RE: HIPAA Job Shadowing
Heidi, You are very wise to treat the shadow students as part of their workforce (i.e., volunteers) and educate them accordingly. (It has been our experience that from time to time the shadow students often may be asked to use the PHI in carrying out responsibilities in ways that may often exceed an organization's original intention.) However, depending upon your State statutes, another important matter may need to be considered: shadow students are often under 17 years of age, and consequently may NOT be allowed to be members of your workforce. Under those circumstances, your organization may actually need to have patients sign an authorization for the disclosure of PHI to the shadow students. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you.
-Original Message- From: Heidi Gosho [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 12, 2003 6:12 PM To: WEDI SNIP Privacy Workgroup List Subject: HIPAA Job Shadowing Hello All, The standard advice with regard to high school student job shadowing in hospitals is to have the students sign confidentiality agreements and to require them to participate in the same HIPAA training as for volunteers or other employees. I would appreciate hearing about any other policies/practices that might facilitate job shadowing. Thanks! Heidi Gosho Project Director Alaska State Hospital Nursing Home Association 907-586-1790 907-463-3573 Fax This message is intended for the sole use of the individual to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the addressee you are hereby notified that you may not use, copy, disclose, or distribute to anyone the message or any information contained in the message. If you have received this message in error, please immediately advise the sender by reply email and delete this message. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: business associate - yes or no?
Wendy, What is the dilemma? From your description (below) it sounds as though the contractor is providing diagnostic screenings and tests akin to those provided by a laboratory or other indirect treatment provider. Though the contractor's treatment services are paid-for by the CE does not change the (apparent) fact that PHI is being shared with the contractor as part of the patient's treatment process. Are there other factors here that are as yet unstated? I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] -Original Message- From: Reynolds, Wendy J [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2003 1:06 PM To: WEDI SNIP Privacy Workgroup List Subject: business associate - yes or no?
I am in the process of reviewing a contract which will entail an agreement between us (a covered entity) and the contractor (another covered entity) in which the contractor will provide cancer screening/diagnostic tests to a specific category of women (income guidelines, age, etc.) per grant parameters. I am having trouble with this one, because usually treatment reasons do not necessitate a business associate agreement between two covered entities. However, we are paying the contractor a per capita rate to provide the services (diagnostic tests) to these patients. If patients need further treatment, they are referred back to us to take care of. In this situation, I am not sure the contractor is really providing treatment to the patients. Furthermore, in this situation, the contractor is providing this service on our behalf, for us, and are receiving money from us to provide these services. This arrangement does not fit the business associate exceptions or examples as listed on the OCR website. I have read the definition of treatment in the regs, but really think this arrangement should have a BAA. But of course the contractor disagrees. Am I being too picky? Any opinions out there? Wendy J. Reynolds, MPA, CHP EVMS Director of Privacy Program EVMS HS Clinical Auditor Eastern Virginia Medical School Fairfax Hall, 1st floor 721 Fairfax Avenue Norfolk, VA 23507 (757) 446-0337 [EMAIL PROTECTED]
RE: is this practice O.K.?
John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the third party. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:29 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position into question.
The first time, you pulled this language from the definition of treatment in the final rule -- consultation between health care providers [i.e., physicians and pharmacists] relating to a patient -- without citing the follow-up language which is included in the definition: INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY. And now this time, you have now pulled some language from the final rule preamble -- THE PROPOSED RULE defined 'treatment' as the provision of health care by ... health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL... -- without acknowledging that the language in the paragraphs which immediately follow the language you excerpted notes that the proposed rule's definition which you are citing, Matt, WAS MODIFIED: Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include the management of health care and related services If the list members will go back to the 1999 proposed HIPAA rule's definition of treatment, you can see just exactly which language in the definition of treatment was modified. See at http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section 164.504 at page 60053; the proposed rule's definition of treatment was: Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; OR THE COORDINATION OF HEALTH CARE OR OTHER SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL. 
(emphasis added) In the final rule, under section 164.501 at page 82805 (see http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment was changed to: Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. (emphasis added) [This final definition was not changed in the August 2002 Privacy Rule modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is the current definition]. The list members will see that some of the exact language which was removed from the proposed rule's definition is the very qualifying language at the end of the definition that limited the third parties to only those third parties who were authorized by the health plan or the individual! So, in the final rule, as the sentences immediately following the one which you cited make clear, Matt, DHHS TOOK OUT THE LIMITATION THAT YOU ARE RELYING UPON. The limitation on third parties, to only those who were authorized by the health plan or the individual, no longer exists. The excerpt you emphasized actually undermines your position rather than supporting it, given that the final rule's preamble was pointing out that that excerpt is obsolete. I appreciate
RE: is this practice O.K.?
John, HHS made the modification, and then explained how come: Specifically, we modify the proposed definition of treatment to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. 'Treatment' includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider. Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:44 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Clarified it? They removed the limiting language -- they EXPANDED it, didn't they? :-) Thanks for your thoughts, Matt, much appreciated. What do others think? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:39 PM To: Cody, John (OFT); 'WEDI SNIP Privacy Workgroup List' Subject: RE: is this practice O.K.? John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the third party. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] -Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:29 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position
RE: is this practice O.K.?
John, Perhaps this will help. HHS provides these additional clarifications in the Treatment QA section of the Preamble to the (initial) Privacy rules: Comment: Some commenters advocated for a narrow interpretation of treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors. Response: We find the commenters' arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advice about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual. Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate.
Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. They asserted that while the proposed definition of treatment included disease management conducted by health care providers it did not recognize the role of employers and TPAs in the current disease management process. Response: Covered entities disclose protected health information to other persons, including TPAs, that they hire to perform services for them or on their behalf. If a covered entity hires a TPA to perform the disease management activities included in the rule's definitions of treatment and health care operations that disclosure will not require authorization. The relationship between the covered entity and the TPA may be subject to the business associate requirements of §§ 164.502 and 164.504. Disclosures by covered entities to plan sponsors, including employers, for the purpose of plan administration are addressed in § 164.504. Again, we believe that within these clarifying scenarios and examples utilized by HHS (above), that you would be hard-pressed to stretch the term third party to include the media. Though, in an exception circumstance, such as an emergency, a case may be made for that type of disclosure. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:44 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Clarified it? They removed the limiting language -- they EXPANDED it, didn't they? :-) Thanks for your thoughts, Matt, much appreciated. What do others think? Thanks, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice
RE: Employee Access and Accounting of Disclosures
Ellen, This is one of those HIPAA topics where we would advise hanging a large Proceed with Caution sign, and where we would welcome additional guidance from HHS. Section 164.528(a)(1)(iii) of the Privacy rules --Accounting of disclosures of protected health information-- notes that HIPAA does NOT require a use incident to an otherwise permitted use or disclosure (as provided in section 164.502) to be included in an accounting. Conversely, this leads us to believe that HHS intends for ALL privacy breaches, whether a use or disclosure to be included in an accounting. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] -Original Message- From: Ellen Rubin [mailto:[EMAIL PROTECTED] Sent: Saturday, November 01, 2003 3:59 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: Employee Access and Accounting of Disclosures My understanding is that this is a use (albeit inappropriate) and not necessary to put in the accounting log.
However, if this information was then disclosed outside the entity, it would need to be accounted for. I asked this question a few weeks ago -- the piece I was interested in was whether entities are notifying their patients of this disclosure at the time of the event as well as entering in the accounting. Ellen __ Ellen Rubin, RN, BSN Privacy Officer Harborview Medical Center 206 731-6048 Voice 206 731-2097 Fax - Original Message - From: Walter Suarez [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Saturday, November 01, 2003 5:06 AM Subject: Employee Access and Accounting of Disclosures When an employee of a covered entity accesses PHI and it is determined that this was done wrongly (say, violating the minimum necessary requirements for that employee, or just plain inappropriate access someone's PHI by the employee), would this result in the employer having to log it into the accounting of disclosure? Many thanks for your comments and reactions. Walter. Walter G. Suarez, MD, MPH President and CEO Midwest Center for HIPAA Education 2850 Metro Drive, Suite 118 Bloomington, MN 55425 (952) 854-3401 - v (952) 814-4805 - f [EMAIL PROTECTED] http://www.mche.us.com
RE: Requiring picture ID
Judith, Many of our clients (mostly hospitals, ICFs, ambulatory care centers, etc.) operate in or near the 5 boroughs of NYC, and for about two years now most have instituted a continuum of measures with regard to physical space security and identification of persons entering the facilities and some specialty units (for example maternity, forensic, etc.) A sign-in and a checking of picture IDs (usually a driver's license or City-issued ID cards) is almost always a prerequisite. In some settings (for example prison infirmaries or forensic units in general hospitals) persons entering will be electronically photographed, and the tapes will be maintained. Also, depending upon the setting and functional level of the patients (for example, L-T versus acute, or adults versus children) printed or electronic pictures of the patients are taken by the facility staff, and maintained as part of the DRS. I hope that this helps, and please let me know if we may provide you with additional guidance or resources for integrating HIPAA into your Total Quality Management (TQM) process. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. 
Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Bentz-Miller, Judith [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 29, 2003 1:28 PM To: WEDI SNIP Privacy Workgroup List Subject: Requiring picture ID We are a large multi-specialist clinic and we are in the process of doing a risk assessment for requesting picture ID for each visit. Can you let me know: Do you currently request picture ID at check in? Do you keep a copy of it, electronic or paper? Why do you or do not request positive ID? If you have any polices on this, I would greatly appreciate it! Judith Judith Bentz-Miller Privacy Officer Arnett Clinic 765-448-8843 --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. 
RE: Multiagency authorizations
Laura,

