RE: business associate - yes or no?
Wendy, Just to add my own humble opinion I think that Errick has a good point - one worth emphasizing. Don't let the flow of money confuse the issue. The definition of business associate does not mention who is paying who; just what is done, and for whom. I think what you have to look at (as you indicate below) is what services are being provided, are they done on your behalf, and do some of these services go beyond the realm of treatment. We (as a nursing facility) have contracts with several providers to define the services provided to residents of the facility, but these contracts address treatment and do not necessarily bring us into the realm of a business associate relationship. Some of the providers provide services that go beyond treatment, and are for our benefit; in those cases, we sign a BAA. Some of the providers simply provide treatment, and the contracts are required for other reasons, but pretty much just say they are there for treatment of residents; we do not sign BAA with them. Just my own thoughts. I think sometimes we let other details confuse us (kinda like the math word problems when we were kids, and we had to identify which information given to us was necessary to solve the problem). I do remember OCR stating that just because a provider has a contract with someone does not mean that they are a business associate. Rather, the nature of the relationship has to be examined to determine if they are a BA. Rachel -Original Message- From: Reynolds, Wendy J [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2003 1:28 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: business associate - yes or no? I guess my heartburn with this one is that this is the not the normal indirect treatment relationship which we'd normally have with another covered entity. This is for contracted services. We receive grant money, and in turn we contract with a hospital to provide breast and cervical cancer screenings and follow up diagnostic services. This contract is for the contractor to follow our criteria for patient eligibility, we tell the contractor what types of services to provide and how often, we also tell the contractor how to report the findings. Furthermore, the contractor must perform case management, surveillance, transportation as per the agreement signed by us. The contractor also has to provide a percentage of matching funds which may include a differential between any usual fees charged and the reimbursable capita rate. I can understand that diagnostic services are indirect treatment, but these services are not the same as a doctor referring patients to an independent diagnostic facility. There are other operational type things going on beside treatment. If I cannot talk the contractor into signing a mutually acceptable BAA, I will probably let them execute without it and pose the question to OCR (and wait 6 months for an answer...) Thank you everyone who replied. I appreciate the sounding board. Wendy J. Reynolds, MPA, CHP EVMS Director of Privacy Program EVMS HS Clinical Auditor Eastern Virginia Medical School Fairfax Hall, 1st floor 721 Fairfax Avenue Norfolk, VA 23507 (757) 446-0337 [EMAIL PROTECTED] -Original Message- From: taway3 [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2003 2:18 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: business associate - yes or no? Rachel and Wendy, I'm going to respectfully disagree. If my physician sends me to an imaging facility for x-ray, would that not be a treatment relationship? My understanding is that two CE's collaborating on treatment do not require a BAA. What is different here? Regards, Roger Wernow RMW Associates (A Consulting Company) 321-956-0485 -Original Message- From: Rachel Foerster [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2003 1:38 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: business associate - yes or no? Wendy, based on your description of this activity I would conclude that your contractor is indeed your business associate. You have engaged this contractor to perform a function on your behalf using PHI. Rachel Foerster Rachel Foerster Associates, Ltd. Voice: 847-872-8070 email: [EMAIL PROTECTED] -Original Message- From: Reynolds, Wendy J [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2003 12:06 PM To: WEDI SNIP Privacy Workgroup List Subject: business associate - yes or no? I am in the process of reviewing a contact which will entail an agreement between us (a covered entity) and the contractor (another covered entity) in which the contractor will provide cancer screening/diagnostic tests to a specific category of women (income guidelines, age, etc.) per grant parameters. I am having trouble with this one, because usually treatment reasons do not necessitate a business associate agreement between two covered entities. However, we are paying the contractor a per capita rate to provide the services (diagnostic
Unnecessary BAAs
Does anyone have any suggestions on what to do when a Business Associate Agreement has been signed unnecessarily? For instance, a nursing facility has signed a BAA with a durable medical equipment provider, naming the nursing facility as the BA. As both entities are considered health care providers, and the nursing facility has been determined not to be providing services to the durable medical equipment provider, it is not necessary for the nursing facility to sign the BAA naming the facility as the BA. The facility did this, and now has a contractual obligation to do a number of things unnecessarily. For instance, the terms of the agreement state that the facility will notify the medical equipment provider within X number of days of a breach of privacy, notify when accounting for an accountable disclosure, etc. This being the case, the agreement requires that the facility do such things as notify the organization every time it has a state inspection (which occurs no less than annually), because that is an accountable disclosure. This seems absolutely unnecessary; the facility does not provide any services to the other entity. If anything, it would be the other way around. What is the best way to terminate or modify these provisions? Can they just cancel the agreement, even though it has the termination provisions required by the Privacy Rule (return or destruction of PHI, etc.) What if the other entity is adverse to terminating or modifying the BAA? Has anyone else encountered this? On a completely unrelated note, I just had one of my previous health care providers (who is a covered