In general HIPAA's Privacy Rule requires all covered
entities to track all
disclosures of protected health information that occurred within a six year
period except for the following:
- A disclosure made for the purposes
of treatment, payment or health care operations as outlined by 45 CFR
164.506;
- A disclosure that is made to the
individual about their own protected health information;
- A disclosure that is incidental to
a use or disclosure otherwise permitted or required, as provided for in 45 CFR
164.502;
- A disclosure that is made pursuant
to an authorization as provided for in 45 CFR 164.508;
- A disclosure made for the purpose
of including information in a facility directory, or to people who are
involved in an individual's care, or other notification purposes, provided the
individual has been given an opportunity to agree or object to such use or
disclosure;
- A disclosure made for national
security or intelligence purposes as provided for by the National Security
Act;
- A disclosure made to correctional
institutions or to law enforcement officials as allowed by 45 CFR
164.512(k)(5);
- As part of a limited data set in
accordance with 45 CFR 164.514(e); or
- A disclosure that occurred prior to the compliance date for the covered entity.
Covered entities have limited rights to suspend an individual's right to receive an accounting of disclosures. These limitations are restricted to health oversight activities and or law enforcement activities. To learn more about these restrictions 45 CFR 164.528 should be reviewed.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 11:10 AM
To: Halterman, Anita; WEDI SNIP Privacy Workgroup List
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?
---Anita, I do not agree with your interpretation. You are required to provide the notice, yes. You are allowed disclosures for TPO, yes. You are also allowed other disclosures documented in the notice, yes. However, the only disclosures that do not require accounting, are for TPO purposes only. All other permissible disclosures, outside of TPO must be accounted for regardless of their inclusion in the notice. Also all impermissible disclosures must be accounted, regardless of if an authorization is in place or not.Regards,Tim McGuinness, Ph.D.
Email: [EMAIL PROTECTED]
Alt Email: [EMAIL PROTECTED]
Direct Phone: 1-727-787-9801 / Voice Mail & Fax: 1-240-525-1149Consulting Specialist in Regulatory Privacy, Security, and Application Compliance - Specialist in Medicaid Provider & Local Government Compliance
[HIPAA/FDA/CMS-HCFA/ICH/ADA & Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A]
Websites: www.HIPAAhelpNETWORK.com www.LocalGovernmentCompliance.com www.TimMcGuinness.com www.McGuinnessDesigns.comExecutive Co-Chairman for Privacy,
HIPAA Conformance Certification Organization (www.HCCO.us)===========================================================================
IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.
HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The forgoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - you're use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation.
-----Original Message-----
From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 1:28 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?Read 45 164.502 uses and disclosures of protected health information: general rules:
---
(i) "Standard: Uses and disclosures consistent with notice. A covered entity that is required by 164.520 [the section addressing the notice of privacy practices] to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by 164.502(b)(a)(iii) [separate statements for certain uses or disclosures] to include a specific statement in its notice if it intends to engage in an activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose protected health information for such activities, unless the required statement is included in the notice."
I am not an attorney and do not work for OCR so can not say without doubt that what has been said by many (including myself) regarding the fact that if you notice a disclosure that the law allows you to make that you don't have to account for it. But I believe that this can be concluded from reading the above section of the regulations. I believe if you inform a patient in your notice that you may make a disclosure that is allowed by the law and that does not require that you first receive an authorization before you make the disclosure that you do not have to account for it. I assume that none of us would make a disclosure that is not specifically allowed without first receiving an authorization to do so and if we inadvertently make a disclosure that is not allowed (for instance a mis-sent fax) we would account for it.
The way I have read the above section leads me to believe that if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it.
Any one else out there that supports this?
By posting my email to the listserv, I had hoped to hear more from agencies involved in auditing or that are subject to audits. Surly you folks have given this some thought - anyone willing to state how they are viewing this particular subject?
Thanks,
Anita
-----Original Message-----
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 10:20 PM
To: Halterman,Anita; WEDI SNIP Privacy Workgroup List
Subject: NPP and accounting for disclosures - was Medicare audits: operations?
Changing the subject for a minute:
I have seen several emails from people, including the one below, that have
made various statements all to the effect that if you mention a particular
type of disclosure in your NPP, you will not have to account for such
disclosures.
Anita wrote:
"One way a covered entity might get around having to account for disclosures
made for auditing purposes is to inform their patients through their notice
of privacy practices that they may make a disclosure for this type of
activity."
