RE: Contract Between Anesthesia Group and Hospital

2003-03-26 Thread Clay, Roy III (NO)
Title: RE: Contract Between Anesthesia Group and Hospital





As persons involved directly in the treatment of the patient, you do not need a business associate agreement. However, you may wish to include some language in the contract which declares that the relationship between your group and the hospital is an organized health care arrangement (OHCA) and specify which Notice of Privacy Practices will be given to the patient (usually the hospital's). 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 26, 2003 8:13 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Contract Between Anesthesia Group and Hospital



We are an Anesthesia Group Practice that has contracts with facilities 
(hospitals)
that we provide anesthesia services for. Do we need to have a separate 
Privacy Notice Issued and Acknowledgment signed or can we just have a 
Business Associates by adding this language to our existing contract?


Surely this is something that is coming up a lot with outside Labs, 
Radiology, Physical Therapists that are not facility employees and that do 
their own billing based on information that they receive from the facility.


Thank in advance for any information or experience with this matter.





Daryl Ewing, CPC
RPK Anesthesia, P.A.
[EMAIL PROTECTED]


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]

If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: BA v Trading Partner Agreements

2003-03-20 Thread Clay, Roy III (NO)
Title: RE: BA v Trading Partner Agreements





Trading partner agreements are used between covered entities (usually a health care and an insurance plan or a clearinghouse) to govern the exchange of covered transactions. A business associate agreement is between a covered entity (like a health care provider) and a non-covered entity (like a computer services company) which is providing a service which requires that the non-covered entity receive protected health information in order to perform the service. 

Roy G. Clay, III
Interim Compliance Officer
Louisiana State University Health Sciences Center - New Orleans 
Phone: (504) 568-2350
Fax: (504) 568-2346
Email: [EMAIL PROTECTED]
CONFIDENTIAL AND PRIVILEGED
This message and any attachments are privileged information. If you are not the intended recipient and have received this message in error, please inform the sender and delete the contents without opening, copying, distributing or forwarding.




-Original Message-
From: Jonathan May [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 20, 2003 12:44 PM
To: WEDI SNIP Privacy Workgroup List
Subject: BA v Trading Partner Agreements




Can anyone offer a simple clarification of the difference between and when 
to use a Business Associate Agreement and a Trading Partner Agreement?


Many thanks.





_
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]

If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: Internet Pagers Privacy

2003-03-06 Thread Clay, Roy III (NO)
Title: RE: Internet Pagers  Privacy





If all that is sent is the patient's name and address, that should be fine. If there is additional information that would allow someone to infer some about the patient's health status, something like:

To: HIV On Call Nurse.
Call patient John Doe at 555-.


That would be considered PHI. However, I am pretty sure the paging company would be considered a pass-through similar in nature to the phone company one leases network lines from. 

-Original Message-
From: Paul Weber [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 05, 2003 1:51 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Internet Pagers  Privacy



I'm looking for some input on a scenario that was recently presented. To wit...


What are the ramifications relative to HIPAA Privacy where communications containing PHI to alphanumeric pagers held by remote nursing staff are initiated via internet e-mail?

For example, a patient coordinator sends an e-mail containing PHI (say patient name  address) to a nurse's pager or cell phone screen through a third party such as ATT, Skypage, Arch Wireless, etc.

Thoughts?


Thank you in advance,
Paul Weber
[EMAIL PROTECTED]
-- 
__
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]

If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: Another thread on Security/Privacy question

2003-03-04 Thread Clay, Roy III (NO)
Title: RE: Another thread on Security/Privacy question





Noel,
Based upon that interpretation, health care providers (or their banks) need to add all the credit card companies and banks that issue credit cards to their BA agreement list if they are to accept credit card payment for copays. Providers (or their banks) would also need to have BAA's with all the banks whose checks they accept for payment for the provision of health care to an individual. These checks must be presented to the bank it was written from in order to receive payment. Otherwise all providers must only accept cash for deductibles and copays. 

