Raise the HIPAA antennae - new NIST security publication

2003-11-12 Thread Cody, John (OFT)
HITsters, GIVESsters, and WEDI Privacy colleagues:

As you know, DHHS in the final HIPAA Security Rule cited approvingly
several NIST security standards and recommended that covered entities
keep abreast of NIST activities.  Well, NIST on 11.03.03 issued a new
publication:

Computer scientists at the Commerce Department's National Institute of
Standards and Technology (NIST) today released an initial public draft
of NIST Special Publication 800-53, Recommended Security Controls for
Federal Information Systems (NIST SP 800-53), which explains recommended
security controls for computer systems. The publication, which details
controls that will become mandatory for most federal systems in 2005, is
expected to have a wide audience beyond the federal government.
See:

http://www.nist.gov/public_affairs/releases/compsecurityguide.htm

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect
the policies, practices or opinions of my employer or anyone else.
Nothing herein constitutes legal advice - if you need legal advice,
please consult your own attorney.]

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


RE: is this practice O.K.?

2003-11-05 Thread Cody, John (OFT)
Thanks to everyone who answered; many good thoughts.  Steve, I think
your point as follows is a very good one:  It seems to me that the
treatment exception centers on the purpose to which the PHI will be put
by the receiver, rather than on the receiver's classification as a
provider.  Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect
the policies, practices or opinions of my employer or anyone else.
Nothing herein constitutes legal advice - if you need legal advice,
please consult your own attorney.]

-Original Message-
From: Steven Fowler [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 10:47 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Dr. Fairley's original post asked whether it was permissible to disclose
patient PHI to providers (pharmacies) who did not have a treatment
relationship with the patient. I'm not altogether sure how you would go
about determining definitively which pharmacy has a direct treatment
relationship with the patient in the first place, since they can have
their script filled anywhere. Do you assume that the pharmacy nearest to
the patient's home has the treatment relationship? Dr. Fairley refers to
sending a notice to all area pharmacies alerting them they are only to
accept scripts from a certain MD. What are area pharmacies? Those
within a 5-mile radius of the patient's home? 25 miles? 5-mile radius of
the patient's workplace (which could be 50 miles from home here in SE
Florida, with lots of drug stores on the way)? Methodology
notwithstanding, it would seem to me that disclosures made to control a
patient's medications would be permitted as treatment, and therefore
would not require patient permission.

Mr. Rosenblum's response was that the disclosures are OK as treatment so
long as they are to providers. Mr. Cody's response was that the regulatory
language seemed to suggest that treatment disclosures weren't
necessarily limited to providers, since other 3rd parties
(non-providers) would seem to be included in the definition of
treatment. The question has been raised then whether some disclosures
to non-providers could be considered as treatment-related. I think a
related question would be if all disclosures to providers will be
considered treatment-related. There was a situation presented on a
listserv a while ago in which a patient's attorney wanted a 3rd party
provider to provide PHI to another provider for purposes of creating a
second opinion. It was my understanding that the opinion of the other
provider would have no effect on the patient's care, that it was just
for purposes of building a legal case. Responses to this suggested a
general opinion that the disclosure was permitted as treatment BECAUSE
it occurred between two providers. It seems to me that the treatment
exception centers on the purpose to which the PHI will be put by the
receiver, rather than on the receiver's classification as a provider. Or
is the assumption that all disclosures taking place between providers
are treatment-related safe enough?

Steven L. Fowler 
Compliance Officer 
Health Care District of Palm Beach County 
West Palm Beach, FL 
mailto:[EMAIL PROTECTED] 
561-659-1270 
 


-Original Message-
From: Moya Gray [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 11:22 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


I would also add to Dale's email that, unlike Dr. Fairley's initial
situation in which providers are sending PHI to non-treating pharmacies
(i.e., they have no relationship to the patient at the time of the
disclosure), in the case that John is describing, it would appear that
the appropriateness of the disclosure would depend upon the facts of
the case.  

That is, is disclosure to a particular person likely to provide
information that would be used in treatment? If not, then a court would
wonder why the disclosure was made.