When an Authorization Form contains check-offs that correspond to various types of PHI and various types of uses and disclosures, workforce members may tend to misuse the Form to combine HIPAA-required authorizations with other types of consents or authorizations that, under HIPAA, should not be combined. To be sure, the HIPAA-Authorization Form may be a template that is used for (only) a relatively small number of HIPAA-specified purposes: marketing, research without an IRB waiver, media or press releases, release of PHI to employers, and the like. It could be that the need to execute the HIPAA-required authorization will NOT arise as often as your clinicians anticipate.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Schmitt, Laura A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 27, 2003 8:49 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Multiagency authorizations

Several people on our HIPAA implementation team are hoping others' input might help in resolving our question about HIPAA's instructions to avoid compound authorizations and how that relates to the use of multi-agency authorization forms.

The final HIPAA Privacy regulations - 164.508 (b)(3) - prohibit the use of compound authorizations (i.e., combining with any other document an authorization for use or disclosure of phi...except for limited and specific exceptions).

We are a county-operated yet multi-jurisdictional behavioral health organization that plans, contracts, and directly provides treatment & prevention services. We are one of several covered health care components of our County government's hybrid entity. Much of the clinical work we do is as part of collaborative teams with other organizations (i.e., court staff, county social service staff, coordinating offices that serve as funders, and other community groups, agencies & service providers).

In the past, the local human service organizations that staffed such efforts agreed to use a multi-agency Universal authorization form. This form includes checkboxes for the various organizations involved, and then all of the other listed elements of a valid authorization. The clinical staff point out the obvious benefit that staff and the client need only sign one form.

The other point of view is that proffered by our MIS vendor and endorsed by several groups similar to ours in the state is the single purpose release forms, which allow for only one-on-one exchanges of information between entities. This option assures that the system records the limits of each release individually. Primarily the technical staff consider the single agent/purpose release form to conform to the spirit of the regulations...but clinicians believe that they will create an overwhelming paperwork burden on staff & clients.

I've found the language of this section confusing, and would be interested in knowing how others have interpreted this section and resolved the issue of handling releases of information when working with clients involved with numerous organizations.

Thanks in advance for any insights you can offer.