Could someone please cite for me where in the Rule they believe this is
authorized? When I read section 164.528(a)(1) it says a CE must account for
all disclosures except for the ones listed in sub-paragraphs (i) through
(ix). No where in that list do I see "disclosures that are mentioned in your
Notice of Privacy Practices".
Is the assumption that by mentioning a type of disclosure in my NPP I can
then claim it is part of TPO? I don't see any room to make that argument
since TPO is clearly defined in sections 164.501 and 164.506.
Thanks,
Noel Chang
--
Open WebMail Project (http://openwebmail.org)
---------- Original Message -----------
From: "Halterman, Anita" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thu, 13 Feb 2003 14:37:17 -0900
Subject: RE: Medicare audits: operations?
> I have been thinking about this issue for some time now and this is
> my two cents for what it is worth.... (I am not an attorney). Sorry
> Chris I don't agree with your take on this.
>
> In order for this activity to be a part of your health care
> operations, the activity would have to fall under the definition of
> "Health care operations" as follows:
>
> "Health care operations" means any of the following activities of the
> covered entity to the extent that the activities are related to
> covered
> functions:
>
> (1) Conducting quality assessment and improvement activities,
> including outcomes evaluation and development of clinical guidelines,
> provided that the obtaining of generalizable knowledge is not the
> primary purpose of any studies resulting from such activities;
> population- based activities relating to improving health or reducing
> health care costs, protocol development, case management and care
> coordination, contacting of health care providers and patients with
> information about treatment alternatives; and related functions that
> do not include treatment;
> (2) Reviewing the competence or qualifications of health care
> professionals, evaluating practitioner and provider performance,
> health plan performance, conducting training programs in which
> students, trainees, or practitioners in areas of health care learn
> under supervision to practice or improve their skills as health care
> providers, training of non-health care professionals, accreditation,
> certification, licensing, or credentialing activities;
> (3) Underwriting, premium rating, and other activities relating to
> the creation, renewal or replacement of a contract of health
> insurance or health benefits, and ceding, securing, or placing a
> contract for reinsurance of risk relating to claims for health care
> (including stop-loss insurance and excess of loss insurance),
> provided that the requirements of §164.514(g) [disclosures relating
> to underwriting] are met, if applicable;
> (4) Conducting or arranging for medical review, legal services, and auditing
> functions, including fraud and abuse detection and compliance programs;
>
> (5) Business planning and development, such as conducting
> cost-management and planning-related analyses related to managing and
> operating the entity, including formulary development and
> administration, development or improvement of methods of payment or
> coverage policies; and
> (6) Business management and general administrative activities of the
> entity, including, but not limited to:
> (i) Management activities relating to implementation of and
> compliance with the requirements of this subchapter;
> (ii) Customer service, including the provision of data analyses for policy
> holders, plan sponsors, or other customers, provided that protected health
> information is not disclosed to such policy holder, plan sponsor, or
> customer.
> (iii) Resolution of internal grievances;
>
> (iv) The sale, transfer, merger, or consolidation of all or part of
> the covered entity with another covered entity, or an entity that
> following such activity will become a covered entity and due diligence
> related to such activity; and
> (v) Consistent with the applicable requirements of §164.514 [Other
> requirements relating to the uses and disclosures of protected
> health information], creating de-identified health information or a
> limited data set, and fundraising for the benefit of the covered entity.
>
> I highlighted in red the sections above in the definition that I
> believe are important to review.
>
> If a covered entity is being audited, I believe that the covered
> entity being audited would be subject to account for the disclosure
> that they made for audit purposes. The activity (audit) is not an
> activity of the covered entity being audited, but instead is the
> activity of another agency to ensure that the covered entity under
> audit has met its obligations.
>
> Since the audit is required by law, no authorization is needed to
> allow for the disclosure, see 42 CFR 164.512(a), this section
> addresses disclosures that are permitted by law and don't require an
> authorization. Also 42 CFR 164.512(d) specifically addresses health
> oversight, which both Beth and I obviously agree that this is.
>
> 42 CFR 164.528 does not specifically exclude health oversight
> activities from being subject to an accounting. Because of this it is
> my conclusion that audit activity related disclosures made by an
> entity under audit are subject to an accounting. This is also not the
> function of the covered entity being audited but instead is the
> function of an outside agency, to determine compliance with program
> rules.
