HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
Darrell & Vicki, Thank you very much for your discussions and insights. And, "Yes", Darrell, I would appreciate the contact information for The Legal Action Center. Thanks again. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Darrell Rishel [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 9:40 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy) You are absolutely correct that there is much in HIPAA than what is in 42 C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with their assistance? The Legal Action Center, a well-known, well-respected non-profit based in New York that has done a lot of work in interpreting 42 C.F.R. Part 2, is also supposed to be coming out with a "cross-walk" supplement, but if people are not already working on this, well ... If anyone is interested, I can give you contact information for the Legal Action Center. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. > -Original Message- > From: Vicki Hohner [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 22, 2003 12:13 PM > To: Darrell Rishel; [EMAIL PROTECTED] > Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 > (Alcohol and Drug Patient Privacy) > > > I have been doing a lot of work with substance abuse programs > and HIPAA, > and while not deeply familar with 42 CFR protections we have > identified > that there are limited areas of overlap with HIPAA privacy. > Many subject > to 42 CFR mistakenly believe that the fact that they comply with this > law, which is more stringent in its use and disclosure requirements, > means they are exempt from complying with HIPAA. However, note that > there are only a few overlaps between the two: primarily with uses and > disclosures/minimum necessary, authorizations, and some > limited parts of > individual rights. This leaves a lot more under HIPAA that is not > addressed in 42 CFR--all the policies and procedures, the privacy > officer, business associate terms, the notice of privacy > practices, and > accounting of disclosures, to name a few. Note also that the > definitions > of what information is protected is broader under HIPAA than under 42 > CFR. > > My understanding is that the feds (SAMHSA/CSAT) are working on a > comparison matrix between the two--no idea when that may be > available. > > Vicki Hohner > FOX Systems, Inc. > 360-970-6856 > 360-352-4584 > Information transmitted is confidential and may be proprietary to FOX > Systems, Inc. It is intended only for the person or entity > to which it > is addressed. Anyone else is prohibited from disclosing, copying, or > disseminating the contents or attachments. If you receive this in > error, please notify sender immediately, or us at www.foxsys.com and > delete from your system. > >>> Darrell Rishel <[EMAIL PROTECTED]> 01/20/03 08:57 AM >>> > Matt- > > I'll take a stab at answering your question. Please remember > that in an > effort to keep it relatively brief, this is a fairly simplistic, > high-level > overview. > > Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and > Other > Drugs)regs), disclosure within a "program" is allowed on a > need-to-know > basis without the consent of the patient. This "internal" > disclosure is > limited to "personnel having a need for the information in connection > with > their duties which arise out of the provision of diagnosis, treatment, > or > referral for treatment." In practi
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
You are absolutely correct that there is much in HIPAA than what is in 42 C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with their assistance? The Legal Action Center, a well-known, well-respected non-profit based in New York that has done a lot of work in interpreting 42 C.F.R. Part 2, is also supposed to be coming out with a "cross-walk" supplement, but if people are not already working on this, well ... If anyone is interested, I can give you contact information for the Legal Action Center. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. > -Original Message- > From: Vicki Hohner [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 22, 2003 12:13 PM > To: Darrell Rishel; [EMAIL PROTECTED] > Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 > (Alcohol and Drug Patient Privacy) > > > I have been doing a lot of work with substance abuse programs > and HIPAA, > and while not deeply familar with 42 CFR protections we have > identified > that there are limited areas of overlap with HIPAA privacy. > Many subject > to 42 CFR mistakenly believe that the fact that they comply with this > law, which is more stringent in its use and disclosure requirements, > means they are exempt from complying with HIPAA. However, note that > there are only a few overlaps between the two: primarily with uses and > disclosures/minimum necessary, authorizations, and some > limited parts of > individual rights. This leaves a lot more under HIPAA that is not > addressed in 42 CFR--all the policies and procedures, the privacy > officer, business associate terms, the notice of privacy > practices, and > accounting of disclosures, to name a few. Note also that the > definitions > of what information is protected is