Matt -- The Q&A demonstrates that HHS intends that the Privacy Rule
generally apply to all PHI that the CE maintains as of 4/14/03. If HHS
had intended to exempt from the access and amendment rights PHI created
before 4/14/03 it would have said so in the § 164.524 and § 164.526 of
the Rule. 

The Privacy Rule is a law.  Administrative rules are interpreted in
accordance with the standards of statutory construction. The U.S.
Supreme Court has ruled that "When Congress [or another law maker --
here HHS] includes particular language in one section of a statute [here
the pre-4/14/03 disclosure exception from the accounting for disclosures
section] but omits it from another section of the same Act [or other
law -- here §§ 164.524 and 164.526], it is generally presumed that
Congress [or the pertinent law maker] acts intentionally and
purposefully in the disparate inclusion or exclusion." Bates v. United
States, 522 U.S. 23, 29-30 (1997). In my opinion, a CE cannot just
create additional exceptions to the amendment right because they might
make sense.

I personally don't think that access and amendment rights are
particularly onerous to implement as there are a number of fairly broad,
express exceptions to the amendment right. The amendment right, by the
way, was the subject of a Seinfeld episode in which Kramer
unsuccessfully tried to get Elaine's medical records from her doctor who
had noted that Elaine was a troublemaker.

As for the BA transition rule, if after 4/14/03 a CE receives an
amendment request, and the CE believes that the amendment request should
be granted, it must pass that information to the business associate. If
the contract provisions are not in place, I imagine that a BA could
refuse to process the amendment. I don't know why a BA would refuse to
do so, but in that case, the CE should hold onto the amendment request,
and once the BA contract provisions are in place, then it should require
the BA to process the amendment in accordance with the contract and the
Privacy Rule.

I agree with you that there are a lot of ambiguities in this complex
Rule, but I don't think that the amendment question falls into this
category.  Remember under the law, you don't get into a reasonableness
analysis when the language of the regulation is unambiguous. I do
appreciate all the prompt advice that you give CE's on this list serv
and this exchange in particular. If HHS provides more guidance, let us
know.

Best regards, Dave Ermer

Gordon & Barnett
Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com

>>> [EMAIL PROTECTED] 03/01/03 12:15AM >>>
Dave,

I must respectfully disagree with your application of the Q&A that you
cited (below).  Clearly that Q&A was intended to convey HHS' intent that
on and after the compliance date the Privacy Rule will protect all PHI
that a CE creates or maintains about an individual, regardless of when
that PHI was created.  No one would disagree with that intent.

However, the Privacy Rule is imbued with "reasonableness" that provides
us with guidance against implementing onerous processes that would be
untenable and too costly.  (This concept has been greatly advanced and
supported by the recently published Security Rules.)  Consequently, and
in a number of instances, the Privacy Rule reflects this notion by NOT
mandating that CE's implement certain retrieval processes with regard to
PHI created prior to the compliance date, for example "accountings of
disclosure".  Further, the "transition" rule is relevant to this notion,
because the CE is in some instances NOT obligated to execute the BAC
until one year after the compliance date, and until that is done, what
would be the BA's legal obligation to assist in the amendment of the PHI
unless specified in a contract?

Please advise.

Your questions are always welcome. 

Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED] 
 
CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law. If you have received this communication in error,
please do not distribute it.  Please notify the sender by E-Mail at the
address shown and delete the original message. Thank you.
 
 
-----Original Message-----
From: David Ermer [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 28, 2003 10:26 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
Subject: RE: Amendment Questions

Matt -- Here is an interesting excerpt from the 12/28/00 HHS Preamble
which clearly supports my position:

"Comment: Several comments raised questions about the application of the
rule to individually identifiable information created prior to (1) the
effective date of the rule, and (2) the compliance dates of the rule.
One commenter suggested that the rule should apply only to information
gathered after the effective date of the final rule.

