Re: mail filtering

2003-03-06 Thread Mimi Hart
Sorry to be naive, but how is this different than expecting my
colleagues to follow other procedures? Cover sheets on faxes? Not taking
PHI home? Not discussing PHI in the lunch room? They are professionals,
there are certain professional rules they have to follow like wearing
gloves around blood borne pathogens and the like, why is privacy
different?

It is my responsibility to get a system that works for my staff. It is
their responsibility to follow any accompanying policies and procedures
that support/surround the system.

My opinion only...Mimi


Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> Jim Hewitt <[EMAIL PROTECTED]> 03/04/03 09:05PM >>>
I agree with most of Bill Kammerer's contributions on
this forum, but disagree with this one:
> do we need any more proof that email filtering doesn't work?

Filtering isn't a silver bullet, but it's part of the
solution.

> ..."rely on users' training and intelligence."
That won't work.  Taking email encryption as an
analogous example, you've probably seen the Carnegie
Mellon paper from a few years ago, "Why Johnny Can't
Encrypt."  They studied a group of fairly high-skill
users (CS researchers), and gave them the task of
sending and receiving encrypted email.  Most of them
had trouble with the software (PGP 5.1, I think), but
more importantly they consistently forgot to click on
"encrypt" when they had a confidential message to
send. 

If you're relying on users' training and intelligence
ALONE you're almost certainly not compliant.  You
don't rely on that alone.  As one user told me, "It
would be insane to install a bunch of keyword
triggers, sit back and assume you're compliant."  It
would also be insane to base your compliance on users
remembering to do the right thing.

Email filtering is similar to IDS.  You have to buy a
good commercial package, spend a lot of time tuning it
for your organization, install updates almost daily,
and put in a lot of maintenance by a live sysadmin. 
Nobody said it was cheap, and the false positives
certainly are annoying, but it's necessary, in my
view.

By the way, I've seen a lot of unanswered requests for
lists of PHI keywords.  I don't think anybody has a
list they are happy with.  Anybody who has, please
chime in.


---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org
*

This message and accompanying documents are covered by the Electronic Communications 
Privacy Act, 18 U.S.C. §§ 2510-2521, and contain information intended for the 
specified individual(s) only. This information is confidential. If you are not the 
intended recipient or an agent responsible for delivering it to the intended 
recipient, you are hereby notified that you have received this document in error and 
that any review, dissemination, copying, or the taking of any action based on the 
contents of this information is strictly prohibited. If you have received this 
communication in error, please notify us immediately by e-mail, and delete the 
original message.

*



RE: Non-Routine and Non-Recurring

2003-02-19 Thread Mimi Hart
Boo-boos are a good non-routine, non-recurring example...faxing PHI to
the wrong physician office, a claim that accidentally lands at the wrong
payer...eligibility requests to the wrong TPA. I think these are some
of the biggies that people are overlooking. MIMI

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/19/03 09:49AM >>>
Greg,

 

To a large extent the difference between routine and non-routine
disclosures for TPO may reflect the type of treatments, payments, and
operations that are "routinely" executed by the various types of health
care providers. For example, reporting "birth information" to the State
is more of a "routine" for a hospital with an obstetrics unit, than say,
for a geriatric nursing home.

 

I hope that this helps.

 

Your questions are always welcome.

 

Matt

 

Matthew Rosenblum

Chief Operations Officer

Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com <http://www.cpidirections.com/> 

 

CPI Directions, Inc.

10 West 15th Street, Suite 1922

New York, NY 10011

 

(212) 675-6367

[EMAIL PROTECTED] 

 

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law. If you have received this communication in error,
please do not distribute it. Please notify the sender by E-Mail at the
address shown and delete the original message. Thank you.

 


 

-Original Message-
From: Bard, Greg [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 19, 2003 9:31 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Non-Routine and Non-Recurring

 

Does anyone have some good examples of non-routine and non-recurring
disclosures?