entity, I received a NPP from them) leave a message on my answering machine informing me that their office is providing services to someone else with my name. They apparently haven't been checking birth dates, or other information, and they think they may have accidentally billed my insurance. They want my help in investigating/fixing this situation. Seems to me that there may have been a way to approach this without telling me that someone else named Rachel Cass is receiving services from them; anyone agree? (No, I really don't intend to contact OCR on this; just think it is an interesting Privacy scenario). It also make me wonder if another Rachel Cass has been told that I have been treated by that provider. Thanks - Rachel M. Cass (319) 430-6591 [EMAIL PROTECTED] IMPORTANT NOTICE: This e-mail, including attachments, may be confidential or privileged communication intended for the exclusive use of the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. If you think that you have received this e-mail in error, please advise the sender by reply e-mail of the error and then delete this e-mail immediately. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Thanking a patient for a referral
Why does the thank you note have to identify the patient who was referred? Seems to me if the thank you note said "Our office thanks you for referring a friend to our office," that accomplishes the same purpose, and does not release PHI. I had an eye doctor once who was referred to me by my aunt. I was apparently not the first person she referred, and he ended up giving her a discount on her next visit for all the business. But I do not think it would have been necessary for him to tell her "Rachel stated she was referred by you; that's the fourth referral you made, here's a 10% discount," but could say "Thank you for the four referrals. To show our appreciation, we are offering you a 10% discount on you next visit." Rachel --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: NPP in the waiting room
I believe that in the conference call Wednesday, an OCR rep stated that there is no requirement as to how a provider posts the NPP, only that the provider post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice 164.520(c)(2)(iii)(B) I think that the goal is that it is accessible; not necessarily that a person can stand in a office and read it from the wall. I work with providers who plan to hang a notice in a publicly accessible place on the wall (the pages binded) or on a table, and clearly mark its location. I would think that this satisfies the requirement that individuals seeking service...be able to read the notice. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, March 28, 2003 9:57 AM To: WEDI SNIP Privacy Workgroup List Subject: NPP in the waiting room Is the requirement for the posting of the NPP satisfied in a provider's office by having multiple copies in notebooks throughout the waiting room, or does it have to be posted on the wall? Thanks very much. Vicki Saunders Compliance Manager/Privacy Officer [EMAIL PROTECTED] Confidentiality Notice: The information contained in this e-mail transmission is confidential information and intended for the sole use of the individual(s) or entity named in the message header. If you are not the intended recipient, you are hereby notified that any dissemination, copying or taking any action in reliance on the contents of this information is strictly prohibited. If you receive this message in error, please notify the sender of the error and delete this message, any attachments and all copies. Thank you. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
policy dev for clearinghouse
Another clearinghouse question 164.506 (c)(4) states that (paraphrased): 'A covered entity may disclose protected health information to another covered entity for health care operations of the entity that receives the information, if both covered entities has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is for quality related healthcare operations or for the purpose of healthcare fraud and abuse detection or compliance.' My question is as follows: For this purpose, would a health care clearinghouse be considered to have a relationship with the individual who is the subject of the protected health information? For instance, in developing policies and procedures for a clearinghouse, would one interpret this provision to permit the clearinghouse to disclose information it has on an individual to other covered entities (who have a relationship with the individual) for the reasons listed? I ask this question for the purpose of policy development. Its obvious to me that the clearinghouse would be permitted to exchange information with the entity from which it originally received the information, but what about other covered entities? (Covered Provider A gives the information to the clearinghouse; if Covered Provider B or Insurance C has a relationship with the individual, would the clearinghouse disclose the individual's information to Covered Provider B or Insurance C for the reasons listed in this reference?) Is this even a concern, or a possibility that this situation would arise? Thanks, Rachel M. [EMAIL PROTECTED] IMPORTANT NOTICE: This e-mail, including attachments, may be confidential or privileged communication intended for the exclusive use of the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is strictly prohibited. If you think that you have received this e-mail in error, please advise the sender by reply e-mail of the error and then delete this e-mail immediately. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Business Associate Contracts
I apologize for redundancy if this has already been addressed I wonder if anyone can point me to a resource that indicates how a BAA might be structured if both entities are a covered entity? For instance, in the case of an agreement between a clearinghouse and provider. Should the clearinghouse require similar BAA provisions of the provider? Thanks in advance. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Temporary Employees
