Re: HIPAA-related privacy question (I think)

2002-10-22 Thread Doug Webb
--- You are currently subscribed to wedi-privacy as: archive@jab.org To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the

Re: Business Associates

2003-01-22 Thread Doug Webb
Traci, It looks to me like someone's trying to cover all bases with a shotgun approach (run it up the flagpole and see who salutes). My understanding is that you wouldn't need a BAC any more than a surgeon's office needs one with a Primary Care Physician referring a patient to them. This

Re: to sign or not to sign

2003-01-22 Thread Doug Webb
Traci, My vote's for the round file. Any lawyers out there feel free to chime in. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital Health Care Centers[EMAIL PROTECTED] "This electronic

Re: to sign or not to sign

2003-01-23 Thread Doug Webb
Leslie, In general, I agree. The vendor is attempting to reduce the load on ITS legal staff by getting its customers to sign their version of the BAA before their cusomers write their own. You will have to have a BAA in place with most of these entities. It doesn't matter who originates the

Re: Covered Entity or not

2003-02-03 Thread Doug Webb
Susan, Well said. Still another kink -- come October, you will have to file your Medicare claims electronically, which makes the loopholes even smaller. IMHO, this makes just about anyoune who does "Health Care" a CE, except for those few providers who do a strictly cash business, and

Re: Business Associates Agreements

2003-02-05 Thread Doug Webb
Brenda, As Noel pointed out, not quite. They may be a CE in addition to being a BA, but, because they perform a function (billing) for the Provider, they are a BA of the provider. If their functionality includes anything outside of obtaining non-standard claims information, generating

Re: Recording Disclosures (was BA Agreement Questions)

2003-02-10 Thread Doug Webb
Title: RE: Recording Disclosures (was BA Agreement Questions) I also agree with Carolyn. An external Auditor would be a BA if (and only if) YOU hired the firm to perform audits for YOUR business purposes, and the auditor had to access to PHI in order to perform the audits. Government

Re: Home and Offsite Use of PHI

2003-02-18 Thread Doug Webb
Rebecca, That is precisely the point. PHI that leaves the office by any means must still be protected to the same level as the office information, and it is much more difficult to do, because you do not have the same control over the off-site environment. Therefore, your policies need to be

Re: Question

2003-02-19 Thread Doug Webb
Carolyn, Jonathah's question was about the need for encryption on a dial-up line. For detailed discussions, he should see the Security listserv. Generally, though, a direct dial-in connection to a receiver's system (not via the Internet) would be considered an acceptable risk if you trust the

Re: Nursing Homes and Ambulance Services

2003-02-21 Thread Doug Webb
Title: Message Kathy, The Nursing Home and Ambulance Service would both be Covered Entities if they do any of the covered functions electronically. Business Associates are entities who do something on behalf of a Covered Entity. The opinions expressed here are my own and not necessarily the

Re: DOL vs. HIPAA

2003-02-21 Thread Doug Webb
Title: DOL vs. HIPAA Agree. Subject to the restriction that whatever is disclosed for any purpose be only the minimum necessary for that purpose (which applys to all disclosures indipendant of the medium). Remember that the great difficulty in giving out info over the phone is making that

Re: BA contracts

2003-02-24 Thread Doug Webb
Robyn, 1) The term of the BA contract is as long as it itself states. 2) Other than using another entity, I'm not sure. You are responsible for whatever PHI they leak, unless you have that contract in place makeing them responsible for their actons. 3) I think your list covers everything,

Re: medical vendors as Business Associates

2003-02-26 Thread Doug Webb
Jill, I agree with Dan. The critical question is do you do anything on behalf of a Covered Entity that involves PHI? If this answer is "No", you do not need a BAA. Providing devices to non-patients isolates you from PHI. Providing devices to patients is acting on behalf of yourself (I

Re: medical vendors as Business Associates

2003-02-26 Thread Doug Webb
ains. Thank you." - Original Message - From: Dawn Lenox To: Doug Webb Sent: Wednesday, February 26, 2003 09:37 AM Subject: Re: medical vendors as Business Associates I tried to explain this to a vendor that sent us (CE) their BA (non-CE) as a favor to usThey s

Re: medical vendors as Business Associates

2003-02-26 Thread Doug Webb
k you." - Original Message - From: Vicki Schaff To: Doug Webb Sent: Wednesday, February 26, 2003 10:53 AM Subject: Re: medical vendors as Business Associates Consider the vendor who supplies anew medical deviceto ahealthcare facility (CE)and the vend

