Traci,
I tend to view
(at least some of) the "audit" activities performed by the State as being
conducted on behalf of the CE-Health Plans (e.g., Medicaid) as opposed to
the CE-providers. As such, those State-conducted "audit" activities
are part of the Health Plan's "health care operations".
Consequently, the State auditors would probably be construed as Business
Associates of the Health Plan.
How do others
view this?
I hope that this
helps.
Your questions
are always welcome.
Matt
Matthew
Rosenblum
Chief Operations
Officer
Privacy, Quality
Management & Regulatory Affairs
CPI
Directions, Inc.
10 West 15th
Street, Suite 1922
New
York, NY
10011
(212)
675-6367
[EMAIL PROTECTED]
CONFIDENTIALITY
NOTICE: This E-Mail is intended only for the use of the individual or
entity to which it is addressed and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you have received this communication in error, please do not distribute
it. Please notify the sender by E-Mail at the address shown and
delete the original message. Thank you.
AVISO
DEL CONFIDENCIALIDAD: Este email es solamente para el uso
del
individuo o la entidad a la cual se dirige y puede contener información
privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
usted ha recibido esta comunicación por error, por favor no lo
distribuya. Favor notificar al remitente del E-Mail a la dirección
mostrada y elimine el mensaje original. Gracias.
-----Original
Message-----
From:
Traci.Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003
11:15 AM
To: WEDI SNIP
Privacy Workgroup List
Cc: 'Bill MacBain';
Judy.Griffith
Subject:
RE: Recording Disclosures (was BA Agreement Questions)
I would like to introduce myself, as I am new to
this listserv. I am the HIPAA Privacy Project Manager for a health
plan in Illinois. Even though I am new to this listserv, several of
your names are familar from the HIPAAlive listserv.
Noel, I want to be clear I understand your
response. Are you saying that it is your opinion that audits
performed by a State agency or someone on their behalf falls under
disclosing information for our own activities related to "Conducting or
arranging for medical review, legal services, and auditing functions,
including fraud and abuse detection and compliance programs"?
I am not convinced that we could constitute audits
being performed by a State agency as part of our own health care
operation. I believe this is something that we would have to track
and provide an accounting for because it is "required by law" and the
disclosures are made for "health oversight activities".
Also, it is more than likely that the State agency
requiring the audit is not a covered entity so the sharing PHI for
"certain health care operations" wouldn't apply, and they would not be
considered a business associate as they are not doing something on our
behalf.
However, I would like to be convinced that this
would fall under our health care operations, because currently our system
does not have a way to track disclosures made on multiple members, without
manually documenting in each member record.
I do agree in that I don't think by mentioning the
possibility of a type of disclsoure in your NPP a covered entity can
relieve themselves of the obligations to track and account for such
disclosures.
I welcome everyone's opinion.
Traci Jensen
Compliance Programs Manager/HIPAA Project
Manager
Health Alliance Medical Plans, Inc.
-----Original Message-----
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February
05, 2003 8:37 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Recording
Disclosures (was BA Agreement Questions)
Under the definition of "health care operations",
found in section 164.501,
item (4) of that definition includes, "Conducting
or arranging for medical
review, legal services, and auditing functions,
including fraud and abuse
detection and compliance programs".
I would take this to mean that the audit is part
of TPO, and there for not a
disclosure that needs to be accounted
for.
As a footnote, I'm not sure I agree with your
implication that by mentioning
the possibility of a type of disclsoure in your
NPP you can relieve yourself
of the obligations to account for such
disclosures. The disclosures that
should and should not be accounted
for are ennumerated clearly in section
164.528(a)(1). I am not aware
of any relief from these requirements through
your NPP.
Noel Chang
--
Open WebMail Project (http://openwebmail.org)
---------- Original Message
-----------
From: "Jim Moores"
<[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup
List" <[EMAIL PROTECTED]>
Sent: Wed, 05 Feb 2003 08:11:02
-0500
Subject: Recording Disclosures (was BA Agreement
Questions)
> Hi All,
>
> I agree with Noel's
interpretation....
