I think Noel was going on the basis that the collection agency is performing a function or task "on behalf" of the CE which is how one becomes a BA. these other entities you have described do not do something "on behalf of" of the CE.
CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential and may be protected by legal privilege. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of this e-mail or any attachment is prohibited. If you have received this e-mail in error, please notify us immediately by returning it to the sender and delete this copy from your system. Thank you for your cooperation. Care 1st Health Plan > -----Original Message----- > From: Clay, Roy III (NO) [SMTP:[EMAIL PROTECTED] > Sent: Tuesday, March 04, 2003 12:36 PM > To: WEDI SNIP Privacy Workgroup List > Subject: RE: Another thread on Security/Privacy question > > Noel, > Based upon that interpretation, health care providers (or their banks) > need to add all the credit card companies and banks that issue credit > cards to their BA agreement list if they are to accept credit card payment > for copays. Providers (or their banks) would also need to have BAA's with > all the banks whose checks they accept for "payment for the provision of > health care to an individual". These checks must be presented to the bank > it was written from in order to receive payment. Otherwise all providers > must only accept cash for deductibles and copays. > > I don't think this impact on commerce was the intention of the regulation. > Rather, the definition of individually identifiable health information > refers to the itemized bill which references CPT codes that identify the > procedures which, in turn, identify the health condition of the > individual. This is the threat to privacy. > > Perhaps there will be a further amendment to the regs to address this in > the same way the information about incidental disclosure was added to > address fears that overhearing a doctor's conversation in the hall would > result in a HIPAA violation. > > Whichever way you choose to interpret the regs, you will need to be > consistent across all operations. If you require a BAA for you collection > agency and don't require one for your other methods of managing accounts > receivables, you will need to expain why those operations are different > than the collection agency. I don't see how you can. > > Roy G. Clay III > Interim Compliance Officer > Louisiana State University Health Sciences Center > New Orleans Campus > Phone: (504) 568-4367 > Fax: (504) 568-6378 > Email: [EMAIL PROTECTED] > > -----Original Message----- > From: Noel Chang [ <mailto:[EMAIL PROTECTED]>] > Sent: Monday, March 03, 2003 11:24 PM > To: Clay,Roy III (NO); WEDI SNIP Privacy Workgroup List > Subject: RE: Another thread on Security/Privacy question > > > Roy, > > I disagree with your conclusion that your collection agency is not a BA, > even > if all you give them is a name and an amount. > > The definition of PHI draws on the definition of Individually Identifiable > > Health Information which is defined in section 160.103. That definition > says > that IIHI is information that is "created or received by a health care > provider" and relates to the "past, present, or future payment for the > provision of health care to an individual" and that "identifies the > individual". > > Whether your collection agency realizes it or not, you (the covered > entity) > clearly know that you are releasing information that you 1) created or > received, 2) pertains to the past payment for the provision of health care > to > an individual, and 3) it identifies the individual by giving their name. > Thus YOU are releasing PHI to your BA, even if your BA doesn't realize it > is > PHI. Althoug one could reasonably argue that the BA ought to assume the > data > you are giving them pertains to payment for health care services because > you > are a health care provider and they are a collection agency. You don't > need > much more information than that to fill in the blanks. And HIPAA does > require that the blanks be filled in! HIPAA does say the PHI has to > specify > exactly what procedure the payment was for, or when the payment was due. > Just that it pertains to payment for services. > > Noel Chang > > -- > Open WebMail Project ( <http://openwebmail.org>) > > > ---------- Original Message ----------- > From: "Clay, Roy III (NO)" <[EMAIL PROTECTED]> > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> > Sent: Mon, 3 Mar 2003 08:42:10 -0600 > Subject: RE: Another thread on Security/Privacy question > > > The name and the credit card number are not PHI under HIPAA. It does > > not become PHI until some health information is added. If the > information > > contains CPT codes, for example, then you would either need to > > include that information in the Notice of Privacy Practices or > > obtain an authorization at the time of swiping the card. > > > > One of the questions we had to answer was if the collection agency > > we