broader under HIPAA than under 42 > CFR. > > My understanding is that the feds (SAMHSA/CSAT) are working on a > comparison matrix between the two--no idea when that may be > available. > > Vicki Hohner > FOX Systems, Inc. > 360-970-6856 > 360-352-4584 > Information transmitted is confidential and may be proprietary to FOX > Systems, Inc. It is intended only for the person or entity > to which it > is addressed. Anyone else is prohibited from disclosing, copying, or > disseminating the contents or attachments. If you receive this in > error, please notify sender immediately, or us at www.foxsys.com and > delete from your system. > >>> Darrell Rishel <[EMAIL PROTECTED]> 01/20/03 08:57 AM >>> > Matt- > > I'll take a stab at answering your question. Please remember > that in an > effort to keep it relatively brief, this is a fairly simplistic, > high-level > overview. > > Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and > Other > Drugs)regs), disclosure within a "program" is allowed on a > need-to-know > basis without the consent of the patient. This "internal" > disclosure is > limited to "personnel having a need for the information in connection > with > their duties which arise out of the provision of diagnosis, treatment, > or > referral for treatment." In practice, I think this is very > close to, if > not > the same as, the HIPAA "use" definition. Although the AOD regs do not > require a formal minimum necessary analysis, the concept of only > disclosing > the minimum amount of information necessary to accomplish the purpose > for > making the disclosure is clearly embedded in the regs. > > It is the disclosure to external entities where, especially with the > adoption of the August, 2002, HIPAA changes, a wide gap > remains between > the > two sets of regs. While HIPAA allows treatment providers to > disclose PHI > for > treatment and payment (even another provider's payment) without the > patient's written consent, the AOD regs absolutely prohibit such > disclosures > related to payment, and disclosures for treatment (except for medical > emergencies) require that a written agreement be in place and that the > services which the external provider render be something > different than > what > the primary provider is providing. This written agreement is known in > the > AOD regs as a Qualified Service Organization Agreement (QSOA, for > short). A > QSOA is akin to a BA agreement, though much shorter and less > complicated, > charachteristics which are, unfortunately, soon to be a thing of the > past. > While a QSOA can be used in limited circumstances for treatment (the > biggest > problem is that we cannot have one with another AOD > pr
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)
ustice system where treatment is a part of the disposition), the name of the patient, the patient's signature and the date of the signature. The remaining situations where disclosure can be made without written patient consent under the AOD regs are very limited. I'll list only a few of the major differences between the HIPAA and AOD regs. There is no general exception for "otherwise required by law." I've forgotten exactly when the exception for allowing a child abuse report to be filed if required by state law was added, sometime around 1990, I think, but that used to be quite a problem and even now the exception is very limited. There are no exceptions for reporting any other kind of abuse. The HIPAA "law enforcement" exception. There are provisions for disclosure in response to a court order, but it requires a very specific order after following very specific procedures. I hope this has been helpful. Let me know if you have any other questions. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. > -Original Message- > From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]] > Sent: Saturday, January 18, 2003 5:02 PM > To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List' > Subject: RE: HIPAA privacy and people > > > Darrell, > > Thank you for sharing your thoughts. And now that you > brought it up, how > would you compare the "42 CFR" consent with the (voluntary) > HIPAA-consent > and the HIPAA-authorization. In my mind, the "42 CFR" allows a more > generalized use and disclosure for TPO, and consequently is > more equivalent > to the (voluntary) HIPAA-consent, than it is to the more specific > HIPAA-authorization. > > But, I would like to know your take on this matter. > > Thanks in advance. > > Matt > > Matthew Rosenblum > Chief Operations Officer > Privacy, Quality Management & Regulatory Affairs > http://www.CPIdirections.com > > CPI Directions, Inc. > 10 West 15th Street, Suite 1922 > New York, NY 10011 > > (212) 675-6367 > [EMAIL PROTECTED] > > CONFIDENTIALITY NOTICE: This E-Mail is intended only for the > use of the > individual or entity to which it is addressed and may contain > information > that is privileged, confidential and exempt from disclosure > under applicable > law. If you have received this communication in error, please do not > distribute it. Please notify the sender by E-Mail at the > address shown and > delete the original message. Thank you. > > AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del > individuo o la entidad a la cual se dirige y puede contener > información > privilegiada, confidencial y exenta de acceso bajo la ley > aplicable. Si > usted ha recibido esta comunicación por error, por favor no > lo distribuya. > Favor notificar al remitente del E-Mail a la dirección > mostrada y elimine el > mensaje original. Gracias. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
