RE: SS# and e-mail

2003-11-06 Thread Halterman, Anita



Those interested in this subject might want to review this GAO report.

http://www.gao.gov/highlights/d03941thigh.pdf

With identity theft, I would not want my SSN sent via email. I have already had credit card information stolen which had been sent via an email.

 

Anita Halterman
NMEH HIPAA Integration and Transition (HIT) co-chair
Health Policy Analyst & HIPAA Privacy and Security Coordinator
State of Alaska, Department of Health and Social Services, Division of Health Care Services
4501 Business Park Blvd., Suite 24
Anchorage, AK 99503-7167
Phone: (907)334-2431
Fax: (907)561-1684

  
  -----Original Message-----
  From: Dan Hoskins [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, November 06, 2003 12:41 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: RE: SS# and e-mail
  Dana,

  "not tied to any other personal identifiers" is a can of worms.

  Email resides on, potentially, a variety of servers on its way from sender to recipient. Some are administered with sound security practice, many are not. It is reasonable to expect some of them to be hacked, and the traffic sniffed.

  If a hacker with bad intentions copied all emails from your organization passing through a given, hacked server, and matched up the ones with common recipients, matching the SSN with other info wouldn't be that hard.

  I suppose you could institute a policy that SSNs, and no other info, could go by email in cleartext. Wouldn't want to administer that. Safer to establish gateway encryption for your enterprise, and encrypt anything with PHI. My .02$ FWIW.
   
  
  Daniel S. Hoskins, VP HIPAA Compliance Services
  Square One Computer Security Services, Inc.
  36 Chickering Dr., Brattleboro, VT 05301
  877-583-8158
   
   
  
-----Original Message-----
From: Dana Frank [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 06, 2003 10:58 AM
To: WEDI SNIP Privacy Workgroup List
Subject: SS# and e-mail

If a social security number is not tied to any other personal identifiers, is it okay to send via e-mail? Any thoughts?

Dana M Frank
Sales Administration Manager
Dental Select
(800) 999-9789
 
CONFIDENTIALITY
This email and any attachments are confidential and also may be privileged. If you are not the named recipient, or have otherwise received this communication in error, please delete it from your inbox, notify the sender immediately, and do not disclose its contents to any other person, use them for any purpose, or store or copy them in any medium. Thank you for your cooperation.
 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
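An added example, not from the thread or any of its participants: a Python outbound-gateway policy check in the spirit of Dan's advice, which passes messages that are already PGP/MIME or S/MIME encrypted and holds cleartext bodies that carry a plausible SSN so they can be routed through gateway encryption. The `inspect_outbound` function, its decision values and the sample messages are constructed for this illustration; the plausibility rules are the SSA's structural rules (area not 000, 666 or 900-999; group and serial not all zeros).

```python
import email
import re
from email import policy
from email.message import EmailMessage

# MIME types whose presence means the body already travels encrypted end to
# end, so the gateway neither needs to nor can inspect it.
PGP_MIME = "multipart/encrypted"                                        # RFC 3156
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}  # RFC 8551

# Candidate SSNs written as 123-45-6789 or 123 45 6789. Bare nine-digit runs
# are deliberately not matched: they collide with phone and account numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Advertising sample numbers the SSA has publicly retired; constructed
# allow-list for this example, extend it per local policy.
NEVER_ISSUED = {"078-05-1120", "219-09-9999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules so filler like 000-12-3456 is ignored."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return f"{area}-{group}-{serial}" not in NEVER_ISSUED


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in a text body, normalised to dashed form."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return list(dict.fromkeys(hits))  # dedupe, keep first-seen order


def is_encrypted(msg: EmailMessage) -> bool:
    """True if the message is PGP/MIME or S/MIME enveloped (not merely signed)."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == PGP_MIME:
            return True
        if ctype in SMIME_TYPES:
            # smime-type=signed-data carries a signature only, no encryption.
            if part.get_param("smime-type", "enveloped-data") != "signed-data":
                return True
    return False


def inspect_outbound(raw: bytes) -> dict:
    """Gateway decision for one outbound message (constructed decision values).

    "allow": pass as-is; "encrypt": hold and route through gateway encryption.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_encrypted(msg):
        return {"action": "allow", "reason": "already encrypted", "ssns": []}
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.extend(find_ssns(part.get_content()))
    found = list(dict.fromkeys(found))
    if found:
        return {"action": "encrypt", "reason": "SSN in cleartext body",
                "ssns": found}
    return {"action": "allow", "reason": "no SSN detected", "ssns": []}


# Constructed sample messages (no real people or numbers).
PLAIN_WITH_SSN = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: enrollment form\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Member SSN is 123-45-6789; call (800) 555-0123 with questions.\r\n"
    b"The sample card on the form reads 078-05-1120 and 000-12-3456.\r\n"
)

PGP_ENCRYPTED = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: enrollment form\r\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    b' boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n(ciphertext omitted)\r\n"
    b"-----END PGP MESSAGE-----\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_WITH_SSN), ("pgp", PGP_ENCRYPTED)):
        print(label, inspect_outbound(raw))
```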




RE: NPP and accounting for disclosures - was Medicare audits: operations?

2003-02-14 Thread Halterman, Anita



The disclosures I had referenced in my earlier email posting are permissible disclosures (disclosures for audit purposes are allowed by HIPAA). I did not mean to imply that all accounting can be avoided as the notice should address typical uses of PHI for a CE.
 
In general HIPAA's Privacy Rule requires all covered entities to track all disclosures of protected health information that occurred within a six-year period except for the following:

- A disclosure made for the purposes of treatment, payment or health care operations as outlined by 45 CFR 164.506;
- A disclosure that is made to the individual about their own protected health information;
- A disclosure that is incidental to a use or disclosure otherwise permitted or required, as provided for in 45 CFR 164.502;
- A disclosure that is made pursuant to an authorization as provided for in 45 CFR 164.508;
- A disclosure made for the purpose of including information in a facility directory, or to people who are involved in an individual's care, or other notification purposes, provided the individual has been given an opportunity to agree or object to such use or disclosure;
- A disclosure made for national security or intelligence purposes as provided for by the National Security Act;
- A disclosure made to correctional institutions or to law enforcement officials as allowed by 45 CFR 164.512(k)(5);
- As part of a limited data set in accordance with 45 CFR 164.514(e); or
- A disclosure that occurred prior to the compliance date for the covered entity.

Covered entities have limited rights to suspend an individual's right to receive an accounting of disclosures. These limitations are restricted to health oversight activities and/or law enforcement activities. To learn more about these restrictions 45 CFR 164.528 should be reviewed.

If I implied otherwise please accept my apology as I did not intend to.

Anita
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 11:10 AM
To: Halterman, Anita; WEDI SNIP Privacy Workgroup List
Subject: RE: NPP and accounting for disclosures - was Medicare audits: operations?

  Anita, I do not agree with your interpretation. You are required to provide the notice, yes. You are allowed disclosures for TPO, yes. You are also allowed other disclosures documented in the notice, yes. However, the only disclosures that do not require accounting are for TPO purposes only. All other permissible disclosures, outside of TPO, must be accounted for regardless of their inclusion in the notice. Also all impermissible disclosures must be accounted for, regardless of whether an authorization is in place or not.
   
  Regards,
  
  
  Tim McGuinness, Ph.D.
  Email: [EMAIL PROTECTED]
  Alt Email: [EMAIL PROTECTED]
  Direct Phone: 1-727-787-9801 / Voice Mail & Fax: 1-240-525-1149
  Consulting Specialist in Regulatory Privacy, Security, and Application Compliance - Specialist in Medicaid Provider & Local Government Compliance [HIPAA/FDA/CMS-HCFA/ICH/ADA & Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A]
  Websites: www.HIPAAhelpNETWORK.com www.LocalGovernmentCompliance.com www.TimMcGuinness.com www.McGuinnessDesigns.com
  Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (www.HCCO.us)
  ===
  IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.

  HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The foregoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - your use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation.
  
-----Original Message-----
From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 1:

RE: NPP and accounting for disclosures - was Medicare audits: operations?

2003-02-14 Thread Halterman, Anita



No... I hadn't looked.
 
Read 45 164.502 uses and disclosures of protected health information: general rules: (i) "Standard: Uses and disclosures consistent with notice. A covered entity that is required by 164.520 [the section addressing the notice of privacy practices] to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by 164.502(b)(a)(iii) [separate statements for certain uses or disclosures] to include a specific statement in its notice if it intends to engage in an activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose protected health information for such activities, unless the required statement is included in the notice."

I am not an attorney and do not work for OCR so cannot say without doubt that what has been said by many (including myself) regarding the fact that if you notice a disclosure that the law allows you to make that you don't have to account for it. But I believe that this can be concluded from reading the above section of the regulations. I believe if you inform a patient in your notice that you may make a disclosure that is allowed by the law and that does not require that you first receive an authorization before you make the disclosure that you do not have to account for it. I assume that none of us would make a disclosure that is not specifically allowed without first receiving an authorization to do so and if we inadvertently make a disclosure that is not allowed (for instance a mis-sent fax) we would account for it. The way I have read the above section leads me to believe that if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it.

I had hoped to get feedback from others. Someone did put a bit of a different spin on this and they pointed out that most audit functions would be related to post-payment activities, which would exclude them from an accounting. I should have been clearer in my original posting because I was thinking more about audits performed for certification or licensing.

If you informed a person in your notice that you may make a disclosure for an intended purpose, why would you have to account for it as you already told them you would make disclosure for this purpose?
 
Anita
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 10:41 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: NPP and accounting for disclosures - was Medicare audits: operations?

  Do you have HHS commentary that states if 'a disclosure allowed by law if it is addressed in your notice of privacy practices doesn't have to be accounted for'? If so please let me know where to find it. If there is supporting commentary then it would make a lot of health care providers happy where I work. All indications I have been given are we have to account for such disclosures.

  Thanks in advance,
  Cindi
   
  -----Original Message-----
  From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
  Sent: Friday, February 14, 2003 2:29 PM
  To: Cindi Bowman; WEDI SNIP Privacy Workgroup List
  Subject: RE: NPP and accounting for disclosures - was Medicare audits: operations?
  
I agree with you and what I stated below your response is not inconsistent with the preamble. I still believe that a disclosure allowed by law if it is addressed in your notice of privacy practices doesn't have to be accounted for. If you notice it, you already told the person you make disclosures for whatever purpose you listed in your notice.
 
Anita
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 10:22 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: NPP and accounting for disclosures - was Medicare audits: operations?

  I don't think saying a CE "may not use or disclose protected health information in a manner inconsistent with such notice" is the same as "if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it". My beliefs are based on the below HHS Commentary where they are very clear that CEs must account for even disclosures required by law. Comments?

  Cindi Bowman
  Quality and Compliance Coordinator
  Catawba County Health Department
  828-695-5847
   
  
  Right to an Accounting of Disclosures of Protected Health Information - § 164.528(a)
  HHS Description of and Commentary on August 2002 Revisions
  Right to an Accounting of Disclosures of Protected Health Information

  Comment: A number of commenters recommended other types of disclosures for exemption from t

RE: NPP and accounting for disclosures - was Medicare audits: operations?

2003-02-14 Thread Halterman, Anita



I agree with you and what I stated below your response is not inconsistent with the preamble. I still believe that a disclosure allowed by law if it is addressed in your notice of privacy practices doesn't have to be accounted for. If you notice it, you already told the person you make disclosures for whatever purpose you listed in your notice.
 
Anita
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 10:22 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: NPP and accounting for disclosures - was Medicare audits: operations?

  I don't think saying a CE "may not use or disclose protected health information in a manner inconsistent with such notice" is the same as "if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it". My beliefs are based on the below HHS Commentary where they are very clear that CEs must account for even disclosures required by law. Comments?

  Cindi Bowman
  Quality and Compliance Coordinator
  Catawba County Health Department
  828-695-5847
   
  
  Right to an Accounting of Disclosures of Protected Health Information - § 164.528(a)
  HHS Description of and Commentary on August 2002 Revisions
  Right to an Accounting of Disclosures of Protected Health Information

  Comment: A number of commenters recommended other types of disclosures for exemption from the accounting requirement. Many recommended elimination of the accounting requirement for public health disclosures arguing that the burden of the requirement may deter entities from making such disclosures and that because many are made directly to public health authorities by doctors and nurses, rather than from a central records component of the entity, public health disclosures are particularly difficult to track and document. Others suggested exempting from an accounting requirement any disclosure required by another law on the grounds that neither the individual nor the entity has any choice about such required disclosures. Still others wanted all disclosures to a governmental entity exempted as many such disclosures are required and often reports are routine or require lots of data. Some wanted disclosures to law enforcement or to insurers for claims investigations exempted from the accounting requirement to prevent interference with such investigatory efforts. Finally, a few commenters suggested that all of the disclosures permitted or required by the Privacy Rule should be excluded from the accounting requirement.

  Response: Elimination of an accounting requirement for authorized disclosures is justified in large part by the individual's knowledge of and voluntary agreement to such disclosures. None of the above suggestions for exemption of other permitted disclosures can be similarly justified. The right to an accounting of disclosures serves an important function in informing the individual as to which information was sent to which recipients. While it is possible that informing individuals about the disclosures of their health information may on occasion discourage some worthwhile activity, the Department believes that the individual's right to know who is using their information and for what purposes takes precedence.
  
-----Original Message-----
From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 1:28 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: NPP and accounting for disclosures - was Medicare audits: operations?

Read 45 164.502 uses and disclosures of protected health information: general rules: (i) "Standard: Uses and disclosures consistent with notice. A covered entity that is required by 164.520 [the section addressing the notice of privacy practices] to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by 164.502(b)(a)(iii) [separate statements for certain uses or disclosures] to include a specific statement in its notice if it intends to engage in an activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose protected health information for such activities, unless the required statement is included in the notice."

I am not an attorney and do not work for OCR so cannot say without doubt that what has been said by many (including myself) regarding the fact that if you notice a disclosure that the law allows you to make that you don't have to account for it. But I believe that this can be concluded from reading the above section of the regulations. I believe if you inform a patient in your notice that you may make a disclosure that is allowed by the law and that does not
   

RE: NPP and accounting for disclosures - was Medicare audits: operations?

2003-02-14 Thread Halterman, Anita



Read 45 164.502 uses and disclosures of protected health information: general rules: (i) "Standard: Uses and disclosures consistent with notice. A covered entity that is required by 164.520 [the section addressing the notice of privacy practices] to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by 164.502(b)(a)(iii) [separate statements for certain uses or disclosures] to include a specific statement in its notice if it intends to engage in an activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose protected health information for such activities, unless the required statement is included in the notice."

I am not an attorney and do not work for OCR so cannot say without doubt that what has been said by many (including myself) regarding the fact that if you notice a disclosure that the law allows you to make that you don't have to account for it. But I believe that this can be concluded from reading the above section of the regulations. I believe if you inform a patient in your notice that you may make a disclosure that is allowed by the law and that does not require that you first receive an authorization before you make the disclosure that you do not have to account for it. I assume that none of us would make a disclosure that is not specifically allowed without first receiving an authorization to do so and if we inadvertently make a disclosure that is not allowed (for instance a mis-sent fax) we would account for it. The way I have read the above section leads me to believe that if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it.

Anyone else out there that supports this?

By posting my email to the listserv, I had hoped to hear more from agencies involved in auditing or that are subject to audits. Surely you folks have given this some thought - anyone willing to state how they are viewing this particular subject?

Thanks,
Anita

-----Original Message-----
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 10:20 PM
To: Halterman, Anita; WEDI SNIP Privacy Workgroup List
Subject: NPP and accounting for disclosures - was Medicare audits: operations?

Changing the subject for a minute:

I have seen several emails from people, including the one below, that have made various statements all to the effect that if you mention a particular type of disclosure in your NPP, you will not have to account for such disclosures.

Anita wrote:
"One way a covered entity might get around having to account for disclosures made for auditing purposes is to inform their patients through their notice of privacy practices that they may make a disclosure for this type of activity."

Could someone please cite for me where in the Rule they believe this is authorized? When I read section 164.528(a)(1) it says a CE must account for all disclosures except for the ones listed in sub-paragraphs (i) through (ix). Nowhere in that list do I see "disclosures that are mentioned in your Notice of Privacy Practices".

Is the assumption that by mentioning a type of disclosure in my NPP I can then claim it is part of TPO? I don't see any room to make that argument since TPO is clearly defined in sections 164.501 and 164.506.

Thanks,
Noel Chang

--
Open WebMail Project (http://openwebmail.org)

------ Original Message -------
From: "Halterman, Anita" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thu, 13 Feb 2003 14:37:17 -0900
Subject: RE: Medicare audits: operations?

> I have been thinking about this issue for some time now and this is
> my two cents for what it is worth (I am not an attorney). Sorry
> Chris I don't agree with your take on this.
>
> In order for this activity to be a part of your health care
> operations, the activity would have to fall under the definition of
> "Health care operations" as follows:
>
> "Health care operations" means any of the following activities of the
> covered entity to the extent that the activities are related to
> covered
> functions:
>
> (1) Conducting quality assessment and improvement activities,
> including outcomes evaluation and development of clinical guidelines,
> provided that the obtaining of generalizable knowledge is not the
> primary purpose of any studies resulting from such activities;
> population- based activities relating to improving health or reducing
> health care costs, protocol development, case management and care
> coordination, contacting of health care providers and patients with
> information about treatment alternatives; and related functions that
> do not include treatment;
> (2) Reviewing the competence or qualifications of health care
> professiona

RE: Medicare audits: operations? Correction 42 CFR should be 45

2003-02-13 Thread Halterman, Anita
Please note that on the posting I posted regarding audits the citations to
42 CFR should be 45 CFR. Sorry for the confusion, as you may be able to tell
I work for an agency that usually has me using 42 CFR... 

Anita




RE: Medicare audits: operations?

2003-02-13 Thread Halterman, Anita



I have been thinking about this issue for some time now and this is my two cents for what it is worth (I am not an attorney). Sorry Chris I don't agree with your take on this. In order for this activity to be a part of your health care operations, the activity would have to fall under the definition of "Health care operations" as follows:

"Health care operations" means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) [disclosures relating to underwriting] are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of §164.514 [Other requirements relating to the uses and disclosures of protected health information], creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

I highlighted in red the sections above in the definition that I believe are important to review.

If a covered entity is being audited, I believe that the covered entity being audited would be subject to account for the disclosure that they made for audit purposes. The activity (audit) is not an activity of the covered entity being audited, but instead is the activity of another agency to ensure that the covered entity under audit has met its obligations.

Since the audit is required by law, no authorization is needed to allow for the disclosure, see 42 CFR 164.512(a), this section addresses disclosures that are permitted by law and don't require an authorization. Also 42 CFR 164.512(d) specifically addresses health oversight, which both Beth and I obviously agree that this is. 42 CFR 164.528 does not specifically exclude health oversight activities from being subject to an accounting. Because of this it is my conclusion that audit activity related disclosures made by an entity under audit are subject to an accounting. This is also not the function of the covered entity being audited but instead is the function of an outside agency, to determine compliance with program rules.

One way a covered entity might get around having to account for disclosures made for auditing purposes is to inform their patients through their notice of privacy practices that they may make a disclosure for this type of activity. This would require careful crafting of the notice of privacy practices. If a disclosure is not addressed in your notice and you d

Are there any covered entities which include certification and licensing entities?

2003-02-10 Thread Halterman, Anita
Are there any covered entities out there that include a component that
provides for the licensing and certification of facilities and that
addresses long term care program complaints? Our Medicaid agency surveys
hospitals, long-term care, etc. facilities for Medicare/Medicaid
certification and some facilities for licensure. 

Are these functions normally performed by Medicaid agencies or does this
depend upon the state? 

I got the impression from responses that I have received to prior questions
that the answer may depend upon how a state structures its Medicaid program.


What I am looking for is a covered entity (Medicaid ideally) that includes
as a unit an agency that performs certification and licensing functions. I
would love to gain some insight into your HIPAA privacy approaches with
regard to such a relationship. I would love to talk with anyone who can give
me insight into how they (if they have a similar structure) have coordinated
HIPAA privacy efforts within their Medicaid office. 
 
Please respond directly to me if you would. 

Thanks, 
Anita Halterman
Health Policy Analyst & 
HIPAA Privacy and Security Coordinator
State of Alaska, 
Department of Health and Social Services, 
Division of Medical Assistance, 
4501 Business Park Blvd., Suite 24
Anchorage, AK 99503-7167
(907)334-2431
 


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



Accounting for disclosures

2003-01-24 Thread Halterman, Anita
The NMEH HIT sub workgroup intends to discuss accounting for disclosures
during the next HIT call. During our last call the topic came up for
discussion and I offered to post an email to a couple of listservs to
generate some discussion regarding this topic. 

How have CE's been dealing with HIPAA's accounting requirements? 

Do CE's have tools that they would be willing to share that might make it
easier for those who are still struggling with this subject to use to assist
them with sorting this requirement out? 

Are CE's approaching the accounting requirements by using paper tracking
systems or through the use of electronic tracking systems? 

If anyone has best practices that they would be willing to share about how
to address these issues, please share them. 

Thank you, 
Anita Halterman
HIPAA Integration and Transition (HIT) Co-Chair,
Health Policy Analyst & 
HIPAA Privacy and Security Coordinator
State of Alaska, 
Department of Health and Social Services, 
Division of Medical Assistance, 
4501 Business Park Blvd., Suite 24
Anchorage, AK 99503-7167
(907)334-2431
 





HIPAA Privacy question regarding business associate agreements

2003-01-22 Thread Halterman, Anita
I am hopeful that by posting this information to the listserv's I can get
input from states about how they are approaching the "access, amendment and
accounting" requirements of the HIPAA Privacy rule through their business
associate contracts. 

These are my questions: 
1) Are any states delegating the responsibility to provide access, amendment
and or accountings through their business associate agreements? 
2) If you are, what are the pros and cons that you identified regarding
doing this? For example: I know that if we delegate these functions, we may
lose control over these functions but on the other hand we often don't
maintain the designated record sets where this information is maintained,
our business associates do.   

In some cases we have no control over information contained in our business
associates designated record sets. If we proceed with the language in the
contract that we are using (similar to the language in the template that HHS
gave us) we could potentially create a huge burden to overcome in order to
meet the obligations that we are laying out through the development of these
agreements. We are often not a point of contact for many of the providers
who receive services that we contract to various business associates. We
could potentially create an administrative burden for us to track requests
for access to designated record sets maintained by our business associates,
to make amendments to records we don't own, and to provide an accounting of
information our business associates hold on our behalf. 

Any input that might help us make decisions regarding this, would be greatly
appreciated. 

CMS has presented guidance that addresses this issue and they have
identified the fact that covered entities may want to consider imposing the
requirement to provide access and to make amendments on their business
associates especially if the information in need of access or amendment is
maintained by a business associate. The guidance further identifies the fact
that an accounting may be imposed on the BA by a covered entity. 

Because each relationship with business associates will be unique and will
vary regarding a covered entity's access to information maintained by the
business associates, I think we need to carefully consider how we develop
these agreements. I believe we need to be flexible in our language so that
we can dictate when we will provide access, make the requested and agreed-to
amendments and assume the responsibility to provide the accounting, and when
we will require these things of our business associates.


The FAQs from OCR dated December 3, 2002 on BAs have a question and answer
directly related to this issue; the last sentence of each answer addresses
the ability of covered entities to delegate these functions to their business
associates. It reads as follows:

"Q: Does the HIPAA Privacy Rule require a business associate to provide
individuals with access to their protected health information or an
accounting of disclosures, or an opportunity to amend protected health
information?

A: The Privacy Rule regulates covered entities, not business associates. The
Rule requires covered entities to include specific provisions in agreements
with business associates to safeguard protected health information, and
addresses how covered entities may share this information with business
associates. Covered entities are responsible for fulfilling Privacy Rule
requirements with respect to individual rights, including the rights of
access, amendment, and accounting, as provided for by 45 CFR 164.524,
164.526, and 164.528. With limited exceptions, a covered entity is required
to provide an individual access to his or her protected health information
in a designated record set. This includes information in a designated record
set of a business associate, unless the information held by the business
associate merely duplicates the information maintained by the covered
entity. Therefore, the Rule requires covered entities to specify in the
business associate contract that the business associate must make such
protected health information available if and when needed by the covered
entity to provide an individual with access to the information. However, the
Privacy Rule does not prevent the parties from agreeing through the business
associate contract that the business associate will provide access to
individuals, as may be appropriate where the business associate is the only
holder of the designated record set, or part thereof.

Under 45 CFR 164.526, a covered entity must amend protected health
information about an individual in a designated record set, including any
designated record sets (or copies thereof) held by a business associate.
Therefore, the Rule requires covered entities to specify in the business
associate contract that the business associate must amend protected health
information in such records (or copies) when requested by the covered
entity. The covered entit

RE: HIPAA-related privacy question (I think)

2002-10-22 Thread Halterman, Anita
Providers who conduct covered standard transactions electronically are
covered by the final Privacy Rule. I quote the HHS fact sheet on the
regulation, presented to the public on April 2, 2002 by the US Dept. of
Health and Human Services: "COVERED ENTITIES: As required by HIPAA, the final
regulation covers health plans, health care clearinghouses, and those health
care providers who conduct certain financial and administrative transactions
(e.g., enrollment, billing and eligibility verification) electronically."
To see more of this document go to the following link:
http://www.hhs.gov/news/press/2002pres/privacy.html

The key to determining if a provider falls under HIPAA Privacy rules lies
with the Standard transactions. If a standard is adopted as a HIPAA standard
and the provider conducts business by using this electronic standard, it
makes the provider subject to the HIPAA Privacy Rules. 

I also took this question and answer from another HHS website: 

"Q. Who must comply with these new privacy standards?

A: As required by Congress in HIPAA, the Privacy Rule covers health plans,
health care clearinghouses, and those health care providers who conduct
certain financial and administrative transactions electronically. These
electronic transactions are those for which standards are required to be
adopted by the Secretary under HIPAA, such as electronic billing and fund
transfers. These entities (collectively called "covered entities") are bound
by the new privacy standards even if they contract with others (called
"business associates") to perform some of their essential functions. The law
does not give HHS the authority to regulate other types of private
businesses or public agencies through this regulation. For example, HHS does
not have the authority to regulate employers, life insurance companies, or
public agencies that deliver social security or welfare benefits. The
"Business Associate" section of this guidance provides more detailed
discussion of the covered entities' responsibilities when they engage others
to perform essential functions or services for them."

I hope that these two items assist in helping to dispel the belief that all
providers must comply. I have been saying to staff working for our state for
some time now that we may have an issue with providers reverting to paper in
order to avoid compliance. I hope that I am wrong, but fear that if I am not
we all may see an increase in the volume of claims having to be keyed in
manually as providers avoid the early phases of HIPAA compliance by moving
backwards and reverting to paper processes. The one advantage is that the
majority of Medicare providers are required to conduct business
electronically unless there are certain hardship conditions that they have
clearly demonstrated are met or if they have fewer than 10 FTEs.

Good luck!
-Original Message-
From: Mimi Hart [mailto:HartAM@;crstlukes.com] 
Sent: Tuesday, October 22, 2002 12:26 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA-related privacy question (I think)


I think we need clarification on this from a higher entity, someone from
CMS? 

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> [EMAIL PROTECTED] 10/22/02 03:02PM >>>
A covered entity is a health plan, practitioner/facility or a
clearinghouse.  In the case of electronic transactions, an entity may not
have to comply with the electronic transaction and code set standards if it
is doing EVERYTHING BY PAPER; and it could get an automatic extension until
Oct. 2003 if it's a small health plan.  But it is still considered a covered
entity and has to comply with other parts of the law, such as privacy, for
example.