Roy, I disagree with your conclusion that your collection agency is not a BA, even if all you give them is a name and an amount.
The definition of PHI draws on the definition of Individually Identifiable Health Information which is defined in section 160.103. That definition says that IIHI is information that is "created or received by a health care provider" and relates to the "past, present, or future payment for the provision of health care to an individual" and that "identifies the individual". Whether your collection agency realizes it or not, you (the covered entity) clearly know that you are releasing information that you 1) created or received, 2) pertains to the past payment for the provision of health care to an individual, and 3) it identifies the individual by giving their name. Thus YOU are releasing PHI to your BA, even if your BA doesn't realize it is PHI. Althoug one could reasonably argue that the BA ought to assume the data you are giving them pertains to payment for health care services because you are a health care provider and they are a collection agency. You don't need much more information than that to fill in the blanks. And HIPAA does require that the blanks be filled in! HIPAA does say the PHI has to specify exactly what procedure the payment was for, or when the payment was due. Just that it pertains to payment for services. Noel Chang -- Open WebMail Project (http://openwebmail.org) ---------- Original Message ----------- From: "Clay, Roy III (NO)" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Mon, 3 Mar 2003 08:42:10 -0600 Subject: RE: Another thread on Security/Privacy question > The name and the credit card number are not PHI under HIPAA. It does > not become PHI until some health information is added. If the information > contains CPT codes, for example, then you would either need to > include that information in the Notice of Privacy Practices or > obtain an authorization at the time of swiping the card. > > One of the questions we had to answer was if the collection agency > we used to collect bad debt was a busness associate. We found that > all they needed was the guarantor's contact information and an > amount. No health information was needed for them to perform their > task. Therefore they were not a business associate. > > Roy G. Clay III > Interim Compliance Officer > Louisiana State University Health Sciences Center > New Orleans Campus > Phone: (504) 568-4367 > Fax: (504) 568-6378 > Email: [EMAIL PROTECTED] > > -----Original Message----- > From: Christine Hudnall [mailto:[EMAIL PROTECTED] > Sent: Friday, February 28, 2003 2:36 PM > To: WEDI SNIP Privacy Workgroup List > Subject: Another thread on Security/Privacy question > > I'm sending this out again, if someone could please help us. Thanks. > > Christine > > What about the card swipes that we use when a patient makes a > payment on their account using their credit card. Yes, we only > swipe the card and put in the last four digits of the number, but > the patient name (or whoever owns the card) prints out on the > receipt. > > Is that considered PHI, even though we are not sending them the > name, but they print it from their records? > > If so, do we need to have an agreement with the company that we use > the card swipe from? > > And as for eligibility, i.e., Medicaid. We use ROVR, which is > through Consultec (if I remember correctly). Is an agreement needed > with them? > > And how would I check for security for their program? Is that > something they would need to do and put in writing? > > Sorry for all the questions, just, my co-worker and I are trying to > go down list of all possibilities that we need to check on. > > Thanks, > > Christine > > _________________________________________________________________ > Help STOP SPAM with the new MSN 8 and get 2 months FREE* > http://join.msn.com/?page=features/junkmail > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. > The discussions on this listserv therefore represent the views of > the individual participants, and do not necessarily represent the > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > receive an official opinion, post your question to the WEDI SNIP > Issues Database at http://snip.wedi.org/tracking/. These listservs > should not be used for commercial marketing purposes or discussion > of specific vendor products and services. They also are not > intended to be used as a forum for personal disagreements or > unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > To unsubscribe from this list, go to the Subscribe/Unsubscribe form > at http://subscribe.wedi.org or send a blank email to leave-wedi- > [EMAIL PROTECTED] If you need to unsubscribe but your > current email address is not the same as the address subscribed to > the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. > The discussions on this listserv therefore represent the views of > the individual participants, and do not necessarily represent the > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > receive an official opinion, post your question to the WEDI SNIP > Issues Database at http://snip.wedi.org/tracking/. These listservs > should not be used for commercial marketing purposes or discussion > of specific vendor products and services. They also are not > intended to be used as a forum for personal disagreements or > unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: > [EMAIL PROTECTED] To unsubscribe from this list, go to the > Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a > blank email to [EMAIL PROTECTED] If you > need to unsubscribe but your current email address is not the same > as the address subscribed to the list, please use the > Subscribe/Unsubscribe form at http://subscribe.wedi.org ------- End of Original Message ------- --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