I don't think this impact on commerce was the intention of the regulation. Rather, the definition of individually identifiable health information refers to the itemized bill which references CPT codes that identify the procedures which, in turn, identify the health condition of the individual. This is the threat to privacy. 

Perhaps there will be a further amendment to the regs to address this in the same way the information about incidental disclosure was added to address fears that overhearing a doctor's conversation in the hall would result in a HIPAA violation. 

Whichever way you choose to interpret the regs, you will need to be consistent across all operations. If you require a BAA for you collection agency and don't require one for your other methods of managing accounts receivables, you will need to expain why those operations are different than the collection agency. I don't see how you can. 

Roy G. Clay III
Interim Compliance Officer
Louisiana State University Health Sciences Center 
New Orleans Campus
Phone: (504) 568-4367
Fax: (504) 568-6378
Email: [EMAIL PROTECTED]


-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 03, 2003 11:24 PM
To: Clay,Roy III (NO); WEDI SNIP Privacy Workgroup List
Subject: RE: Another thread on Security/Privacy question



Roy,


I disagree with your conclusion that your collection agency is not a BA, even 
if all you give them is a name and an amount.


The definition of PHI draws on the definition of Individually Identifiable 
Health Information which is defined in section 160.103. That definition says 
that IIHI is information that is created or received by a health care 
provider and relates to the past, present, or future payment for the 
provision of health care to an individual and that identifies the 
individual.


Whether your collection agency realizes it or not, you (the covered entity) 
clearly know that you are releasing information that you 1) created or 
received, 2) pertains to the past payment for the provision of health care to 
an individual, and 3) it identifies the individual by giving their name. 
Thus YOU are releasing PHI to your BA, even if your BA doesn't realize it is 
PHI. Althoug one could reasonably argue that the BA ought to assume the data 
you are giving them pertains to payment for health care services because you 
are a health care provider and they are a collection agency. You don't need 
much more information than that to fill in the blanks. And HIPAA does 
require that the blanks be filled in! HIPAA does say the PHI has to specify 
exactly what procedure the payment was for, or when the payment was due. 
Just that it pertains to payment for services.


Noel Chang


--
Open WebMail Project (http://openwebmail.org)



-- Original Message ---
From: Clay, Roy III (NO) [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Mon, 3 Mar 2003 08:42:10 -0600 
Subject: RE: Another thread on Security/Privacy question


 The name and the credit card number are not PHI under HIPAA. It does 
 not become PHI until some health information is added. If the information
 contains CPT codes, for example, then you would either need to 
 include that information in the Notice of Privacy Practices or 
 obtain an authorization at the time of swiping the card. 
 
 One of the questions we had to answer was if the collection agency 
 we used to collect bad debt was a busness associate. We found that 
 all they needed was the guarantor's contact information and an 
 amount. No health information was needed for them to perform their 
 task. Therefore they were not a business associate. 
 
 Roy G. Clay III
 Interim Compliance Officer
 Louisiana State University Health Sciences Center
 New Orleans Campus
 Phone: (504) 568-4367
 Fax:  (504) 568-6378
 Email: [EMAIL PROTECTED]
 
 -Original Message-
 From: Christine Hudnall [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 28, 2003 2:36 PM
 To: WEDI SNIP Privacy Workgroup List
 Subject: Another thread on Security/Privacy question
 
 I'm sending this out again, if someone could please help us. Thanks.
 
