RE: NPP and accounting for disclosures - was Medicare audits: op erations?
Doug, Thanks for the clairication for your organization. Since the Privacy Rule requires we document and retain any signed authorization as required by ยง 164.530(j)..for six years from the date of its creation or the date when it last was in effect, whichever is later, we have elected to store authorizations in our records, thus serving as a reference to our diclosure if we ever desire to refer back to disclosures made based on an authorization. Cindi Bowman Quality and Compliance Coordinator Catawba County Health Department 828-695-5847 -Original Message- From: Doug Webb [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 12:12 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: NPP and accounting for disclosures - was Medicare audits: op erations? Molly, Cindi: Where I was coming from is that if I made such a disclosure, I would want to know that I made it, irrespective of what the rules say I must account for. The rules don't prohibit me from doing this, just don't mandate it. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. Webb Computer System Engineer Little Company of Mary Hospital Health Care Centers [EMAIL PROTECTED] This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you. - Original Message - From: Shek, Molly [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Friday, February 14, 2003 09:57 AM Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations? I quite agree with your assessment of the difference between Authorization and the need for Accounting of Disclosures. However, one of the exceptions to an Accounting of PHI disclosures is disclosures made pursuant to patient authorization. Molly Shek, MS, RHIA -Original Message- From: Doug Webb [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 8:47 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: NPP and accounting for disclosures - was Medicare audits: operations? Noel, Quite so. As you said, quite a few emails seem to overlook that the Authorization to do a certian disclosure and the actual disclosure are two separate actions and need to be addressed independantly. Don't forget that the acknowledgment of receipt of your NPP is not an Authorization for release of information. The Authorization is either separate (although it might be on the same piece of paper and/or covered by the same signature), or not required (TPO disclosures). If a disclosure is permitted (either by an Authorization or by being part of TPO), it may or may not be required to be logged. This must be determined for every type of disclosure, independantly from the need for an Authorization. I would use the following rules for determining when to log disclosures (my own hueristic, not sealed in stone): If it is not a part of routine operations, log it. If you need a separate Authorization to do the disclosure, log it. For all routine operations, determine if logging is necessary If there are any questions, err on the side of logging rather than on the side of not logging. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. Webb Computer System Engineer Little Company of Mary Hospital Health Care Centers [EMAIL PROTECTED] This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you. - Original Message - From: Noel Chang [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Friday, February 14, 2003 01:19 AM Subject: NPP and accounting for disclosures - was Medicare audits: operations? Changing the subject for a minute: I have seen several emails from people, including the one below, that have made various statements all to the effect that if you mention a particular type of disclosure in your NPP, you will not have to account for such disclosures. Anita wrote: One way a covered entity might get around having to account for disclosures made for auditing purposes is to inform
RE: NPP and accounting for disclosures - was Medicare audits: op erations?
Title: Message Read 45 164.502 uses and disclosures of protected health information: general rules:(i) "Standard: Uses and disclosures consistent with notice. A covered entity that is required by 164.520 [the section addressing the notice of privacy practices] to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by 164.502(b)(a)(iii) [separate statements for certain uses or disclosures] to include a specific statement in its notice if it intends to engage in an activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose protected health information for such activities, unless the required statement is included in the notice."I am not an attorney and do not work for OCR so can not say without doubt that what has been said by many (including myself) regarding the fact that if you notice a disclosure that the law allows you to make that you don't have to account for it. But I believe that this can be concluded from reading the above section of the regulations. I believe if you inform a patient in your notice that you may make a disclosure that is allowed by the law and that does not require that you first receive an authorization before you make the disclosure thatyou do not have to account for it. I assume that none of us would make a disclosure that is not specifically allowed without first receiving an authorization to do so and if we inadvertently make a disclosure that is not allowed (for instance a mis-sent fax) we would account for it.The way I have read the above section leads me to believe that if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it.Any one else out there that supports this?By posting my email to the listserv, I had hoped to hear more from agencies involved in auditing or that are subject to audits. Surly you folks have given this some