Deborah Campbell
Compliance Coordinator
Dominion Dental Services,
Inc.
115 South Union
Street, Suite 300
Alexandria, Virginia 22314
Phn: (703) 518-5000 ext.
3035
Fax: (703)
518-8849
Toll
Free: 888-518-5338
Email: [EMAIL PROTECTED]
*******************************************
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee. Access
to this email by anyone else is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.
*********************************************************************
--------Original Message-----
From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 2:29 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?I agree with you and what I stated below your response is not inconsistent with the preamble. I still believe that a disclosure allowed by law if it is addressed in your notice of privacy practices doesn't have to be accounted for. If you notice it, you already told the person you make disclosures for whatever purpose you listed in your notice.Anita-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 10:22 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?---I don't think saying a CE "may not use or disclose protected health information in a manner inconsistent with such notice" is the same as "if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it". My beliefs are based on the below HHS Commentary where they are very clear that CEs must account for even disclosures required by law. Comments?Cindi Bowman
Quality and Compliance Coordinator
Catawba County Health Department
828-695-5847Right to an Accounting of Disclosures of Protected Health Information - § 164.528(a)
HHS Description of and Commentary on August 2002 Revisions
Right to an Accounting of Disclosures of Protected Health InformationComment: A number of commenters recommended other types of disclosures for exemption from the accounting requirement. Many recommended elimination of the accounting requirement for public health disclosures arguing that the burden of the requirement may deter entities from making such disclosures and that because many are made directly to public health authorities by doctors and nurses, rather than from a central records component of the entity, public health disclosures are particularly difficult to track and document. Others suggested exempting from an accounting requirement any disclosure required by another law on the grounds that neither the individual nor the entity has any choice about such required disclosures. Still others wanted all disclosures to a governmental entity exempted as many such disclosures are required and often reports are routine or require lots of data. Some wanted disclosures to law enforcement or to insurers for claims investigations exempted from the accounting requirement to prevent interference with such investigatory efforts. Finally, a few commenters suggested that all of the disclosures permitted or required by the Privacy Rule should be excluded from the accounting requirement.
Response: Elimination of an accounting requirement for authorized disclosures is justified in large part by the individual's knowledge of and voluntary agreement to such disclosures. None of the above suggestions for exemption of other permitted disclosures can be similarly justified. The right to an accounting of disclosures serves an important function in informing the individual as to which information was sent to which recipients. While it is possible that informing individuals about the disclosures of their health information may on occasion discourage some worthwhile activity, the Department believes that the individual's right to know who is using their information and for what purposes takes precedence.
-----Original Message-----
From: Halterman, Anita [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 14, 2003 1:28 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?Read 45 164.502 uses and disclosures of protected health information: general rules:
---
(i) "Standard: Uses and disclosures consistent with notice. A covered entity that is required by 164.520 [the section addressing the notice of privacy practices] to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by 164.502(b)(a)(iii) [separate statements for certain uses or disclosures] to include a specific statement in its notice if it intends to engage in an activity listed in 164.502(b)(1)(iii)(A)-(C) may not use or disclose protected health information for such activities, unless the required statement is included in the notice."
I am not an attorney and do not work for OCR so can not say without doubt that what has been said by many (including myself) regarding the fact that if you notice a disclosure that the law allows you to make that you don't have to account for it. But I believe that this can be concluded from reading the above section of the regulations. I believe if you inform a patient in your notice that you may make a disclosure that is allowed by the law and that does not require that you first receive an authorization before you make the disclosure that you do not have to account for it. I assume that none of us would make a disclosure that is not specifically allowed without first receiving an authorization to do so and if we inadvertently make a disclosure that is not allowed (for instance a mis-sent fax) we would account for it.
The way I have read the above section leads me to believe that if you notice a patient regarding a disclosure that is permissible means that you do not need to account for it.
Any one else out there that supports this?
By posting my email to the listserv, I had hoped to hear more from agencies involved in auditing or that are subject to audits. Surly you folks have given this some thought - anyone willing to state how they are viewing this particular subject?
Thanks,
Anita
-----Original Message-----
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 10:20 PM
To: Halterman,Anita; WEDI SNIP Privacy Workgroup List
Subject: NPP and accounting for disclosures - was Medicare audits: operations?
Changing the subject for a minute:
I have seen several emails from people, including the one below, that have
made various statements all to the effect that if you mention a particular
type of disclosure in your NPP, you will not have to account for such
disclosures.