In the case of a provider using temporary nursing staff, wouldn't the provider be able to sign a BAA with the nursing staffing agency, and as with all facility policies (disaster, etc), indicate to the temp nurses as to where to find the policies and Notice? What kind of burden would that place on a health care facility to individually train every new nurse that arrives at the facility from an agency? I've recently joined this list, so perhaps I missed an earlier discussion on how to handle nursing staffing agencies. I apologize for any redundancy. -Original Message- From: Michael Sullivan [mailto:[EMAIL PROTECTED]] Sent: Monday, February 10, 2003 3:04 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Temporary Employees HIPAA covers every employee who has access to Protected Health Information, whether temporary or permanent. Given that civil liabilities could be huge, potential plaintiffs would undoubtedly name the employee, the agency and the CE as co-defendants. On the most base level, I can't think of a situation where the Temp employee shouldn't know where to find a Notice of Privacy Practices. Michael Sullivan HIPAA Privacy Consultant -Original Message- From: Deborah Campbell [mailto:[EMAIL PROTECTED]] Sent: Mon 2/10/2003 12:30 PM To: WEDI SNIP Privacy Workgroup List Cc: Subject: RE: Temporary Employees I have heard CE's respond both ways. I would like to get an idea of what the majority of people are doing. And are you treating temp agencies that supply office staff differently than temp agencies who supply nursing staff? Thank you! Deborah Campbell Compliance Coordinator Dominion Dental Services, Inc. 115 South Union Street, Suite 300 Alexandria, Virginia 22314 Phn: (703) 518-5000 ext. 3035 Fax: (703) 518-8849 Toll Free: 888-518-5338 Email: [EMAIL PROTECTED] *** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. * -Original Message- From: Hromatka, Valerie [mailto:[EMAIL PROTECTED]] Sent: Monday, February 10, 2003 3:30 PM To: WEDI SNIP Privacy Workgroup List Subject: Temporary Employees Had a question come up today regarding temporary employees. If we have a temp for a couple of weeks, is that person considered a member of our workforce and are we required to train that person on HIPAA Privacy? Thanks for your input! Valerie Hromatka System Administrator Privacy Officer Western Washington Medical Group 3207 Wetmore Ave Everett, WA 98201 wwmedgroup.com 425-259-4041 425-252-6642 --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used
RE: Covered Entity or Not
I would like to ask the group a related, but varied question, regarding hybrid and affiliated entities. Two scenarios: 1) Skilled Nursing facility has attached assisted living, with same ownership (lets say we call this a single legal entity). (Of course, the nursing facility is Medicare/Medicaid certified, and the assisted living is state certified.) Assisted living does not conduct any electronic transactions (all is done on paper), nursing facility does conduct electronic transactions. The two are distinct parts, offering distinct services. Is this a hybrid situation? If so, I assume this should be documented. 2) Same situation, except 2 nursing facilities, and 2 assisted living, separate legal entities, under common ownership as defined by the rule. May the two facilities designate themselves as affiliated covered entities? Should they include the assisted living as part of that designation? Can they avoid designating the assisted living as a covered component or entity? I've got a handle on this Privacy thing, and even the covered entity thing, but have just recently had questions regarding the definition of hybrid and affiliated entities. Seems a little tricky to me, depending upon one's interpretation. Any input will be appreciated. Thanks. -Original Message- From: Scott F Kimbel [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 02, 2003 10:22 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Covered Entity or Not William, This question always come up in my seminars, my standard answer is, you may not have to legally comply, however HIPAA is meant to be best business practices, it's meant to protect a patients privacy. Think about it this way, on April 15 it's estimated over 10 million Notices of Privacy practice will be sent out or acknowledged. You can bet a single consumer will receive several, all indicating how each particular healthcare provider will protect their personal health information. Maybe they won't care that a particular provider doesn't give them one of these documents, they will probably still hold them to the standard. BTW the definition of in electronic form is as follows (from CMS) In Electronic Form Using electronic media, as that term is defined at 45 C.F.R. 162.103. It includes transmissions over the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or CD media. Hope this helps, Scott Kimbel Kimbel Morrow and Associates Inc. 866-598-2593 -Original Message- From: William J. Kammerer [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 02, 2003 11:54 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: Covered Entity or Not I believe you - I've heard nonsense interpretations along those lines in the past, too. But I have a solution. In order for my chiropractor to avoid sanctions and penalties for sending his electronic transaction via his computer fax without using the standard X12 format, he can instead fax it to a heavily capitalized clearinghouse with a large IT staff. Since the clearinghouse can operate as a non-covered entity whenever it damn well pleases, it can print out the fax and mail it to the payer for 35ยข plus postage. William J. Kammerer Novannet, LLC. Columbus, US-OH 43221-3859 +1 (614) 487-0320 - Original Message - From: Rachel Foerster [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Sunday, 02 February, 2003 02:32 PM Subject: RE: Covered Entity or Not According to CMS, yes, this scenario would constitute an electronic transaction, and thus be subject to HIPAA requirements. This topic was discussed a few weeks ago on another SNIP list (can't recall which one) and HIPAAlive, I think. Zon Owen responded with a message that attempted to bring insight into CMS' thinking about why this would be electronic transactions - something along the lines of this being computer-to-computer and thus electronic. William, you're good with the archives of these lists - I bet you can find the thread in a heartbeat! Don't yell at meI think this is one of the most ludicrous things amongst myriad HIPAA ludicrous stuff. Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] -Original Message- From: William J. Kammerer [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 02, 2003 11:52 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: Covered Entity or Not So, let's say I'm a part-time chiropractor and I have occasion to send in a dozen or so claims a week. I get tired of hand-filling in the HCFA 1500, so I get a Word document template for the form and key data in, perhaps with the aid of a macro.