Darrell, Thank you very much for this wonderful comparison of the HIPAA regulations to the "signed-consent" aspects of the AOD regulations (42 CFR part 2). This is very helpful to many of us who work in SAMHSA-funded programs. Best regards, Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Darrell Rishel [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 19, 2003 4:43 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy) Matt- I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview. Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs)regs), disclosure within a "program" is allowed on a need-to-know basis without the consent of the patient. This "internal" disclosure is limited to "personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment." In practice, I think this is very close to, if not the same as, the HIPAA "use" definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs. It is the disclosure to external entities where, especially with the adoption of the August, 2002, HIPAA changes, a wide gap remains between the two sets of regs. While HIPAA allows treatment providers to disclose PHI for treatment and payment (even another provider's payment) without the patient's written consent, the AOD regs absolutely prohibit such disclosures related to payment, and disclosures for treatment (except for medical emergencies) require that a written agreement be in place and that the services which the external provider render be something different than what the primary provider is providing. This written agreement is known in the AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A QSOA is akin to a BA agreement, though much shorter and less complicated, charachteristics which are, unfortunately, soon to be a thing of the past. While a QSOA can be used in limited circumstances for treatment (the biggest problem is that we cannot have one with another AOD provider), its most common use is for operations, just as the HIPAA BA agreement will be used (e.g., we have a QSOA with our auditor, or outside attorneys, the company which prints and sends out our bills, the lab which analyzes the urine specimens we collect, etc.). But, if we want to be able to bill an insurance company or any other third party payer, we have to have the patient's written consent (in fact, we cannot even call to get pre-authorization without written consent; how's that for customer friendly?). If we want to refer the patient to another health care provider, of whatever type, or consult with another provider (like their primary care provider) who has seen the patient, we must have the patient's written consent unless the situation fits within the pretty narrow exception where a QSOA can be used and we have (or can get) one in place (the logistics and pain of trying to get a QSOA with all of those providers, which make doing so pretty impracticle). The requirements in the AOD regs for a valid written consent are very similar to those for a HIPAA authorization: who is disclosing the information, to whom is the information being disclosed, what information is being disclosed and why is it being disclosed, there must be a reasonble, identifiable expiration date, the patient must be able to revoke the consent at any time (one specific exception here for persons referred by an element of the criminal justice system where trea
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
Matt- I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview. Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs)regs), disclosure within a "program" is allowed on a need-to-know basis without the consent of the patient. This "internal" disclosure is limited to "personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment." In practice, I think this is very close to, if not the same as, the HIPAA "use" definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs. It is the disclosure to external entities where, especially with the adoption of the August, 2002, HIPAA changes, a wide gap remains between the two sets of regs. While HIPAA allows treatment providers to disclose PHI for treatment and payment (even another provider's payment) without the patient's written consent, the AOD regs absolutely prohibit such disclosures related to payment, and disclosures for treatment (except for medical emergencies) require that a written agreement be in place and that the services which the external provider render be something different than what the primary provider is providing. This written agreement is known in the AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A QSOA is akin to a BA agreement, though much shorter and less complicated, charachteristics which are, unfortunately, soon to be a thing of the past. While a QSOA can be used in limited circumstances for