Anita wrote:
"One way a covered entity might get around having to account for disclosures
made for auditing purposes is to inform their patients through their notice
of privacy practices that they may make a disclosure for this type of
activity."
Could someone please cite for me where in the Rule they believe this is
authorized? When I read section 164.528(a)(1) it says a CE must account for
all disclosures except for the ones listed in sub-paragraphs (i) through
(ix). No where in that list do I see "disclosures that are mentioned in your
Notice of Privacy Practices".
Is the assumption that by mentioning a type of disclosure in my NPP I can
then claim it is part of TPO? I don't see any room to make that argument
since TPO is clearly defined in sections 164.501 and 164.506.
Thanks,
Noel Chang
--
Open WebMail Project (http://openwebmail.org)
---------- Original Message -----------
From: "Halterman, Anita" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thu, 13 Feb 2003 14:37:17 -0900
Subject: RE: Medicare audits: operations?
> I have been thinking about this issue for some time now and this is
> my two cents for what it is worth.... (I am not an attorney). Sorry
> Chris I don't agree with your take on this.
>
> In order for this activity to be a part of your health care
> operations, the activity would have to fall under the definition of
> "Health care operations" as follows:
>
> "Health care operations" means any of the following activities of the
> covered entity to the extent that the activities are related to
> covered
> functions:
>
> (1) Conducting quality assessment and improvement activities,
> including outcomes evaluation and development of clinical guidelines,
> provided that the obtaining of generalizable knowledge is not the
> primary purpose of any studies resulting from such activities;
> population- based activities relating to improving health or reducing
> health care costs, protocol development, case management and care
> coordination, contacting of health care providers and patients with
> information about treatment alternatives; and related functions that
> do not include treatment;
> (2) Reviewing the competence or qualifications of health care
> professionals, evaluating practitioner and provider performance,
> health plan performance, conducting training programs in which
> students, trainees, or practitioners in areas of health care learn
> under supervision to practice or improve their skills as health care
> providers, training of non-health care professionals, accreditation,
> certification, licensing, or credentialing activities;
> (3) Underwriting, premium rating, and other activities relating to
> the creation, renewal or replacement of a contract of health
> insurance or health benefits, and ceding, securing, or placing a
> contract for reinsurance of risk relating to claims for health care
> (including stop-loss insurance and excess of loss insurance),
> provided that the requirements of §164.514(g) [disclosures relating
> to underwriting] are met, if applicable;
> (4) Conducting or arranging for medical review, legal services, and auditing
> functions, including fraud and abuse detection and compliance programs;
>
> (5) Business planning and development, such as conducting
> cost-management and planning-related analyses related to managing and
> operating the entity, including formulary development and
> administration, development or improvement of methods of payment or
> coverage policies; and
> (6) Business management and general administrative activities of the
> entity, including, but not limited to:
> (i) Management activities relating to implementation of and
> compliance with the requirements of this subchapter;
> (ii) Customer service, including the provision of data analyses for policy
> holders, plan sponsors, or other customers, provided that protected health
> information is not disclosed to such policy holder, plan sponsor, or
> customer.
> (iii) Resolution of internal grievances;
>
> (iv) The sale, transfer, merger, or consolidation of all or part of
> the covered entity with another covered entity, or an entity that
> following such activity will become a covered entity and due diligence
> related to such activity; and
> (v) Consistent with the applicable requirements of §164.514 [Other
> requirements relating to the uses and disclosures of protected
> health information], creating de-identified health information or a
> limited data set, and fundraising for the benefit of the covered entity.
>
> I highlighted in red the sections above in the definition that I
> believe are important to review.
>
> If a covered entity is being audited, I believe that the covered
> entity being audited would be subject to account for the disclosure
> that they made for audit purposes. The activity (audit) is not an
> activity of the covered entity being audited, but instead is the
> activity of another agency to ensure that the covered entity under
> audit has met its obligations.
>
> Since the audit is required by law, no authorization is needed to
> allow for the disclosure, see 42 CFR 164.512(a), this section
> addresses disclosures that are permitted by law and don't require an
> authorization. Also 42 CFR 164.512(d) specifically addresses health
> oversight, which both Beth and I obviously agree that this is.
>
> 42 CFR 164.528 does not specifically exclude health oversight
> activities from being subject to an accounting. Because of this it is
> my conclusion that audit activity related disclosures made by an
> entity under audit are subject to an accounting. This is also not the
> function of the covered entity being audited but instead is the
> function of an outside agency, to determine compliance with program
> rules.
