Anita, I think you are inferring more from the rule than you should.
With regard to the Notice, section 164.520(b)(1)(ii)(B) says the NPP must include a description of each of the other purposes for which the CE is permitted or required by this subpart to use or disclose PHI without the individual's written authorization. So I don't think there is any question as to whether or not your Notice should mention (in your words) "that you may make a disclosure that is allowed by the law and that does not require that you first receive an authorization before you make the disclosure". In fact, your Notice is required to do just that. I'm not sure I can think of any disclosure that you are allowed to make that doesn't need to be mentioned in some general way within the NPP. Indeed, the NPP is intended to give individuals "adequate notice of the uses and disclosures of PHI that may be made by the CE" (164.520(a)(1)). If you are disclosing PHI in a way that is not discussed in the NPP, then your NPP is by definition inadequate. So if every type of disclosure I make is addressed in the NPP, and you believe that as long as I put individuals on Notice of a permitted disclosure then I do not have to account for it, then what do you think you do have to account for? Only your illegal disclosures!?! I don't see anything in section 164.520 that addresses whether or not a disclsoure has to be accounted for. And I don't see anything in section 164.528 that says disclosures that are mentioned in the NPP do not need to be accounted for. SOME disclosures that 164.528 does exempt from the accounting requirement do also have to be mentioned in the NPP but I think that is an unintended overlap. One should not read into that overlap that ALL disclosures addressed in the NPP are exempt from accounting. Noel Chang -- Open WebMail Project (http://openwebmail.org) ---------- Original Message ----------- From: "Halterman, Anita" <[EMAIL PROTECTED]> To: Noel Chang <[EMAIL PROTECTED]>, WEDI SNIP Privacy Workgroup List <[EMAIL PROTECTED]> Sent: Fri, 14 Feb 2003 09:28:17 -0900 Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations? > Read 45 164.502 uses and disclosures of protected health information: > general rules: > > (i) "Standard: Uses and disclosures consistent with notice. A > covered entity that is required by 164.520 [the section addressing > the notice of privacy practices] to have a notice may not use or > disclose protected health information in a manner inconsistent with > such notice. A covered entity that is required by 164.502(b)(a)(iii) > [separate statements for certain uses or disclosures] to include a > specific statement in its notice if it intends to engage in an > activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose > protected health information for such activities, unless the > required statement is included in the notice." > > I am not an attorney and do not work for OCR so can not say without doubt > that what has been said by many (including myself) regarding the > fact that if you notice a disclosure that the law allows you to make > that you don't have to account for it. But I believe that this can > be concluded from reading the above section of the regulations. I > believe if you inform a patient in your notice that you may make a > disclosure that is allowed by the law and that does not require that > you first receive an authorization before you make the disclosure > that you do not have to account for it. I assume that none of us > would make a disclosure that is not specifically allowed without > first receiving an authorization to do so and if we inadvertently > make a disclosure that is not allowed (for instance a mis-sent fax) > we would account for it. > > The way I have read the above section leads me to believe that if > you notice a patient regarding a disclosure that is permissible > means that you do not need to account for it. > > Any one else out there that supports this? > > By posting my email to the listserv, I had hoped to hear more from agencies > involved in auditing or that are subject to audits. Surly you folks have > given this some thought - anyone willing to state how they are > viewing this particular subject? > > Thanks, > Anita > > -----Original Message----- > From: Noel Chang [mailto:[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> ] > Sent: Thursday, February 13, 2003 10:20 PM > To: Halterman,Anita; WEDI SNIP Privacy Workgroup List > Subject: NPP and accounting for disclosures - was Medicare audits: > operations? > > Changing the subject for a minute: > > I have seen several emails from people, including the one below, > that have made various statements all to the effect that if you > mention a particular type of disclosure in your NPP, you will not > have to account for such disclosures. > > Anita wrote: > > "One way a covered entity might get around having to account for disclosures > made for auditing purposes is to inform their patients through their > notice of privacy practices that they may make a disclosure for this > type of activity." > > Could someone please cite for me where in the Rule they believe this > is authorized? When I read section 164.528(a)(1) it says a CE must > account for all disclosures except for the ones listed in sub- > paragraphs (i) through > (ix). No where in that list do I see "disclosures that are > mentioned in your Notice of Privacy Practices". > > Is the assumption that by mentioning a type of disclosure in my NPP > I can then claim it is part of TPO? I don't see any room to make > that argument since TPO is clearly defined in sections 164.501 and 164.506. > > Thanks, > > Noel Chang > > -- > Open WebMail Project (http://openwebmail.org > <http://openwebmail.org> ) > > ---------- Original Message ----------- > From: "Halterman, Anita" <[EMAIL