RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

2003-01-22 Thread Vicki Hohner
of the signature.

The remaining situations where disclosure can be made without written
patient consent under the AOD regs are very limited. I'll list only a
few of
the major differences between the HIPAA and AOD regs. There is no
general
exception for otherwise required by law. I've forgotten exactly when
the
exception for allowing a child abuse report to be filed if required by
state
law was added, sometime around 1990, I think, but that used to be quite
a
problem and even now the exception is very limited. There are no
exceptions
for reporting any other kind of abuse. The HIPAA law enforcement
exception. There are provisions for disclosure in response to a court
order,
but it requires a very specific order after following very specific
procedures.

I hope this has been helpful. Let me know if you have any other
questions.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.



 -Original Message-
 From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, January 18, 2003 5:02 PM
 To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List'
 Subject: RE: HIPAA privacy and people
 
 
 Darrell,
 
 Thank you for sharing your thoughts.  And now that you 
 brought it up, how
 would you compare the 42 CFR consent with the (voluntary) 
 HIPAA-consent
 and the HIPAA-authorization.  In my mind, the 42 CFR allows a more
 generalized use and disclosure for TPO, and consequently is 
 more equivalent
 to the (voluntary) HIPAA-consent, than it is to the more specific
 HIPAA-authorization.
 
 But, I would like to know your take on this matter.
 
 Thanks in advance.
  
 Matt
  
 Matthew Rosenblum
 Chief Operations Officer
 Privacy, Quality Management  Regulatory Affairs
 http://www.CPIdirections.com
  
 CPI Directions, Inc.
 10 West 15th Street, Suite 1922
 New York, NY 10011
  
 (212) 675-6367
 [EMAIL PROTECTED]
  
 CONFIDENTIALITY NOTICE: This E-Mail is intended only for the 
 use of the
 individual or entity to which it is addressed and may contain 
 information
 that is privileged, confidential and exempt from disclosure 
 under applicable
 law. If you have received this communication in error, please do not
 distribute it.  Please notify the sender by E-Mail at the 
 address shown and
 delete the original message. Thank you.
  
 AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
 individuo o la entidad a la cual se dirige y puede contener 
 información
 privilegiada, confidencial y exenta de acceso bajo la ley 
 aplicable. Si
 usted ha recibido esta comunicación por error, por favor no 
 lo distribuya.
 Favor notificar al remitente del E-Mail a la dirección 
 mostrada y elimine el
 mensaje original. Gracias.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)

2003-01-22 Thread Darrell Rishel
You are absolutely correct that there is much in HIPAA than what is in 42
C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with
their assistance? The Legal Action Center, a well-known, well-respected
non-profit based in New York that has done a lot of work in interpreting 42
C.F.R. Part 2, is also supposed to be coming out with a cross-walk
supplement, but if people are not already working on this, well ... If
anyone is interested, I can give you contact information for the Legal
Action Center.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc. 
This message is not legal advice or a binding signature.


 -Original Message-
 From: Vicki Hohner [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 22, 2003 12:13 PM
 To: Darrell Rishel; [EMAIL PROTECTED]
 Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2
 (Alcohol and Drug Patient Privacy)
 
 
 I have been doing a lot of work with substance abuse programs 
 and HIPAA,
 and while not deeply familar with 42 CFR protections we have 
 identified
 that there are limited areas of overlap with HIPAA privacy. 
 Many subject
 to 42 CFR mistakenly believe that the fact that they comply with this
 law, which is more stringent in its use and disclosure requirements,
 means they are exempt from complying with HIPAA. However, note that
 there are only a few overlaps between the two: primarily with uses and
 disclosures/minimum necessary, authorizations, and some 
 limited parts of
 individual rights. This leaves a lot more under HIPAA that is not
 addressed in 42 CFR--all the policies and procedures, the privacy
 officer, business associate terms, the notice of privacy 
 practices, and
 accounting of disclosures, to name a few. Note also that the 
 definitions
 of what information is protected is broader under HIPAA than under 42
 CFR. 
 
 My understanding is that the feds (SAMHSA/CSAT) are working on a
 comparison matrix between the two--no idea when that may be 
 available.  
 
