That sounds like an audit that the provider would be doing for their own 
operations.  Why would Medicare be interested in a provider's "Bad Debt" 
account?  If you are performing an audit for your own operations then I think 
we can safely say you are within TPO and any disclosure would not have to be 
accounted for.

Of course, if the audit is for your own purposes, why are you disclosing the 
audit information to anyone outside the provider's office (unless you are 
using a business associate to perform the audit for you).

Noel Chang

--
Open WebMail Project (http://openwebmail.org)


---------- Original Message -----------
From: Beth Cole <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Fri, 14 Feb 2003 09:52:11 -0600
Subject: Re: Medicare audits:  operations?

> I just got a bit more information regarding the specific audit we're 
> talking about.
> 
> It isn't the generalized Medicare audit.  Instead, it is the cost 
> report audit (my understanding is that it has to do with the 
> accounts that have Medicare as the primary payor but whose balance 
> after payment has gone to a "bad debt" status.  I'm not generally 
> involved in things financial, so I'm not really sure).
> 
> Does that make a difference in people's opinions?
> 
> Beth
> 
> Halterman, Anita wrote:
> 
> > I have been thinking about this issue for some time now and this is my 
> > two cents for what it is worth.... (I am not an attorney). Sorry Chris 
> > I don't agree with your take on this.
> >
> > In order for this activity to be a part of your health care 
> > operations, the activity would have to fall under the definition of 
> > "Health care operations" as follows:
> >
> > "Health care operations" means any of the following activities of the 
> > covered entity to the extent that the activities are related to 
> > covered functions:
> > (1) Conducting quality assessment and improvement activities, 
> > including outcomes evaluation and development of clinical guidelines, 
> > provided that the obtaining of generalizable knowledge is not the 
> > primary purpose of any studies resulting from such activities; 
> > population-based activities relating to improving health or reducing 
> > health care costs, protocol development, case management and care 
> > coordination, contacting of health care providers and patients with 
> > information about treatment alternatives; and related functions that 
> > do not include treatment;
> > (2) Reviewing the competence or qualifications of health care 
> > professionals, evaluating practitioner and provider performance, 
> > health plan performance, conducting training programs in which 
> > students, trainees, or practitioners in areas of health care learn 
> > under supervision to practice or improve their skills as health care 
> > providers, training of non-health care professionals, accreditation, 
> > certification, licensing, or credentialing activities;
> > (3) Underwriting, premium rating, and other activities relating to the 
> > creation, renewal or replacement of a contract of health insurance or 
> > health benefits, and ceding, securing, or placing a contract for 
> > reinsurance of risk relating to claims for health care (including 
> > stop-loss insurance and excess of loss insurance), provided that the 
> > requirements of §164.514(g) [disclosures relating to underwriting] are 
> > met, if applicable;
> > (4) Conducting or arranging for medical review, legal services, and 
> > auditing functions, including fraud and abuse detection and compliance 
> > programs;
> > (5) Business planning and development, such as conducting 
> > cost-management and planning-related analyses related to managing and 
> > operating the entity, including formulary development and 
> > administration, development or improvement of methods of payment or 
> > coverage policies; and
> > (6) Business management and general administrative activities of the 
> > entity, including, but not limited to:
> > (i) Management activities relating to implementation of and compliance 
> > with the requirements of this subchapter;
> > (ii) Customer service, including the provision of data analyses for 
> > policy holders, plan sponsors, or other customers, provided that 
> > protected health information is not disclosed to such policy holder, 
> > plan sponsor, or customer.
> > (iii) Resolution of internal grievances;
> > (iv) The sale, transfer, merger, or consolidation of all or part of 
> > the covered entity with another covered entity, or an entity that 
> > following such activity will become a covered entity and due diligence 
> > related to such activity; and
> > (v) Consistent with the applicable requirements of §164.514 [/Other 
> > requirements relating to the uses and disclosures of protected health 
> > information/], creating de-identified health information or a limited 
> > data set, and fundraising for the benefit of the covered entity.
> >
> > I highlighted in red the sections above in the definition that I 
> > believe are important to review.
> >
> > If a covered entity is being audited, I believe that the covered 
> > entity being audited would be subject to account for the disclosure 
> > that they made for audit purposes. The activity (audit) is not an 
> > activity of the covered entity being audited, but instead is the 
> > activity of another agency to ensure that the covered entity under 
> > audit has met its obligations.
> >  
> > Since the audit is required by law, no authorization is needed to 
> > allow for the disclosure, see 42 CFR 164.512(a), this section 
> > addresses disclosures that are permitted by law and don't require an 