 

I have included marketing as a non-routine and non-recurring for a
policy example but was hopeful someone had some additional examples.

 

Thanks!

 

Greg Bard

NASCO

HIPAA Privacy and Security Project Manager

(W) 678.441.6059

(F)  678.441.6359

[EMAIL PROTECTED] 

 

 


__

CONFIDENTIALITY NOTICE

The information in this message (and the documents attached to it, if
any) is confidential and may be legally privileged. It is intended
solely for the addressee. Access to this message by anyone else is
unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken, or omitted to be taken in
reliance on it is prohibited and may be unlawful. If you have received
this message in error, please delete all electronic copies of this
message (and the documents attached to it, if any), destroy any hard
copies you may have created and notify me immediately. Thank you.

 

 

 

 

 


RE: NPP revisions

2003-01-29 Thread Mimi Hart
My non-legal opinion is that this is overkill...and that patients will
be annoyed. I don't believe that was the intent of the privacy regulations.


1. Why do you expect your NPP to change frequently? Is it so specific
that every new request for data (such as from a new accreditation
agency) will cause it to be updated?
2. Could you date or letter your NPP so it is easier to recognize which
edition/version was given? If your application can accommodate a yes/no
to show they received it, why could it not accommodate a date or letter?
3. Think of the costs of this practice. Will you be keeping paper
copies, which must be filed, or electronic copies, which take up disk
space? 

My personal opinion only. Mimi

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]
>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 01/29/03 18:56 PM >>>
Traci,

 

You will still need to maintain (and track) those
signed-acknowledgements. In the Committee's plan, it seems that there
will be many more acknowledgements to maintain.

 

I hope that this helps.

 

Your questions are always welcome.

 

Matt

 

Matthew Rosenblum

Chief Operations Officer

Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com <http://www.cpidirections.com/> 

 

CPI Directions, Inc.

10 West 15th Street, Suite 1922

New York, NY 10011

 

(212) 675-6367

[EMAIL PROTECTED]

 


 

-Original Message-
From: Noel, Linda A. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 29, 2003 3:15 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: NPP revisions

 

Expense.

 

Linda Noel 
Corporate Privacy Officer 
Corporate Compliance 
Orlando Regional Healthcare 
321-843-8693 

-Original Message-
From: Traci Winter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 2:27 PM
To: WEDI SNIP Privacy Workgroup List
Subject: NPP revisions

164.520 [c][2][iv] Whenever the notice is revised, make the notice
available upon request on or after the effective date of the revision
and promptly comply with the requirements of paragraph [c][2][iii] of
this section, if applicable.

 

I just want to run this by everyone, in our HIPAA committee meeting
today we have decided to provide a NPP and get a signed acknowledgement
of receipt with each admission to home care services, even if the
patient was previously receiving services from our agency.

The reasoning is, with the rapid turnover of our patients it would be
extremely difficult to track which "edition" of our NPP a patient had
received, and since our patients sometimes are re-admitted to our
services years down the road it would allow us to make sure we had
documentation that the NPP had been given.

We may put a section on our acknowledgement form for the patient to
check/sign if they are refusing a copy due to previous receipt.

I think this should cover us pretty well. Any cons to the plan?

 

 

Traci Winter

Hospitals Home Health Care, Inc.

 


RE: Off the Shelf/Home Grown Apps containing PHI

2003-01-24 Thread Mimi Hart
Does anyone have an educational document they are willing to share that
explains to all those NON IT system admins/developers of homegrown apps
(Access Databases, Excel Spreadsheets, etc.) containing PHI what their
responsibilities are and some helpful tips on how to secure their
information? 

I know someone on one of the listservs said their corporate policy was
that no one was allowed to keep PHI on such beasts, but I am sure many
organizations are in the bind of eventually hoping to do away with all
of those that are already in use, but not having enough staff to even
begin tackling replacing/doing away with them.