Re: medical vendors as Business Associates

2003-02-26 Thread Doug Webb
r facility on this? Thanks. Regards, David Frenkel Business Development GEFEG USA Global Leader in Ecommerce Tools 612-237-1966 -Original Message-From: Doug Webb [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 26, 2003 11:29 AMTo: WEDI SNIP Privacy

Re: medical vendors as Business Associates

2003-02-26 Thread Doug Webb
ibute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you." - Original Message - From: Craig Moen To: 'Doug Webb' Sent: Wednesday, February 26, 2003 03:28 PM Subject: RE: medical vendors a

Re: medical vendors as Business Associates

2003-02-26 Thread Doug Webb
of TPO. It brings up an interesting liability issue as well as a patient consent issue for reps being in the OR. Regards, David Frenkel Business Development GEFEG USA Global Leader in Ecommerce Tools www.gefeg.com 612-237-1966 -Original Message

Re: medical vendors as Business Associates

2003-02-27 Thread Doug Webb
he information it contains. Thank you." - Original Message - From: Jo Clair To: 'Doug Webb' Sent: Wednesday, February 26, 2003 04:17 PM Subject: RE: medical vendors as Business Associates Not all providers are CE's (they may not do ele

Re: Questions in regard to Security/Privacy

2003-02-27 Thread Doug Webb
Richard, The first question is: Is what is being transmitted Protected Healthcare Information? If not all the rest is moot. If what is being transmitted is strictly the financial data (This merchant charged this person this much), it probably isn't PHI, but just money. If it is you must do

Re: Questions in regard to Security/Privacy

2003-02-27 Thread Doug Webb
Catherine, Just a clarification. These non-financial POS terminals would have to use standard transactions (such as 270/271, 278, etc.) to do their job when a standard is available. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer

Re: medical vendors as Business Associates

2003-02-28 Thread Doug Webb
f the lack of clarity of HIPAA. Regards, David Frenkel Business Development GEFEG USA Global Leader in Ecommerce Tools www.gefeg.com 612-237-1966 -Original Message-From: Doug Webb [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 26, 2003 4:

Re: PHI In Mail

2003-02-28 Thread Doug Webb
Title: Glacier Likewise. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital Health Care Centers[EMAIL PROTECTED] "This electronic message may contain information that is confidential

Re: Custodial parent rights to minor's PHI

2003-02-28 Thread Doug Webb
Steve, The Court rulings in the individual case would determine which parent(s) have access to how much PHI. There may also be State laws that override a decree from a different State. In general, the custodial parent has primary responsibility for the child's healthcare, but in Family

Re: Another thread on Security/Privacy question

2003-02-28 Thread Doug Webb
Chistine, I'll give it a shot. My comments are below your questions. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital Health Care Centers[EMAIL PROTECTED] "This electronic message may

Re: Clarification of Question re: who is the originator of PHI?

2003-03-04 Thread Doug Webb
Jill, I think that the question revolves around who was responsible for generating and maintaining the original report (i.e., who has the master, and who has a copy). If the Physical Therapist maintains his/her own records, the therapist's copy is probably the master, and thus must be where

Re: Fundraising Question

2003-03-05 Thread Doug Webb
Patricia, Your NPP should state that PHI will not be used for these purposes. A opt out isn't necessary whennobody,s in. To clarify things for your patients, you may wish to mention that the foundation uses independantly-generated lists that contain no PHI. The opinions expressed here are

Re: JCAHO BAA

2003-03-05 Thread Doug Webb
Teri, In theory, yes. In practice, they're the 800-pound gorilla. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital Health Care Centers[EMAIL PROTECTED] "This electronic message may

Re: CLAIMS ADJUSTMENT CODES

2003-03-07 Thread Doug Webb
Dee, Yes, only the codes on the list may be used on a Complient claim. This applies now. CMS stated in the Federal Register that they won't enforce until October. You can get the list from WPC. http://www.wpc-edi.com/ClaimAdjustment_40.asp Also, the Remark codes are at

Re: BA contract with Reps

2003-03-11 Thread Doug Webb
I think that since this is a total opt-in, if your sign-up form had the company clearly identified, and spaces for address, it would no more be PHI than the same form in a supermarket (which I have seen, even filled out a few when my daughter was on the way [15 years ago]). It gets a

Re: Facility Directory

2003-03-13 Thread Doug Webb
Donald, I agree with your opinion that you don't have to ask, but a check-off line in the sign-in form would be nice. It would also document that the option had indeed been offered, and since, in this game, documentation is everything, that would be a Good Thing. The opinions expressed here

Re: Security Requirements

2003-03-13 Thread Doug Webb
Daryn, Yes. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital Health Care Centers[EMAIL PROTECTED] "This electronic message may contain information that is confidential and/or legally

Re: Filing deadline for complaints

2003-03-14 Thread Doug Webb
Amen, Cindi! The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital Health Care Centers[EMAIL PROTECTED] "This electronic message may contain information that is confidential and/or legally

Re: Displaying Data in web browser. Indefinitely.

