Teri,

I also agree - these are separate requirements that are not mutually
exclusive.  A covered entity must meet all requirements, relevant to a
particular use or disclosure:  

A covered entity must have a notice of privacy practices which lists
relevant disclosures and examples, among other things.  164.520

A covered entity Must use and disclose information only in accordance
with its Notice.  164.502(i)

A covered entity must ALSO have satisfactory assurances (generally in
the form of the BA Contract) in place with its business associates. 
164.502(e)

A covered entity must ALSO obtain authorization when making disclosures
that require an authorization (e.g. marketing communications).  164.508

A covered entity must ALSO track disclosures that are required to be
accounted for to the individual (e.g. disclosures to public health
authority). 164.528

A covered entity may ALSO get a consent for certain disclosures if it
chooses to do so (e.g. for treatment, payment, and operations). 164.506.


It is often difficult to prove a negative - meaning that there isn't a
place in the regulation that specifically states that the requirements
are cumulative, however when you read the accompanying comments, there
isn't anything that I see that would lead you to think that you could
leave out an accounting for certain disclosures if you include the
disclosure in your notice - the comments and the regulation require you
to do both.  

In discussing a governmental entities' choices with respect to hybrid,
there is a comment and answer that touches on this, it states in part:  


<Comment>...Alternatively, it was suggested that a governmental hybrid
entity be permitted to include in its notice of privacy practices the
possibility that information may be shared with other divisions within
the same government entity for specific purposes... 
<Response> ...Additionally, the Department encourages covered entities
to develop a notice of privacy practices that is as specific as
possible, which may include, for a government hybrid entity, a statement
that information may be shared with other divisions within the
government entity as permitted by the Rule.  However, the notice of
privacy practices is not an adequate substitute for, as appropriate, a
memorandum of understanding; designation of business associate functions
as partof of a health care component; or alternatively conditioning
disclosures to such business associate functions on individuals'
authorization.  67 Fed. Reg. pages 53206, 53207.

As noted, this isn't directly on point, but it does states that the the
Notice is not a substitute for other requirements:  you need both.

Regards, lhc



Leah Hole-Curry, JD
FOX Systems, Inc.
602.708.1045 
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
>>> "Teri Baskett" <[EMAIL PROTECTED]> 02/17/03 10:19 AM >>>
I hate to weigh in here one more time, but my understanding what that we
have to provide the pt/client an accounting of all disclosures that were
not specifically covered by an authorization (initially, it was
interpreted that those had to be logged and tracked also, but that was
amended in the final regs, since the argument was made that the pt would
have knowledge of disclosures s/he had authorized in writing).  I know
another gentleman on this thread last week indicated that he planned to
track those also, just to keep the disclosure log complete and to
simplify the procedures for HIM staff; however, I do believe that
authorized disclosures are not required to be tracked.

So, our disclosure log must contain a record of all disclosures not
covered by a written authorization and those that are not a part of
treatment, payment and healthcare operations.  Regardless of everything
we list in the NPP (and it should list all these as possibilities), we
have to track these and record them, providing them for a pt when
requested.

Have I confused different parts of the regs in this interpretation?

Teri Baskett, CISO
LifeSpring Mental Health Services
[EMAIL PROTECTED]



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org

Reply via email to