 Christine
 
 What about the card swipes that we use when a patient makes a
 payment on their account using their credit card. Yes, we only
 swipe the card and put in the last four digits of the number

RE: Another thread on Security/Privacy question

2003-03-04 Thread Clay, Roy III (NO)
alth care 
  provider and they are a collection agency. You don't need much more 
  information than that to fill in the blanks. And HIPAA does require that 
  the blanks be filled in! HIPAA does say the PHI has to specify exactly 
  what procedure the payment was for, or when the payment was due. 
  Just that it pertains to payment for services.Noel 
  Chang--Open WebMail Project (http://openwebmail.org)-- Original Message ---From: 
  "Clay, Roy III (NO)" [EMAIL PROTECTED]To: "WEDI SNIP Privacy 
  Workgroup List" [EMAIL PROTECTED]Sent: Mon, 3 Mar 2003 
  08:42:10 -0600 Subject: RE: Another thread on Security/Privacy 
  questionThe name and the credit card number are not PHI under 
  HIPAA. It does not become PHI until some health information is added. If 
  the information contains CPT codes, for example, then you would either 
  need to include that information in the Notice of Privacy Practices or 
  obtain an authorization at the time of swiping the card.   
  One of the questions we had to answer was if the collection agencywe 
  used to collect bad debt was a busness associate. We found thatall 
  they needed was the guarantor's contact information and anamount. No 
  health information was needed for them to perform theirtask. 
  Therefore they were not a business associate.  Roy G. Clay 
  III Interim Compliance Officer Louisiana State University 
  Health Sciences Center New Orleans Campus 
  Phone: (504) 568-4367 Fax: 
   (504) 568-6378 Email: 
  [EMAIL PROTECTED]  -Original Message- From: 
  Christine Hudnall [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 2:36 
  PM To: WEDI SNIP Privacy Workgroup List Subject: Another 
  thread on Security/Privacy question  I'm sending this out 
  again, if someone could please help us. Thanks.  
  Christine  What about the card swipes that we use when a 
  patient makes a payment on their account using their credit 
  card. Yes, we only swipe the card and put in the last four 
  digits of the number, but the patient name (or whoever owns the card) 
  prints out on the receipt.  Is that considered PHI, 
  even though we are not sending them the name, but they print it from 
  their records?  If so, do we need to have an agreement with 
  the company that we use the card swipe from?  And as 
  for eligibility, i.e., Medicaid. We use ROVR, which is through 
  Consultec (if I remember correctly). Is an agreement needed with 
  them?  And how would I check for security for their 
  program? Is that something they would need to do and put in 
  writing?  Sorry for all the questions, just, my co-worker and 
  I are trying to go down list of all possibilities that we need to 
  check on.  Thanks,  Christine 
   
  
  
  
  This outbound message has been scanned for viruses. 
  ---The WEDI SNIP listserv to which you are subscribed is not 
  moderated. The discussions on this listserv therefore represent the views of 
  the individual participants, and do not necessarily represent the views of the 
  WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe 
  from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: Any HIPAA Humor tools out there?

2003-01-30 Thread Clay, Roy III (NO)



Don't forget Alan Goldberg's 
HIPAA-ginity!

HIPAA-ginity - that exemption 
from HIPAA regulations that vanishes when a healthcare provider succumbs to the 
temptation of electronic billing. 

  -Original Message-From: Ron Moore 
  [mailto:[EMAIL PROTECTED]]Sent: Thursday, January 30, 2003 1:41 
  PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: Any 
  HIPAA Humor tools out there?
  HIPAA - ectomy - the removal of individually identifiable 
  health information from heatlh records
  
  HIPAA - glycemia - low level understanding of HIPAA 
  regulation
  
  HIPAA - phobia - morbid fear of HIPAA 
regulation
  
  HIPAA - thermia - the unexplained chill that is running down 
  the back of anyone associated with HIPAA
  
  HIPAA - thetical - Supposition that all covered entities 
  will be compliant by April 14, 2003
  
  HIPAA - notic - the "deer in the headlight" feeling privacy 
  officers experience / especially as April 14, 2003 
  approaches
  
  
  
  
  
  This outbound message has been scanned for viruses. 
  ---The WEDI SNIP listserv to which you are subscribed is not 
  moderated. The discussions on this listserv therefore represent the views of 
  the individual participants, and do not necessarily represent the views of the 
  WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe 
  from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: Here is a good Privacy Issue that will cause problems

2003-01-16 Thread Clay, Roy III (NO)
Title: RE: Here is a good Privacy Issue that will cause problems





I would argue that releasing information that a patient has been restricted to one pharmacy is not a disclosure under HIPAA. A disclosure must contain a person's identifying information and information on their health status. I don't see how a pharmacy restriction would be considered information about health status other than such a restriction would imply abuse of some sort. But that would be like the information that you are in the hospital would imply that you were sick. 

