RE: Another thread on Security/Privacy question

[David Frenkel]

Title: RE: Another thread on Security/Privacy question

Roy, I would agree with your conclusions with regard to HIPAA but you will probably none the less need a privacy agreement with the collections agency not to disclose or sell credit card information.    The FTC does not look too favorably on the disclosure of credit card information.   Regards,   David Frenkel Business Development GEFEG USA Global Leader in Ecommerce Tools www.gefeg.com 612-237-1966 -----Original Message----- From: Clay, Roy III (NO) [mailto:[EMAIL PROTECTED]] Sent: Monday, March 03, 2003 8:42 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: Another thread on Security/Privacy question   The name and the credit card number are not PHI under HIPAA. It does not become PHI until some health information is added. If the information contains CPT codes, for example,  then you would either need to include that information in the Notice of Privacy Practices or obtain an authorization at the time of swiping the card. One of the questions we had to answer was if the collection agency we used to collect bad debt was a busness associate. We found that all they needed was the guarantor's contact information and an amount. No health information was needed for them to perform their task. Therefore they were not a business associate. Roy G. Clay III Interim Compliance Officer Louisiana State University Health Sciences Center New Orleans Campus Phone:  (504) 568-4367 Fax:            (504) 568-6378 Email:  [EMAIL PROTECTED]   -----Original Message----- From: Christine Hudnall [mailto:[EMAIL PROTECTED]] Sent: Friday, February 28, 2003 2:36 PM To: WEDI SNIP Privacy Workgroup List Subject: Another thread on Security/Privacy question   I'm sending this out again, if someone could please help us.  Thanks. Christine   What about the card swipes that we use when a patient makes a payment on their account using their credit card.  Yes, we only swipe the card and put in the last four digits of the number, but the patient name (or whoever owns the card) prints out on the receipt. Is that considered PHI, even though we are not sending them the name, but they print it from their records? If so, do we need to have an agreement with the company that we use the card swipe from? And as for eligibility, i.e., Medicaid.  We use ROVR, which is through Consultec (if I remember correctly).  Is an agreement needed with them? And how would I check for security for their program?  Is that something they would need to do and put in writing? Sorry for all the questions, just, my co-worker and I are trying to go down list of all possibilities that we need to check on. Thanks, Christine   _________________________________________________________________ Help STOP SPAM with the new MSN 8 and get 2 months FREE*  http://join.msn.com/?page=features/junkmail   --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org