>
> But, I would like to confirm a
related Privacy implication: When you
> disclose PHI to either the state
or an auditing group that the state
> hired, must you record that as a
disclosure? Do you have to record the
> disclosure at the individual
level or can you just put a statement into
> your NPP that this kind of
disclosure could happen to the person's PHI?
>
> The main reason I
ask the question really centers on what TPO consists
> of. If the state
audits, say an insurance company as a part of it's
> oversight of all insurance
companies, is that disclosure of PHI to
> the state a part of TPO, since
the insurance company doesn't have
> any choice in the matter? Can the same
be said for all regulatory
> types of disclosures?
>
> All opinions expressed are my
own and should not be construed to be
> Medical Mutual or Antares Management
Solutions official policy.
>
> Jim Moores - HIPAA Team Leader -
Privacy
>
Antares Management Solutions
> 23700 Commerce Park Road
> Beachwood,
Ohio 44122-5832
>
> [EMAIL PROTECTED]
> Phone:
(216)292-1605
> Fax:
(216)292-1619
>
>
> >>> "Noel Chang"
<[EMAIL PROTECTED]> 02/04/03 10:36PM >>>
> Is the audit being
done at your request or are you required to
> submit to the audit by the
state?
>
> If you
are initiating the audit then I'd say you should have a BA
> agreement.
> If the
audit is being imposed on you by the state then I'd say no BA
> is
required.
>
> If the billing information you submit to the
schools/nursing
> homes/welfare
> departments are for services you
delivered to them, I don't see why
> a BA
>
> agreement would be necessary. You are
making a disclosure to obtain
> payment. Such disclosures are
specifically permitted, even if the
> disclosure
> is to the financially
responsible party who is not the same person as
> the
> subject of the
PHI.
>
> BA
agreements are only necessary when you have a third party
performing
> a
> covered function on your
behalf.
>
> Noel
Chang
>
>
--
> Open
WebMail Project (http://openwebmail.org)
>
>
---------- Original Message -----------
> From: "Teri Baskett"
<[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List"
<[EMAIL PROTECTED]>
> Sent: Tue, 4 Feb 2003 17:42:31
-0500
>
Subject: BA Agreement Questions
>
> > I've met with my CFO and our Purchasing
Mgr and we've figured out
> > most of our vendor list. But we
had a couple of questions I hoped
> > someone could help with:
> >
> >
1. What do we do about auditors that come on-site to review records
> > for
payment/compliance. If i read this right, if the auditor is a
> >
govt agency (Medicaid or Medicare) then we don't need an agreement.
> > But
our state contracts with another company to audit our state
> >
contract funds. Do we have to have the BA with that company for
that?
>
>
>
> 2. We have service contract agreements with several
schools/nursing
> > homes/welfare depts. In addition
to the treatment piece, we also
> > (of course) submit bills that include
patient identifiers (name, SSN,
> > address). Do we need BA's
for those relationships?
> >
> > Teri Baskett
> > Information
Officer
>
> LifeSpring Mental Health Services
> >
> > ---
> > The WEDI SNIP listserv to
which you are subscribed is not moderated.
> > The discussions on this
listserv therefore represent the views of
> > the individual
participants, and do not necessarily represent the
> > views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to
> > receive an official
opinion, post your question to the WEDI SNIP
> > Issues Database at http://snip.wedi.org/tracking/.
These listservs
> > should not be used for commercial
marketing purposes or discussion
> > of specific vendor products and
services. They also are not
> > intended to be used as a forum for
personal disagreements or
> > unprofessional communication at any
time.
