RE: developing pictures

2003-04-03 Thread Darrell Rishel
For the non-medical pictures, I'd suggest you invest in a digital camera
and just print them in-house. Much quicker and probably cheaper in the long
run since you don't have to buy film. You can get a pretty decent digital
camera (certainly good enough for this kind of thing) for a couple hundred
bucks at most. 

Darrell Rishel, J.D.
Director of Information Services
Arapahoe House, Inc. 
This message is not legal advice. 

-Original Message-
From: Oriol, Albert [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 7:17 PM
To: WEDI SNIP Privacy Workgroup List
Subject: developing pictures


Here's a good one I had not heard to date.  We often take photos. Most of
the ones that are taken for medical reasons require quality developing and
thus are developed in-house or taken to a top notch shop (with whom, I'd
think if needed we could have a BA agreement in place) -- Question, what do
you all think, assuming the pictures will show identifying information? 
 
The other situation is that of pictures taken for projects for our kids, or
for some newsletter. We're a kid's hospital and for instance we might want
to have kids build something with their picture to give mom for mother's
day. These types of pictures most likely just get developed at whatever
pharmacy happens to be on the way of a nurse's or other professional's way
home.  How should we handle those?  Take all our pictures to the place(s) we
have BA's in place and only there? 
 
a.

 




CONFIDENTIALITY NOTICE: The information contained in this message is legally
priveleged and confidential information intended for the use of the
individual or entity named above. If the reader of this message is not the
intended recipient, or the employee or agent responsible to deliver it to
the intended recipient, you are hereby notified that any release,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error, please notify
the author immediately by replying to this message and delete the original
message. Thank you. ---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org 


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


RE: business associate questions

2003-04-01 Thread Darrell Rishel
If your law firm provides any services to any entity in healthcare, I
strongly suggest you start getting familiar with HIPAA...in a hurry. Legal
services is one of the types of messages specifically mentioned in the
section of the regulation addressing business associates. Whether a law firm
providing services to a health care entity is a Business Associate or that
health care entity will depend essentially on two things: (1) is the health
care entity a covered entity under HIPAA, and (2) does the law firm
receive protected health information in the course of performing those
services. If the answer to both of those questions is yes, then you need to
have a Business Associate Agreement with the health care entity.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice.


 -Original Message-
 From: Jason Cantos [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 01, 2003 11:24 AM
 To: WEDI SNIP Privacy Workgroup List
 Subject: business associate questions
 
 
 I work in a small law firm.  A couple of our clients asked us to sign 
 business associate agreements.  These business associate 
 agreements require 
 the law firm to adopt HIPAA specific policies and procedures. 
  Are there any 
 business associates (law firms specifically) that are doing this?
 
 On an unrelated matter, the provider of our dental insurance 
 asked us to 
 sign a business associate agreement, with us as the business 
 associate--I 
 just don't see how we are a business associate in this situation.
 
 Thanks so much for your help.
 
 
 
 
 
 _
 
 
 
 ---
 The WEDI SNIP listserv to which you are subscribed is not 
 moderated. The discussions on this listserv therefore 
 represent the views of the individual participants, and do 
 not necessarily represent the views of the WEDI Board of 
 Directors nor WEDI SNIP. If you wish to receive an official 
 opinion, post your question to the WEDI SNIP Issues Database 
 at http://snip.wedi.org/tracking/.   These listservs should 
 not be used for commercial marketing purposes or discussion 
 of specific vendor products and services.  They also are not 
 intended to be used as a forum for personal disagreements or 
 unprofessional communication at any time.
 
 You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
 To unsubscribe from this list, go to the 
 Subscribe/Unsubscribe form at http://subscribe.wedi.org or 
 send a blank email to [EMAIL PROTECTED]
 If you need to unsubscribe but your current email address is 
 not the same as the address subscribed to the list, please 
 use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org


RE: I need a Heads Up on Who Is Preparing BAA's

2003-01-31 Thread Darrell Rishel
Accreditation is one of the specific qualifying services listed in the
definition of Business Associate in Sec. 160.103.

Darrell Rishel, J.D.
Director of Information Services
Arapahoe House, Inc.

This message is not legal advice or a binding signature.


