Cindi, I totally agree that the term incidental disclosure would not apply in such
instances. For an outside service
provider, such as a building maintenance contractor, to actually ‘access’ the
PHI would require physical action on the part of the service provider, such as
opening a filing cabinet. That’s
obviously not an ‘incidental’ disclosure.
(Unless, and this is purely facetious, the inside of the filing cabinet
was being serviced.) About Ms. Sanches’s response, (my apologies for misspelling her name
previously), I only mean to suggest that perhaps she either did not clearly
understand the question or that her response was somehow misinterpreted. I attended The HIPAA Summit West in June of 2001 at which Ms.
Sanches spoke and recall that the response to a similar question was that a BA
agreement was not required. Knowing
that Ms. Sanches was largely responsible for the content of the OCR Guidance
and having heard her speak on several occasions I have the utmost regard for both
her expertise and her opinion. My previous response was directed to the statement that a business
associate agreement was required in instances such as that described. I merely
wanted to point out that that is incorrect and emphasize the fact that “reasonable
safeguards” ARE required. About obtaining a BA agreement when such is not necessary, (pursuant to
a strict reading of the rule and commentary), I absolutely agree there’s no
harm in doing so. In fact, obtaining the assurances inherent to a BA agreement is
the best ‘due diligence’ approach.
However, that isn’t always an option, such as in situations where the CE
has no leverage to use to persuade a service provider to enter into such an
agreement which is not required by law.
In those circumstances the CE must look to other means to obtain
adequate assurances and should consider all such options from a risk management
standpoint. Such other means may include requiring a confidentiality agreement
and/or installing locks. That’s a call
the CE must make and, regardless of the final course of action, the reason for
such decisions must be thoroughly documented. Cheri -----Original
Message----- Cheri, My
position is this situation is not an incidential disclosure, do you
disagree with that? It was Linda Sanchez of DHHS that said a
BAA was needed. Like
you, my concern is also the stipulation of your quoted text that "provided
reasonable safeguards are in place." I don't think an unlocked
filing system to be appropriate safeguards when an outside service has complete
unsupervised access to PHI. I also
have a concern over the stipulation of your quoted text "where any access
to protected health information by such persons would be de minimus, if at
all". As I stated above, the outside service has
complete unsupervised access to PHI. I agree
that a confidentiality agreement would provide additional safety but don't see
where a BAA would cause harm, if not add additional protections
where appropiate safeguards are not in place. Cindi Bowman -----Original Message----- Cindi, I must respectfully disagree with yours and Joanne’s positions and suggest that perhaps Ms. Sanchez’s comments were ambiguous enough as to permit a misunderstanding. In support of my opinion that a business associate contract is not required with a janitorial service nor a repair service, assuming such service is typical of its type, I would refer you to the commentary section of the August 14, 2002, modifications to the privacy rule. The following is from page 53252 of the Federal Register: “The Department also clarifies that a business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be de minimus, if at all. For example, a health care provider is not required to enter into a business associate contract with its janitorial service because the performance of such service does not involve the use or disclosure of protected health information. In this case, where a janitor has contact with protected health information incidentally, such disclosure is permissible under Sec. 164.502(a)(1)(iii) provided reasonable safeguards are in place.
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org |
Title: Message
- Unlocked charts PainClinicAssoc
- Re: Unlocked charts Noel Chang
- RE: Unlocked charts Joanne.Marquez
- RE: Unlocked charts Rupe, Cindy
- RE: Unlocked charts CBowman
- RE: Unlocked charts Huber, Cheri
- RE: Unlocked charts CBowman
- RE: Unlocked charts CBowman
- RE: Unlocked charts Hare, Dennis
- RE: Unlocked charts Hare, Dennis
- RE: Unlocked charts Huber, Cheri
- RE: Unlocked charts CBowman
- RE: Unlocked charts Matthew Rosenblum
- RE: Unlocked charts Matthew Rosenblum
- RE: Unlocked charts CBowman