>
> One way a covered entity might get around having to account for
> disclosures made for auditing purposes is to inform their patients
> through their notice of privacy practices that they may make a
> disclosure for this type of activity. This would require careful
> crafting of the notice of privacy practices. If a disclosure is not
> addressed in your notice and you don't have an authorization to make
> the disclosure you will most likely have to account for it (there are
> some exceptions).
>
> For the covered entity doing the audit (I am assuming they are
> covered - ours is), I don't believe an accounting would be required
> as this function is one of their health care operations functions.
>
> Based on the information on Beth's posting, I assume Beth works for a
> covered entity that would be subject to the audit. I work for an
> agency who would be involved with the performance of the audit.
>
> I had hoped to discuss this matter with someone on the same side of
> the fence that I am but when I recently posted a question related to
> auditing, I got no responses from anyone who could offer assistance to
> me.
>
> I suspect that some of the entities that perform audit functions are
> not covered entities. Our agencies unit that performs audits is a
> part of our Medical Assistance program, therefore is part of our
> covered entity. Some audit agencies may actually be business
> associates of covered entities (or so I believe). I had hoped to
> learn more about this to support my belief that they are but since I
> got no responses from my past posting to the NMEH, I suspect many
> audit agencies are not listening to this listserv.
>
> I recently spoke with staff with our certification and licensing
> unit who perform audits and they gave me the name of a contact whom
> they suggested I send my questions to. I intend to pose some
> questions to this contact so that I can get input from others
> regarding this subject but will wait to see if others want to rule
> on this.
>
> It would be nice if we could get some input from both CMS and OCR on
> this issue. OCR for obvious reasons as they oversee the privacy
> issues and CMS because CMS often engages state agencies to conduct
> audit functions for the Medicare program.
>
> I don't normally post my responses to the listserv but maybe others
> could offer input as April 14, 2003 is not far away.
>
> Good luck,
> Anita Halterman
> HIPAA Integration and Transition (HIT) Co-Chair
> Health Policy Analyst &
> HIPAA Privacy and Security Coordinator
> State of Alaska,
> Department of Health and Social Services,
> Division of Medical Assistance,
> 4501 Business Park Blvd., Suite 24
> Anchorage, AK 99503-7167
> (907)334-2431
> -----Original Message-----
> From: Beth Cole [ <mailto:[EMAIL PROTECTED]>
> mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 6:53 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Medicare audits: operations?
>
> We're having an internal debate regarding whether or not the audits
> Medicare does of a random selection of Medicare patients at our
> facility can be classified as operations.
>
> If they can, we don't have to account for the disclosure. If they
> can't, then we have to account for them, under 164.512(d), as health
> oversight activities.
>
> The group that feels they can says that participation in the audits
> is mandatory for participation in the Medicare program, thus they
> are operations to receive payment.
>
> The group that feels they can says that these are not our operations,
> but the operations of Medicare as a separate covered entity, and that
> we could function without doing them.
>
> So, who wants to weigh in?
>
> Beth
>
> --
> Beth Cole
> Information Services Support Specialist
> Newman Regional Health
> Emporia, Kansas
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated.
> The discussions on this listserv therefore represent the views of
> the individual participants, and do not necessarily represent the
> views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> receive an official opinion, post your question to the WEDI SNIP
> Issues Database at <http://snip.wedi.org/tracking/>
> http://snip.wedi.org/tracking/. These listservs should not be used
> for commercial marketing purposes or discussion of specific vendor
> products and services. They also are not intended to be used as a
> forum for personal disagreements or unprofessional communication at
> any time.
>
> You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form
> at <http://subscribe.wedi.org> http://subscribe.wedi.org or send a
> blank email to [EMAIL PROTECTED] If you
> need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the Subscribe/Unsubscribe
> form at <http://subscribe.wedi.org> http://subscribe.wedi.org
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated.
> The discussions on this listserv therefore represent the views of
> the individual participants, and do not necessarily represent the
> views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> receive an official opinion, post your question to the WEDI SNIP
> Issues Database at http://snip.wedi.org/tracking/. These listservs
> should not be used for commercial marketing purposes or discussion
> of specific vendor products and services. They also are not
> intended to be used as a forum for personal disagreements or
> unprofessional communication at any time.
>
> You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED] To unsubscribe from this list, go to the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a
> blank email to [EMAIL PROTECTED] If you
> need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org
------- End of Original Message -------
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