2003-03-17 Thread Doug Webb
Gregory, You make a good point. If the Patient is accessing his/her own data, you are not respnsible for what he/she does with it. If it's a CE or BA of a CE accessing Patient data, the CE is responsible for ensuring Privacy. Offering a process to make the CE's task easier might make good

Re: Billing Services with Contractors

2003-03-19 Thread Doug Webb
Daniel, 1) Billing Services are Business Associates of Providers. Because of what they do, if they work with standard transactions, they may also be considered a Covered Entity Clearinghouse (converting [highly] non-standard data to standard transactions, and vice versa). 2) An entity that

Re: BA v Trading Partner Agreements

2003-03-20 Thread Doug Webb
Jonathan, A Trading Partner Agreement is a general contract between two entities who do business with each other. A Busininess Associate Agreement is a Trading Partner Agreement that specificly includes wording to protect any Protected Healthcare Information that may be exchanged, and that

Re: New to this list, have two questions.

2003-03-24 Thread Doug Webb
Title: RE: New to this list, have two questions. Deborah, I agree. Your short answer to 2) was "No". I'll add anothertwo roles (only one of whichhas a "Yes answer). If what they're discussing is actively participating in a Treatment Plan, then the Case Manager would be a potential Covered

Re: New to this list, have two questions.

2003-03-24 Thread Doug Webb
Title: RE: New to this list, have two questions. Gregory, Just to amplify on Judith's remarks, You are exposed to the risk NOW, not when the final Security Rule fully kicks in. You are accepting a huge risk anytime you expose PHI to the Internet. Remenber that any of the millions of computers

Fw: New to this list, have two questions.

2003-03-25 Thread Doug Webb
puter, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you." - Original Message - From: Gregory Park To: Doug Webb Sent: Monday, March 24, 2003 03:22 PM Subjec

Re: section 164.514(d)(3)(iii)(B)

2003-03-26 Thread Doug Webb
Leslie, To build on what Leah said, I think that what you have in your NPP is OK, but possibly goes into unnecessary detail (Don't kill any more trees!). The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of

Re: section 164.514(d)(3)(iii)(B)

2003-03-26 Thread Doug Webb
Dan, I had overlooked Leslie's mention of requiring authorization after it hits Medical Records. I agree with you that authorization is notnecessary for sending medical info for Treatment purposes to another Physician. I would think that the older the information, the more questions I

Re: NPP and Disclosure

2003-03-27 Thread Doug Webb
Gregory, Your client is wrong. Accounting for Every disclosure if definately not required by the Privacy or Security regs. Most transactions involving the Treatment of Patients and obtaining Payment are explicitly excluded from the need to report them (in very great detail as to what is

Re: Multiagency authorizations

2003-03-28 Thread Doug Webb
Title: Message Gregory There is a difference between compound authorizations (one authorization for several things, which is prohibited) and several authorizations on the same piece of paper (which is OK, just so long as each one has an indication that it was individually considered). To

Re: Receipt of PHI

2003-03-28 Thread Doug Webb
Marcus, The Covered Entity is the one taking the risk here, not you. You do not have responsibility for the PHI until it enters your system. Some hungry lawyer may try to put some responsibility on your door, since you did not not refuse to accept unencrypted information. I don't think the

Re: developing pictures

2003-04-04 Thread Doug Webb
Noel, I agree with the thrust of the earlier thread on this list -- the additional inscription makes it PHI. I just had a thought, though. Could the autographed picture itself be a kind of authorization for use? I know it's not on a document that has the proper words, but could the intent

Re: Unnecessary BAAs

2003-11-07 Thread Doug Webb
Rachel, Consider how much PHI the facility has acquired from the DME provider while offering the services specified in the BAA to the DME provider (none!). PHI acquired by other means is not affected by this particular BAA. The notification of breaches, and accountable disclosures, etc.

Re: Post-enrollment kits

2003-11-10 Thread Doug Webb
Diana, With respect to Privacy, your mailer would be equivalent to a sealed envelope IF the layout was such that no PHI were visable without breaking one of your seals. Now with respect to Security, it seems to be pretty weak security. I would not recommend this as a long-term solution.