>
>
>
> You are currently subscribed to wedi-privacy as:
> >
[EMAIL PROTECTED] To unsubscribe from this list, go to the
> >
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a
> >
blank email to [EMAIL PROTECTED] If you
> >
need to unsubscribe but your current email address is not the same
> > as
the address subscribed to the list, please use the
> > Subscribe/Unsubscribe form
at http://subscribe.wedi.org
> ------- End of
Original Message -------
>
> ---
> The WEDI SNIP listserv to which you are
subscribed is not moderated.
> The discussions on this listserv therefore
represent the views of
> the individual participants, and do not
necessarily represent the
> views of the WEDI Board of Directors nor WEDI
SNIP. If you wish to
> receive an official opinion, post your
question to the WEDI SNIP
> Issues Database at http://snip.wedi.org/tracking/.
These listservs
> should not be used for commercial marketing
purposes or discussion
> of specific vendor products and
services. They also are not
> intended to be used as a forum for personal
disagreements or
> unprofessional communication at any
time.
>
> You are
currently subscribed to wedi-privacy as:
>
[EMAIL PROTECTED]
> To unsubscribe from this list, go to the
Subscribe/Unsubscribe form
> at http://subscribe.wedi.org or send a
blank email to leave-wedi-
> [EMAIL PROTECTED] If you need
to unsubscribe but your
> current email address is not the same as the
address subscribed to
> the list, please use the
Subscribe/Unsubscribe form at
http://subscribe.wedi.org
>
>
----------------------------------------------------------------------------
--
> CONFIDENTIALITY NOTICE:
This message is intended only for the
> use of the individual or entity to which it
is addressed and may contain
> information that is privileged, confidential
or exempt from
> disclosure under applicable law. If the
reader of this message is
> not the intended recipient or the employee or
agent responsible for
> delivering the message to the intended
recipient, you are hereby
> notified that you are strictly prohibited
from printing, storing,
> disseminating, distributing or copying
this communication. If you
> have received this communication in error,
please notify us
> immediately by replying to the message and
deleting it from your
> computer. Thank You, Antares Management
Solutions.
>
>
==============================================================================
>
>
---
> The
WEDI SNIP listserv to which you are subscribed is not moderated.
> The
discussions on this listserv therefore represent the views of
> the
individual participants, and do not necessarily represent the
> views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to
> receive
an official opinion, post your question to the WEDI SNIP
> Issues
Database at http://snip.wedi.org/tracking/.
These listservs
> should not be used for commercial marketing
purposes or discussion
> of specific vendor products and
services. They also are not
> intended to be used as a forum for personal
disagreements or
> unprofessional communication at any
time.
>
> You are
currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED] To
unsubscribe from this list, go to the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a
> blank
email to [EMAIL PROTECTED] If you
> need to
unsubscribe but your current email address is not the same
> as the
address subscribed to the list, please use the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org
------- End of Original
Message -------
---
The WEDI SNIP listserv to which you are subscribed
is not moderated. The discussions on this listserv therefore represent the
views of the individual participants, and do not necessarily represent the
views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive
an official opinion, post your question to the WEDI SNIP Issues Database
at http://snip.wedi.org/tracking/.
These listservs should not be used for commercial marketing purposes or
discussion of specific vendor products and services. They also are
not intended to be used as a forum for personal disagreements or
unprofessional communication at any time.
You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a
blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email
address is not the same as the address subscribed to the list, please use
the Subscribe/Unsubscribe form at http://subscribe.wedi.org
---
The WEDI SNIP listserv to
which you are subscribed is not moderated. The discussions on this
listserv therefore represent the views of the individual participants, and
do not necessarily represent the views of the WEDI Board of Directors nor
WEDI SNIP. If you wish to receive an official opinion, post your question
to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These
listservs should not be used for commercial marketing purposes or
discussion of specific vendor products and services. They also are not
intended to be used as a forum for personal disagreements or
unprofessional communication at any time.
You are currently
subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from
this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe
but your current email address is not the same as the address subscribed
to the list, please use the Subscribe/Unsubscribe form at
http://subscribe.wedi.org
---