Doug, Why do you suggest "If you need a separate Authorization to do the disclosure, log it". Refer to § 164.528(a)(1)(iv)
The rule says: Right to an Accounting of Disclosures of Protected Health Information - § 164.528(a) 1. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: iv. Pursuant to an authorization as provided in § 164.508; Thank you in advance for your reply, Cindi Bowman Quality and Compliance Coordinator Catawba County Health Department 828-695-5847 -----Original Message----- From: Doug Webb [mailto:[EMAIL PROTECTED]] Sent: Friday, February 14, 2003 9:47 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: NPP and accounting for disclosures - was Medicare audits: operations? Noel, Quite so. As you said, quite a few emails seem to overlook that the Authorization to do a certian disclosure and the actual disclosure are two separate actions and need to be addressed independantly. Don't forget that the acknowledgment of receipt of your NPP is not an Authorization for release of information. The Authorization is either separate (although it might be on the same piece of paper and/or covered by the same signature), or not required (TPO disclosures). If a disclosure is permitted (either by an Authorization or by being part of TPO), it may or may not be required to be logged. This must be determined for every type of disclosure, independantly from the need for an Authorization. I would use the following rules for determining when to log disclosures (my own hueristic, not sealed in stone): If it is not a part of routine operations, log it. If you need a separate Authorization to do the disclosure, log it. For all routine operations, determine if logging is necessary If there are any questions, err on the side of logging rather than on the side of not logging. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. Webb Computer System Engineer Little Company of Mary Hospital & Health Care Centers [EMAIL PROTECTED] "This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you." ----- Original Message ----- From: "Noel Chang" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Friday, February 14, 2003 01:19 AM Subject: NPP and accounting for disclosures - was Medicare audits: operations? > Changing the subject for a minute: > > I have seen several emails from people, including the one below, that have > made various statements all to the effect that if you mention a particular > type of disclosure in your NPP, you will not have to account for such > disclosures. > > Anita wrote: > > "One way a covered entity might get around having to account for disclosures > made for auditing purposes is to inform their patients through their notice > of privacy practices that they may make a disclosure for this type of > activity." > > Could someone please cite for me where in the Rule they believe this is > authorized? When I read section 164.528(a)(1) it says a CE must account for > all disclosures except for the ones listed in sub-paragraphs (i) through > (ix). No where in that list do I see "disclosures that are mentioned in your > Notice of Privacy Practices". > > Is the assumption that by mentioning a type of disclosure in my NPP I can > then claim it is part of TPO? I don't see any room to make that argument > since TPO is clearly defined in sections 164.501 and 164.506. > > Thanks, > > Noel Chang > > > -- > Open WebMail Project (http://openwebmail.org) > > > ---------- Original Message ----------- > From: "Halterman, Anita" <[EMAIL PROTECTED]> > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> > Sent: Thu, 13 Feb 2003 14:37:17 -0900 > Subject: RE: Medicare audits: operations? > > > I have been thinking about this issue for some time now and this is > > my two cents for what it is worth.... (I am not an attorney). Sorry > > Chris I don't agree with your take on this. > > > > In order for this activity to be a part of your health care > > operations, the activity would have to fall under the definition of > > "Health care operations" as follows: > > > > "Health care operations" means any of the following activities of the > > covered entity to the extent that the activities are related to covered > > functions: > > > > (1) Conducting quality assessment and improvement activities, including > > outcomes evaluation and development of clinical guidelines, provided > > that the obtaining of generalizable knowledge is not the primary > > purpose of any studies resulting from such activities; population- > > based activities relating to improving health or reducing health > > care costs, protocol development, case management and care > > coordination, contacting of health care providers and patients with > > information about treatment alternatives; and related functions that > > do not include treatment; > > (2) Reviewing the competence or qualifications of health care > > professionals, evaluating practitioner and provider performance, > > health plan performance, conducting training programs in which > > students, trainees, or practitioners in areas of health care learn > > under supervision to practice or improve their skills as health care > > providers, training of non-health care professionals, accreditation, > > certification, licensing, or credentialing activities; > > (3) Underwriting, premium rating, and other activities relating to > > the creation, renewal or replacement of a contract of health > > insurance or health benefits, and ceding, securing, or placing a > > contract for reinsurance of risk relating to claims for health care > > (including stop-loss insurance and excess of loss insurance), > > provided that the requirements of §164.514(g) [disclosures relating > > to underwriting] are met, if applicable; > > (4) Conducting or arranging for medical review, legal services, and auditing > > functions, including fraud and abuse detection and compliance programs; > > > > (5) Business planning and development, such as conducting cost-management > > and planning-related analyses related to managing and operating the > > entity, including formulary development and administration, > > development or improvement of methods of payment or coverage > > policies; and > > (6) Business management and general administrative activities of the > > entity, including, but not