-Original Message-
From: Nancy Jones [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 31, 2003 9:59 AM
To: WEDI SNIP Privacy Workgroup List
Subject: I need a Heads Up on Who Is Preparing BAA's


I work for one of those hospitals that feels strongly that we will not sign
a BAA prepared by one of our business associates (except JCAHO, who is not
giving a provider much choice - Chaps my HIPAAbuttamus - I have always held
to the interpretation that accreditors are not BA's).

I continue to see warnings that BAA's will be coming our way.  We have
already received one from McKesson.  Does anyone know which companies have
sent, or are planning to send an BA agreement to providers?

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: Business Associate Question

2003-01-29 Thread Darrell Rishel
In the context of using such temp agencies to provide fill-in staff, they
are in either case  members of the workforce.

Darrell Rishel, J.D.
Director of Information Services
Arapahoe House, Inc.

This message is not legal advice or a binding signature.


-Original Message-
From: Giesecke, Steve [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 29, 2003 12:42 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Business Associate Question


Would appreciate responses to the following BA classification determination:
 
With respect to Nurse staffing and other medical staffing agencies,
including home health care, my assessment is that if nurses are providing
treatment services, they (generally) are not BA's and no BAA is needed (as
with a provider - provider or plan - provider relationship; treatment
exemption applies).  If they are providing other professional or
administrative services such as UM/QM/CM ( come into contact with PHI) then
a BAA with the agencies providing them is needed.
 
Don't want to oversimplify in terms of my assumptions, however anywhere in
HIPAA you can simplify is good!
 
Thank you,
 
Steve Giesecke
Independent Consultant
Subcontractor to Sierra Systems
(360) 561-3803
 
 
 
N24Ŋlzbr顨޲ryجf׫jםN.ᤲȨ'蠶+-
y+z穭az敥دۚ'�v�wᬜz鵮)rkz瑡^宾'ͅhjh|8yh鲮
a!#H¢h୊߉Țb*'-ʋ笶*'aya!#H,j敢jǚm*pyب�$x?NzXǫ!鵢]➋[zu瑡+rzjYGx)h(쮭r,⊉
~摮^r'r攠v鮇nr顝差z瀭{㥲zz-{^ם޺ǝjƟ~z(䊝]Ơz{lࠢz�vrxjبZ+b(⹪r攠z{e摤˛
mm ᴝ⽧2jZ䠮b+᥁:.˛
m kab࠲(ᴶay+
m˛
m fi扵.n敢+yب
+   iZGj)mWv*k驊^=楤N b᮲0yبʋym䠢칻n牥r
ޞצj)ZuȬm婙u.n捥+azX^jǮay+۱
m˛
m fi景.n⁳+yب

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: NPP and illiterate population

2003-01-26 Thread Darrell Rishel
Although I understand your point, I'd like to think our ethics and sense of
obligation to our patients is on a little higher plane than where the banks
and credit card companies apparantly are.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.


 -Original Message-
 From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 4:25 PM
 To: WEDI SNIP Privacy Workgroup List
 Subject: Re: NPP and illiterate population
 
 
 Why agonize over it? Do you really believe anyone is going to 
 read these
 things? I'm literate - with full command of the English language - yet
 I've never read one of those stupid GLB privacy notices from banks and
 credit card companies, and probably would not have the 
 patience to keep
 track of all the subparts and insofar as'es.  And what's with 
 that tiny
 type they always use?
 
 William J. Kammerer
 Novannet, LLC.
 Columbus, US-OH 43221-3859
 +1 (614) 487-0320
 
 - Original Message -
 From: Jennifer Peters [EMAIL PROTECTED]
 To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
 Sent: Friday, 24 January, 2003 05:49 PM
 Subject: RE: NPP and illiterate population
 
 
 How is everyone handling a situation where a patient is literate, but
 unable to comprehend the NPP?
 
 
 -Original Message-
 From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 11:10 AM
 To: WEDI SNIP Privacy Workgroup List
 Subject: RE: NPP and illiterate population
 
 
 We will be RECORDING it as a voice mail message (our system
 handles over 12 minutes!) and having an extension, with access on both
 the local line and 800 line. We are also having a privacy (800
 number) hotline set up and both numbers will be listed on business
 cards.  Business cards will be located at each receptionist desk.
 