PROTECTED]> > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> > Sent: Thu, 13 Feb 2003 14:37:17 -0900 > Subject: RE: Medicare audits: operations? > > > I have been thinking about this issue for some time now and this is > > my two cents for what it is worth.... (I am not an attorney). Sorry > > Chris I don't agree with your take on this. > > > > In order for this activity to be a part of your health care > > operations, the activity would have to fall under the definition of > > "Health care operations" as follows: > > > > "Health care operations" means any of the following activities of the > > covered entity to the extent that the activities are related to > > covered > > functions: > > > > (1) Conducting quality assessment and improvement activities, > > including outcomes evaluation and development of clinical guidelines, > > provided that the obtaining of generalizable knowledge is not the > > primary purpose of any studies resulting from such activities; > > population- based activities relating to improving health or reducing > > health care costs, protocol development, case management and care > > coordination, contacting of health care providers and patients with > > information about treatment alternatives; and related functions that > > do not include treatment; > > (2) Reviewing the competence or qualifications of health care > > professionals, evaluating practitioner and provider performance, > > health plan performance, conducting training programs in which > > students, trainees, or practitioners in areas of health care learn > > under supervision to practice or improve their skills as health care > > providers, training of non-health care professionals, accreditation, > > certification, licensing, or credentialing activities; > > (3) Underwriting, premium rating, and other activities relating to > > the creation, renewal or replacement of a contract of health > > insurance or health benefits, and ceding, securing, or placing a > > contract for reinsurance of risk relating to claims for health care > > (including stop-loss insurance and excess of loss insurance), > > provided that the requirements of §164.514(g) [disclosures relating > > to underwriting] are met, if applicable; > > (4) Conducting or arranging for medical review, legal services, and > auditing > > functions, including fraud and abuse detection and compliance programs; > > > > (5) Business planning and development, such as conducting > > cost-management and planning-related analyses related to managing and > > operating the entity, including formulary development and > > administration, development or improvement of methods of payment or > > coverage policies; and > > (6) Business management and general administrative activities of the > > entity, including, but not limited to: > > (i) Management activities relating to implementation of and > > compliance with the requirements of this subchapter; > > (ii) Customer service, including the provision of data analyses for policy > > holders, plan sponsors, or other customers, provided that protected health > > information is not disclosed to such policy holder, plan sponsor, or > > customer. > > (iii) Resolution of internal grievances; > > > > (iv) The sale, transfer, merger, or consolidation of all or part of > > the covered entity with another covered entity, or an entity that > > following such activity will become a covered entity and due diligence > > related to such activity; and > > (v) Consistent with the applicable requirements of §164.514 [Other > > requirements relating to the uses and disclosures of protected > > health information], creating de-identified health information or a > > limited data set, and fundraising for the benefit of the covered entity. > > > > I highlighted in red the sections above in the definition that I > > believe are important to review. > > > > If a covered entity is being audited, I believe that the covered > > entity being audited would be subject to account for the disclosure > > that they made for audit purposes. The activity (audit) is not an > > activity of the covered entity being audited, but instead is the > > activity of another agency to ensure that the covered entity under > > audit has met its obligations. > > > > Since the audit is required by law, no authorization is needed to > > allow for the disclosure, see 42 CFR 164.512(a), this section > > addresses disclosures that are permitted by law and don't require an > > authorization. Also 42 CFR 164.512(d) specifically addresses health > > oversight, which both Beth and I obviously agree that this is. > > > > 42 CFR 164.528 does not specifically exclude health oversight > > activities from being subject to an accounting. Because of this it is > > my conclusion that audit activity related disclosures made by an > > entity under audit are subject to an accounting. This is also not the > > function of the covered entity being audited but instead is the > > function of an outside agency, to determine compliance with program > > rules. > > > > One way a covered entity might get around having to account for > > disclosures made for auditing purposes is to inform their patients > > through their notice of privacy practices that they may make a > > disclosure for this type of activity. This would require careful > > crafting of the notice of privacy practices. If a disclosure is not > > addressed in your notice and you don't have an authorization to make > > the disclosure you will most likely have to account for it (there are > > some exceptions). > > > > For the covered entity doing the audit (I am assuming they are > > covered - ours is), I don't believe an accounting would be required > > as this function is one of their health care operations functions. > > > > Based on the information on Beth's posting, I assume Beth works for a > > covered entity that would be subject