RE: Employee Access and Accounting of Disclosures

2003-11-01 Thread Matthew Rosenblum
Ellen,

This is one of those HIPAA topics where we would advise hanging a large
"Proceed with Caution" sign, and where we would welcome additional guidance
from HHS.

Section 164.528(a)(1)(iii) of the Privacy rules --Accounting of disclosures
of protected health information-- notes that HIPAA does NOT require a "use"
incident to an otherwise permitted "use or disclosure" (as provided in
section 164.502) to be included in an "accounting".  Conversely, this leads
us to believe that HHS intends for ALL "privacy breaches", whether a "use"
or "disclosure", to be included in an "accounting".

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs

http://www.CPIdirections.com
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED]
 
-Original Message-
From: Ellen Rubin [mailto:[EMAIL PROTECTED] 
Sent: Saturday, November 01, 2003 3:59 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Employee Access and Accounting of Disclosures

My understanding is that this is a "use" (albeit inappropriate) and not
necessary to put in the accounting log.  However, if this information was
then "disclosed" outside the entity, it would need to be accounted for.  I
asked this question a few weeks ago... the piece I was interested in was
whether entities are notifying their patients of this disclosure at the time
of the event as well as entering in the accounting.  Ellen

__
Ellen Rubin, RN, BSN
Privacy Officer
Harborview Medical Center
206 731-6048 Voice
206 731-2097 Fax


- Original Message -
From: "Walter Suarez" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Saturday, November 01, 2003 5:06 AM
Subject: Employee Access and Accounting of Disclosures


> When an employee of a covered entity accesses PHI and it is determined that
> this was done wrongly (say, violating the minimum necessary requirements for
> that employee, or just plain inappropriate access to someone's PHI by the
> employee), would this result in the employer having to log it into the
> accounting of disclosure?
>
> Many thanks for your comments and reactions.
>
> Walter.
>
> 
> Walter G. Suarez, MD, MPH
> President and CEO
> Midwest Center for HIPAA Education
> 2850 Metro Drive, Suite 118
> Bloomington, MN 55425
> (952) 854-3401 - v
> (952) 814-4805 - f
> [EMAIL PROTECTED]
> http://www.mche.us.com
> 
>
>
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the individual
> participants, and do not necessarily represent the views of the WEDI Board
> of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
> your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/. These listservs should not be used for
> commercial marketing purposes or discussion of specific vendor products and
> services. They also are not intended to be used as a forum for personal
> disagreements or unprofessional communication at any time.

Re: Employee Access and Accounting of Disclosures

2003-11-01 Thread Ellen Rubin
My understanding is that this is a "use" (albeit inappropriate) and not
necessary to put in the accounting log.  However, if this information was
then "disclosed" outside the entity, it would need to be accounted for.  I
asked this question a few weeks ago... the piece I was interested in was
whether entities are notifying their patients of this disclosure at the time
of the event as well as entering in the accounting.  Ellen

__
Ellen Rubin, RN, BSN
Privacy Officer
Harborview Medical Center
206 731-6048 Voice
206 731-2097 Fax


- Original Message -
From: "Walter Suarez" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Saturday, November 01, 2003 5:06 AM
Subject: Employee Access and Accounting of Disclosures


> When an employee of a covered entity accesses PHI and it is determined that
> this was done wrongly (say, violating the minimum necessary requirements for
> that employee, or just plain inappropriate access to someone's PHI by the
> employee), would this result in the employer having to log it into the
> accounting of disclosure?
>
> Many thanks for your comments and reactions.
>
> Walter.
>
> 
> Walter G. Suarez, MD, MPH
> President and CEO
> Midwest Center for HIPAA Education
> 2850 Metro Drive, Suite 118
> Bloomington, MN 55425
> (952) 854-3401 - v
> (952) 814-4805 - f
> [EMAIL PROTECTED]
> http://www.mche.us.com
> 