 -Original Message-
 From: Traci Winter [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 10:38 AM
 To: WEDI SNIP Privacy Workgroup List
 Subject: NPP and illiterate population
 
 
 I know our NPP is supposed to be easy to read and
 understand, but one of our committee members brought up an interesting
 thought. What do we do with our illiterate population and our patients
 who are legally blind. In the area we service this a definite issue.
 Should we put the NPP on an audio cassette so the patients whom are
 unable to read it can listen to it?
 
 Opinions appreciated.
 
 Traci Winter
 Hospitals Home Health Care, Inc.
 
 
 ---
 The WEDI SNIP listserv to which you are subscribed is not 
 moderated. The discussions on this listserv therefore 
 represent the views of the individual participants, and do 
 not necessarily represent the views of the WEDI Board of 
 Directors nor WEDI SNIP. If you wish to receive an official 
 opinion, post your question to the WEDI SNIP Issues Database 
 at http://snip.wedi.org/tracking/.   These listservs should 
 not be used for commercial marketing purposes or discussion 
 of specific vendor products and services.  They also are not 
 intended to be used as a forum for personal disagreements or 
 unprofessional communication at any time.
 
 You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
 To unsubscribe from this list, go to the 
 Subscribe/Unsubscribe form at http://subscribe.wedi.org or 
 send a blank email to [EMAIL PROTECTED]
 If you need to unsubscribe but your current email address is 
 not the same as the address subscribed to the list, please 
 use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)

2003-01-22 Thread Darrell Rishel
You are absolutely correct that there is much in HIPAA than what is in 42
C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with
their assistance? The Legal Action Center, a well-known, well-respected
non-profit based in New York that has done a lot of work in interpreting 42
C.F.R. Part 2, is also supposed to be coming out with a cross-walk
supplement, but if people are not already working on this, well ... If
anyone is interested, I can give you contact information for the Legal
Action Center.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc. 
This message is not legal advice or a binding signature.


 -Original Message-
 From: Vicki Hohner [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 22, 2003 12:13 PM
 To: Darrell Rishel; [EMAIL PROTECTED]
 Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2
 (Alcohol and Drug Patient Privacy)
 
 
 I have been doing a lot of work with substance abuse programs 
 and HIPAA,
 and while not deeply familar with 42 CFR protections we have 
 identified
 that there are limited areas of overlap with HIPAA privacy. 
 Many subject
 to 42 CFR mistakenly believe that the fact that they comply with this
 law, which is more stringent in its use and disclosure requirements,
 means they are exempt from complying with HIPAA. However, note that
 there are only a few overlaps between the two: primarily with uses and
 disclosures/minimum necessary, authorizations, and some 
 limited parts of
 individual rights. This leaves a lot more under HIPAA that is not
 addressed in 42 CFR--all the policies and procedures, the privacy
 officer, business associate terms, the notice of privacy 
 practices, and
 accounting of disclosures, to name a few. Note also that the 
 definitions
 of what information is protected is broader under HIPAA than under 42
 CFR. 
 
 My understanding is that the feds (SAMHSA/CSAT) are working on a
 comparison matrix between the two--no idea when that may be 
 available.  
 
 Vicki Hohner
 FOX Systems, Inc.
 360-970-6856
 360-352-4584
 Information transmitted is confidential and may be proprietary to FOX
 Systems, Inc.  It is intended only for the person or entity 
 to which it
 is addressed.   Anyone else is prohibited from disclosing, copying, or
 disseminating the contents or attachments.  If you receive this in
 error, please notify sender immediately, or us at www.foxsys.com and
 delete from your system.
  Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM 
 Matt-
 
 I'll take a stab at answering your question. Please remember 
 that in an
 effort to keep it relatively brief, this is a fairly simplistic,
 high-level
 overview.
 
 Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and
 Other
 Drugs)regs), disclosure within a program is allowed on a 
 need-to-know
 basis  without the consent of the patient. This internal 
 disclosure is
 limited to personnel having a need for the information in connection
 with
 their duties which arise out of the provision of diagnosis, treatment,
 or
 referral for treatment. In practice, I think this is very 
 close to, if
 not
 the same as, the HIPAA use definition. Although the AOD regs do not
 require a formal minimum necessary analysis, the concept of only
 disclosing
 the minimum amount of information necessary to accomplish the purpose
 for
 making the disclosure is clearly embedded in the regs.
 
