provide them with a reasonable opportunity to become
informed as to their rights and obligations under the plan. The notice
offering assistance contained in the summary plan description shall
clearly set forth in the non-English language common to such participants
the procedures they must follow in order to obtain such assistance.

Example. Employer A maintains a pension plan which covers 1000
participants. At the beginning of a plan year five hundred of Employer A's
covered employees are literate only in Spanish, 101 are literate only in
Vietnamese, and the remaining 399 are literate in English. Each of the
1000 employees receives a summary plan description in English, containing
an assistance notice in both Spanish and Vietnamese stating the following:
``This booklet contains a summary in English of your plan rights and
benefits under Employer A Pension Plan. If you have difficulty
understanding any part of this booklet, contact Mr. John Doe, the plan
administrator, at his office in Room 123, 456 Main St., Anywhere City,
State 20001. Office hours are from 8:30 A.M. to 5:00 P.M. Monday through
Friday. You may also call the plan administrator's office at (202)
555-2345 for assistance.''

29 C.F

RE: Security Requirements

2003-03-13 Thread Christiansen, John (SEA)



Not that knowing that is much help in figuring out what you need to do . . .

John R. Christiansen
Preston | Gates | Ellis LLP
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
Direct: 206.370.8118 Cell: 206.683.9125
[EMAIL PROTECTED]
Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be
accessible to unauthorized viewers, content may be modified or corrupted,
and headers or signatures may incorrectly identify the sender. If you wish
to confirm this message or the identity of the sender, please contact me
using a communications channel other than a "reply" to this e-mail. Secure
electronic messaging is available and recommended for confidential or
sensitive communications.

  -Original Message-
  From: KERBER, JEFF [mailto:[EMAIL PROTECTED]
  Sent: Thursday, March 13, 2003 10:32 AM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Security Requirements

  Yes, that's exactly how to read that.

-Original Message-
From: Daryn Thompson [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 12:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Security Requirements

In the final security document, you have standards. Some standards have
implementation specifications and others do not. On the standards that do
have them, they are REQUIRED or ADDRESSABLE. On the ones that do not have
specifications, are they Required?

Daryn Thompson
Network/I.S. Coordinator
(801) 468-2123
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same
as the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org
  
  "This electronic message may contain information 
  that is confidential and/or legally privileged. It is intended only for the 
  use of the individual(s) and entity named as recipients in the message. If you 
  are not an intended recipient of the message, please notify the sender 
  immediately and delete the material from any computer. Do not deliver, 
  distribute, or copy this message, and do not disclose its contents or take 
  action in reliance on the information it contains. Thank 
you."

Preliminary Impressions of the Final Security Rule

2003-02-13 Thread Christiansen, John (SEA)
Overall, I think I like it.

HHS seems to have done a pretty good job of integrating it with the Privacy
Rule, conceptually, in use of terminology, and in terms of reorganizing the
codification (which won't really become helpful until they are together
in the Code of Federal Regulations). A number of redundancies have been
eliminated, as have some unclear concepts and terms.

There is what seems to be a useful new structure to the rules, which are now
organized according to "standard" (which states a requirement in generalized
terms) and "implementation specifications" (which identify what you do to
meet a standard). Implementation specifications are then broken down into
"required" and "addressable" specifications. 

A "required" specification is just what it says: Implement as stated.  For
example, risk analysis and risk management are required; so is security
incident (now a defined term) response. (Note: the final rule continues the
"technology-neutral" stance of the draft, so there are no required
technology specifications)

  An "addressable" specification, on the other hand, is one where you must
make a decision: Address the specification specifically, implement an
alternative which covers the same general concept identified in the
standard, do a combination of both, or do nothing.  The decision what to do,
however, must be reasonable based upon a risk assessment, and if an
alternative solution is adopted or the decision is to do nothing, the basis
for the decision must be documented. Thus, for example, the access
authorization standard is implemented by addressable standards, allowing it
to be "scaled" to the organization.   

This approach was implicit in the draft rule, but it was not clear how it
applied or whether it applied to all standards. I think it will prove a
helpful clarification.

The general areas which must be addressed remain the same; covered entities
(the term is now used in the rule) must address standards in the areas of
administrative, physical and technical safeguards. However, a number of
redundancies have been eliminated, and several useful definitions have been
added or clarified. For example, chain of trust agreement requirements have
been folded into business associate contracting.

One point worth noting is that the draft rule required a risk assessment as
the starting point for security determinations, but did not particularly
emphasize it. It seems to me that there is more emphasis on risk assessment
in the final rule, in that it is tied expressly in as the basis for making
"addressable specification" choices.

This is very much a process-oriented rule; I don't see safe harbors, but I
do see a framework requiring informed, reasonable, appropriate and
documented decision-making. The preamble repeatedly emphasizes that this
shouldn't pose substantial financial or administrative hardship, assuming
you've been reasonable about security already - but I'm not sure how valid
that assumption always is.

Finally, it's now official: electronic signatures are on a separate track,
though apparently a rule is going to be published.   

John R. Christiansen
Preston | Gates | Ellis LLP
PLEASE NOTE OUR NEW ADDRESS AND PHONE NUMBERS EFFECTIVE TUESDAY, JANUARY 21:
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]



Busy week on the privacy litigation front

2003-02-08 Thread Christiansen, John (SEA)
First the Saskatchewan and TriWest class actions, now this. 