treatment (the biggest problem is that we cannot have one with another AOD provider), its most common use is for operations, just as the HIPAA BA agreement will be used (e.g., we have a QSOA with our auditor, or outside attorneys, the company which prints and sends out our bills, the lab which analyzes the urine specimens we collect, etc.). But, if we want to be able to bill an insurance company or any other third party payer, we have to have the patient's written consent (in fact, we cannot even call to get pre-authorization without written consent; how's that for customer friendly?). If we want to refer the patient to another health care provider, of whatever type, or consult with another provider (like their primary care provider) who has seen the patient, we must have the patient's written consent unless the situation fits within the pretty narrow exception where a QSOA can be used and we have (or can get) one in place (the logistics and pain of trying to get a QSOA with all of those providers, which make doing so pretty impracticle). The requirements in the AOD regs for a valid written consent are very similar to those for a HIPAA authorization: who is disclosing the information, to whom is the information being disclosed, what information is being disclosed and why is it being disclosed, there must be a reasonble, identifiable expiration date, the patient must be able to revoke the consent at any time (one specific exception here for persons referred by an element of the criminal justice system where treatment is a part of the disposition), the name of the patient, the patient's signature and the date of the signature. The remaining situations where disclosure can be made without written patient consent under the AOD regs are very limited. I'll list only a few of the major differences between the HIPAA and AOD regs. There is no general exception for "otherwise required by law." I've forgotten exactly when the exception for allowing a child abuse report to be filed if required by state law was added, sometime around 1990, I think, but that used to be quite a problem and even now the exception is very limited. There are no exceptions for reporting any other kind of abuse. The HIPAA "law enforcement" exception. There are provisions for disclosure in response to a court order, but it requires a very specific order after following very specific procedures. I hope this has been helpful. Let me know if you have any other questions. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. > -Original Message- > From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]] > Sent: Saturday, January 18, 2003 5:02 PM > To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List' > Subject: RE: HIPAA privacy and people > > > Darrell, > > Thank you for sharing your thoughts. And now that you > brought it up, how > would you compare the "42 CFR" consent with the (voluntary) > H
RE: HIPAA privacy and people
Darrell, Thank you for sharing your thoughts. And now that you brought it up, how would you compare the "42 CFR" consent with the (voluntary) HIPAA-consent and the HIPAA-authorization. In my mind, the "42 CFR" allows a more generalized use and disclosure for TPO, and consequently is more equivalent to the (voluntary) HIPAA-consent, than it is to the more specific HIPAA-authorization. But, I would like to know your take on this matter. Thanks in advance. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Darrell Rishel [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 18, 2003 5:11 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: HIPAA privacy and people I really find many of these conversations entertaining (also frequently enlightening and helpful). "Unworkable?" Hardly. Most of you appear to not realize how lucky you are! Nor does it appear that you give yourselves much credit for being creative and resourceful. I work for an alcohol and drug abuse treatment provider. We in this field have successfully operated under what is, generally, a more demanding set of patient privacy rules (42 C.F.R. Part 2, not to mention state mental health statutes, which are also usually very strict)than those found in HIPAA. E.g., unlike "regular" health care providers, we have to have the patient's written authorization to talk to another treatment provider, not to mention just about everyone else, including payers. If we can successfully operate in our environment, you can successfully operate in the HIPAA environment! Will you have to change some of your current business practices? Yes. Will you frequently find the rules to be a pain in the neck (not to mention other parts of your anatomy)? Certainly. Is compliance an impossible task? No. Will it cost you some money, not only to implement, but to abide by in the future? Probably. Are all of these new rules, which are intended to benefit patients in terms of protecting their privacy, going to be otherwise beneficial to them? No. Some of the burden of complying with these rules is going to make it harder for patients, too. These rules are not necessarily "customer friendly." The patients are going to have to make some changes and part of our responsibility will be to educate and help them. No