Confidentiality Agreement for Board Members
I am putting the finishing touches on my policies and procedures and just realized that the confidentiality agreement I have for staff will not be sufficient for our board members. I have seen others in the past talk about this issue and was wondering if anyone can point me in the direction of a good confidentiality agreement specifically for board members. I would truly appreciate it. These listservs have proven to be my best resource.

Thank you in advance,
Kristen Emerson
Management Analyst/HIPAA Compliance Officer
Mid-Florida Area Agency on Aging

CONFIDENTIALITY NOTICE: This E-Mail, including attachments, is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. Any unauthorized review, use, disclosure, or distribution is prohibited. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
BA Agreement
My agency is entering into a contract with a pharmacist to provide free "brown bag checks" for elderly citizens. These "brown bag checks" consist of an elderly citizen bringing all the prescription drugs that they are taking to the pharmacist and receiving counseling on medication management by the pharmacist. We sponsor a booth at health fairs where this service is offered free of charge to the elderly. We are contracting with this one pharmacist to provide these "brown bag checks" for us at the health fairs. Do we need a BA with this pharmacist or not? My feeling is that he is providing the service to the clients and we are just the payer therefore he is not utilizing PHI to provide a service on our behalf, but I keep getting stuck on BA's. This area of HIPAA is the hardest one for me to nail down and understand. Thanks in advance, Kristen Emerson Management Analyst/HIPAA Compliance Officer Mid-Florida Area Agency on Aging
Covered Entity Status
If Provider "A" shares PHI with Provider "B" for one of their clients for treatment purposes, does Provider "A" need some sort of certification that shows Provider "B" has designated itself a covered entity under HIPAA. In other words before you share PHI with other health care providers for treatment purposes should you have some sort of documentation that they are abiding by HIPAA as they should be and just not ignoring it and hoping it will go away. I know the rule states that CE's can share PHI with other CE's for treatment purposes, but do you just take for granted that the provider has done its due diligence and is HIPAA compliant. This is probably a very simple question, but I would appreciate any input. Thanks in advance, Kristen Emerson Management Analyst/HIPAA Compliance Officer Mid-Florida Area Agency on Aging
Business Associate
I am really having a hard time grasping who is a BA and who is not. Just for clarification, what is the feeling out there on this. Our agency (which is a CE) executes contracts with other CE's to provide health care services to a target population, and they report services to our agency for payment. Are the agencies that are providing the service to the client doing so on our behalf, because we contract and pay them to provide the service? I guess what I am having trouble understanding is would all the CE's that we contract with to provide services to clients be our Business Associates? Thanks in advance, Kristen Emerson Management Analyst/HIPAA Compliance Officer Mid-Florida Area Agency on Aging
Access Control
Does anyone out there have any suggestions to help me with the following? Our agency is required to use an application provided to us by a state agency that we contract with. We do not have any control over the design or functionality of this application, but we do house the database that contains all the PHI on the clients in our area. The state agency has remote access to all our servers and develops and maintains the application (forms, reports, etc.), but we have to administer the accounts and access for our staff and for the local service providers that contract with us. As I am looking at the Privacy Rule, I am reading it that we should have role-based access for every individual who needs access to the application to limit them to only what they need to see to accomplish their job. This would include reports, etc. Unfortunately, I feel that we are in an awkward position because even if we control the access to the best of our ability at our agency and to the local service providers below us, there are still multiple points of access to the database over which I have no control (the state). We are also limited in our abilities to control what the application does, for example, audit who was in the application, and when, or alert us if someone is trying to get into areas they do not have permission to, etc. I guess the bottom line is that since the database which contains the PHI is actually located on our premises, I feel it is our responsibility to maintain access controls and provide adequate safeguards. As I have brought this up in discussions, many I talk to feel a lot of this is addressed in the security rule and can wait to be dealt with later. Is there anyone out there that can help me in finding materials to support my argument that these issues should be addressed with regards to privacy?
I have read and researched the minimum necessary requirement and do see some helpful issues addressed there but I am trying to make the point that if there was a breach and PHI was released, we should have a system that could help us in determining how it happened. Currently, I would not be able to produce a list of who was in, when, etc. This is really a confusing situation, so I hope it makes some sense. Any suggestions, advice, or direction would be greatly appreciated. Thanks, Kristen Emerson Management Analyst/HIPAA Compliance Officer
Question about our Elder Help Line
The agency I work for operates a toll-free telephone assistance service for older persons and their caregivers. The Elder Help Line assists callers by identifying their critical needs and providing practical information about the best ways to obtain services and benefits that will most effectively address their problems. Sometimes our I&R Specialists receive calls from individuals in the community that are looking for services for their elderly parents, etc. Our specialist will collect Personal Health Information on the elderly parent and may contact another agency in the community that could provide certain services to the elderly person. Our specialists may then supply that agency with the name, location, and contact information for the individual. Many times the information given on these calls relates to the elderly person's health and/or functional or mental status. My question is how should we start treating these calls so as to make sure we are complying with HIPAA? One thing I know we definitely plan to do before we collect any information is to briefly describe our NPP and mail it out to that individual with an acknowledgement form and a self-addressed stamped envelope to document our "good faith" effort. I just wonder if we will need to get an authorization signed by the actual individual before we can contact any other agency/community resource regarding the individual in need of service. We are considered a covered entity based on the fact that our agency provides case management, along with home health care services, medical transportation, counseling, occupational therapy, etc. Thanks in advance, Kristen Emerson Management Analyst/HIPAA Compliance Officer Mid-Florida Area Agency on Aging
Re: NPP and home & community-based waiver programs
Here is some information that may help. I found this letter (9/12/01) to Secretary Thompson and the response helpful. http://www.dhfs.state.wi.us/HIPAA/Documents/hap.htm