thought - anyone willing to state how they are viewing this particular subject?Thanks,Anita-Original Message-From: Noel Chang [mailto:[EMAIL PROTECTED]]Sent: Thursday, February 13, 2003 10:20 PMTo: Halterman,Anita; WEDI SNIP Privacy Workgroup ListSubject: NPP and accounting for disclosures - was Medicare audits: operations?Changing the subject for a minute:I have seen several emails from people, including the one below, that havemade various statements all to the effect that if you mention a particulartype of disclosure in your NPP, you will not have to account for suchdisclosures.Anita wrote:"One way a covered entity might get around having to account for disclosuresmade for auditing purposes is to inform their patients through their noticeof privacy practices that they may make a disclosure for this type ofactivity."Could someone please cite for me where in the Rule they believe this isauthorized? When I read section 164.528(a)(1) it says a CE must account forall disclosures except for the ones listed in sub-paragraphs (i) through(ix). No where in that list do I see "disclosures that are mentioned in yourNotice of Privacy Practices".Is the assumption that by mentioning a type of disclosure in my NPP I canthen claim it is part of TPO? I don't see any room to make that argumentsince TPO is clearly defined in sections 164.501 and 164.506.Thanks,Noel Chang--Open WebMail Project (http://openwebmail.org)-- Original Message ---From: "Halterman, Anita" [EMAIL PROTECTED]To: "WEDI SNIP Privacy Workgroup List" [EMAIL PROTECTED]Sent: Thu, 13 Feb 2003 14:37:17 -0900Subject: RE: Medicare audits: operations? I have been thinking about this issue for some time now and this is my two cents for what it is worth (I am not an attorney). Sorry Chris I don't agree with your take on this. In order for this activity to be a part of your health care operations, the activity would have to fall under the definition of "Health care operations" as follows: "Health care operations" means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population- based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under
RE: NPP and accounting for disclosures - was Medicare audits: op erations?
Title: Message The disclosures I had referenced in my earlier email posting are permissible disclosures (disclosures for audit purposes are allowed by HIPAA). I did not mean to imply that all accounting can be avoided as the notice should address typical uses of PHI for a CE. In general HIPAA's Privacy Rule requires all covered entities to track all disclosures of protected health information that occurred within a six year period except for the following: A disclosure made for the purposes of treatment, payment or health care operations as outlined by 45 CFR 164.506; A disclosure that is made to the individual about their own protected health information; A disclosure that is incidental to a use or disclosure otherwise permitted or required, as provided for in 45 CFR 164.502; A disclosure that is made pursuant to an authorization as provided for in 45 CFR 164.508; A disclosure made for the purpose of including information in a facility directory, or to people who are involved in an individual's care, or other notification purposes, provided the individual has been given an opportunity to agree or object to such use or disclosure; A disclosure made for national security or intelligence purposes as provided for by the National Security Act; A disclosure made to correctional institutions or to law enforcement officials as allowed by 45 CFR 164.512(k)(5); As part of a limited data set in accordance with 45 CFR 164.514(e); or A disclosure that occurred prior to the compliance date for the covered entity. Covered entities have limited rights to suspend an individual's right to receive an accounting of disclosures. These limitations are restricted to health oversight activities and or law enforcement activities. To learn more about these restrictions 45 CFR 164.528 should be reviewed. If I implied otherwise please accept my apology as I did not intend to. Anita -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 11:10 AMTo: Halterman, Anita; WEDI SNIP Privacy Workgroup ListSubject: RE: NPP and accounting for disclosures - was Medicare audits: op erations? Anita, I do not agree with your interpretation. You are required to provide the notice, yes. You are allowed disclosures for TPO, yes. You are also allowed other disclosures documented in the notice, yes. However, the only disclosures that do not require accounting, are for TPO purposes only. All other permissible disclosures, outside of TPO must be accounted for regardless of their inclusion in the notice. Also all impermissible disclosures must be accounted, regardless of if an authorization is in place or not. Regards, Tim McGuinness, Ph.D.Email: [EMAIL PROTECTED]Alt Email: [EMAIL PROTECTED]Direct Phone: 1-727-787-9801 /Voice Mail Fax: 1-240-525-1149 Consulting Specialist in Regulatory Privacy, Security, and Application Compliance - Specialist in Medicaid Provider Local Government Compliance[HIPAA/FDA/CMS-HCFA/ICH/ADA Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 CA]Websites: www.HIPAAhelpNETWORK.com www.LocalGovernmentCompliance.com www.TimMcGuinness.com www.McGuinnessDesigns.com Executive Co-Chairman for Privacy,HIPAA Conformance Certification Organization (www.HCCO.us) === IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature. HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - you're use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation. -Original Message-From: Halterman, Anita [mailto:[EMAIL PROTECTED]]Sent: Friday, February 14, 2003 1:28 PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: NPP and