Women win suit over medical records 
By The Associated Press 
Friday February 07, 2003; 11:00 AM 
MORGANTOWN -- A jury has awarded $2.3 million to three women whose mental
health treatment records were not kept private by West Virginia University
Medical Corp., also called University Health Associates. Wednesday's verdict
in the negligence case went to three women identified in Monongalia Circuit
Court only by their initials. The corporation's doctors are all members of
the faculty of the WVU School of Medicine. 
A former records clerk, Timothy Poniewasz, was fired in July 1999 in
connection with one woman's complaint to Charles Russell Manley, then
administrator of the medical school's Department of Behavioral Medicine,
that her records had been disclosed by Poniewasz. 
Corporation attorneys said the women presented a strong case against
Poniewasz during the seven-day trial, but didn't prove that University
Health Associates was negligent. Jurors disagreed. After less than two hours
of deliberation they awarded $766,200 to one woman, $762,000 to another and
$750,000 to the third. The awards did not include punitive damages, which
Circuit Judge Russell Clawges had disallowed.
<>

John R. Christiansen
Preston | Gates | Ellis LLP
PLEASE NOTE OUR NEW ADDRESS AND PHONE NUMBERS EFFECTIVE TUESDAY, JANUARY 21:
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]



NEW US Important Privacy Law Development

2003-02-07 Thread Christiansen, John (SEA)
On Tuesday I flagged a Canadian class action for privacy violation by theft
of hard drive and noted the same sort of incident had happened to TriWest in
the U.S. I thought the Canadian case was the first of these. Guess not.
Guess who else got sued?
Lawsuit accuses TriWest Healthcare of negligence 
By Dennis Wagner
The Arizona Republic
Jan. 30, 2003
TriWest Healthcare Alliance has been hit with a class-action lawsuit for
negligence by customers whose identity information was stolen last month in
a heist of computer data from the Phoenix-based defense contractor
The lawsuit was filed in the U.S. District Court for Arizona by Tucson
attorneys David Karnas and Gary Bellovin on behalf of Lt. Col. Michael
Stollenwerk and Andrea DeGatica, both of Virginia. 
<>
See http://www.arizonarepublic.com/arizona/articles/0130triwest30.html

John R. Christiansen
Preston | Gates | Ellis LLP
PLEASE NOTE OUR NEW ADDRESS AND PHONE NUMBERS EFFECTIVE TUESDAY, JANUARY 21:
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]



RE: HIPAA EDI

2003-01-30 Thread Christiansen, John (SEA)
This would be covered by the general HIPAA civil penalties provision,
$100/violation to $25K annual max per "type of violation," on a no-fault
basis, presumably enforced via the OCR in a non-adversarial "we're here to
help" fashion. However, I was recently persuaded that it would also be
possible to bring criminal charges for knowing disclosure of PHI in a
regulated transaction without using the required codes and/or format. I
would hope that would not be a case any prosecutor would want to bring but I
think it is logically possible and therefore a matter of prosecutorial
discretion. As my sainted Irish mother used to say, oy vay.

John R. Christiansen
Preston | Gates | Ellis LLP
PLEASE NOTE OUR NEW ADDRESS AND PHONE NUMBERS EFFECTIVE TUESDAY, JANUARY 21:
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
*Direct: 206.370.8118 *Cell: 206.683.9125
* [EMAIL PROTECTED]


-Original Message-
From: Sherry Lynn Burke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 30, 2003 4:58 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA EDI


I am trying to locate penalties for failure to comply with the EDI standards
but am not having any luck.  Advice?

-Original Message-
From: Boyle, Joan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 8:20 PM
To: WEDI SNIP Privacy Workgroup List
Subject: WEDI SNIP Privacy Policies and Procedures Workgroup Conference
Call - Correction of Time
Importance: High


Please note that our regular workgroup conference call will begin at 3:30 pm
EST.  The discussion of Security Safeguards for Privacy will begin at 4 pm
EST.  All other information is correct.  

Anyone wishing to discuss workgroup issues such as plans for future calls
and for reviewing our existing documents in light of the 12/2002 Privacy
Guidance and the final Security Rule (when published), please join us at
3:30 pm EST.

Joan
Joan Boyle
HIPAA Compliance Manager
The TriZetto Group, Inc.
Voice:  970-627-1675
Fax: 970-627-1677
[EMAIL PROTECTED]

*** Confidentiality Notice ***
This message (including any attachments) contains confidential
information intended for a specific individual and purpose, and is protected
by law. If you are not the intended recipient, you should delete this
message and are hereby notified that any disclosure, copying, or
distribution of this message, or the taking of any action based on it, is
strictly prohibited.




---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org



RE: Any HIPAA Humor tools out there?

2003-01-29 Thread Christiansen, John (SEA)



Who's doing this?

<< Can you guess what law schools are promoting courses in successful
litigation under HIPAA regulations? We have at least one here in Florida I am
aware of.>>

Please let me know, I'd love to see the curriculum and figure out the holes in
it, perhaps work up articles to help judges reject HIPAA claims. Something like
this would be counter-productive and would require creative lawyering to
develop strong private claims (or is the training for prosecutors or OCR
investigators?)

By the way, this is one attorney who co-presented about two dozen half-day
state medical association sponsored trainings for docs, including a thick
compliance manual, for compensation that basically covered expenses, i.e. pro
bono. And no, I don't get a lot of work from docs - a little from time to
time, not much, doctors don't trust lawyers and don't want to spend money on
them (and get mad at us when they mess up legal matters trying to do it
themselves and it costs them more to fix the problems they caused!) - not my
client base, but a profession I respect and felt needed the help since nobody
else was stepping up to the plate.

Just a thought to keep lawyer slamming in perspective.
 
John R. Christiansen
Preston | Gates | Ellis LLP
PLEASE NOTE OUR NEW ADDRESS AND PHONE NUMBERS EFFECTIVE TUESDAY, JANUARY 21:
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
Direct: 206.370.8118 Cell: 206.683.9125
[EMAIL PROTECTED]
Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be
accessible to unauthorized viewers, content may be modified or corrupted,
and headers or signatures may incorrectly identify the sender. If you wish
to confirm this message or the identity of the sender, please contact me
using a communications channel other than a "reply" to this e-mail. Secure
electronic messaging is available and recommended for confidential or
sensitive communications.




RE: Here is a good Privacy Issue that will cause problems

2003-01-21 Thread Christiansen, John (SEA)



One last word on this:

1. Notification of law enforcement would be appropriate and permitted if the
pharmacist had the basis for a good faith belief a crime had occurred or was
occurring on his premises, as when somebody tries to pass a false prescription
slip.

2. It would also be permitted to provide the information to law enforcement in
response to legal process, such as a subpoena.