> > authorization. Also 42 CFR 164.512(d) specifically addresses health 
> > oversight, which both Beth and I obviously agree that this is.
> >
> > 42 CFR 164.528 does not specifically exclude health oversight 
> > activities from being subject to an accounting. Because of this it is 
> > my conclusion that audit activity related disclosures made by an 
> > entity under audit are subject to an accounting. This is also not the 
> > function of the covered entity being audited but instead is the 
> > function of an outside agency, to determine compliance with program 
> > rules.
> >  
> > One way a covered entity might get around having to account 
> > for disclosures made for auditing purposes is to inform their patients 
> > through their notice of privacy practices that they may make a 
> > disclosure for this type of activity. This would require careful 
> > crafting of the notice of privacy practices. If a disclosure is not 
> > addressed in your notice and you don't have an authorization to make 
> > the disclosure you will most likely have to account for it (there are 
> > some exceptions).
> >
> > For the covered entity doing the audit (I am assuming they are covered 
> > - ours is), I don't believe an accounting would be required as this 
> > function is one of their health care operations functions.
> >
> > Based on the information on Beth's posting, I assume Beth works for a 
> > covered entity that would be subject to the audit. I work for an 
> > agency who would be involved with the performance of the audit.
> >
> > I had hoped to discuss this matter with someone on the same side of 
> > the fence that I am but when I recently posted a question related to 
> > auditing, I got no responses from anyone who could offer assistance to me.
> >
> > I suspect that some of the entities that perform audit functions are 
> > not covered entities. Our agencies unit that performs audits is a part 
> > of our Medical Assistance program, therefore is part of our covered 
> > entity. Some audit agencies may actually be business associates of 
> > covered entities (or so I believe). I had hoped to learn more about 
> > this to support my belief that they are but since I got no responses 
> > from my past posting to the NMEH, I suspect many audit agencies are 
> > not listening to this listserv. 
> >
> > I recently spoke with staff with our certification and licensing unit 
> > who perform audits and they gave me the name of a contact whom they 
> > suggested I send my questions to. I intend to pose some questions 
> > to this contact so that I can get input from others regarding this 
> > subject but will wait to see if others want to rule on this.
> >
> > It would be nice if we could get some input from both CMS and OCR on 
> > this issue. OCR for obvious reasons as they oversee the privacy issues 
> > and CMS because CMS often engages state agencies to conduct audit 
> > functions for the Medicare program. 
> >  
> > I don't normally post my responses to the listserv but maybe others 
> > could offer input as April 14, 2003 is not far away.
> >  
> > Good luck,
> > Anita Halterman
> > HIPAA Integration and Transition (HIT) Co-Chair
> > Health Policy Analyst &
> > HIPAA Privacy and Security Coordinator
> > State of Alaska,
> > Department of Health and Social Services,
> > Division of Medical Assistance,
> > 4501 Business Park Blvd., Suite 24
> > Anchorage, AK 99503-7167
> > (907)334-2431
> > -----Original Message-----
> > From: Beth Cole [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 6:53 AM
> > To: WEDI SNIP Privacy Workgroup List
> > Subject: Medicare audits: operations?
> >
> >
> > We're having an internal debate regarding whether or not the audits
> > Medicare does of a random selection of Medicare patients at our facility
> > can be classified as operations.
> >
> > If they can, we don't have to account for the disclosure.  If they
> > can't, then we have to account for them, under 164.512(d), as health
> > oversight activities.
> >
> > The group that feels they can says that participation in the audits is
> > mandatory for participation in the Medicare program, thus they are
> > operations to receive payment.
> >
> > The group that feels they can says that these are not our operations,
> > but the operations of Medicare as a separate covered entity, and that we
> > could function without doing them.
> >
> > So, who wants to weigh in?
> >
> > Beth
> 
> -- 
> Beth Cole
> Information Services Support Specialist
> Newman Regional Health
> Emporia, Kansas
> 
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. 
> The discussions on this listserv therefore represent the views of 
> the individual participants, and do not necessarily represent the 
> views of the WEDI Board of Directors nor WEDI SNIP. If you wish to 
> receive an official opinion, post your question to the WEDI SNIP 
> Issues Database at http://snip.wedi.org/tracking/.   These listservs 
> should not be used for commercial marketing purposes or discussion 
> of specific vendor products and services.  They also are not 
> intended to be used as a forum for personal disagreements or 
> unprofessional communication at any time.
> 
> You are currently subscribed to wedi-privacy as: 
> [EMAIL PROTECTED] To unsubscribe from this list, go to the 
> Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a 
> blank email to [EMAIL PROTECTED] If you 
> need to unsubscribe but your current email address is not the same 
> as the address subscribed to the list, please use the 
> Subscribe/Unsubscribe form at http://subscribe.wedi.org
------- End of Original Message -------


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org

Reply via email to