to the audit. I work for an > > agency who would be involved with the performance of the audit. > > > > I had hoped to discuss this matter with someone on the same side of > > the fence that I am but when I recently posted a question related to > > auditing, I got no responses from anyone who could offer assistance to > > me. > > > > I suspect that some of the entities that perform audit functions are > > not covered entities. Our agencies unit that performs audits is a > > part of our Medical Assistance program, therefore is part of our > > covered entity. Some audit agencies may actually be business > > associates of covered entities (or so I believe). I had hoped to > > learn more about this to support my belief that they are but since I > > got no responses from my past posting to the NMEH, I suspect many > > audit agencies are not listening to this listserv. > > > > I recently spoke with staff with our certification and licensing > > unit who perform audits and they gave me the name of a contact whom > > they suggested I send my questions to. I intend to pose some > > questions to this contact so that I can get input from others > > regarding this subject but will wait to see if others want to rule > > on this. > > > > It would be nice if we could get some input from both CMS and OCR on > > this issue. OCR for obvious reasons as they oversee the privacy > > issues and CMS because CMS often engages state agencies to conduct > > audit functions for the Medicare program. > > > > I don't normally post my responses to the listserv but maybe others > > could offer input as April 14, 2003 is not far away. > > > > Good luck, > > Anita Halterman > > HIPAA Integration and Transition (HIT) Co-Chair > > Health Policy Analyst & > > HIPAA Privacy and Security Coordinator > > State of Alaska, > > Department of Health and Social Services, > > Division of Medical Assistance, > > 4501 Business Park Blvd., Suite 24 > > Anchorage, AK 99503-7167 > > (907)334-2431 > > -----Original Message----- > > From: Beth Cole [ <mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > > > > mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] > > Sent: Thursday, February 13, 2003 6:53 AM > > To: WEDI SNIP Privacy Workgroup List > > Subject: Medicare audits: operations? > > > > We're having an internal debate regarding whether or not the audits > > Medicare does of a random selection of Medicare patients at our > > facility can be classified as operations. > > > > If they can, we don't have to account for the disclosure. If they > > can't, then we have to account for them, under 164.512(d), as health > > oversight activities. > > > > The group that feels they can says that participation in the audits > > is mandatory for participation in the Medicare program, thus they > > are operations to receive payment. > > > > The group that feels they can says that these are not our operations, > > but the operations of Medicare as a separate covered entity, and that > > we could function without doing them. > > > > So, who wants to weigh in? > > > > Beth > > > > -- > > Beth Cole > > Information Services Support Specialist > > Newman Regional Health > > Emporia, Kansas > > > > --- > > The WEDI SNIP listserv to which you are subscribed is not moderated. > > The discussions on this listserv therefore represent the views of > > the individual participants, and do not necessarily represent the > > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > > receive an official opinion, post your question to the WEDI SNIP > > Issues Database at <http://snip.wedi.org/tracking/ > <http://snip.wedi.org/tracking/> > > > http://snip.wedi.org/tracking/ <http://snip.wedi.org/tracking/> . These > listservs should not be used > > for commercial marketing purposes or discussion of specific vendor > > products and services. They also are not intended to be used as a > > forum for personal disagreements or unprofessional communication at > > any time. > > > > You are currently subscribed to wedi-privacy as: > > [EMAIL PROTECTED] > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form > > at <http://subscribe.wedi.org <http://subscribe.wedi.org> > > http://subscribe.wedi.org <http://subscribe.wedi.org> or send a > > blank email to [EMAIL PROTECTED] If you > > need to unsubscribe but your current email address is not the same > > as the address subscribed to the list, please use the > Subscribe/Unsubscribe > > form at <http://subscribe.wedi.org <http://subscribe.wedi.org> > > http://subscribe.wedi.org <http://subscribe.wedi.org> > > > > --- > > The WEDI SNIP listserv to which you are subscribed is not moderated. > > The discussions on this listserv therefore represent the views of > > the individual participants, and do not necessarily represent the > > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > > receive an official opinion, post your question to the WEDI SNIP > > Issues Database at http://snip.wedi.org/tracking/ > <http://snip.wedi.org/tracking/> . These listservs > > should not be used for commercial marketing purposes or discussion > > of specific vendor products and services. They also are not > > intended to be used as a forum for personal disagreements or > > unprofessional communication at any time. > > > > You are currently subscribed to wedi-privacy as: > > [EMAIL PROTECTED] To unsubscribe from this list, go to the > > Subscribe/Unsubscribe form at http://subscribe.wedi.org > <http://subscribe.wedi.org> or send a > > blank email to [EMAIL PROTECTED] If you > > need to unsubscribe but your current email address is not the same > > as the address subscribed to the list, please use the > > Subscribe/Unsubscribe form at http://subscribe.wedi.org > <http://subscribe.wedi.org> > ------- End of Original Message ------- ------- End of Original Message ------- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