Laura Schmitt, Business Analyst
Fairfax-Falls Church Community Services Board
RE: psych notes
Paulette,

Among most behavioral health professionals, process notes (referred to by HIPAA as psychotherapy notes) are those pieces of documentation that therapists write, basically for their own use, to remind themselves of what the patient has said, for example, the content of a dream, or the experience of guilt associated with a forbidden feeling. HHS has given us the opportunity to strictly limit the availability of this information by providing a higher order of protection for these process notes, and with few exceptions, disclosures may be made only if the CE obtains a signed authorization.

Under HIPAA psychotherapy notes are defined as those notes:

1) Recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and,
2) Maintained separate from the medical record, and
3) That exclude:
   a. Medication prescription and monitoring
   b. Counseling session start and stop times
   c. The modalities and frequencies of treatment furnished
   d. Results of clinical tests
   e. Any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date

Note that #3 (above) delineates most of the information that we normally put into our progress notes to substantiate treatment, and consequently, we must separate that information from the psychotherapy or process notes (that is, if we want to further protect the process information.)

So, under HIPAA, psychotherapy notes must be SEPARATED from the rest of the record if they are to be afforded the additional protections provided by the Privacy Rules. In the paper world, this probably means the psychotherapy notes should remain under the lock-and-key of the writer of the note. In the electronic world, user ID and password protections would probably be the minimum.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 18, 2003 4:11 PM
To: WEDI SNIP Privacy Workgroup List
Subject: psych notes

Our practice is family practice. We contract in a LCSW who uses our charts for her progress notes. I understand that mental health is handled differently than that of a PCP as far as authorizations for release of info. (we need specific auth to release). I also remember reading somewhere that mental health needs to be separately identifiable in the chart. Can someone help me out with this? We do not have a separate divider in the chart for mental health however we do have the LCSW use blue progress notes. This seems reasonable to me to satisfy the separately identifiable. Any words of advice?

Paulette Ortega
Practice Administrator
Comprehensive Family Care Center
2002 Lake Ave., Ste. D
Pueblo, CO 81004
(719) 562-1122
RE: Employee Assistance Program
Cindy,

There is much variation among EAP services, and among the providers of those services. Some of our clients are covered entities and they provide EAP services; and, other clients are not covered entities and they provide EAP services. Further, some of the EAP services may (or may not) be defined by HIPAA as health care. So, in regard to determining how HIPAA may (or may not) apply to the information created, received, or maintained by an EAP, it is important to ask three relevant questions:

1) Do the services of the EAP include the provision of health care?
2) When services are provided by the EAP, is the EAP doing so in its role as a health care provider?
3) Does the EAP or its workforce members perform (or have performed) any of the HIPAA standardized transactions?

If the answer to all three questions is "Yes," then the health information that is created, received, or maintained by the EAP is most likely protected by HIPAA.

As your organization is also a treatment provider, you will be interested in pages 53192-53193 of the Federal Register (August 14, 2002) that provide a discussion of a covered entity's potential for having a dual role, both as an employer and as a health care provider.

Individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information. It does not matter if the individual is a member of the covered entity's workforce or not. Thus, the medical record of a hospital employee who is receiving treatment at the hospital is protected health information and is covered by the Rule, just as the medical record of any other patient of that hospital is protected health information and covered by the Rule. However, when the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information.

According to HHS, the nature of the health information does not determine whether it is an employment record. Rather, it depends on whether the covered entity obtains or creates the information in its capacity as employer or in its capacity as covered entity.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]
RE: NPP in Other Languages
The intent of the plain language clause pushes us to implement procedures to educate our patients about how we use and disclose their information, and consequently, we encourage our clients (covered entities) to view reading level as only one aspect. (BTW, this clause is applied to the authorizations, as well.)

On Page 53241 of the Preamble to the (revised) Privacy rules HHS notes the Department continues to believe strongly that promoting individuals' understanding of privacy practices is an essential component of providing notice to individuals. Further, on Page 53219 HHS notes that the HIPAA documents must be written in plain language so individuals can read and understand its contents. And still, in its recent guidance-report, OCR says that a CE must maximize readability and clarity of the HIPAA documents.

The concepts of readability and understanding are not new and pervade many (other) Federal and State laws and accreditor standards that regulate health care. In NY the NYS DOH has issued a consumer advisory that states, Translations and/or transcriptions of important hospital forms, instructions and information must be provided to you if you feel you need them, and the NYS State auditors enforce the regulations and intents. Consequently, in NYC we must provide some of our (clients') hospitals and ambulatory centers in Brooklyn with translations in Russian, translations in Chinese in Manhattan, and translations in Spanish are distributed throughout the five boroughs; translations in Hindi will be needed in Queens.

In addition to NY, a number of States have health or mental health laws that mandate patient rights activities in hospitals, nursing homes, and similar residences or institutions. And these laws usually contain the language understandable clauses regarding how we must provide information to the patient. One of the clearest examples of this language is Iowa State law (Chapter 28) for all institutions -- 28.4(229) Patients rights for the mentally ill: In order to preserve the patients self-respect and dignity... The patient shall be provided with complete and current information concerning patient diagnosis, treatment and progress in terms and language understandable to the patient.

The JCAHO, too, is definitely NOT silent on this matter. Its Rights of Individuals standards include a statement that the Individuals served have a right to effective communication... Written information provided is appropriate to the age, understanding, and language of the individual served [and] The organization provides for interpretation (including translation services) as necessary.

As a practical matter, we believe, and advise our clients accordingly, that for most hospitals it will be the JCAHO or other Accreditor, NOT OCR, that will provide the initial findings of how well the HIPAA rules have been met by the hospital.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Charles H. Thulin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 18, 2003 8:10 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: NPP in Other Languages

John,

I don't agree that the plain language requirement of the privacy regulations requires translation of the NPP into other languages. In its discussion of the plain language requirement in the preamble to the final privacy regulations DHHS notes that Title VI of the Civil Rights Act -- a separate statute -- generally requires entities that receive Federal financial assistance to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients' service areas, 65 Fed.Reg. 82461, 82549 (December 28, 2000), thereby creating an obligation in some cases -- for entities that are subject to Title VI -- to provide the HIPAA notice in non-English languages. Employer group health plans, for example, aren't subject to Title VI (they don't receive Federal
RE: Fundraising Question
Patricia,

The HIPAA regulations with regard to fundraising allow the CE to use or disclose PHI for the purpose of contacting the subject of the PHI (i.e., the patient) to ask for donations. Apparently, your organization does NOT do that. Consequently, the HIPAA provision that mandates that the patient be given an opportunity to opt-out does NOT apply to the scenario that you have described.