3. It would also be permissible to provide the information to any other health
care provider who had a professional relationship to the individual, as long as
the pharmacist's professional judgment indicated it would be relevant to the
individual's treatment. So, for example, he could call the doctor whose name
was on the prescription slip, to advise of his concerns about drug misuse
(clearly relevant to patient care); he could also contact other pharmacists who
had been filling prescriptions for the individual, for the same reason.

Finally, people who are addicted to drugs often have related defensive
personality traits, which can cause them to deny any facts indicating they have
the problem, and this means that they may in some cases try to obfuscate the
issue by attacking the party who brings it up. In this context, then, I would
be concerned to be sure of my legal basis for disclosing information before
doing so, to avoid leaving an opening for a claim intended to divert attention.
It's worth remembering that some people who have drugs not only suffer from
denial, they also have significant public reputations to protect and deep
pockets to retain lawyers and investigators.

  -Original Message-
  From: Patricia Hamby [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, January 21, 2003 7:34 AM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Here is a good Privacy Issue that will cause problems

  Want to be sure I understand.  Notification of law enforcement only is your
  conclusion?  Any clarification will be appreciated.  Thank you.

  Patricia Hamby
  HIPAA Compliance Project Manager
  XANTUS Healthplan of Tennessee, Inc.
  (615) 463-1612, Office
  (615) 279-1301, Facsimile
  http://www.xantushealthplan.com/hipaa/page3.html

-Original Message-
From: Christiansen, John (SEA) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 5:49 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Here is a good Privacy Issue that will cause problems

The magnitude of the crime does not trigger a change in legal
treatment. 45 CFR 164.512(f)(5) permits CEs to disclose PHI to law
enforcement if the CE "believes in good faith constitutes evidence of
criminal conduct that occurred on the premises of the covered entity," and
sub (6) permits providers to disclose PHI to law enforcement under certain
conditions when providing health care in an emergency. So sub (5) would
provide coverage for a report to the cops if e.g. a pharmacist were handed
a prescription slip with a forged signature (assuming he had reason to
believe it was forged), but still wouldn't allow for the kind of letter to
other pharmacists described in the original example, even if he had received
such a forgery.

While narcotics are given heightened scrutiny under a number of legal
regimes, the wrath of the law comes down only for their illegal possession or
distribution. If you succeed in getting a prescription, your possession
is legal. If you succeed in getting multiple prescriptions and the
pharmacist filling them knows it, the pharmacist may be in trouble, and
certainly if the doctor writing the prescriptions knows it he might be very
likely to get in trouble with both law enforcement and licensing
authorities.

The pharmacist may (better) know whether the drug in
question is a controlled substance, but if he has a question about the
validity of a given prescription his recourse should be to check with the
prescribing doctor to confirm the signature, and if the pharmacist has
information indicating (for example) that he just filled two other
prescriptions for the same drug for the same individual from two other
doctors in the last week he can properly advise the doctor (under the
"treatment" exception for PHI disclosures) of this fact which is relevant to
the care the doctor is providing to the individual.

A decision to take the law into your own hands, as by sending a "drug seeking
behavior warning" letter to others in the community, is vigilantism, and
whether or not a vigilante is proven to have done the morally or practically
right thing in any given situation, he is always at risk of breaking
the law and having to take the consequences himself. So, if a pharmacist in
this situation felt that the potential evil of the drug-seeking
behavior

RE: Here is a good Privacy Issue that will cause problems

2003-01-17 Thread Christiansen, John (SEA)
  -Original Message-
  From: Christiansen, John (SEA) [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 7:09 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Here is a good Privacy Issue that will cause problems

  Hate to say it, but I disagree: Under HIPAA a pharmacist's job is to
  establish and comply with certain policies for privacy, security and
  electronic claims processing. It is a pharmacist's *professional* obligation
  to avoid (or mitigate) harm to individuals, and HIPAA is not intended to
  *interfere* with this. But HIPAA says nothing about mitigation of harm or
  professional standards.

-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 3:57 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Here is a good Privacy Issue that will cause problems

Tim,

I must respectfully disagree with your fundamental analysis of this scenario.
Pharmacists (chemists) have, for more than 2000 years, been part of a triad
(including physicians and nurses) engaged in an on-going clinical (NOT
business) practice of ensuring that the correct medications and drugs are
received by the correct patients.  Whenever we remove one of those
clinical disciplines from the decision-making process, medication errors and
mistakes are likely to increase.

It is NOT the intention of HIPAA to deter a good clinical practice.
Unfortunately, when unscrupulous people get hold of blank-prescriptions,
innocent people may get hurt.  Under HIPAA, our responsibility then
becomes mitigation of the harm.

I hope that this helps.

Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com

CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011

(212) 675-6367
[EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information that
is privileged, confidential and exempt from disclosure under applicable law.
If you have received this communication in error, please do not distribute it.
Please notify the sender by E-Mail at the address shown and delete the
original message. Thank you.
 
CONFIDENTIALITY NOTICE: This email is solely for the use of the individual or
entity to which it is addressed and may contain information that is privileged,
confidential and exempt from access under applicable law. If you have received
this communication in error, please do not distribute it.  Please notify the
sender of the E-Mail at the address shown and delete the original message.
Thank you.
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 6:00 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Here is a good Privacy Issue that will cause problems

In my personal opinion, this practice - violating patient privacy, in the name
of detecting abuse by private businesses - which is (it appears to me)
unsupported by statute (unless mandated by DEA regulation) - is contrary to
both many state laws and HIPAA.  I agree the practice serves a valuable
community need, as well as the needs of the abusing patient
(intervention).  However, as it (as I see it) is NOT a law enforcement
reporting issue, but rather a "home grown" solution, that businesses simply do
out of common sense, the practice will either have to be suspended, with
suspects reported to law enforcement - cutting out the Sherlock Holmes
detection engaged in by pharmacists in the process - or get a
state statute passed to support and require the activity.  After all,
it appears

RE: Here is a good Privacy Issue that will cause problems

2003-01-16 Thread Christiansen, John (SEA)



Hate to say it, but I disagree: Under HIPAA a pharmacist's job is to establish
and comply with certain policies for privacy, security and electronic claims
processing. It is a pharmacist's *professional* obligation to avoid (or
mitigate) harm to individuals, and HIPAA is not intended to *interfere* with
this. But HIPAA says nothing about mitigation of harm or professional
standards.

