Matt -- Thanks for the update. I have a couple of suggestions. First, I hope you understand that I participate in this list because, as an attorney, I represent covered entities and business associates. As an attorney and a business associate, I emphasize with the struggles that covered entities and BAs face in implementing this complicated rule.
I suggest that covered entities in implementing the access and amendment rights look for flexibility and reasonableness in the designated record set definition. An individual has the right to request access to and amend PHI maintained in designated record sets. The covered entity defines its own designated record sets based on the Privacy Rule's defintion and then documents its designation in its Ps and Ps. At a bare minimum, the designated record set concept structures the scope of the access and amendment rights. According to the Privacy Rule, designated record sets are paper or electronic files that the covered entity uses, in whole or in part, to make decisions about the individual. The Rule provides specific examples of designated record sets. The Preamble notes that quality assurance and peer review records typically are not designated records sets although they include PHI. The Preamble further states that "information may be retrieved or retrievable by name, but if it is never used to make decisions about any individuals, the burdens of requiring a covered entity to find it and to redact information about other individuals outweigh any benefits to the individual of having access to the information." In the context of the access and amendment rights, I think that HHS has expressed the reasonableness concept that you have espoused in the designated record set concept. Finally, I suggest that if a covered entity takes advantage of the BA transition rule, it should send each "transitional" BA a letter before April 14 explaining the situation and identifying the transitional responsibilities that HHS described on page 39 of the 12/4/02 OCR guidance. That guidance includes excellent information on the BA requirement and the transition provision. Thanks again for the dialogue. Best regards, Dave Ermer Gordon & Barnett Attorneys at Law 1133 21st St., NW, Suite 450 Washington, DC 20036 202-833-3400 ext 3009 (voice) 202-223-0120 (fax) www.gordon-barnett.com >>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 03/02/03 23:24 PM >>> Dave, It was an interesting day in Brooklyn yesterday at the HIPAA conference. And three HHS or OCR attorneys did respond to some questions concerning access, amendment, and accountings. Clearly a CE MAY make the amendment if they are able. And the attorneys were mindful that, for many of us (in the audience yesterday) who are struggling to implement a cost-effective process, there is more to this issue than simply allowing access to the PHI: the ability to find and link together the various places were the PHI resides in order to amend all of it no matter where it resides will be very onerous, especially for PHI created prior to the compliance date. It will be very helpful when to see a clearly written statement from HHS. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Saturday, March 01, 2003 12:15 AM To: 'David Ermer'; '[EMAIL PROTECTED]' Subject: RE: Amendment Questions Dave, I must respectfully disagree with your application of the Q&A that you cited (below). Clearly that Q&A was intended to convey HHS' intent that on and after the compliance date the Privacy Rule will protect all PHI that a CE creates or maintains about an individual, regardless of when that PHI was created. No one would disagree with that intent. However, the Privacy Rule is imbued with "reasonableness" that provides us with guidance against implementing onerous processes that would be untenable and too costly. (This concept has been greatly advanced and supported by the recently published Security Rules.) Consequently, and in a number of instances, the Privacy Rule reflects this notion by NOT mandating that CE's implement certain retrieval processes with regard to PHI created prior to the compliance date, for example "accountings of disclosure". Further, the "transition" rule is relevant to this notion, because the CE is in some instances NOT obligated to execute the BAC until one year after the compliance date, and until that is done, what would be the BA's legal obligation to assist in the amendment of the PHI unless specified in a contract? Please advise. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: David Ermer [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 10:26 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Amendment Questions Matt -- Here is an interesting excerpt from the 12/28/00 HHS Preamble which clearly supports my position: "Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule. Response: We disagree with the commenter's suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopted privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and healthcare clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation." I agree with you that CE's should clarify gray areas in their NPPs. I do not find this amendment question to be a gray area, however. I find the BA transition provision irrelevant to the resolution of this issue. Please refer to the following excerpted BA guidance from the 12/4/02 OCR guidance: "Q: What are a covered entity's obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period? A: During the contract transition period, covered entities must observe the following responsibilities with respect to protected health information held by their business associates: * * * Fulfill an individual's rights to access and amend his or her protected health information contained in a designated record set, including information held by a business associate, if appropriate, and receive an accounting of disclosures by a business associate." I would be interested in any further clarification that HHS may provide, but written guidance already is out there. Best regards, Dave Ermer Gordon & Barnett Attorneys at Law 1133 21st St., NW, Suite 450 Washington, DC 20036 202-833-3400 ext 3009 (voice) 202-223-0120 (fax) www.gordon-barnett.com >>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/28/03 21:03 PM >>> David, In many instances the CE's DSR is maintained by a BA, and those CE-BA relationships are subject to the "transition" requirements and the timing of the execution of the BAC. Given this, and the explicit exemption given for "accountings" for PHI created prior to the "compliance date", I would say that HHS's intention would be to allow the CE to start with the "compliance date" and go forward from that day. But I agree with you that this may be a "gray" area, and that is why I suggested to Pat that the NPP would let the individual (patient) know what the CE may be "allowed" to do. I would certainly like to hear from the folks at HHS and OCR about this one. I'll be at the HIPAA conference in Brooklyn tomorrow, and if I have an opportunity to ask, I will. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: David Ermer [mailto:[EMAIL PROTECTED] Sent: Friday, February 28, 2003 10:20 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: Amendment Questions Matt -- I respectfully question your response. The Privacy Rule, 45 CFR § 164.526(a), states that individuals have the right to request an amendment as long as the CE holds the PHI in a designated record set. Neither § 164.526 or § 164.524 (the access right) create an exception for PHI created or received before 4/14/03. If such an exception were implicit in the Privacy Rule then there would have been no need for the express exception found in § 164.528 for otherwise accountable disclosures occurring before 4/14/03. Obviously, the right to request an amendment is prospective. A CE is not obligated to search its files for amendment requests that it may have received and denied before April 14. But in my opinion, beginning April 14, an individual is entitled to request PHI access or amendment with respect to PHI created before that date found in the CE's designated records sets. Best regards, Dave Ermer Gordon & Barnett Attorneys at Law 1133 21st St., NW, Suite 450 Washington, DC 20036 202-833-3400 ext 3009 (voice) 202-223-0120 (fax) www.gordon-barnett.com >>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/27/03 08:22PM >>> Patricia, 1) It depends what you say in your NPP, but HIPAA does not mandate that a CE include past information (i.e., PHI created prior to the compliance date) 2) HIPAA does NOT require a "written" request from the individual I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Patricia Conroe [mailto:[EMAIL PROTECTED] Sent: Thursday, February 27, 2003 2:31 PM To: WEDI SNIP Privacy Workgroup List Subject: Amendment Questions I have two questions regarding amendment of the medical/billing record. 1. Do we have to amend info kept prior to the deadline? (The disclosure log specifically says you do not, but nothing on the amendment. What about all those places that have info on microfilm?) and 2. When a patient calls regarding charges on their bill and after investigation it's discovered that those charges are in fact wrong and shouldn't be there. Do you go through the whole amendment process (we have 3 different forms right now for amending info) or is this something we can just go ahead and do? Thanks for your help! --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org