However, you may want to consider including in your NPP the possibility of using the PHI for contacting the patients for the purpose of fundraising, if in the future you anticipate doing so. (Revising the NPP at a later date to include this possibility may be more onerous.)

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Patricia Conroe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 05, 2003 9:59 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Fundraising Question

Our hospital foundation is responsible for fundraising. For about 5 years they have not used patient information for their fundraising. They purchase lists through other companies and they have created their own donor base based on who's donated before. They send information to the donor base because they're donors and not because they're patients. So, since the donors and patients are different do we need to worry about the fundraising opt out requirement? I hope I made myself clear with what I was explaining and trying to ask.
RE: Amendment Questions
Rachel,

No one here is saying otherwise. It is clear that the Privacy rule applies to all PHI maintained by the Covered Entity. And it is also clear that a CE must only provide an accounting for PHI disclosed AFTER the compliance date for those disclosures specified by HIPAA.

However, apparently there is some confusion about whether or not a CE is responsible for acquiescing to all requests to amend PHI created prior to the compliance date. Clearly a CE MAY make the amendment if they are able. But, for those of us who are struggling to implement a cost-effective process, there is more to this issue than simply allowing access to the PHI: the ability to find and link together the various places where the PHI resides in order to amend all of it no matter where it resides will be very onerous, especially for PHI created prior to the compliance date.

And in this light, it is very interesting to me that the HHS attorney that I heard (speak) yesterday in Brooklyn was much less emphatic when considering these issues than was the attorney in Chicago that you heard (speak). And it is for this reason that I would like to see a clearly written statement from HHS.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 02, 2003 7:14 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

And just to reinforce Dave's comments at today's CMS/OCR Privacy meeting in Chicago an OCR attorney explicitly stated that health information held by a covered entity that was created or received prior to 4/14/03 IS subject to all of the privacy rule's requirements on and AFTER 4/14/03. In other words, the CE must account for all disclosures of health information that occur after 4/14/03 to health information it had in its possession prior to 4/14/03, and likewise, health information in its possession prior to 4/14/03 is subject to a request for an amendment by the individual on and after 4/14/03 as well as the individual having the right of access to that health information.

The same OCR attorney also cautioned the audience that if the CE modified its NPP subsequent to its original NPP that must be provided on and after 4/14/03 it should take care to ensure that there is language in the modified NPP to indicate that the NPP applies not only to health information created or received after the new NPP but also to ALL health held by the CE prior to the newly modified NPP.

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]
http://www.rfa-edi.com

-----Original Message-----
From: David Ermer [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 02, 2003 1:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

Matt --

The Q&A demonstrates that HHS intends that the Privacy Rule generally apply to all PHI that the CE maintains as of 4/14/03. If HHS had intended to exempt from the access and amendment rights PHI created before 4/14/03 it would have said so in § 164.524 and § 164.526 of the Rule. The Privacy Rule is a law. Administrative rules are interpreted in accordance with the standards of statutory construction. The U.S. Supreme Court has ruled that When Congress [or another law maker -- here HHS] includes particular language in one section of a statute [here the pre-4/14/03 disclosure exception from the accounting
RE: Amendment Questions
Dave,

It was an interesting day in Brooklyn yesterday at the HIPAA conference. And three HHS or OCR attorneys did respond to some questions concerning access, amendment, and accountings. Clearly a CE MAY make the amendment if they are able. And the attorneys were mindful that, for many of us (in the audience yesterday) who are struggling to implement a cost-effective process, there is more to this issue than simply allowing access to the PHI: the ability to find and link together the various places where the PHI resides in order to amend all of it no matter where it resides will be very onerous, especially for PHI created prior to the compliance date. It will be very helpful to see a clearly written statement from HHS.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 01, 2003 12:15 AM
To: 'David Ermer'; '[EMAIL PROTECTED]'
Subject: RE: Amendment Questions

Dave,

I must respectfully disagree with your application of the Q&A that you cited (below). Clearly that Q&A was intended to convey HHS' intent that on and after the compliance date the Privacy Rule will protect all PHI that a CE creates or maintains about an individual, regardless of when that PHI was created. No one would disagree with that intent.

However, the Privacy Rule is imbued with reasonableness that provides us with guidance against implementing onerous processes that would be untenable and too costly. (This concept has been greatly advanced and supported by the recently published Security Rules.) Consequently, and in a number of instances, the Privacy Rule reflects this notion by NOT mandating that CEs implement certain retrieval processes with regard to PHI created prior to the compliance date, for example accountings of disclosure.

Further, the transition rule is relevant to this notion, because the CE is in some instances NOT obligated to execute the BAC until one year after the compliance date, and until that is done, what would be the BA's legal obligation to assist in the amendment of the PHI unless specified in a contract?

Please advise. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: David Ermer [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 28, 2003 10:26 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Amendment Questions

Matt --

Here is an interesting excerpt from the 12/28/00 HHS Preamble which clearly supports my position:

Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule.