  -Original Message-
  From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 3:57 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Here is a good Privacy Issue that will cause problems

  Tim,

  I must respectfully disagree with your fundamental analysis of this
  scenario.  Pharmacists (chemists) have, for more than 2000 years, been part
  of a triad (including physicians and nurses) engaged in an on-going clinical
  (NOT business) practice of ensuring that the correct medications and drugs
  are received by the correct patients.  Whenever we remove one of those
  clinical disciplines from the decision-making process, medication errors and
  mistakes are likely to increase.

  It is NOT the intention of HIPAA to deter a good clinical practice.
  Unfortunately, when unscrupulous people get hold of blank-prescriptions,
  innocent people may get hurt.  Under HIPAA, our responsibility then becomes
  mitigation of the harm.

  I hope that this helps.

  Your questions are always welcome.

  Matt

  Matthew Rosenblum
  Chief Operations Officer
  Privacy, Quality Management & Regulatory Affairs
  http://www.CPIdirections.com

  CPI Directions, Inc.
  10 West 15th Street, Suite 1922
  New York, NY 10011

  (212) 675-6367
  [EMAIL PROTECTED]
   
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 6:00 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Here is a good Privacy Issue that will cause problems

  In my personal opinion, this practice - violating patient privacy, in the
  name of detecting abuse by private businesses - which is (it appears to me)
  unsupported by statute (unless mandated by DEA regulation) - is contrary to
  both many state laws and HIPAA.  I agree the practice serves a valuable
  community need, as well as the needs of the abusing patient
  (intervention).  However, as it (as I see it) is NOT a law enforcement
  reporting issue, but rather a "home grown" solution, that businesses simply
  do out of common sense, the practice will either have to be suspended, with
  suspects reported to law enforcement - cutting out the Sherlock Holmes
  detection engaged in by pharmacists in the process - or get a state
  statute passed to support and require the activity.  After all, it
  appears to me that what is really occurring here is abuse of privacy, and
  potentially serious defamation, and that a case might be made for damages if
  a person is placed on these distribution lists wrongly.  However, as I am
  not an attorney I can not pass on a formal opinion.  Just keep in mind
  that a person DOES NOT LOSE ANY RIGHTS just because a pharmacist suspects
  abuse!!!  It is up to statutory law enforcement to investigate, and a
  court to determine if a crime has been committed, NOT A CE, regardless of
  their practices.  I am frankly amazed that we have not heard more
  litigation on this issue.
   
  Regards,
   
  Tim McGuinness, Ph.D.
  Consulting Specialist in Regulatory Privacy, Security, and Application
  Compliance

RE: Here is a good Privacy Issue that will cause problems

2003-01-16 Thread Christiansen, John (SEA)



The magnitude of the crime does not trigger a change in legal treatment. 45 CFR
164.512(f)(5) permits CEs to disclose PHI to law enforcement if the CE
"believes in good faith constitutes evidence of criminal conduct that occurred
on the premises of the covered entity," and sub (6) permits providers to
disclose PHI to law enforcement under certain conditions when providing health
care in an emergency. So sub (5) would provide coverage for a report to the
cops if e.g. a pharmacist were handed a prescription slip with a forged
signature (assuming he had reason to believe it was forged), but still wouldn't
allow for the kind of letter to other pharmacists described in the original
example, even if he had received such a forgery.

While narcotics are given heightened scrutiny under a number of legal regimes,
the wrath of the law comes down only for their illegal possession or
distribution. If you succeed in getting a prescription, your possession
is legal. If you succeed in getting multiple prescriptions and the
pharmacist filling them knows it, the pharmacist may be in trouble, and
certainly if the doctor writing the prescriptions knows it he might be very
likely to get in trouble with both law enforcement and licensing
authorities.

The pharmacist may (better) know whether the drug in question is a
controlled substance, but if he has a question about the validity of a given
prescription his recourse should be to check with the prescribing doctor to
confirm the signature, and if the pharmacist has information indicating (for
example) that he just filled two other prescriptions for the same drug for the
same individual from two other doctors in the last week he can properly advise
the doctor (under the "treatment" exception for PHI disclosures) of this fact
which is relevant to the care the doctor is providing to the
individual.

A decision to take the law into your own hands, as by sending a "drug seeking
behavior warning" letter to others in the community, is vigilantism, and whether
or not a vigilante is proven to have done the morally or practically right thing
in any given situation, he is always at risk of breaking the law and having
to take the consequences himself. So, if a pharmacist in this situation felt
that the potential evil of the drug-seeking behavior was great enough to
warrant a letter to his fellow pharmacists, he should only do so with the
acceptance that his action might bring consequences on him such as OCR
investigation, potential criminal charges, potential civil action by the
individual, and potential for disciplinary action by licensing
authorities.

The point is that there are ways of dealing with this, but they are being
formalized with the intent of adding protections for individuals. This presents
obstacles to the pursuit of potential evil-doers - bad guys always take
advantage of their legal rights - but I am not sure it is a bad thing to have
to make considered decisions before taking actions that might erroneously harm
affect the rights or reputations of others.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 3:18 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: Re: Here is a good Privacy Issue that will cause problems

  John:

  Thank you so much for your detailed reply, though I am afraid I do not
  concur with your answer. The point in discussion was an obvious abuse of the
  system; any other drug would not detain the wrath of the law BUT NARCOTICS
  DOES. Reference to rights was only associated with this particular crime.

  Sorry to disagree. Furthermore, the pharmacy of PBM is not making the
  judgment, the law does that. A doctor in Florida was charged with this very
  same example. I will look up other examples for you.

  Regards, Robert

  In a message dated 1/16/2003 3:00:30 PM Central Standard Time,
  [EMAIL PROTECTED] writes:

  Subj: RE: Here is a good Privacy Issue that will cause problems
  Date: 1/16/2003 3:00:30 PM Central Standard Time
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]

  Robert -

  I think I need to question one of your assumptions, and your approach to
  this kind of problem.

  #1 the assumption that:   is not correct, and is in fact dangerously
  incorrect.