 It is the disclosure to external entities where, especially with the
 adoption of the August, 2002, HIPAA changes, a wide gap 
 remains between
 the
 two sets of regs. While HIPAA allows treatment providers to 
 disclose PHI
 for
 treatment and payment (even another provider's payment) without the
 patient's written consent, the AOD regs absolutely prohibit such
 disclosures
 related to payment, and disclosures for treatment (except for medical
 emergencies) require that a written agreement be in place and that the
 services which the external provider render be something 
 different than
 what
 the primary provider is providing. This written agreement is known in
 the
 AOD regs as a Qualified Service Organization Agreement (QSOA, for
 short). A
 QSOA is akin to a BA agreement, though much shorter and less
 complicated,
 charachteristics which are, unfortunately, soon to be a thing of the
 past.
 While a QSOA can be used in limited circumstances for treatment (the
 biggest
 problem is that we cannot have one with another AOD 
 provider), its most
 common use is for operations, just as the HIPAA BA agreement will be
 used
 (e.g., we have a QSOA with our auditor, or outside attorneys, the
 company
 which prints and sends out our bills, the lab which analyzes the urine
 specimens we collect, etc.). But, if we want to be able to bill an
 insurance
 company or any other third party payer, we have to have the patient's
 written consent (in fact, we cannot even call to get pre-authorization
 without written consent; how's that for customer friendly

RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)

2003-01-20 Thread Darrell Rishel
Matt-

I'll take a stab at answering your question. Please remember that in an
effort to keep it relatively brief, this is a fairly simplistic, high-level
overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other
Drugs)regs), disclosure within a program is allowed on a need-to-know
basis  without the consent of the patient. This internal disclosure is
limited to personnel having a need for the information in connection with
their duties which arise out of the provision of diagnosis, treatment, or
referral for treatment. In practice, I think this is very close to, if not
the same as, the HIPAA use definition. Although the AOD regs do not
require a formal minimum necessary analysis, the concept of only disclosing
the minimum amount of information necessary to accomplish the purpose for
making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the
adoption of the August, 2002, HIPAA changes, a wide gap remains between the
two sets of regs. While HIPAA allows treatment providers to disclose PHI for
treatment and payment (even another provider's payment) without the
patient's written consent, the AOD regs absolutely prohibit such disclosures
related to payment, and disclosures for treatment (except for medical
emergencies) require that a written agreement be in place and that the
services which the external provider render be something different than what
the primary provider is providing. This written agreement is known in the
AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A
QSOA is akin to a BA agreement, though much shorter and less complicated,
charachteristics which are, unfortunately, soon to be a thing of the past.
While a QSOA can be used in limited circumstances for treatment (the biggest
problem is that we cannot have one with another AOD provider), its most
common use is for operations, just as the HIPAA BA agreement will be used
(e.g., we have a QSOA with our auditor, or outside attorneys, the company
which prints and sends out our bills, the lab which analyzes the urine
specimens we collect, etc.). But, if we want to be able to bill an insurance
company or any other third party payer, we have to have the patient's
written consent (in fact, we cannot even call to get pre-authorization
without written consent; how's that for customer friendly?). If we want to
refer the patient to another health care provider, of whatever type, or
consult with another provider (like their primary care provider) who has
seen the patient, we must have the patient's written consent unless the
situation fits within the pretty narrow exception where a QSOA can be used
and we have (or can get) one in place (the logistics and pain of trying to
get a QSOA with all of those providers, which make doing so pretty
impracticle). The requirements in the AOD regs for a valid written consent
are very similar to those for a HIPAA authorization: who is disclosing the
information, to whom is the information being disclosed, what information is
being disclosed and why is it being disclosed, there must be a reasonble,
identifiable expiration date, the patient must be able to revoke the consent
at any time (one specific exception here for persons referred by an element
of the criminal justice system where treatment is a part of the
disposition), the name of the patient, the patient's signature and the date
of the signature.

The remaining situations where disclosure can be made without written
patient consent under the AOD regs are very limited. I'll list only a few of
the major differences between the HIPAA and AOD regs. There is no general
exception for otherwise required by law. I've forgotten exactly when the
exception for allowing a child abuse report to be filed if required by state
law was added, sometime around 1990, I think, but that used to be quite a
problem and even now the exception is very limited. There are no exceptions
for reporting any other kind of abuse. The HIPAA law enforcement
exception. There are provisions for disclosure in response to a court order,
but it requires a very specific order after following very specific
procedures.