Response: We disagree with the commenter's suggestion. The requirements of this regulation apply to all protected health
RE: Hospital programs involving physician shadowing
Melissa, There are at least two issues here: 1) It has been our experience that from time to time the shadow students often may be asked to use the PHI in carrying out responsibilities in ways that may often exceed an organization's original intention. If that is true for a particular organization, we advise them to treat shadow students as part of their workforce, and educate them accordingly. 2) Shadow students are often under 17 years of age, and consequently may NOT be allowed (under certain State statutes) to be members of your workforce. Under those circumstances, your organization may actually need to have patients sign an authorization for the disclosure of PHI to the shadow students. I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: Waterhouse, Melissa [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 1:31 PM To: WEDI SNIP Privacy Workgroup List Subject: Hospital programs involving physician shadowing
A facility we work closely with has a couple programs during which community members come into the hospital and shadow physicians for an entire day. These community members would be exposed to surgical procedures, patient charts etc. I understand that these community members would not be part of the covered entity's workforce, they are not performing any duties for the facility. Is there any other way to continue these programs after April?
Melissa Waterhouse HIPAA Project Coordinator SummaCare Health Plan
RE: Amendment Questions
David, In many instances the CE's DSR is maintained by a BA, and those CE-BA relationships are subject to the transition requirements and the timing of the execution of the BAC. Given this, and the explicit exemption given for accountings for PHI created prior to the compliance date, I would say that HHS's intention would be to allow the CE to start with the compliance date and go forward from that day. But I agree with you that this may be a gray area, and that is why I suggested to Pat that the NPP would let the individual (patient) know what the CE may be allowed to do. I would certainly like to hear from the folks at HHS and OCR about this one. I'll be at the HIPAA conference in Brooklyn tomorrow, and if I have an opportunity to ask, I will. I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: David Ermer [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 10:20 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: Amendment Questions
Matt -- I respectfully question your response. The Privacy Rule, 45 CFR § 164.526(a), states that individuals have the right to request an amendment as long as the CE holds the PHI in a designated record set. Neither § 164.526 nor § 164.524 (the access right) create an exception for PHI created or received before 4/14/03. If such an exception were implicit in the Privacy Rule then there would have been no need for the express exception found in § 164.528 for otherwise accountable disclosures occurring before 4/14/03. Obviously, the right to request an amendment is prospective. A CE is not obligated to search its files for amendment requests that it may have received and denied before April 14. But in my opinion, beginning April 14, an individual is entitled to request PHI access or amendment with respect to PHI created before that date found in the CE's designated record sets.
Best regards, Dave Ermer Gordon Barnett Attorneys at Law 1133 21st St., NW, Suite 450 Washington, DC 20036 202-833-3400 ext 3009 (voice) 202-223-0120 (fax) www.gordon-barnett.com
Matthew Rosenblum [EMAIL PROTECTED] 02/27/03 08:22PM
Patricia, 1) It depends what you say in your NPP, but HIPAA does not mandate that a CE include past information (i.e., PHI created prior to the compliance date) 2) HIPAA does NOT require a written request from the individual I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: Patricia Conroe [mailto:[EMAIL PROTECTED] Sent: Thursday, February 27, 2003 2:31 PM To: WEDI SNIP Privacy Workgroup List Subject: Amendment Questions
I have two questions regarding amendment of the medical/billing record. 1. Do we have to amend info kept prior to the deadline? (The disclosure log specifically says you do not, but nothing on the amendment. What about all those places that have info on microfilm?) and 2. When a patient calls regarding charges
RE: Amendment Questions
Dave, I must respectfully disagree with your application of the QA that you cited (below). Clearly that QA was intended to convey HHS' intent that on and after the compliance date the Privacy Rule will protect all PHI that a CE creates or maintains about an individual, regardless of when that PHI was created. No one would disagree with that intent. However, the Privacy Rule is imbued with reasonableness that provides us with guidance against implementing onerous processes that would be untenable and too costly. (This concept has been greatly advanced and supported by the recently published Security Rules.) Consequently, and in a number of instances, the Privacy Rule reflects this notion by NOT mandating that CE's implement certain retrieval processes with regard to PHI created prior to the compliance date, for example accountings of disclosure. Further, the transition rule is relevant to this notion, because the CE is in some instances NOT obligated to execute the BAC until one year after the compliance date, and until that is done, what would be the BA's legal obligation to assist in the amendment of the PHI unless specified in a contract? Please advise. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: David Ermer [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 10:26 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Amendment Questions
Matt -- Here is an interesting excerpt from the 12/28/00 HHS Preamble which clearly supports my position:
Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule.
Response: We disagree with the commenter's suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopt privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and healthcare clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation.
I agree with you that CE's should clarify gray areas in their NPPs. I do not find this amendment question to be a gray area, however. I find the BA transition provision irrelevant to the resolution of this issue. Please refer to the following excerpted BA guidance from the 12/4/02 OCR guidance:
Q: What are a covered entity's obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?
A: During the contract transition period, covered entities must observe the following responsibilities with respect to protected health information held by their business associates: * * * Fulfill an individual's rights to access and amend his or her protected health information contained in a designated record set, including information held by a business associate, if appropriate, and receive an accounting of disclosures by a business associate.
I would be interested in any further clarification that HHS may provide, but written guidance already is out there.
Best regards, Dave Ermer Gordon Barnett Attorneys
RE: Amendment Questions
Patricia, 1) It depends what you say in your NPP, but HIPAA does not mandate that a CE include past information (i.e., PHI created prior to the compliance date) 2) HIPAA does NOT require a written request from the individual I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: Patricia Conroe [mailto:[EMAIL PROTECTED] Sent: Thursday, February 27, 2003 2:31 PM To: WEDI SNIP Privacy Workgroup List Subject: Amendment Questions
I have two questions regarding amendment of the medical/billing record. 1. Do we have to amend info kept prior to the deadline? (The disclosure log specifically says you do not, but nothing on the amendment. What about all those places that have info on microfilm?) and 2. When a patient calls regarding charges on their bill and after investigation it's discovered that those charges are in fact wrong and shouldn't be there, do you go through the whole amendment process (we have 3 different forms right now for amending info) or is this something we can just go ahead and do? Thanks for your help!
RE: medical vendors as Business Associates
Jill, HHS provided the following guidance in the Preamble to the (initial) Privacy regulations: The term 'medical and other health services' means any of the following items or services. (6) durable medical equipment. So, if the provider of those services conducts a HIPAA-specified electronic transaction in regard to its services, the provider may be a CE. I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 2003 7:42 AM To: WEDI SNIP Privacy Workgroup List Subject: medical vendors as Business Associates
Are medical vendors that supply products like prosthesis, wheelchairs, etc., considered BAs? I have been researching this and can't seem to come up with a clear answer... Thanks in advance
Jill Rubin, Esq. (617)388-2404 [EMAIL PROTECTED]
RE: Are dieticians Business Associates?
Vikas, If the dietary purpose is treatment (including evaluations and assessments for food-intake, medication contraindications, etc.) the dietician would NOT be defined under HIPAA as a business associate. However, if the dietary purpose is related to say, a quality improvement activity (defined under HIPAA as a health care operation), then the possibility exists for the dietician to be defined as a business associate. I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: Vikas Budhiraja [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 25, 2003 11:52 AM To: WEDI SNIP Privacy Workgroup List Subject: Are dieticians Business Associates?
A question about Dieticians. If a contract dietician reviews a patient's medical charts for dietary purposes, is he/she considered a BA? Or would this be considered part of treatment? Thanks, Vikas
RE: Business contracts between CE
Robin, It is my understanding that NO business associate agreement is needed between CEs that share PHI as long as both of those entities are acting in their respective roles as CEs (as opposed to BAs.) For example, when a provider hires a clearinghouse to translate non-standard health information into standardized formats, the clearinghouse would be acting in the capacity of a BA, and a BAC would be required. However, if the provider is disclosing PHI in any format to a health plan's clearinghouse for whatever purpose (on behalf of the health plan), the clearinghouse is acting in a CE capacity (for the provider), and no BAC between the provider and the clearinghouse would be required. I hope that this helps. Your questions are always welcome.
Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED]
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, February 23, 2003 9:25 PM To: WEDI SNIP Privacy Workgroup List Subject: Business contracts between CE
I have a sample contract for BAs, but what do I do about a contract between CEs? And do I need one for all CEs? From what I understand, I can add an addendum to our renewal contracts. Do you have a site I can go to for contracts between CE? Thank you
Robin OB/GYN
RE: BA contracts
Robin,