doubt we will frequently be blamed for the inconvenience, but what's new? As with any other set of government statutes and regulations which I have ever read, there are ambiguities, if not worse defects. It will take time, and perhaps additional rule-making, to sort everything out (if we ever get to that point, which may never happen in such a complex area with so many legitimate, competing private and public interests). I suggest, however, that it would be more productive to spend time looking for solutions to the challenges presented rather than bemoaning our fate. Pin numbers? I think that may be a very workable concept for some settings. I've been telephoning my bank for years (mostly I do it on-line now) and putting in a pin number and my account code to access my bank account. Let's get on with it! Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. > -Original Message- > From: fwdanby [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 17, 2003 5:01 PM > To: WEDI SNIP Privacy Workgroup List > Cc: WEDI SNIP Privacy Workgroup List > Subject: Re: HIPAA privacy and people > > > With the same due respect, and I, too, mean it sincerely, the word > 'unworkable' is very tempting to apply to the whole HIPAA > scenario where > there is an interface with patients. > Take a look at what all you very bright and well-intentioned > folks have been > posting over the past several months. This is a high level of > confusion > among intellig
RE: HIPAA privacy and people
I really find many of these conversations entertaining (also frequently enlightening and helpful). "Unworkable?" Hardly. Most of you appear to not realize how lucky you are! Nor does it appear that you give yourselves much credit for being creative and resourceful. I work for an alcohol and drug abuse treatment provider. We in this field have successfully operated under what is, generally, a more demanding set of patient privacy rules (42 C.F.R. Part 2, not to mention state mental health statutes, which are also usually very strict)than those found in HIPAA. E.g., unlike "regular" health care providers, we have to have the patient's written authorization to talk to another treatment provider, not to mention just about everyone else, including payers. If we can successfully operate in our environment, you can successfully operate in the HIPAA environment! Will you have to change some of your current business practices? Yes. Will you frequently find the rules to be a pain in the neck (not to mention other parts of your anatomy)? Certainly. Is compliance an impossible task? No. Will it cost you some money, not only to implement, but to abide by in the future? Probably. Are all of these new rules, which are intended to benefit patients in terms of protecting their privacy, going to be otherwise beneficial to them? No. Some of the burden of complying with these rules is going to make it harder for patients, too. These rules are not necessarily "customer friendly." The patients are going to have to make some changes and part of our responsibility will be to educate and help them. No doubt we will frequently be blamed for the inconvenience, but what's new? As with any other set of government statutes and regulations which I have ever read, there are ambiguities, if not worse defects. It will take time, and perhaps additional rule-making, to sort everything out (if we ever get to that point, which may never happen in such a complex area with so many legitimate, competing private and public interests). I suggest, however, that it would be more productive to spend time looking for solutions to the challenges presented rather than bemoaning our fate. Pin numbers? I think that may be a very workable concept for some settings. I've been telephoning my bank for years (mostly I do it on-line now) and putting in a pin number and my account code to access my bank account. Let's get on with it! Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. > -Original Message- > From: fwdanby [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 17, 2003 5:01 PM > To: WEDI SNIP Privacy Workgroup List > Cc: WEDI SNIP Privacy Workgroup List > Subject: Re: HIPAA privacy and people > > > With the same due respect, and I, too, mean it sincerely, the word > 'unworkable' is very tempting to apply to the whole HIPAA > scenario where > there is an interface with patients. > Take a look at what all you very bright and well-intentioned > folks have been > posting over the past several months. This is a high level of > confusion > among intelligent people. Now translate that to the > undeniable fact that > half the people in the real world are below average > intelligence (IQ < 100) > and the world we physicians live and work in is populated by > patients who, > through no fault of their own, exhibit an even higher > percentage of room > temperature IQs. > Sure, we will get some of the people complying some of the > time, but all of > the people all of the time is, in a word, unworkable. > To have us exposed to legal liability in this situation is, > in another word, > unfair. > I believe we providers should demand an umbrella of some sort > to protect us > from unwarranted, arbitrary, over-zealous enforcement