I hope this has been helpful. Let me know if you have any other questions.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.



 -Original Message-
 From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, January 18, 2003 5:02 PM
 To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List'
 Subject: RE: HIPAA privacy and people
 
 
 Darrell,
 
 Thank you for sharing your thoughts.  And now that you 
 brought it up, how
 would you compare the 42 CFR consent with the (voluntary) 
 HIPAA-consent
 and the HIPAA-authorization.  In my mind, the 42 CFR allows a more
 generalized use and disclosure for TPO, and consequently is 
 more equivalent
 to the (voluntary) HIPAA-consent

RE: More questions on Business Associate

2003-01-12 Thread Darrell Rishel
Matt,
 
I agree that two CEs who are sharing PHI for the purposes of treattment do
not need a BA agreement, which is why I included the statement that you must
consider who is doing what for whom. If the what is treatment services,
then a BA agreement is not necessary. The specific examples which I was
addressing, however, involved a Clearinghouse providing data translation
services for a CE  who was a provider. Clearly, in that situation, a BA
agreement is required, even though both entities are CEs, unless they fell
into the exception where a CE provides a service to an Organized Health Care
Arrangement in which it participates.
 
Darrell Rishel, J.D.
Direction of Information Services
Arapahoe House, Inc.
 
This message is not legal advice.

-Original Message-
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 9:50 PM
To: 'WEDI SNIP Privacy Workgroup List'; Darrell Rishel
Subject: RE: More questions on Business Associate



Darrell,

 

I respectfully disagree.

 

Under HIPAA, a BAC is NOT required between two or more health care providers
disclose PHI to each other for the purpose of treating a patient.  And while
the Privacy rules do say that a CE may act in the capacity of a BA (as in
the scenario that I described below related to a physician providing peer
review services), when two entities are engaged in sharing PHI (as CEs) no
BAC would be required.

 

I hope that this helps.

 

Your questions are always welcome.

 

Matt

 

Matthew Rosenblum

Chief Operations Officer

Privacy, Quality Management  Regulatory Affairs

http://www.CPIdirections.com http://www.cpidirections.com/ 

 

CPI Directions, Inc.

10 West 15th Street, Suite 1922

New York, NY 10011

 

(212) 675-6367

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.

 

AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.

 

-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 09, 2003 2:21 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: More questions on Business Associate

 

In both cases a BA would be required. In your example, the clearinghouse is
providing a function or activity regulated by HIPAA (formatting the data
to be compliant with HIPAA) for both the provider and the health plan. The
regulations clearly state that the relationship between two covered entities
may require a BA. The key concept to keep in mind is not what kinds of
entities are involved, but the relationship between the entities in terms of
who is doing what for whom.

 

Darrell Rishel, J.D.

-Original Message-
From: Ken Steen [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 09, 2003 8:28 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: More questions on Business Associate

What about providers sending data to clearinghouses.  Or payers sending data
to clearinghouses, who reformat the data and send in a proprietary format to
the provider.  Do they require a BA contract anywhere along the line?

 

Ken Steen

Apollo

 

- Original Message - 

From: Matthew  mailto:[EMAIL PROTECTED] Rosenblum 

To: WEDI SNIP Privacy Workgroup  mailto:[EMAIL PROTECTED] List 

Sent: Wednesday, January 08, 2003 10:51 PM

Subject: RE: More questions on Business Associate

 

Andy,

 

In most instances, when PHI is shared between CEs, no BA relationship
exists, and no BA contract would be required.  For example, when a CE
(provider) discloses PHI to another provider for the purpose of treating a
patient, no BA relationship exists, and consequently, no BA contract would
be needed.  Further, when a CE (provider) discloses PHI to a health plan for
the purpose of payment activities, no BA relationship exists, and
consequently no BA contract is required.

 

Generally, BA contracts are only required by HIPAA when a CE discloses PHI
for the purpose of a 2nd entity using the PHI on behalf of the CE to help
the CE perform a payment activity or health care operation (i.e.,
non-treatment activities that include a litany of HIPAA specified functions
such as accounting, legal, consulting, etc.)  For example, if a hospital
discloses PHI to an IT vendor, a BA contract would probably be required.
Also, if a hospital discloses PHI to a physician