used to collect bad debt was a busness associate. We found that > > all they needed was the guarantor's contact information and an > > amount. No health information was needed for them to perform their > > task. Therefore they were not a business associate. > > > > Roy G. Clay III > > Interim Compliance Officer > > Louisiana State University Health Sciences Center > > New Orleans Campus > > Phone: (504) 568-4367 > > Fax: (504) 568-6378 > > Email: [EMAIL PROTECTED] > > > > -----Original Message----- > > From: Christine Hudnall [ <mailto:[EMAIL PROTECTED]>] > > Sent: Friday, February 28, 2003 2:36 PM > > To: WEDI SNIP Privacy Workgroup List > > Subject: Another thread on Security/Privacy question > > > > I'm sending this out again, if someone could please help us. Thanks. > > > > Christine > > > > What about the card swipes that we use when a patient makes a > > payment on their account using their credit card. Yes, we only > > swipe the card and put in the last four digits of the number, but > > the patient name (or whoever owns the card) prints out on the > > receipt. > > > > Is that considered PHI, even though we are not sending them the > > name, but they print it from their records? > > > > If so, do we need to have an agreement with the company that we use > > the card swipe from? > > > > And as for eligibility, i.e., Medicaid. We use ROVR, which is > > through Consultec (if I remember correctly). Is an agreement needed > > with them? > > > > And how would I check for security for their program? Is that > > something they would need to do and put in writing? > > > > Sorry for all the questions, just, my co-worker and I are trying to > > go down list of all possibilities that we need to check on. > > > > Thanks, > > > > Christine > > > > _________________________________________________________________ > > Help STOP SPAM with the new MSN 8 and get 2 months FREE* > > <http://join.msn.com/?page=features/junkmail> > > > > --- > > The WEDI SNIP listserv to which you are subscribed is not moderated. > > The discussions on this listserv therefore represent the views of > > the individual participants, and do not necessarily represent the > > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > > receive an official opinion, post your question to the WEDI SNIP > > Issues Database at <http://snip.wedi.org/tracking/>. These listservs > > should not be used for commercial marketing purposes or discussion > > of specific vendor products and services. They also are not > > intended to be used as a forum for personal disagreements or > > unprofessional communication at any time. > > > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form > > at <http://subscribe.wedi.org> or send a blank email to leave-wedi- > > [EMAIL PROTECTED] If you need to unsubscribe but your > > current email address is not the same as the address subscribed to > > the list, please use the Subscribe/Unsubscribe form at > <http://subscribe.wedi.org> > > > > --- > > The WEDI SNIP listserv to which you are subscribed is not moderated. > > The discussions on this listserv therefore represent the views of > > the individual participants, and do not necessarily represent the > > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to > > receive an official opinion, post your question to the WEDI SNIP > > Issues Database at <http://snip.wedi.org/tracking/>. These listservs > > should not be used for commercial marketing purposes or discussion > > of specific vendor products and services. They also are not > > intended to be used as a forum for personal disagreements or > > unprofessional communication at any time. > > > > You are currently subscribed to wedi-privacy as: > > [EMAIL PROTECTED] To unsubscribe from this list, go to the > > Subscribe/Unsubscribe form at <http://subscribe.wedi.org> or send a > > blank email to [EMAIL PROTECTED] If you > > need to unsubscribe but your current email address is not the same > > as the address subscribed to the list, please use the > > Subscribe/Unsubscribe form at <http://subscribe.wedi.org> > ------- End of Original Message ------- > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. The > discussions on this listserv therefore represent the views of the > individual participants, and do not necessarily represent the views of the > WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official > opinion, post your question to the WEDI SNIP Issues Database at > http://snip.wedi.org/tracking/. These listservs should not be used for > commercial marketing purposes or discussion of specific vendor products > and services. They also are not intended to be used as a forum for > personal disagreements or unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at > http://subscribe.wedi.org or send a blank email to > [EMAIL PROTECTED] > If you need to unsubscribe but your current email address is not the same > as the address subscribed to the list, please use the > Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