of an > essentially > unworkable set of regulations. > I'd love to hear other opinions on this - here if you think > it warranted, > privately if you think otherwise. > FWDanby, MD [EMAIL PROTECTED] > > - Original Message - > From: "Benjamin W. Tartaglia" <[EMAIL PROTECTED]> > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> > Sent: Friday, January 17, 2003 12:17 PM > Subject: RE: HIPAA privacy and telephone > > > > With all due respect, and I mean it sincerely. > > > > Good idea for privacy Based on my many years of management > > engineering and the application of voice, data and image > telecommunications > > systems in healthcare as an employee and later as a > consultant I suggest > it > > is unworkable. (really long and ill structured sentence). > > > > The major premise is "When the patient
RE: HIPAA privacy and people
Well we haven't heard from the AAPS and their supporters for quite a while! Not to worry, private civil litigation will be the enforcement method of choice for those impacted by providers who disregard HIPAA. While some of us have been working with the standards bodies and government to obtain some latitude, thus far it appears it will be afforded to the transactional side of the equation only, and it is very unlikely under privacy. However, I have every confidence that litigators and our state courts will be the ultimate determinator of the workability of HIPAA as applied to individuals providers, particularly those more concerned with avoiding it than implementing it. Frankly HIPAA Privacy is workable. It is already the standard of care. It is irrational resistance to change that has made the process so difficult. Tim McGuinness, Ph.D. -Original Message- From: fwdanby [mailto:[EMAIL PROTECTED]] Sent: Friday, January 17, 2003 7:01 PM To: WEDI SNIP Privacy Workgroup List Cc: WEDI SNIP Privacy Workgroup List Subject: Re: HIPAA privacy and people With the same due respect, and I, too, mean it sincerely, the word 'unworkable' is very tempting to apply to the whole HIPAA scenario where there is an interface with patients. Take a look at what all you very bright and well-intentioned folks have been posting over the past several months. This is a high level of confusion among intelligent people. Now translate that to the undeniable fact that half the people in the real world are below average intelligence (IQ < 100) and the world we physicians live and work in is populated by patients who, through no fault of their own, exhibit an even higher percentage of room temperature IQs. Sure, we will get some of the people complying some of the time, but all of the people all of the time is, in a word, unworkable. To have us exposed to legal liability in this situation is, in another word, unfair. I believe we providers should demand an umbrella of some sort to protect us from unwarranted, arbitrary, over-zealous enforcement of an essentially unworkable set of regulations. I'd love to hear other opinions on this - here if you think it warranted, privately if you think otherwise. FWDanby, MD [EMAIL PROTECTED] - Original Message - From: "Benjamin W. Tartaglia" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Friday, January 17, 2003 12:17 PM Subject: RE: HIPAA privacy and telephone > With all due respect, and I mean it sincerely. > > Good idea for privacy Based on my many years of management > engineering and the application of voice, data and image telecommunications > systems in healthcare as an employee and later as a consultant I suggest it > is unworkable. (really long and ill structured sentence). > > The major premise is "When the patient calls back, someone who can accept > the call and pin number is available". The major premise, although well > intentioned, is false. > > When I try to get to my Doctor's office, I get a call management system 99% > of the time. If I'm really lucky, I may get an answering service. People > who work for many answering services are part timers, sometimes from > temporary employment companies, working for minimum wage, with little or no > healthcare background. Try and get them HIPAA certified. > (I have also done consulting on Doctors' answering services.) > > I believe such a system would simply generate round after round of call > backs which are unsuccessful. If anyone thinks this would actually work, > should get another opinion and only pay for that opinion when the system is > proven effective. > > I really would like to talk to the people who have used this successfully so > that I might add to my professional knowledge and moderate my opinion on he > matter or... is this simply a "scenario" from a brainstorming session? > > Additional comments are welcomed and desired. I find I learn more from > people who disagree. > > Ben Tartaglia > Benjamin W. Tartaglia, MBA, BSIM, CSP > Director, Client Services > BWT Associates, HealthCare Consultants > > HIPAA, JCAHO, Telemedicine, Contingency Planning, Telecommunications, > Telephone Fraud & Abuse, Training Programs, Policy & Procedures, Management > Audits. > > PO# 4515, Shrewsbury, MA 01545 > Phone: 508-845-6000 > EMail: [EMAIL PROTECTED] > > -Original Message- > From: Ribelin, Donald [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 17, 2003 10:09 AM > To: WEDI SNIP Privacy Workgroup List > Subject: RE: HIPAA privacy and telephone > > > So far, the best scenario I have seen is the phone call that requests the > patient to call back to the office. Part of the call back involves a pin or