 Vicki Hohner
 FOX Systems, Inc.
 360-970-6856
 360-352-4584
 Information transmitted is confidential and may be proprietary to FOX
 Systems, Inc.  It is intended only for the person or entity 
 to which it
 is addressed.   Anyone else is prohibited from disclosing, copying, or
 disseminating the contents or attachments.  If you receive this in
 error, please notify sender immediately, or us at www.foxsys.com and
 delete from your system.
  Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM 
 Matt-
 
 I'll take a stab at answering your question. Please remember 
 that in an
 effort to keep it relatively brief, this is a fairly simplistic,
 high-level
 overview.
 
 Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and
 Other
 Drugs)regs), disclosure within a program is allowed on a 
 need-to-know
 basis  without the consent of the patient. This internal 
 disclosure is
 limited to personnel having a need for the information in connection
 with
 their duties which arise out of the provision of diagnosis, treatment,
 or
 referral for treatment. In practice, I think this is very 
 close to, if
 not
 the same as, the HIPAA use definition. Although the AOD regs do not
 require a formal minimum necessary analysis, the concept of only
 disclosing
 the minimum amount of information necessary to accomplish the purpose
 for
 making the disclosure is clearly embedded in the regs.
 
 It is the disclosure to external entities where, especially with the
 adoption of the August, 2002, HIPAA changes, a wide gap 
 remains between
 the
 two sets of regs. While HIPAA allows treatment providers to 
 disclose PHI
 for
 treatment and payment (even another provider's payment) without the
 patient's written consent, the AOD regs absolutely prohibit such
 disclosures
 related to payment, and disclosures for treatment (except for medical
 emergencies) require that a written agreement be in place and that the
 services which the external provider render be something 
 different than
 what
 the primary provider is providing. This written agreement is known in
 the
 AOD regs as a Qualified Service Organization Agreement (QSOA, for
 short). A
 QSOA is akin to a BA agreement, though much shorter and less
 complicated,
 charachteristics which are, unfortunately, soon to be a thing of the
 past.
 While a QSOA can be used in limited circumstances for treatment (the
 biggest
 problem is that we cannot have one with another AOD 
 provider), its most
 common use is for operations, just as the HIPAA BA agreement will be
 used
 (e.g., we have a QSOA with our auditor, or outside attorneys, the
 company
 which prints and sends out our bills, the lab which analyzes the urine
 specimens we collect, etc.). But, if we want to be able to bill an
 insurance
 company or any other third party payer, we have to have the patient's
 written consent (in fact, we cannot even call to get pre-authorization
 without written consent; how's that for customer friendly

RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)

2003-01-20 Thread Darrell Rishel
Matt-

I'll take a stab at answering your question. Please remember that in an
effort to keep it relatively brief, this is a fairly simplistic, high-level
overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other
Drugs)regs), disclosure within a program is allowed on a need-to-know
basis  without the consent of the patient. This internal disclosure is
limited to personnel having a need for the information in connection with
their duties which arise out of the provision of diagnosis, treatment, or
referral for treatment. In practice, I think this is very close to, if not
the same as, the HIPAA use definition. Although the AOD regs do not
require a formal minimum necessary analysis, the concept of only disclosing
the minimum amount of information necessary to accomplish the purpose for
making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the
adoption of the August, 2002, HIPAA changes, a wide gap remains between the
two sets of regs. While HIPAA allows treatment providers to disclose PHI for
treatment and payment (even another provider's payment) without the
patient's written consent, the AOD regs absolutely prohibit such disclosures
related to payment, and disclosures for treatment (except for medical
emergencies) require that a written agreement be in place and that the
services which the external provider render be something different than what
the primary provider is providing. This written agreement is known in the
AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A
QSOA is akin to a BA agreement, though much shorter and less complicated,
charachteristics which are, unfortunately, soon to be a thing of the past.
While a QSOA can be used in limited circumstances for treatment (the biggest
problem is that we cannot have one with another AOD provider), its most
common use is for operations, just as the HIPAA BA agreement will be used
(e.g., we have a QSOA with our auditor, or outside attorneys, the company
which prints and sends out our bills, the lab which analyzes the urine
specimens we collect, etc.). But, if we want to be able to bill an insurance
company or any other third party payer, we have to have the patient's
written consent (in fact, we cannot even call to get pre-authorization
without written consent; how's that for customer friendly?). If we want to
refer the patient to another health care provider, of whatever type, or
consult with another provider (like their primary care provider) who has
seen the patient, we must have the patient's written consent unless the
situation fits within the pretty narrow exception where a QSOA can be used
and we have (or can get) one in place (the logistics and pain of trying to
get a QSOA with all of those providers, which make doing so pretty
impracticle). The requirements in the AOD regs for a valid written consent
are very similar to those for a HIPAA authorization: who is disclosing the
information, to whom is the information being disclosed, what information is
being disclosed and why is it being disclosed, there must be a reasonble,
identifiable expiration date, the patient must be able to revoke the consent
at any time (one specific exception here for persons referred by an element
of the criminal justice system where treatment is a part of the
disposition), the name of the patient, the patient's signature and the date
of the signature.