1) The BAC would be in effect as long as the stated duration (in the BAC).
2) If the BA has no understanding of HIPAA, then, in all probability, a CE would be precluded from sharing PHI with that BA.
3) Usually, no BAC is needed for the purpose of sharing PHI for treatment purposes (e.g., with clinicians, or externs being supervised by clinicians) nor for conduits (e.g., courier services or post offices that have nothing more than incidental exposure to PHI). The software or hardware vendors may require BACs if the technicians need to access PHI in order to do their jobs, e.g., verify the integrity of the data. The billing and collection services will probably require BACs.

In any case, in the Preamble to the (initial) Final Privacy rules, HHS notes that "independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists."

I hope that this helps. Your questions are always welcome.

Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 11:03 PM
To: WEDI SNIP Privacy Workgroup List
Subject: BA contracts

1. How long is the BA contract effective from date signed (effective date)? Unless of course there is a breach.
2. What if BA refuses to sign contract because they have no understanding of HIPAA?
3. Am I correct to have the following sign BA contracts?
   Billing service/agency
   Collection agency
   Software vendor
   Hardware vendor
   Independent contractors who provide clinical services (NP, PAs)
   Students who perform their externships?
   Courier Service ?? They have access to PHI

I appreciate your help.
Robin Henry
OB/GYN
RE: Recording Disclosures (was BA Agreement Questions)
Traci,

I tend to view (at least some of) the audit activities performed by the State as being conducted on behalf of the CE-Health Plans (e.g., Medicaid) as opposed to the CE-providers. As such, those State-conducted audit activities are part of the Health Plans' health care operations. Consequently, the State auditors would probably be construed as Business Associates of the Health Plan. How do others view this?

I hope that this helps. Your questions are always welcome.

Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: Traci.Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003 11:15 AM
To: WEDI SNIP Privacy Workgroup List
Cc: 'Bill MacBain'; Judy.Griffith
Subject: RE: Recording Disclosures (was BA Agreement Questions)

I would like to introduce myself, as I am new to this listserv. I am the HIPAA Privacy Project Manager for a health plan in Illinois. Even though I am new to this listserv, several of your names are familiar from the HIPAAlive listserv.

Noel, I want to be clear I understand your response. Are you saying that it is your opinion that audits performed by a State agency or someone on their behalf fall under disclosing information for our own activities related to "Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs"?

I am not convinced that we could constitute audits being performed by a State agency as part of our own health care operation. I believe this is something that we would have to track and provide an accounting for because it is required by law and the disclosures are made for health oversight activities. Also, it is more than likely that the State agency requiring the audit is not a covered entity so the sharing of PHI for certain health care operations wouldn't apply, and they would not be considered a business associate as they are not doing something on our behalf.

However, I would like to be convinced that this would fall under our health care operations, because currently our system does not have a way to track disclosures made on multiple members, without manually documenting in each member record.

I do agree in that I don't think by mentioning the possibility of a type of disclosure in your NPP a covered entity can relieve themselves of the obligations to track and account for such disclosures.

I welcome everyone's opinion.

Traci Jensen
Compliance Programs Manager/HIPAA Project Manager
Health Alliance Medical Plans, Inc.

-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 8:37 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Recording Disclosures (was BA Agreement Questions)

Under the definition of health care operations, found in section 164.501, item (4) of that definition includes, "Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs." I would take this to mean that the audit is part of TPO, and therefore not a disclosure that needs to be accounted for.

As a footnote, I'm not sure I agree with your implication that by mentioning the possibility of a type of disclosure in your NPP you can relieve yourself of the obligations to account for such disclosures. The disclosures that should and should not be accounted for are enumerated clearly in section 164.528(a)(1). I am not aware of any relief from these requirements through your NPP.