Response: We disagree with the commenter's suggestion. The requirements
of this regulation apply to all protected health information held by a
covered entity, regardless of when or how the covered entity obtained
the information. Congress required us to adopt privacy standards that
apply to individually identifiable health information. While it limited
the compliance date for health plans, covered health care providers, and
healthcare clearinghouses, it did not provide similar limiting language
with regard to individually identifiable health information. Therefore,
uses and disclosures of protected health information made by a covered
entity after the compliance date of this regulation must meet the
requirements of these rules. Uses or disclosures of individually
identifiable health information made prior to the compliance date are
not affected; covered entities will not be sanctioned under this rule
based on past uses or disclosures that are inconsistent with this
regulation."

I agree with you that CE's should clarify gray areas in their NPPs. I do
not find this amendment question to be a gray area, however. I find the
BA transition provision irrelevant to the resolution of this issue.
Please refer to the following excerpted BA guidance from the 12/4/02 OCR
guidance:

"Q: What are a covered entity's obligations under the HIPAA Privacy Rule
with respect to protected health information held by a business
associate during the contract transition period?
A: During the contract transition period, covered entities must observe
the following responsibilities with respect to protected health
information held by their business associates:

                       * * *
Fulfill an individual's rights to access and amend his or her protected
health information contained in a designated record set, including
information held by a business associate, if appropriate, and receive an
accounting of disclosures by a business associate."
 
I would be interested in any further clarification that HHS may provide,
but written guidance already is out there.

Best regards, Dave Ermer






Gordon & Barnett
Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com 
>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/28/03 21:03 PM >>>
David,

In many instances the CE's DSR is maintained by a BA, and those CE-BA
relationships are subject to the "transition" requirements and the
timing of the execution of the BAC.  Given this, and the explicit
exemption given for "accountings" for PHI created prior to the
"compliance date", I would say that HHS's intention would be to allow
the CE to start with the "compliance date" and go forward from that day.

But I agree with you that this may be a "gray" area, and that is why I
suggested to Pat that the NPP would let the individual (patient) know
what the CE may be "allowed" to do.

I would certainly like to hear from the folks at HHS and OCR about this
one. I'll be at the HIPAA conference in Brooklyn tomorrow, and if I have
an opportunity to ask, I will.
 
I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED] 
 
 

-----Original Message-----
From: David Ermer [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 28, 2003 10:20 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

Matt -- I respectfully question your response. The Privacy Rule, 45 CFR
§ 164.526(a), states that individuals have the right to request an
amendment as long as the CE holds the PHI in a designated record set.
Neither § 164.526 nor § 164.524 (the access right) creates an exception
for PHI created or received before 4/14/03.  If such an exception were
implicit in the Privacy Rule then there would have been no need for the
express exception found in § 164.528 for otherwise accountable
disclosures occurring before 4/14/03.

Obviously, the right to request an amendment is prospective. A CE is
not obligated to search its files for amendment requests that it may
have received and denied before April 14. But in my opinion, beginning
April 14, an individual is entitled to request PHI access or amendment
with respect to PHI created before that date found in the CE's
designated record sets.

Best regards, Dave Ermer

Gordon & Barnett
Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com 

>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/27/03 08:22PM >>>
Patricia,

1) It depends what you say in your NPP, but HIPAA does not mandate that
a CE include past information (i.e., PHI created prior to the compliance
date)

2)  HIPAA does NOT require a "written" request from the individual

I hope that this helps.
 
Your questions are always welcome.
 
Matt
 
Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com 
 
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
 
(212) 675-6367
[EMAIL PROTECTED] 
 
 

-----Original Message-----
From: Patricia Conroe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 27, 2003 2:31 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Amendment Questions

I have two questions regarding amendment of the medical/billing record.
1. Do we have to amend info kept prior to the deadline?  (The disclosure
log specifically says you do not, but nothing on the amendment.  What
about all those places that have info on microfilm?)  and 2.  When a
patient calls regarding charges on their bill and after investigation
it's discovered that those charges are in fact wrong and shouldn't be
there.  Do you go through the whole amendment process (we have 3
different forms right now for amending info) or is this something we can
just go ahead and do?  Thanks for your help!


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org