The remaining situations where disclosure can be made without written
patient consent under the AOD regs are very limited. I'll list only a few of
the major differences between the HIPAA and AOD regs. There is no general
exception for otherwise required by law. I've forgotten exactly when the
exception for allowing a child abuse report to be filed if required by state
law was added, sometime around 1990, I think, but that used to be quite a
problem and even now the exception is very limited. There are no exceptions
for reporting any other kind of abuse. The HIPAA law enforcement
exception. There are provisions for disclosure in response to a court order,
but it requires a very specific order after following very specific
procedures.

I hope this has been helpful. Let me know if you have any other questions.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.



 -Original Message-
 From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, January 18, 2003 5:02 PM
 To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List'
 Subject: RE: HIPAA privacy and people
 
 
 Darrell,
 
 Thank you for sharing your thoughts.  And now that you 
 brought it up, how
 would you compare the 42 CFR consent with the (voluntary) 
 HIPAA-consent
 and the HIPAA-authorization.  In my mind, the 42 CFR allows a more
 generalized use and disclosure for TPO, and consequently is 
 more equivalent
 to the (voluntary) HIPAA-consent

RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)

2003-01-20 Thread Matthew Rosenblum
Darrell,

Thank you very much for this wonderful comparison of the HIPAA regulations
to the signed-consent aspects of the AOD regulations (42 CFR part 2).
This is very helpful to many of us who work in SAMHSA-funded programs.

Best regards,
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management  Regulatory Affairs
http://www.CPIdirections.com

CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 
-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, January 19, 2003 4:43 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al
cohol and Drug Patient Privacy)

Matt-

I'll take a stab at answering your question. Please remember that in an
effort to keep it relatively brief, this is a fairly simplistic, high-level
overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other
Drugs)regs), disclosure within a program is allowed on a need-to-know
basis  without the consent of the patient. This internal disclosure is
limited to personnel having a need for the information in connection with
their duties which arise out of the provision of diagnosis, treatment, or
referral for treatment. In practice, I think this is very close to, if not
the same as, the HIPAA use definition. Although the AOD regs do not
require a formal minimum necessary analysis, the concept of only disclosing
the minimum amount of information necessary to accomplish the purpose for
making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the
adoption of the August, 2002, HIPAA changes, a wide gap remains between the
two sets of regs. While HIPAA allows treatment providers to disclose PHI for
treatment and payment (even another provider's payment) without the
patient's written consent, the AOD regs absolutely prohibit such disclosures
related to payment, and disclosures for treatment (except for medical
emergencies) require that a written agreement be in place and that the
services which the external provider render be something different than what
the primary provider is providing. This written agreement is known in the
AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A
QSOA is akin to a BA agreement, though much shorter and less complicated,
charachteristics which are, unfortunately, soon to be a thing of the past.
While a QSOA can be used in limited circumstances for treatment (the biggest
problem is that we cannot have one with another AOD provider), its most
common use is for operations, just as the HIPAA BA agreement will be used
(e.g., we have a QSOA with our auditor, or outside attorneys, the company
which prints and sends out our bills, the lab which analyzes the urine
specimens we collect, etc.). But, if we want to be able to bill an insurance
company or any other third party payer, we have to have the patient's
written consent (in fact, we cannot even call to get pre-authorization
without written consent; how's that for customer friendly?). If we want to
refer the patient to another health care provider, of whatever type, or
consult with another provider (like their primary care provider) who has
seen the patient, we must have the patient's written consent unless the
situation fits within the pretty narrow exception where a QSOA can be used
and we have (or can get) one in place (the logistics and pain of trying to
get a QSOA with all of those providers, which make doing so pretty
impracticle). The requirements in the AOD regs for a valid written consent
are very similar to those for a HIPAA authorization: who is disclosing the
information, to whom is the information being disclosed, what information is
being disclosed and why is it being disclosed, there must be a reasonble,
identifiable expiration date, the patient must be able to revoke the consent
at any time (one specific exception here for persons referred by an element
of the criminal justice system where treatment is a part of the
disposition), the name of the patient, the patient's signature and the date