Here is our reasoning behind the standard transactions. The federal regulations define health care claims or equivalent encounter information as follows: "(a) A request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care. OR (b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care."

Our software is utilized for a variety of purposes, including validation of subcontractors' monthly requests for payment as well as for analyzing and reporting individual client/service information that we submit to the state for payment. From this we decided that by simply reporting services that are defined as health care to the state via our software for payment, that we are processing a standard transaction. We also use our software for enrollment and disenrollment, and to determine eligibility. There is some discussion in the regulations about community based services, which have already been referenced, that we found useful. Though I have to admit there is not much out there with regards to programs like ours, we are still pretty confident that we are covered. I would appreciate any documentation that you have from CMS or anyone else that pertains to human service agencies.
Thanks,
Kristen

----- Original Message -----
From: "Kelli Knuckles" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Cc: "Steven Klepzig" <[EMAIL PROTECTED]>; "Thomas Papin" <[EMAIL PROTECTED]>; "Diann Rice" <[EMAIL PROTECTED]>; "Eleanor Walker" <[EMAIL PROTECTED]>
Sent: Thursday, January 09, 2003 4:20 PM
Subject: RE: NPP and home & community-based waiver programs

> We are also a Human Services agency, and act in the manner which you
> have described. We were provided with white papers by CMS (and were
> also told by CMS) that we are not a covered entity. The white papers
> were put together by the County Issues Subgroup, affiliated with
> California Behavioral Health, as I understand it.
>
> According to CMS (and the County issues Subgroup), Social Services
> activities acting to enroll or assess people for Medicaid purposes are
> exempt from HIPAA provisions. I have a packet that CMS provided when
> they came and spoke directly to Western Colorado counties about this
> issue with all of the documentation to support that opinion. Our county
> attorney also agrees with this opinion. Are we way off base? Can
> anyone provide me with definitive evidence to the contrary?
>
> Also Kristen, it doesn't sound to me like the electronic activity that
> your agency is engaged in consists of covered transactions (unless you
> are billing medical claims electronically).
>
> We were up to our eyeballs in HIPAA compliance activities before CMS
> dropped this little nugget on us about three months ago. Any info would
> be appreciated.
>
> Thanks-
> Kelli Knuckles
> Mesa County Department of Human Services
>
> >>> "Debby Bartow" <[EMAIL PROTECTED]> 01/09/03 12:21PM >>>
> In working with many local agencies such as yourself, it has also been
> our finding that this puts you in the seat of a covered entity.
>
> Debby Bartow
>
> Tobin & Associates, Inc.
>
> www.TobinIT.com
>
> [EMAIL PROTECTED]
>
> 585.586.2103 x3040
>
> -----Original Message-----
> From: Chris Brancato [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 2:05 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: RE: NPP and home & community-based waiver programs
>
> Sorry. It's my experience your lawyer got it right.
>
> Chris Brancato
>
> -----Original Message-----
> From: Kristen Emerson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 12:53 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Re: NPP and home & community-based waiver programs
>
> Our agency has received an outside legal opinion that we are a covered
> entity.
>
> One of the main reasons is that our agency administers Medicaid Waiver
> programs along with our other programs.
>
> It was determined that we provide health care services.
>
> "Health Care means preventive, diagnostic, therapeutic,
> rehabilitative,
> maintenance, or palliative care, and counseling, ser