  HIPAA does not state that principle anywhere. It does list a number of
  conditions under which PHI may be disclosed: for TPO, under an
  authorization, and under the conditions listed in 45 CFR 164.512 (uses and
  disclosures not for TPO for which no authorization is required). If you
  read that regulation you will see that subsection (a) does permit a
  disclosure required by law, while subsection (f) sets out the specific
  requirements for disclosures for law enforcement purposes. (The other
  exceptions in this regulation don't appear likely ever to apply to this kind
  of situation). If there is a law on the books requiring disclosure

RE: Here is a good Privacy Issue that will cause problems

2003-01-16 Thread Christiansen, John (SEA)



Very true, there does seem to be a trend toward federal agencies assuming the
legal discretion to suspend or eliminate rights of non-US citizens in the US,
and also perhaps US citizen "combatants" as well, and at least seeming to claim
that they have the authority to determine whether such individuals have certain
rights without judicial (or Congressional or press or public?) oversight. I
deliberately steered clear of this and issues around things like ISPs, telecom
companies and homeland security - there's a whole can of worms there which will
be hard enough to sort out without adding HIPAA to the mix.

However, whatever you may think of federal agencies acting in such a fashion,
they are at least "under color of" legal authority. A pharmacist is not, in
this area, and I don't think a pharmacist's decision that an individual may be
committing a crime and so is no longer entitled to privacy is likely to be
given much deference.

  -Original Message-
  From: David Frenkel [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 2:36 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Here is a good Privacy Issue that will cause problems

  John,
  I think there is some evolution going on in this area in regards to non-US
  citizens who are arrested in the US.  Congress passed legislation that
  allows the INS to hold non-US citizens arrested of any crime without
  bail.  The evolution appears to be that these non-US citizens whether
  legally or illegally in the US have not the same rights as US citizens if
  arrested.  Then there is the case of combatants held in US custody.

  Regards,

  David Frenkel
  Business Development
  GEFEG USA
  Global Leader in Ecommerce Tools
  www.gefeg.com
  425-260-5030

  -----Original Message-----
  From: Christiansen, John (SEA) [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 12:55 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: Here is a good Privacy Issue that will cause problems
   
  
  Robert -

  I think I need to question one of your assumptions, and your approach to
  this kind of problem.

  #1 the assumption that:   is not correct, and is in fact dangerously
  incorrect.

  HIPAA does not state that principle anywhere. It does list a number of
  conditions under which PHI may be disclosed: for TPO, under an
  authorization, and under the conditions listed in 45 CFR 164.512 (uses and
  disclosures not for TPO for which no authorization is required). If you
  read that regulation you will see that subsection (a) does permit a
  disclosure required by law, while subsection (f) sets out the specific
  requirements for disclosures for law enforcement purposes. (The other
  exceptions in this regulation don't appear likely ever to apply to this
  kind of situation). If there is a law on the books requiring disclosure of
  drug-seeking behavior, exception (a) would apply; but I am not aware of any
  such laws (doesn't mean there aren't any, I just don't know of any).

  This is a very different approach to privacy from the assumption that "if
  you break the law you lose your privacy." While the U.S. Constitution does
  not explicitly state a privacy right (there are theories that it does so
  implicitly, but that's another set of questions), HIPAA does create a
  statutory/regulatory set of privacy obligations on the part of CEs and
  entitlements on the part of individuals. I frankly don't think that a
  pharmacist's judgment that he thinks someone has broken the law by
  improperly seeking drugs (by the way, *is* drug-seeking behavior a crime?
  or just a basis for suspicion of a crime? or are we using an alert of this
  kind to prevent health problems and over-prescription?) will suffice to
  eliminate this entitlement (as a matter of law) or relieve the pharmacist,
  as a CE, of his or her obligation to respect these privacy entitlements by
  complying with the regulations. (By the way, what if he's wrong? In
  addition to breach of privacy there might well be a suit for libel
  available.)

  This is not to say something can't be done to communicate about this kind
  of problem - we have discussed it quite a bit and there have been a number
  of good postings on the subject - but the way to approach a solution is to
  start with the regulations and read them carefully. (Also any applicable
  business associate contracts; for example, in your example of the PBM, has
  the PBM checked to make sure any BAC it has with a CE that provided some of
  the PHI which describes the prescriptions written permits that kind of
  disclosure? There are some badly drafted documents out there, not all of
  which might allow for everything you would like to assume they do.)

  The un

RE: Here is a good Privacy Issue that will cause problems

2003-01-16 Thread Christiansen, John (SEA)



Robert 
-
 
I 
think I need to question one of your assumptions, and your approach to this kind 
of problem. 
 
#1 the 
assumption that:   is not correct, and is 
in fact dangerously incorrect.
 
HIPAA does not state 
that principle anywhere. It does list a number of conditions under which PHI may 
be disclosed: for TPO, under an authorization, and under the conditions listed 
in 45 CFR 164.512 (uses and disclosures not for TPO for which no authorization 
is required). If you read that regulation you will see that subsection (a) does 
permit a disclosure required by law, while subsection (f) sets out the specific 
requirements for disclosures for law enforcement purposes. (The other 
exceptions in this regulation don't appear likely ever to apply to this kind of 
situation). If there is a law on the books requiring disclosure of drug-seeking 
behavior, exception (a) would apply; but I am not aware of any such laws 
(doesn't mean there aren't any, I just don't know of any). 
 
This is a very 
different approach to privacy from the assumption that "if you break the 
law you lose your privacy." While the U.S. Constitution does not explicitly 
state a privacy right (there are theories that it does so implicitly, but that's 
another set of questions), HIPAA does create a statutory/regulatory set of 
privacy obligations on the part of CEs and entitlements on the part of 
individuals. I frankly don't think that a pharmacist's judgment that he thinks 
someone has broken the law by improperly seeking drugs (by the way, *is* 
drug-seeking behavior a crime? or just a basis for suspicion of a crime? or are 
we using an alert of this kind to prevent health problems and 
over-prescription?) will suffice to eliminate this entitlement (as a matter 
of law) or relieve the pharmacist, as a CE, of his or her obligation to respect 
these privacy entitlements by complying with the regulations. (By the way, what 
if he's wrong? In addition to breach of privacy there might well be a suit for 
libel available.)
 