>
> One way a covered entity might get around having to account for
> disclosures made for auditing purposes is to inform their patients
> through their notice of privacy practices that they may make a
> disclosure for this type of activity. This would require careful
> crafting of the notice of privacy practices. If a disclosure is not
> addressed in your notice and you don't have an authorization to make
> the disclosure you will most likely have to account for it (there are
> some exceptions).
>
> For the covered entity doing the audit (I am assuming they are
> covered - ours is), I don't believe an accounting would be required
> as this function is one of their health care operations functions.
>
> Based on the information on Beth's posting, I assume Beth works for a
> covered entity that would be subject to the audit. I work for an
> agency who would be involved with the performance of the audit.
>
> I had hoped to discuss this matter with someone on the same side of
> the fence that I am but when I recently posted a question related to
> auditing, I got no responses from anyone who could offer assistance to
> me.
>
> I suspect that some of the entities that perform audit functions are
> not covered entities. Our agencies unit that performs audits is a
> part of our Medical Assistance program, therefore is part of our
> covered entity. Some audit agencies may actually be business
> associates of covered entities (or so I believe). I had hoped to
> learn more about this to support my belief that they are but since I
> got no responses from my past posting to the NMEH, I suspect many
> audit agencies are not listening to this listserv.
>
> I recently spoke with staff with our certification and licensing
> unit who perform audits and they gave me the name of a contact whom
> they suggested I send my questions to. I intend to pose some
> questions to this contact so that I can get input from others
> regarding this subject but will wait to see if others want to rule
> on this.
>
> It would be nice if we could get some input from both CMS and OCR on
> this issue. OCR for obvious reasons as they oversee the privacy
> issues and CMS because CMS often engages state agencies to conduct
> audit functions for the Medicare program.
>
> I don't normally post my responses to the listserv but maybe others
> could offer input as April 14, 2003 is not far away.
>
> Good luck,
> Anita Halterman
> HIPAA Integration and Transition (HIT) Co-Chair
> Health Policy Analyst &
> HIPAA Privacy and Security Coordinator
> State of Alaska,
> Department of Health and Social Services,
> Division of Medical Assistance,
> 4501 Business Park Blvd., Suite 24
> Anchorage, AK 99503-7167
> (907)334-2431
> -----Original Message-----
> From: Beth Cole [ <mailto:[EMAIL PROTECTED]>
> mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 6:53 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Medicare audits: operations?
>
> We're having an internal debate regarding whether or not the audits
> Medicare does of a random selection of Medicare patients at our
> facility can be classified as operations.
>
> If they can, we don't have to account for the disclosure. If they
> can't, then we have to account for them, under 164.512(d), as health
> oversight activities.
>
> The group that feels they can says that participation in the audits
> is mandatory for participation in the Medicare program, thus they
> are operations to receive payment.
>
> The group that feels they can says that these are not our operations,
> but the operations of Medicare as a separate covered entity, and that
> we could function without doing them.
>
> So, who wants to weigh in?
>
> Beth
>
> --
> Beth Cole
> Information Services Support Specialist
> Newman Regional Health
> Emporia, Kansas
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated.
> The discussions on this listserv therefore represent the views of
> the individual participants, and do not necessarily represent the
> views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> receive an official opinion, post your question to the WEDI SNIP
> Issues Database at <http://snip.wedi.org/tracking/>
> http://snip.wedi.org/tracking/. These listservs should not be used
> for commercial marketing purposes or discussion of specific vendor
> products and services. They also are not intended to be used as a
> forum for personal disagreements or unprofessional communication at
> any time.
>
> You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form
> at <http://subscribe.wedi.org> http://subscribe.wedi.org or send a
> blank email to [EMAIL PROTECTED] If you
> need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the Subscribe/Unsubscribe
> form at <http://subscribe.wedi.org> http://subscribe.wedi.org
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated.
> The discussions on this listserv therefore represent the views of
> the individual participants, and do not necessarily represent the
> views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> receive an official opinion, post your question to the WEDI SNIP
> Issues Database at http://snip.wedi.org/tracking/. These listservs
> should not be used for commercial marketing purposes or discussion
> of specific vendor products and services. They also are not
> intended to be used as a forum for personal disagreements or
> unprofessional communication at any time.
>
> You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED] To unsubscribe from this list, go to the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a
> blank email to [EMAIL PROTECTED] If you
> need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org
------- End of Original Message -------
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