RE: HIPAA privacy and people

2003-01-18 Thread Matthew Rosenblum
Darrell,

Thank you for sharing your thoughts.  And now that you brought it up, how
would you compare the 42 CFR consent with the (voluntary) HIPAA-consent
and the HIPAA-authorization.  In my mind, the 42 CFR allows a more
generalized use and disclosure for TPO, and consequently is more equivalent
to the (voluntary) HIPAA-consent, than it is to the more specific
HIPAA-authorization.

But, I would like to know your take on this matter.

Thanks in advance.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management  Regulatory Affairs
http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain information
that is privileged, confidential and exempt from disclosure under applicable
law. If you have received this communication in error, please do not
distribute it.  Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
 
AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo distribuya.
Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el
mensaje original. Gracias.
 

-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 18, 2003 5:11 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA privacy and people

I really find many of these conversations entertaining (also frequently
enlightening and helpful). Unworkable? Hardly. Most of you appear to not
realize how lucky you are! Nor does it appear that you give yourselves much
credit for being creative and resourceful. I work for an alcohol and drug
abuse treatment provider. We in this field have successfully operated under
what is, generally, a more demanding set of patient privacy rules (42 C.F.R.
Part 2, not to mention state mental health statutes, which are also usually
very strict)than those found in HIPAA. E.g., unlike regular health care
providers, we have to have the patient's written authorization to talk to
another treatment provider, not to mention just about everyone else,
including payers. If we can successfully operate in our environment, you can
successfully operate in the HIPAA environment! Will you have to change some
of your current business practices? Yes. Will you frequently find the rules
to be a pain in the neck (not to mention other parts of your anatomy)?
Certainly. Is compliance an impossible task? No. Will it cost you some
money, not only to implement, but to abide by in the future? Probably. Are
all of these new rules, which are intended to benefit patients in terms of
protecting their privacy, going to be otherwise beneficial to them? No. Some
of the burden of complying with these rules is going to make it harder for
patients, too. These rules are not necessarily customer friendly. The
patients are going to have to make some changes and part of our
responsibility will be to educate and help them. No doubt we will frequently
be blamed for the inconvenience, but what's new? As with any other set of
government statutes and regulations which I have ever read, there are
ambiguities, if not worse defects. It will take time, and perhaps additional
rule-making, to sort everything out (if we ever get to that point, which may
never happen in such a complex area with so many legitimate, competing
private and public interests). I suggest, however, that it would be more
productive to spend time looking for solutions to the challenges presented
rather than bemoaning our fate. Pin numbers? I think that may be a very
workable concept for some settings. I've been telephoning my bank for years
(mostly I do it on-line now) and putting in a pin number and my account code
to access my bank account. Let's get on with it!

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc.

This message is not legal advice or a binding signature.
 

 -Original Message-
 From: fwdanby [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 17, 2003 5:01 PM
 To: WEDI SNIP Privacy Workgroup List
 Cc: WEDI SNIP Privacy Workgroup List
 Subject: Re: HIPAA privacy and people
 
 
 With the same due respect, and I, too, mean it sincerely, the word
 'unworkable' is very tempting to apply to the whole HIPAA 
 scenario where
 there is an interface with patients.
 Take a look at what all you very bright and well-intentioned 
 folks have been
 posting over the past several months. This is a high level of 
 confusion
 among intelligent people. Now translate that to the 
 undeniable fact that
 half the people in the real world are below average 
 intelligence (IQ  100)
 and the world we physicians