limited to: > > (i) Management activities relating to implementation of and > > compliance with the requirements of this subchapter; > > (ii) Customer service, including the provision of data analyses for policy > > holders, plan sponsors, or other customers, provided that protected health > > information is not disclosed to such policy holder, plan sponsor, or > > customer. > > (iii) Resolution of internal grievances; > > > > (iv) The sale, transfer, merger, or consolidation of all or part of the > > covered entity with another covered entity, or an entity that > > following such activity will become a covered entity and due > > diligence related to such activity; and > > (v) Consistent with the applicable requirements of §164.514 [Other > > requirements relating to the uses and disclosures of protected > > health information], creating de-identified health information or a > > limited data set, and fundraising for the benefit of the covered entity. > > > > I highlighted in red the sections above in the definition that I > > believe are important to review. > > > > If a covered entity is being audited, I believe that the covered entity > > being audited would be subject to account for the disclosure that > > they made for audit purposes. The activity (audit) is not an > > activity of the covered entity being audited, but instead is the > > activity of another agency to ensure that the covered entity under > > audit has met its obligations. > > > > Since the audit is required by law, no authorization is needed to > > allow for the disclosure, see 42 CFR 164.512(a), this section > > addresses disclosures that are permitted by law and don't require an > > authorization. Also 42 CFR 164.512(d) specifically addresses health > > oversight, which both Beth and I obviously agree that this is. > > > > 42 CFR 164.528 does not specifically exclude health oversight activities > > from being subject to an accounting. Because of this it is my conclusion > > that audit activity related disclosures made by an entity under > > audit are subject to an accounting. This is also not the function of > > the covered entity being audited but instead is the function of an > > outside agency, to determine compliance with program rules. > > > > One way a covered entity might get around having to account for disclosures > > made for auditing purposes is to inform their patients through their > > notice of privacy practices that they may make a disclosure for this > > type of activity. This would require careful crafting of the notice > > of privacy practices. If a disclosure is not addressed in your > > notice and you don't have an authorization to make the disclosure > > you will most likely have to account for it (there are some > > exceptions). > > > > For the covered entity doing the audit (I am assuming they are > > covered - ours is), I don't believe an accounting would be required > > as this function is one of their health care operations functions. > > > > Based on the information on Beth's posting, I assume Beth works for a > > covered entity that would be subject to the audit. I work for an > > agency who would be involved with the performance of the audit. > > > > I had hoped to discuss this matter with someone on the same side of the > > fence that I am but when I recently posted a question related to > > auditing, I got no responses from anyone who could offer assistance > > to me. > > > > I suspect that some of the entities that perform audit functions are > > not covered entities. Our agencies unit that performs audits is a > > part of our Medical Assistance program, therefore is part of our > > covered entity. Some audit agencies may actually be business > > associates of covered entities (or so I believe). I had hoped to > > learn more about this to support my belief that they are but since I > > got no responses from my past posting to the NMEH, I suspect many > > audit agencies are not listening to this listserv. > > > > I recently spoke with staff with our certification and licensing > > unit who perform audits and they gave me the name of a contact whom > > they suggested I send my questions to. I intend to pose some > > questions to this contact so that I can get input from others > > regarding this subject but will wait to see if others want to rule > > on this. > > > > It would be nice if we could get some input from both CMS and OCR on > > this issue. OCR for obvious reasons as they oversee the privacy > > issues and CMS because CMS often engages state agencies to conduct > > audit functions for the Medicare program. > > > > I don't normally post my responses to the listserv but maybe others could > > offer input as April 14, 2003 is not far away. > > > > Good luck, > > Anita Halterman > > HIPAA Integration and Transition (HIT) Co-Chair > > Health Policy Analyst & > > HIPAA Privacy and Security Coordinator > > State of Alaska, > > Department of Health and Social Services, > > Division of Medical Assistance, > > 4501 Business Park Blvd., Suite 24 > > Anchorage, AK 99503-7167 > > (907)334-2431 > > -----Original Message----- > > From: Beth Cole [ <mailto:[EMAIL PROTECTED]> mailto:[EMAIL PROTECTED]] > > Sent: Thursday, February 13, 2003 6:53 AM > > To: WEDI SNIP Privacy Workgroup List > > Subject: Medicare audits: operations? > > > > We're having an internal debate regarding whether or not the audits > > Medicare does of a random selection of Medicare patients at our facility > > can be classified as operations. > > > > If they can, we don't have to account for the disclosure. If they > > can't, then we have to account for them, under 164.512(d), as health > > oversight activities. > > > > The group that feels they can says that participation in the audits > > is mandatory for participation in the Medicare program, thus they > > are operations to receive payment. > > > > The group that feels they can says that these are not our operations, > > but the operations of Medicare as a separate covered entity, and > > that we could function without doing them. > > > > So, who wants to weigh in? > > > > Beth > > > > -- > > Beth Cole > > Information Services Support Specialist > > Newman Regional Health > > Emporia, Kansas > > > > --- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