-Original Message-
From: Drexler, Deborah (EHS) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 3:58 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Here is a good Privacy Issue that will cause problems



The issue here is whether a covered entity which has information that an individual is drug seeking can disclose it to someone else, in an effort to curb the abuse. Depending on who is disclosing the PHI to whom, you can probably argue that the disclosure is authorized because it is either T, or P, or O. 

Here is an example of one way it could work. A payer realizes it has paid for several prescriptions for the same narcotic in a week, each written by a different prescriber. This is an indication of drug abuse. The payer deals with this problem by putting the individual on a restricted pharmacy list -- the individual can now get his prescriptions filled at only one particular pharmacy (pharmacy A). Pharmacy A is instructed by the payer that if they are asked to fill duplicate prescriptions, they they are to contact the prescriber to validate the prescription. Otherwise the pharmacist won't get paid. In this case, you could argue that the disclosure from pharmacist to provider is either for the individual's treatment, or the pharmacists' payment. 

In the same hypothetical situation, when the same individual goes to Pharmacy B in an attempt to get her illicit prescription, the Pharmacist B looks up the person's eligibility and sees that the individual has been restricted to Pharmacy A. Pharmacist B now knows that he won't get paid if he fills this prescription, and so he doesn't. There is a dislcosure here -- the payer disclosed to Pharmacy B the fact that the individual has been restricted to Pharmacy A (and implicitly a drug seeker) -- but this is a disclosure that will likely be deemed to be part of the payer's operations. 

In the situation you describe, Rebekah, it seems that the pharmacy (somehow) got information that the individual is a drug seeker, and is disclosing that fact to providers. I'd argue here that the disclosure from pharmacist to providers is part of the treatment of the individual. 

As you can see, none of these arguments is completely obvious. So is there a HIPAA problem? Maybe. 


There's another problem, as well. A drug seeker can easily evade detection by going to different pharmacies, different doctors, and not seeking insurance reimbursement. But there's a way to fix both the detection proglem and the HIPAA problem -- and I think I read that more than one state is either doing this or planning to do this: the state can *require* pharmacists to report all prescritpions to a central database, and the state can monitor that database to identify drug seekers. 

A bit Big Brother-ish? You might think so. But doing it this way solves not only the detection problem but the HIPAA problem as well -- as long as the state promulgates a regulation *requiring* pharmacists to disclose to a central database, and another *requiring* the state to disclose suspected drug seekers to providers. As we all know, HIPAA has no effect on state laws or regulations requiring disclosure of PHI. 


Deborah L. Drexler, Esq.
HIPAA Program Consultant
Executive Office Health Human Services
One Ashburton Place
Boston MA 02108
617-727-7600
[EMAIL PROTECTED]



-Original Message-
From: Mimi Hart [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 4:17 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Here is a good Privacy Issue that will cause problems



My gut feeling tells me huge issue...I don't know if there is
something in public health law that would state that it is being done in
the best interests of the patient and is therefore okay.hopefully
one of the lawyers on the group will weigh in. MIMI


Mimi Hart Ó¿Õ*
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]


 Rebekah Savoie [EMAIL PROTECTED] 01/15/03 02:53PM 
Today, a clinic that I work with received a letter from a local
pharmacy
about a patient that was a Drug Seeker as we call them. Over the
course of 30 days he had been to several doctors and several
pharmacies
and received over 350 total pills all a controlled substance.


What happens to the pharmacy's ability to do these types of things
under Privacy? 


Clearly, pharmacist were