Re: HIPAA privacy and people
With the same due respect, and I, too, mean it sincerely, the word 'unworkable' is very tempting to apply to the whole HIPAA scenario where there is an interface with patients. Take a look at what all you very bright and well-intentioned folks have been posting over the past several months. This is a high level of confusion among intelligent people. Now translate that to the undeniable fact that half the people in the real world are below average intelligence (IQ < 100) and the world we physicians live and work in is populated by patients who, through no fault of their own, exhibit an even higher percentage of room temperature IQs. Sure, we will get some of the people complying some of the time, but all of the people all of the time is, in a word, unworkable. To have us exposed to legal liability in this situation is, in another word, unfair. I believe we providers should demand an umbrella of some sort to protect us from unwarranted, arbitrary, over-zealous enforcement of an essentially unworkable set of regulations. I'd love to hear other opinions on this - here if you think it warranted, privately if you think otherwise. FWDanby, MD [EMAIL PROTECTED] - Original Message - From: "Benjamin W. Tartaglia" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Friday, January 17, 2003 12:17 PM Subject: RE: HIPAA privacy and telephone > With all due respect, and I mean it sincerely. > > Good idea for privacy Based on my many years of management > engineering and the application of voice, data and image telecommunications > systems in healthcare as an employee and later as a consultant I suggest it > is unworkable. (really long and ill structured sentence). > > The major premise is "When the patient calls back, someone who can accept > the call and pin number is available". The major premise, although well > intentioned, is false. > > When I try to get to my Doctor's office, I get a call management system 99% > of the time. If I'm really lucky, I may get an answering service. People > who work for many answering services are part timers, sometimes from > temporary employment companies, working for minimum wage, with little or no > healthcare background. Try and get them HIPAA certified. > (I have also done consulting on Doctors' answering services.) > > I believe such a system would simply generate round after round of call > backs which are unsuccessful. If anyone thinks this would actually work, > should get another opinion and only pay for that opinion when the system is > proven effective. > > I really would like to talk to the people who have used this successfully so > that I might add to my professional knowledge and moderate my opinion on he > matter or... is this simply a "scenario" from a brainstorming session? > > Additional comments are welcomed and desired. I find I learn more from > people who disagree. > > Ben Tartaglia > Benjamin W. Tartaglia, MBA, BSIM, CSP > Director, Client Services > BWT Associates, HealthCare Consultants > > HIPAA, JCAHO, Telemedicine, Contingency Planning, Telecommunications, > Telephone Fraud & Abuse, Training Programs, Policy & Procedures, Management > Audits. > > PO# 4515, Shrewsbury, MA 01545 > Phone: 508-845-6000 > EMail: [EMAIL PROTECTED] > > -Original Message- > From: Ribelin, Donald [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 17, 2003 10:09 AM > To: WEDI SNIP Privacy Workgroup List > Subject: RE: HIPAA privacy and telephone > > > So far, the best scenario I have seen is the phone call that requests the > patient to call back to the office. Part of the call back involves a pin or > secret code that the patient was provided previously. > > Donald L. Ribelin > HIPAA Project Manager > Firsthealth of the Carolinas > (910) 215-2668 > [EMAIL PROTECTED] > > -Original Message- > From: Doug Webb [mailto:[EMAIL PROTECTED]] > Sent: Friday, January 17, 2003 9:51 AM > To: WEDI SNIP Privacy Workgroup List > Subject: Re: HIPAA privacy and telephone > > An extension to this -- how do you handle answering machines? > > My gut feeling is that either a no-no (the machine more questionable than a > family member) -- the information could only be released to the patient or > his/her representative designated in a written authorizaton. Perhaps > another signature on your main consent/authorization form to allow these > types of communications is what's needed??? > > The opinions expressed here are my own and not necessarily the opinion of > LCMH. > > Douglas M. Webb > Computer System Engineer > Little Company of Mary Hospital & Health Care Centers > [EMAIL PROTECTED] > > "This electronic message may contain information that is confidential and/or > legally privileged. It is intended only for the use of the individual(s) and > entity(s) named as recipients in the message. If you are not an intended > recipient of the message, please notify the sender immediately, delete the > material from any compu