If the information is to be used for treatment and there is an
established process that supports this disclosure/use then an attorney
has a better argument that the disclosure is properly for treatment
purposes.

Thus, apart from the answer to the question coming from a court case, an
entity wants to set up for the possibility by identifying these
situations and, if warranted, establishing a policy for its response.
This process reduces the risk of uncertainty in litigation at the very
least (it may not be the right answer, but it does provide a clear standard
that can be brought to the court if necessary).

Moya T. Davenport Gray, Esq.
1283 Honokahua Street
Honolulu, Hawaii 96825
808-396-6731
808-381-3732
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 4:55 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: is this practice O.K.?


Sounds like some undue 

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Matt:

That is an interesting perspective, and one which I have wondered about myself.  But I 
wonder how far the concept can be stretched under the HIPAA Privacy Rule.  For 
example, one of the listservs a few months ago (I think it was a different one than 
this one) was discussing the situation where an unidentified comatose patient is 
brought to the hospital and the hospital believes the only way to identify the patient 
is through a photo disclosed to the mass media.  The discussion took various twists 
and turns, but one thing which I privately pondered at the time was whether there is 
such a thing as community treatment.  Under the principle you embrace below, would 
the hospital's media disclosure also constitute treatment?  If not, why not?  Is the 
distinction that in Dr. Fairley's example, the disclosure is to other providers, while 
in the hospital's scenario, the disclosure is made to a wider audience than providers? 
 Where in the HIPAA Privacy Rule is that distinction defined?  Thanks for your 
thoughts, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 5:12 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?


Dear Dr. Fairley,

What a great question!  We believe that HIPAA allows this practice and, in
doing so, provides patients with privacy protections.

For nearly 2000 years physicians, nurses, and pharmacists (chemists) have
comprised the treatment triad.  And especially when treating substance
abuse and addiction, it does take a community to provide a safe and
therapeutic environment: whenever we remove a member of the treatment
community from the process, errors and mistakes may increase and disease
resolution may decrease.  Within this context, the scenario that you
describe (below) fits well within the bounds of sharing PHI for treatment
purposes, and the involved providers will be beholden to the related HIPAA
rules.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
CONFIDENTIALITY NOTICE: This email is only for the use of the individual
or entity to which it is addressed and may contain information that is
privileged, confidential and exempt from access under applicable law. If
you have received this communication in error, please do not distribute it.
Please notify the sender by email at the address shown and delete the
original message. Thank you.
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 3:54 PM
To: WEDI SNIP Privacy Workgroup List
Subject: is this practice O.K.?

The practice that I am going to describe is quite common in our community
but I am not sure it is acceptable.  I wanted the opinion of the experts on
this list.

Occasionally, we run into a problem with a patient who seems to be doctor
hopping and getting multiple prescriptions for narcotics.  In order for the
patient's principal physician to keep a close watch on the patient's use of
narcotics and to avoid abuse/misuse of narcotics, the physician makes a deal
with the patient.  The deal is ALL prescriptions for narcotics must be
funneled through one doctor-the primary care physician.  The patient
usually agrees but then (and here is where I am not sure if we are
infringing on privacy) we can send an Alert to all the area pharmacies to
alert them that this deal occurred and if the patient shows up at one of the
area pharmacies with a narcotic prescription from someone other than the
primary care physician, the patient is told that they have an order that
they can not fill the prescription unless it comes from the designated
doctor.  

Is this practice acceptable?  Do we need the patient's consent to notify all
neighborhood pharmacies?  Is verbal consent acceptable?  Can the information
be sent to the pharmacies without the patient's specific consent  (that is,
the patient consented to the arrangement that one doctor fills all narcotic

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Clarified it?  They removed the limiting language -- they EXPANDED it, didn't they? :-)

Thanks for your thoughts, Matt, much appreciated.  What do others think?  Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:39 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

You are quite right that the proposed rule was modified, and that is why we
included BOTH versions in our second response to you.  Our point is that,
based on that modification, HHS clarifies what it intends as the third
party.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:29 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Matt:

With all due respect, each time you have responded on this thread you have
cited small excerpts which support your position, but have failed to cite
the additional language following your excerpt which calls your position
into question.