This is not to say 
something can't be done to communicate about this kind of problem - we have 
discussed it quite a bit and there have been a number of good postings on the 
subject - but the way to approach a solution is to start with the regulations 
and read them carefully. (Also any applicable business associate 
contracts; for example, in your example of the PBM, has the PBM 
checked to make sure any BAC it has with a CE that provided some of the PHI which 
describes the prescriptions written permits that kind of disclosure? There are 
some badly drafted documents out there, not all of which might allow for 
everything you would like to assume they do.)
 
The underlying point 
being that with HIPAA coming into effect decisions like these have to be made in 
a more formal way, with actual reference to regs and contracts and not in 
reliance on what you assume should be the right result.
 
John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
(Direct: 206.613.7118 - (Cell: 206.683.9125
* [EMAIL PROTECTED]

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 16, 2003 12:05 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: Re: Here is a good Privacy Issue that will cause problems

  Yes and no. First, they are breaking the law when they doctor-shop for
  narcotics. Secondly, who is responsible for reporting this to law
  enforcement? The question comes up, how did you know the individual went to
  different pharmacies? Were you told by the same chain of pharmacies? Usually
  it will be tracked by the PBM when multiple pharmacies are being used. That's
  why our organization wants to control narcotics OTC. OxyContin is usually a
  long term medication for severe pain and should be provided by mail (where
  there are systems in place to catch this kind of misuse). It is a red flag
  when narcotics are being prescribed OTC.

  With regard to what should happen; the PBM should write letters to all
  physicians that prescribe this narcotic to the individual in question, making
  them aware of the manufacturer's protocol and the total number of pills being
  prescribed -- this is done as a matter of post utilization review for OTC
  drugs.

  The question is who has the responsibility to report this to the authorities?

  I believe under your scenario, the individual has lost the right to privacy
  once they break the law.

  Please correct me if I am wrong in my assumptions.

  Thanks, Robert

  Robert Blinch-Edwards
  Executive Director
  Healthcare Sarasota, Inc.
  1991 Main Street, Suite 148
  Sarasota, FL 34236
  Tel: 941-917-7995
  Fax: 941-917-1930
  email: [EMAIL PROTECTED]
  Web: www.hcsrq.com

  In a message dated 1/15/2003 3:43:15 PM Central Standard Time,
  [EMAIL PROTECTED] writes:

  Subj: Here is a good Privacy Issue that will cause problems
  Date: 1/15/2003 3:43:15 PM Central Standard Time
  From: [EMAIL PROTECTED]
  To: [EMAIL

RE: Here is a good Privacy Issue that will cause problems

2003-01-15 Thread Christiansen, John (SEA)
This was a very big issue in one small city where I spoke on HIPAA a couple
of years ago, because the chief of police () had recently been busted
for drug-seeking behavior - everybody wanted to know how it would play out
under HIPAA. 

If I read this question right, what happened here was that one pharmacy sent
another a letter including PHI ("Joe Doaks is trying to buy lots of
controlled substances"), without patient authorization. So, is there an
applicable exception?

You might be able to argue that the treatment exception applies: Both
pharmacies are providing health care to (filling prescriptions for) Joe,
possible misuse of drugs is a legitimate consideration in providing care
(due to potential for drug interactions and overdosing), so it would be
legitimate to say that this is a permitted disclosure from one provider to
another for treatment purposes. However, if Joe finds out this kind of
communication is going on, he may not take it well, and may disagree. Given
the personalities of many drug abusers, he probably will. This is the kind
of scenario that leads to OCR complaints and lawsuits. If your drug seeker
has deep pockets and a reputation to protect - numerous celebrities come
immediately to mind - a lawsuit might even be likely. So, if I were a
pharmacy, I might very much want OCR guidance stating that this kind of
pharmacy-to-pharmacy communication is permitted under the treatment
exception; I don't want it a gray area.

Disclosures to law enforcement have their own exception. However, in
discussions with in the small city referenced above, it became clear that a
lot of people simply gave out information to the plainclothes investigators
based on the investigators' oral representation of their authority - no
subpoena, no warrant, no letter, no badge or ID check, in some cases over
the phone (without a verifying callback procedure). This is highly risky - I
think you probably ought to be able to get the benefit of the law
enforcement exception without having checked authority, but the regs specify
what you are permitted to rely upon and that you have to have "reasonable
safeguards" against unauthorized access, which authority verification would
seem to be. So you may be at risk in disclosing without checking even if the
recipient turns out to be telling the truth about his law enforcement
authority. And if he's not what he says he is - if, as by anecdote happened
to a couple of organizations discussed at the presentation, he (or she) is
actually an ex-spouse, or parent - then you're in real hot water. (I would
hope not criminal charges, but under the wrong facts I bet an aggressive
prosecutor could make a case.) And if HIPAA isn't enough, in Washington
state unauthorized disclosure of patient information is actionable medical
malpractice, too.

So: Read the rules; trust, but verify (authority); lobby for clarity; and
when in doubt, don't disclose.

John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.683.9125
* [EMAIL PROTECTED]
Notice: Internet e-mail is inherently insecure. Unencrypted e-mail may be
accessible to unauthorized viewers, content may be modified or corrupted,
and headers or signatures may incorrectly identify the sender. If you wish
to confirm this message or the identity of the sender, please contact me
using a communications channel other than a "reply" to this e-mail. Secure
electronic messaging is available and recommended for confidential or
sensitive communications.

  

-Original Message-
From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 1:15 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Here is a good Privacy Issue that will cause problems



This is a huge issue in my area, because we actually have a "hotline" set up
in the county and I don't think we can keep it around.  I am lucky enough to
be invited to a meeting with state police detectives, physicians, and
pharmacists next week regarding HIPAA and I am sure it will come up.  I will
report to the group my findings then.  

I do think this is more of a common occurrence than we think it is.  Make
sure you ask the right questions with your groups.  