Noel Chang

-- Original Message ---
From: Jim Moores [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Wed, 05 Feb 2003 08:11:02 -0500
Subject: Recording Disclosures (was BA Agreement Questions)

Hi All, I agree with Noel's interpretation But, I would like
RE: authorizations clarification
Traci,

To which NYS State regulation are you referring that requires such an authorization? Please advise?

Your questions are always welcome.

Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: Traci Winter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 1:21 PM
To: WEDI SNIP Privacy Workgroup List
Subject: authorizations clarification

Want some opinions on this issue. NY requires an authorization for release of information for treatment/payment purposes. It is included as a bundled portion of our admission packet. Since this authorization is required by state law is it ok for it to remain bundled and to have a separate authorization for use when HIPAA applies to the disclosure/request for information?

Thanks to all,
Traci Winter
Hospitals Home Health Care, Inc.
RE: Business Associate Question
Steve,

You are correct. UM/UR is a payment activity, and many QM activities are health care operations. When performed by the nurses (as you described below), the nurses would be acting in the capacity of BAs, and a CE would want to consider signing a BAC with the agency that provides the help.

However, please note that in the Preamble to the (initial) Final Privacy rules, HHS says that "independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists."

I hope that this helps. Your questions are always welcome.

Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: Giesecke, Steve [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 2:42 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Business Associate Question

Would appreciate responses to the following BA classification determination:

With respect to Nurse staffing and other medical staffing agencies, including home health care, my assessment is that if nurses are providing treatment services, they (generally) are not BA's and no BAA is needed (as with a provider - provider or plan - provider relationship; treatment exemption applies). If they are providing other professional or administrative services such as UM/QM/CM (come into contact with PHI) then a BAA with the agencies providing them is needed.

Don't want to oversimplify in terms of my assumptions, however anywhere in HIPAA you can simplify is good!

Thank you,
Steve Giesecke
Independent Consultant
Subcontractor to Sierra Systems
(360) 561-3803
HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)
Darrell and Vicki,

Thank you very much for your discussions and insights. And, Yes, Darrell, I would appreciate the contact information for The Legal Action Center.

Thanks again. Your questions are always welcome.

Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 9:40 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

You are absolutely correct that there is much more in HIPAA than what is in 42 C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with their assistance? The Legal Action Center, a well-known, well-respected non-profit based in New York that has done a lot of work in interpreting 42 C.F.R. Part 2, is also supposed to be coming out with a cross-walk supplement, but if people are not already working on this, well ...

If anyone is interested, I can give you contact information for the Legal Action Center.

Darrell Rishel, J.D.
Director of Information Services
Arapahoe House, Inc.
This message is not legal advice or a binding signature.

-Original Message-
From: Vicki Hohner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 12:13 PM
To: Darrell Rishel; [EMAIL PROTECTED]
Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

I have been doing a lot of work with substance abuse programs and HIPAA, and while not deeply familiar with 42 CFR protections we have identified that there are limited areas of overlap with HIPAA privacy. Many subject to 42 CFR mistakenly believe that the fact that they comply with this law, which is more stringent in its use and disclosure requirements, means they are exempt from complying with HIPAA. However, note that there are only a few overlaps between the two: primarily with uses and disclosures/minimum necessary, authorizations, and some limited parts of individual rights. This leaves a lot more under HIPAA that is not addressed in 42 CFR--all the policies and procedures, the privacy officer, business associate terms, the notice of privacy practices, and accounting of disclosures, to name a few. Note also that the definitions of what information is protected are broader under HIPAA than under 42 CFR.

My understanding is that the feds (SAMHSA/CSAT) are working on a comparison matrix between the two--no idea when that may be available.

Vicki Hohner
FOX Systems, Inc.
360-970-6856
360-352-4584
Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system.

Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM

Matt-

I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs) regs), disclosure within a program is allowed on a need-to-know basis without the consent of the patient. This internal disclosure is limited to personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment. In practice, I think this is very close to, if not the same as, the HIPAA use definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)
Darrell,

Thank you very much for this wonderful comparison of the HIPAA regulations to the signed-consent aspects of the AOD regulations (42 CFR part 2). This is very helpful to many of us who work in SAMHSA-funded programs.

Best regards,
Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 19, 2003 4:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

Matt-

I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs) regs), disclosure within a program is allowed on a need-to-know basis without the consent of the patient. This internal disclosure is limited to personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment. In practice, I think this is very close to, if not the same as, the HIPAA use definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the adoption of the August, 2002, HIPAA changes, a wide gap remains between the two sets of regs. While HIPAA allows treatment providers to disclose PHI for treatment and payment (even another provider's payment) without the patient's written consent, the AOD regs absolutely prohibit such disclosures related to payment, and disclosures for treatment (except for medical emergencies) require that a written agreement be in place and that the services which the external provider render be something different than what the primary provider is providing. This written agreement is known in the AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A QSOA is akin to a BA agreement, though much shorter and less complicated, characteristics which are, unfortunately, soon to be a thing of the past.

While a QSOA can be used in limited circumstances for treatment (the biggest problem is that we cannot have one with another AOD provider), its most common use is for operations, just as the HIPAA BA agreement will be used (e.g., we have a QSOA with our auditor, or outside attorneys, the company which prints and sends out our bills, the lab which analyzes the urine specimens we collect, etc.). But, if we want to be able to bill an insurance company or any other third party payer, we have to have the patient's written consent (in fact, we cannot even call to get pre-authorization without written consent; how's that for customer friendly?). If we want to refer the patient to another health care provider, of whatever type, or consult with another provider (like their primary care provider) who has seen the patient, we must have the patient's written consent unless the situation fits within the pretty narrow exception where a QSOA can be used and we have (or can get) one in place (the logistics and pain of trying to get a QSOA with all of those providers, which make doing so pretty impractical).