The first time, you pulled this language from the definition of treatment
in the final rule --

consultation between health care providers [i.e., physicians and
pharmacists] relating to a patient 

-- without citing the follow-up language which is included in the
definition:

INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE
PROVIDER WITH A THIRD PARTY.

And now this time, you have now pulled some language from the final rule
preamble --

THE PROPOSED RULE defined 'treatment' as the provision of health care by
... health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN
OR THE INDIVIDUAL...

-- without acknowledging that the language in the paragraphs which
immediately follow the language you excerpted notes that the proposed rule's
definition which you are citing, Matt, WAS MODIFIED:

Specifically, WE MODIFY THE PROPOSED DEFINITION of "treatment" to include
the management of health care and related services

If the list members will go back to the 1999 proposed HIPAA rule's
definition of treatment, you can see just exactly which language in the
definition of treatment was modified.  See at
http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section
164.504 at page 60053; the proposed rule's definition of treatment was:

Treatment means the provision of health care by, or the coordination of
health care (including health care management of the individual through risk
assessment, case management, and disease management) among, health care
providers; the referral of a patient from one provider to another; OR THE
COORDINATION OF HEALTH CARE OR OTHER SERVICES AMONG HEALTH CARE PROVIDERS
AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL.
(emphasis added)

In the final rule, under section 164.501 at page 82805 (see
http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment
was changed to:

Treatment means the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider WITH A THIRD PARTY; consultation between health care
providers relating to a patient; or the referral of a patient for
health care from one health care provider to another. (emphasis added)

[This final definition was not changed in the August 2002 Privacy Rule
modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is
the current definition

RE: is this practice O.K.?

2003-11-02 Thread Cody, John (OFT)
Matt:

None of that gets to the issue -- that DHHS removed a limitation on the definition of 
third parties.  So thanks, but, sorry, those excerpts don't add to the issue, none 
of that helps.

I'm going to chime out now ... and FYI I am out of the office for the next few days so 
I won't be back to the list until mid-week ... but Matt, if you would like to discuss 
your thoughts further, may I suggest we take OUR discussion off line, okay?  Thanks.

Otherwise, other list members, I look forward to reading *your* thoughts midweek.  
Thanks again to all, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the policies, 
practices or opinions of my employer or anyone else.  Nothing herein constitutes legal 
advice - if you need legal advice, please consult your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 7:02 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

HHS made the modification, and then explained how come:

Specifically, we modify the proposed definition of treatment to include
the management of health care and related services.  Under the definition,
the provision, coordination, or management of health care or related
services may be undertaken by one or more health care providers.
'Treatment' includes coordination or management by a health care provider
with a third party and consultation between health care providers.  The term
also includes referral by a health care provider of a patient to another
health care provider.

Treatment refers to activities undertaken on behalf of a single patient,
not a population. Activities are considered treatment only if delivered by a
health care provider or a health care provider working with another party.
Activities of health plans are not considered to be treatment.  Many
services, such as a refill reminder communication or nursing assistance
provided through a telephone service, are considered treatment activities if
performed by or on behalf of a health care provider, such as a pharmacist,
but are regarded as health care operations if done on behalf of a different
type of entity, such as a health plan.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
 

-Original Message-
From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:44 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: is this practice O.K.?

Clarified it?  They removed the limiting language -- they EXPANDED it,
didn't they? :-)

Thanks for your thoughts, Matt, much appreciated.  What do others think?
Thanks, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect the
policies, practices or opinions of my employer or anyone else.  Nothing
herein constitutes legal advice - if you need legal advice, please consult
your own attorney.]


-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 02, 2003 6:39 PM
To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List'
Subject: RE: is this practice O.K.?


John,

You are quite right that the proposed rule was modified, and that is why we
included BOTH versions in our second response to you.  Our point is that,
based on that modification, HHS clarifies what it intends as the third
party.

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use