Thanks MIMI

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]



Re: Here is a good Privacy Issue that will cause problems

2003-01-15 Thread Mimi Hart
My gut feeling tells me "huge issue"...I don't know if there is
something in public health law that would state that it is being done in
the best interests of the patient and is therefore okay...hopefully
one of the lawyers on the group will weigh in. MIMI

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> "Rebekah Savoie" <[EMAIL PROTECTED]> 01/15/03 02:53PM >>>
Today, a clinic that I work with received a letter from a local
pharmacy about a patient that was a "Drug Seeker" as we call them. Over
the course of 30 days he had been to several doctors and several
pharmacies and received over 350 total pills all a controlled substance.

What happens to the pharmacy's ability to do these types of things
under Privacy?

Clearly, pharmacists were communicating information back and forth to
each other and to physicians on this person. They even sent letters to
all physicians in the area.

Problem? yes or no

Rebekah Savoie, CCS-P
Healthcare Consultant




RE: HIPAA-related privacy question (I think)

2002-10-22 Thread Mimi Hart
I think we need clarification on this from a higher entity, someone
from CMS? 

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> [EMAIL PROTECTED] 10/22/02 03:02PM >>>
A covered entity is a health plan, practitioner/facility or a
clearinghouse. In the case of electronic transactions, an entity may
not have to comply with the electronic transaction and code set
standards if it is doing EVERYTHING BY PAPER; and it could get an
automatic extension until Oct. 2003 if it's a small health plan. But it
still is considered a covered entity and has to comply with other parts
of the law - such as privacy, for example.

Marilyn Musser
Provider Relations Manager
HIPAA-AS Communications Office
Wellmark, Inc.
phone: 515.248.5588
fax: 515.245.4620
[EMAIL PROTECTED] 

-Original Message-
From: Jan Root [mailto:janroot@;uhin.com]
Sent: Tuesday, October 22, 2002 2:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: HIPAA-related privacy question (I think)

Here's an issue I'd like people to think about and perhaps share what
they (payers and providers alike) might do. I think it is a non-HIPAA
issue, but it seems quite closely related to privacy and liability. I'm
not an expert on privacy so I might have taken a mis-step somewhere in
my chain of thought: all comments or corrections are welcome!

The setting:
1. The provider elects not to do HIPAA transactions and thus is a
non-covered entity.
2. The provider sends paper claims to a payer.
3. The payer sends a paper EOB to the provider. The payer is disclosing
PHI to a non-covered entity (the provider).
4. Covered entities are allowed to disclose PHI for TPO to 'health care
providers'

Issue:
Because the provider is a non-covered entity (NCE), and, hence, is not
subject to the Privacy Rule, are payers going to include in their NCE
provider-payer contracts some kind of stipulation that the NCE provider
protect PHI? (I don't think you can use a business associate contract to
do this: The provider cannot be a business associate because they are
not performing any of the payer's covered entity functions, yes?) Are
payers, in essence, going to say to their NCE provider contingency "Hey,
you need to protect this information to the same level I do (i.e., as if
you were a covered entity)"? I would assume that payers would like
providers to share some of the risk of handling PHI. If the provider is
a covered entity, then HIPAA covers that. If the provider is not a
covered entity, then what?

Stray thought: Probably one of the major differences for CE and NCE
providers is that if there were a breach of privacy involving a NCE
provider the matter would not go to the Secretary of HHS (assuming it
got that far). Instead it would go to a state (?) court and state laws
would apply, both state privacy laws and state contract violation laws
(?).

Mostly I'm interested in hearing how payers are going to handle their
non-covered-entity providers from a liability perspective. It seems
like all payers who allow submission of paper claims will be faced with
this question. Maybe I'm all wet and there's no issue here at all!

I don't know if there are any NCE providers on this list serve (??) but
if there are, from the provider perspective, are NCE providers going to
be willing to sign payer-provider contracts that stipulate that they
protect PHI (and are subject to fines if they don't)?

Thanks in advance for your thoughts.

Jan Root, Ph.D.
UHIN Standards Manager