Judith Bentz-Miller
Privacy Officer
Arnett Clinic
765-448-8843

-Original Message-
From: Rebekah Savoie [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 3:53 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Here is a good Privacy Issue that will cause problems


Today, a clinic that I work with received a letter from a local pharmacy
about a patient that was a "Drug Seeker" as we call them.  Over the
course of 30 days he had been to several doctors and several pharmacies
and received over 350 total pills all a controlled substance.

What happens to the pharmacy's ability to do these types of things
under Privacy?  

Clearly, pharmacists were communicating information back and forth to
each other and to physicians on t

RE: general question- help to get started!

2002-10-25 Thread Christiansen, John (SEA)
I can send you a copy of a presentation I did on employer compliance
obligations as plan sponsors, etc., if you like but we should do so
off-list. Let me know.

From: John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.799.9388
* [EMAIL PROTECTED]
Reader Beware: Internet e-mail is inherently insecure. Unencrypted e-mail
may be accessible to unauthorized viewers, e-mail content may have been
modified or corrupted, and e-mail headers or signatures may incorrectly
identify the sender. If you wish to confirm the contents of this message or
identity of the sender, or wish to arrange for more secure communication
please contact me using a communications channel other than a "reply" to
this e-mail. Thank you.

 

-Original Message-
From: Susan Butters [mailto:sbutters@;psd.k12.co.us]
Sent: Friday, October 25, 2002 1:45 PM
To: WEDI SNIP Privacy Workgroup List
Subject: general question- help to get started!


I hope that I have got the right group of people to ask- 
but here it goes! I apologize in advance if I don't. Any 
help would be appreciated. 

I am new to the HIPAA compliance project and am working 
with a school district that is self funded for health 
benefits and also has an internal EAP. Unique I think in 
the way that we are a plan sponsor and also a provider. 

Any insight or suggestions on the best resources to 
follow to get started and to follow?  


--
Susan Butters
HIPAA Compliance Specialist
Poudre School District, Ft. Collins, CO
[EMAIL PROTECTED]
970-490-3545



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org



RE: HIPAA-related privacy question (I think)

2002-10-23 Thread Christiansen, John (SEA)
U.S. v. Sutherland, U.S. District Ct. for Western District of VA Case No.
1:00CR0052, in a pretrial ruling quashing a medical records subpoena. You
should be able to find it easily via e.g. Google.  

-Original Message-
From: Serfass, Stephen A. [mailto:Stephen.Serfass@;dbr.com]
Sent: Wednesday, October 23, 2002 4:45 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


John:

Will you please provide me with a citation for the caselaw you refer
to below?

Thanks!

Steve
-Original Message-
From: Christiansen, John (SEA) [mailto:JohnC@;prestongates.com]
Sent: Tuesday, October 22, 2002 4:54 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


The problem with the definition of "Covered Entity" is jurisdictional. HIPAA
is only incidentally a privacy law, and was primarily intended (in the
section we are concerned about) with mandating the use of electronic data
interchange (EDI) for claims transactions. Since plans basically exist only
in order to conduct the processing and payment of claims, and clearinghouses
exist only to process and transmit them, they are squarely within HIPAA's
jurisdiction. But providers "only incidentally" participate in claims
transactions (i.e., they exist to provide health care, payment is a
secondary attribute), so HHS has jurisdiction to reach them only to the
extent they actually do participate in electronic transactions. Another
example of the implications of this problem is the BAC, for example, which
is a "work-around" to deal with the fact that CEs need to be able to work
with NCEs using PHI on their behalf, but HHS doesn't have jurisdiction over
NCEs so has to reach them indirectly, by requiring CEs to have contracts
which make NCEs protect PHI too.

As to whether or not the Privacy Rule becomes the generalized standard of
care, there is already caselaw in which a federal court applied the rule as
a matter of public policy even though it is not technically effective.
However, the more important consideration in the "CE or NCE" question is,
can I be criminally prosecuted if I am implicated in a misuse/unauthorized
disclosure of PHI? If I'm an NCE I probably can't, but if I'm a CE I can. So
even if the same standard were to apply to both CEs (under HIPAA) and NCEs
(by public policy) the penal consequences of a breach could be crucially
different.

-Original Message-
From: Sparma, Deborah, nashccon
[mailto:Deborah.Sparma.nashccon@;acs-inc.com]
Sent: Tuesday, October 22, 2002 1:37 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


I appreciate the clarifications. However, my next question becomes this
the definition of Health Care information in the rule is as follows:

Health information means any information, whether oral or recorded in any
form or medium, that:
(1) Is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health
care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual;
or the past, present, or future payment for the provision of health care to
an individual.

If

RE: HIPAA-related privacy question (I think)

2002-10-22 Thread Christiansen, John (SEA)
The problem with the definition of "Covered Entity" is jurisdictional. HIPAA
is only incidentally a privacy law, and was primarily intended (in the
section we are concerned about) with mandating the use of electronic data
interchange (EDI) for claims transactions. Since plans basically exist only
in order to conduct the processing and payment of claims, and clearinghouses
exist only to process and transmit them, they are squarely within HIPAA's
jurisdiction. But providers "only incidentally" participate in claims
transactions (i.e., they exist to provide health care, payment is a
secondary attribute), so HHS has jurisdiction to reach them only to the
extent they actually do participate in electronic transactions. Another
example of the implications of this problem is the BAC, for example, which
is a "work-around" to deal with the fact that CEs need to be able to work
with NCEs using PHI on their behalf, but HHS doesn't have jurisdiction over
NCEs so has to reach them indirectly, by requiring CEs to have contracts
which make NCEs protect PHI too.

As to whether or not the Privacy Rule becomes the generalized standard of
care, there is already caselaw in which a federal court applied the rule as
a matter of public policy even though it is not technically effective.
However, the more important consideration in the "CE or NCE" question is,
can I be criminally prosecuted if I am implicated in a misuse/unauthorized
disclosure of PHI? If I'm an NCE I probably can't, but if I'm a CE I can. So
even if the same standard were to apply to both CEs (under HIPAA) and NCEs
(by public policy) the penal consequences of a breach could be crucially
different.