Re: HIPAA privacy and people

2003-01-17 Thread fwdanby
With the same due respect, and I, too, mean it sincerely, the word
'unworkable' is very tempting to apply to the whole HIPAA scenario where
there is an interface with patients.
Take a look at what all you very bright and well-intentioned folks have been
posting over the past several months. This is a high level of confusion
among intelligent people. Now translate that to the undeniable fact that
half the people in the real world are below average intelligence (IQ  100)
and the world we physicians live and work in is populated by patients who,
through no fault of their own, exhibit an even higher percentage of room
temperature IQs.
Sure, we will get some of the people complying some of the time, but all of
the people all of the time is, in a word, unworkable.
To have us exposed to legal liability in this situation is, in another word,
unfair.
I believe we providers should demand an umbrella of some sort to protect us
from unwarranted, arbitrary, over-zealous enforcement of an essentially
unworkable set of regulations.
I'd love to hear other opinions on this - here if you think it warranted,
privately if you think otherwise.
FWDanby, MD [EMAIL PROTECTED]

- Original Message -
From: Benjamin W. Tartaglia [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Friday, January 17, 2003 12:17 PM
Subject: RE: HIPAA privacy and telephone


 With all due respect, and I mean it sincerely.

 Good idea for privacy Based on my many years of management
 engineering and the application of voice, data and image
telecommunications
 systems in healthcare as an employee and later as a consultant I suggest
it
 is unworkable. (really long and ill structured sentence).

 The major premise is When the patient calls back, someone who can accept
 the call and pin number is available.  The major premise, although well
 intentioned, is false.

 When I try to get to my Doctor's office, I get a call management system
99%
 of the time.  If I'm really lucky, I may get an answering service.  People
 who work for many answering services are part timers, sometimes from
 temporary employment companies, working for minimum wage, with little or
no
 healthcare background.  Try and get them HIPAA certified.
 (I have also done consulting on Doctors' answering services.)

 I believe such a system would simply generate round after round of call
 backs which are unsuccessful.  If anyone thinks this would actually work,
 should get another opinion and only pay for that opinion when the system
is
 proven effective.

 I really would like to talk to the people who have used this successfully
so
 that I might add to my professional knowledge and moderate my opinion on
he
 matter or... is this simply a scenario from a brainstorming session?

 Additional comments are welcomed and desired.  I find I learn more from
 people who disagree.

 Ben Tartaglia
 Benjamin W. Tartaglia, MBA, BSIM, CSP
 Director, Client Services
 BWT Associates, HealthCare Consultants

 HIPAA, JCAHO, Telemedicine, Contingency Planning, Telecommunications,
 Telephone Fraud  Abuse, Training Programs, Policy  Procedures,
Management
 Audits.

 PO# 4515, Shrewsbury, MA 01545
 Phone: 508-845-6000
 EMail: [EMAIL PROTECTED]

 -Original Message-
 From: Ribelin, Donald [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 17, 2003 10:09 AM
 To: WEDI SNIP Privacy Workgroup List
 Subject: RE: HIPAA privacy and telephone


 So far, the best scenario I have seen is the phone call that requests the
 patient to call back to the office.  Part of the call back involves a pin
or
 secret code that the patient was provided previously.

 Donald L. Ribelin
 HIPAA Project Manager
 Firsthealth of the Carolinas
 (910) 215-2668
 [EMAIL PROTECTED]

  -Original Message-
 From: Doug Webb [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 17, 2003 9:51 AM
 To: WEDI SNIP Privacy Workgroup List
 Subject: Re: HIPAA privacy and telephone

 An extension to this -- how do you handle answering machines?

 My gut feeling is that either a no-no (the machine more questionable than
a
 family member) -- the information could only be released to the patient or
 his/her representative designated in a written authorizaton.  Perhaps
 another signature on your main consent/authorization form to allow these
 types of communications is what's needed???

 The opinions expressed here are my own and not necessarily the opinion of
 LCMH.

 Douglas M. Webb
 Computer System Engineer
 Little Company of Mary Hospital  Health Care Centers
 [EMAIL PROTECTED]

 This electronic message may contain information that is confidential
and/or
 legally privileged. It is intended only for the use of the individual(s)
and
 entity(s)  named as recipients in the message. If you are not an intended
 recipient of the message, please notify the sender immediately,  delete
the
 material from any computer, do not deliver, distribute, or copy this
 message, and do not disclose its contents or take action