The requirements in the AOD regs for a valid written consent are very similar to those for a HIPAA authorization: who is disclosing the information, to whom is the information being disclosed, what information is being disclosed and why is it being disclosed, there must be a reasonable, identifiable expiration date, the patient must be able to revoke the consent at any time (one specific exception here for persons referred by an element of the criminal justice system where treatment is a part of the disposition), the name of the patient, the patient's signature and the date
RE: HIPAA privacy and people
Darrell,

Thank you for sharing your thoughts. And now that you brought it up, how would you compare the 42 CFR consent with the (voluntary) HIPAA-consent and the HIPAA-authorization. In my mind, the 42 CFR allows a more generalized use and disclosure for TPO, and consequently is more equivalent to the (voluntary) HIPAA-consent, than it is to the more specific HIPAA-authorization. But, I would like to know your take on this matter.

Thanks in advance.

Matt
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 18, 2003 5:11 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA privacy and people

I really find many of these conversations entertaining (also frequently enlightening and helpful). Unworkable? Hardly. Most of you appear to not realize how lucky you are! Nor does it appear that you give yourselves much credit for being creative and resourceful.

I work for an alcohol and drug abuse treatment provider. We in this field have successfully operated under what is, generally, a more demanding set of patient privacy rules (42 C.F.R. Part 2, not to mention state mental health statutes, which are also usually very strict) than those found in HIPAA. E.g., unlike regular health care providers, we have to have the patient's written authorization to talk to another treatment provider, not to mention just about everyone else, including payers. If we can successfully operate in our environment, you can successfully operate in the HIPAA environment!

Will you have to change some of your current business practices? Yes. Will you frequently find the rules to be a pain in the neck (not to mention other parts of your anatomy)? Certainly. Is compliance an impossible task? No. Will it cost you some money, not only to implement, but to abide by in the future? Probably. Are all of these new rules, which are intended to benefit patients in terms of protecting their privacy, going to be otherwise beneficial to them? No. Some of the burden of complying with these rules is going to make it harder for patients, too. These rules are not necessarily customer friendly. The patients are going to have to make some changes and part of our responsibility will be to educate and help them. No doubt we will frequently be blamed for the inconvenience, but what's new?

As with any other set of government statutes and regulations which I have ever read, there are ambiguities, if not worse defects. It will take time, and perhaps additional rule-making, to sort everything out (if we ever get to that point, which may never happen in such a complex area with so many legitimate, competing private and public interests). I suggest, however, that it would be more productive to spend time looking for solutions to the challenges presented rather than bemoaning our fate.

Pin numbers? I think that may be a very workable concept for some settings. I've been telephoning my bank for years (mostly I do it on-line now) and putting in a pin number and my account code to access my bank account. Let's get on with it!

Darrell Rishel, J.D.
Director of Information Services
Arapahoe House, Inc.
This message is not legal advice or a binding signature.

-Original Message-
From: fwdanby [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 5:01 PM
To: WEDI SNIP Privacy Workgroup List
Cc: WEDI SNIP Privacy Workgroup List
Subject: Re: HIPAA privacy and people

With the same due respect, and I, too, mean it sincerely, the word 'unworkable' is very tempting to apply to the whole HIPAA scenario where there is an interface with patients. Take a look at what all you very bright and well-intentioned folks have been posting over the past several months. This is a high level of confusion among intelligent people. Now translate that to the undeniable fact that half the people in the real world are below average intelligence (IQ 100) and the world we physicians
RE: Board of Directors - Workforce or Business Associates?
Leslie, A Corporation's charter and bylaws would control how the Board may function. Consequently, the Board could be construed as part of the workforce. Further, in the Preamble to the (initial) Final Privacy rules, HHS notes that, independent contractors may or may not be workforce members. However, for compliance purposes we will assume that such personnel are members of the workforce if no business associate contract exists. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] -Original Message- From: Leslie C Bender [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 4:12 PM To: WEDI SNIP Privacy Workgroup List Cc: 'Drexler, Deborah (EHS)' Subject: RE: Board of Directors - Workforce or Business Associates? How are organizations classifying Board of Directors or Trustee members? 
Workforce -- or since they are not under the direction of the covered entity, but have a need from time to time, to receive PHI, or might they better be classified as business associates and need a business associate agreement? Leslie C. Bender General Counsel/Privacy Official The ROI Companies 1922 Greenspring Drive, Suite 7 Timonium, Maryland 21093
RE: Here is a good Privacy Issue that will cause problems
Tim, I must respectfully disagree with your fundamental analysis of this scenario. Pharmacists (chemists) have, for more than 2000 years, been part of a triad (including physicians and nurses) engaged in an on-going clinical (NOT business) practice of ensuring that the correct medications and drugs are received by the correct patients. Whenever we remove one of those clinical disciplines from the decision-making process, medication errors and mistakes are likely to increase. It is NOT the intention of HIPAA to deter a good clinical practice. Unfortunately, when unscrupulous people get hold of blank-prescriptions, innocent people may get hurt. Under HIPAA, our responsibility then becomes mitigation of the harm. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 6:00 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Here is a good Privacy Issue that will cause problems In my personal opinion, this practice - violating patient privacy, in the name of detecting abuse by private businesses - which is (it appears to me) unsupported by statute (unless mandated by DEA regulation) - is contrary to both many state laws and HIPAA. I agree the practice serves a valuable community need, as well as the needs of the abusing patient (intervention). However, as it (as I see it) is NOT a law enforcement reporting issue, but rather a home grown solution, that business simply do out of common sense, the practice will either have to be suspended, with suspects reported to law enforcement - cutting out the Sherlock Holmes detection engaged in by pharmacists in the process - or get a state statute passed to support and require the activity. After all, it appears to me that what is really occurring here is abuse of privacy, and potentially serious defamation, and that a case might be made for damages if a person is placed on these distribution lists wrongly. However, as I am not an attorney I cannot pass on a formal opinion. Just keep in mind that a person DOES NOT LOSE ANY RIGHTS just because a pharmacist suspects abuse!!! It is up to statutory law enforcement to investigate, and a court to determine if a crime has been committed, NOT A CE, regardless of their practices. I am frankly amazed that we have not heard more litigation on this issue. Regards, Tim McGuinness, Ph.D. Consulting Specialist in Regulatory Privacy, Security, and Application Compliance