-Original Message-
From: Sparma, Deborah, nashccon
[mailto:Deborah.Sparma.nashccon@;acs-inc.com]
Sent: Tuesday, October 22, 2002 1:37 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


I appreciate the clarifications. However, my next question becomes this
the definition of Health Care information in the rule is as follows:

Health information means any information, whether oral or recorded in any
form or medium, that:
(1) Is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health
care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual;
or the past, present, or future payment for the provision of health care to
an individual.

If health care information can be in ANY form and covered under the privacy
rule, then why is it only providers who submit electronic transactions that
are covered entities? Wouldn't the providers who choose NOT to conduct an
electronic transaction still have Health Care information as defined in the
rule? Are you telling me they are totally exempt from this privacy rule
because they are not conducting an electronic transaction, BUT they have
health information in any form?

Deborah

-Original Message-
From: Sadauskas, Thomas, CON, OASD(HA)/TMA
[mailto:Thomas.Sadauskas@;tma.osd.mil]
Sent: Tuesday, October 22, 2002 2:13 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


Deborah,

I'm afraid you're incorrect about that.  The rules and HIPAA legislation
exempt health care providers who do NOT engage in any of the HIPAA covered
transactions. Double check the definition of a covered entity for health
care providers.

That's a very small subset of the total of providers.  Such providers may
have a hard time come April 2003 when their patients ask why they're not
being given an NPP and the provider says I'm not required to follow HIPAA
privacy rules because I'm not a covered enti

RE: HIPAA-related privacy question (I think)

2002-10-22 Thread Christiansen, John (SEA)
Privacy is specifically bound to transactions for providers. See Privacy Rule
sec. 160.102(a)(3), and definition of "Covered Entity" at 160.103.

-Original Message-
From: Sparma, Deborah, nashccon
[mailto:Deborah.Sparma.nashccon@;acs-inc.com]
Sent: Tuesday, October 22, 2002 12:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


Question,

How does choosing not to do a HIPAA transaction make the provider a
non-covered entity? The fact that the provider is a health care provider
makes him a covered entity whether or not he chooses to do a HIPAA
transaction doesn't matter. Privacy isn't bound to HIPAA transactions.

Deborah Sparma
Datatek Consulting Group

-Original Message-
From: Jan Root [mailto:janroot@;uhin.com]
Sent: Tuesday, October 22, 2002 1:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: HIPAA-related privacy question (I think)


Here's an issue I'd like people to think about and perhaps share what
they (payers and providers alike) might do. I think it is a non-HIPAA
issue, but it seems quite closely related to privacy and liability.  I'm
not an expert on privacy so I might have taken a mis-step somewhere in
my chain of thought:  all comments or corrections are welcome!

The setting:
1. The provider elects not to do HIPAA transactions and thus is a
non-covered entity.
2. The provider sends paper claims to a payer.
3. The payer sends a paper EOB to the provider. The payer is disclosing
PHI to a non-covered entity (the provider).
4. Covered entities are allowed to disclose PHI for TPO to 'health care
providers'

Issue:
Because the provider is a non-covered entity (NCE), and, hence, is not
subject to the Privacy Rule, are payers going to include in their NCE
provider-payer contracts some kind of stipulation that the NCE provider
protect PHI?  (I don't think you can use a business associate contract to
do this: The provider cannot be a business associate because they are
not performing any of the payer's covered entity functions, yes?.)  Are
payers, in essence, going to say to their NCE provider contingency "Hey,
you need to protect this information to the same level I do (i.e., as if
you were a covered entity)"?  I would assume that payers would like
providers to share some of the risk of handling PHI. If the provider is
a covered entity, then HIPAA covers that.  If the provider is not a
covered entity, then what?

Stray thought: Probably one of the major differences for CE and NCE
providers is that if there were a breach of privacy involving a NCE
provider the matter would not go to the Secretary of HHS (assuming it
got that far).  Instead it would go to a state (?) court and state laws
would apply, both state privacy laws and state contract violation laws
(?).

Mostly I'm interested in hearing in how payers are going to handle their
non-covered-entity providers from a liability perspective.  It seems
like all payers who allow submission of paper claims, will be faced with
this question.  Maybe I'm all wet and there's no issue here at all!

I don't know if there are any NCE providers on this list serve (??) but
if there are, from the provider perspective, are NCE providers going to
be willing to sign payer-provider contracts that stipulate that they
protect PHI (and are subject to fines if they don't)?

Thanks in advance for your thoughts.

Jan Root, Ph.D.
UHIN Standards Manager




RE: HIPAA-related privacy question (I think)

2002-10-22 Thread Christiansen, John (SEA)
Jan has identified a problem which has come up for me, too, in a somewhat
different variant: 
<
The setting:
1. The provider elects not to do HIPAA transactions and thus is a
non-covered entity.

Issue: 
Because the provider is a non-covered entity (NCE), and, hence, is not
subject to the Privacy Rule, are payers going to include in their NCE
provider-payer contracts some kind of stipulation that the NCE provider
protect PHI?  (I don't think you can use a business associate contract to do
this: The provider cannot be a business associate because they are not
performing any of the payer's covered entity functions, yes?.)
>

#1 I think it is correct that the provider is not a business associate in
this scenario.

#2 Sec. .530(c) of the privacy rule requires CEs to implement "safeguards"
to protect PHI. BACs are required under secs. .502(e)/.504(e) as
"satisfactory assurance" that the BA "will appropriately safeguard" PHI. 

So, shouldn't a CE (payer in Jan's scenario) get something equivalent to a
BAC for any use/disclosure of PHI by a NCE (provider in Jan's scenario), if
the payer is responsible for the protection of the PHI which is in the NCE's
control, even if they are not technically BAs?

Where else could this come up? E.g. plan NCQA accreditation audits of
provider records by third party auditors - they aren't BAs of the providers,
but can the providers afford to simply count on the auditors' ethics and
their contracts with other parties? I wouldn't recommend it, and when it
came up for a client I didn't - we required a separate agreement between the
auditors and my client. This same issue is also currently coming up in an
occupational medicine context, so this is clearly a "live one."
From: John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.799.9388
* [EMAIL PROTECTED]

