RE: Unlocked charts

[Huber, Cheri]

Title: Message

Cindi,   I totally agree that the term incidental disclosure would not apply in such instances.  For an outside service provider, such as a building maintenance contractor, to actually ‘access’ the PHI would require physical action on the part of the service provider, such as opening a filing cabinet.  That’s obviously not an ‘incidental’ disclosure.  (Unless, and this is purely facetious, the inside of the filing cabinet was being serviced.)   About Ms. Sanches’s response, (my apologies for misspelling her name previously), I only mean to suggest that perhaps she either did not clearly understand the question or that her response was somehow misinterpreted.  I  attended The HIPAA Summit West in June of 2001 at which Ms. Sanches spoke and recall that the response to a similar question was that a BA agreement was not required.  Knowing that Ms. Sanches was largely responsible for the content of the OCR Guidance and having heard her speak on several occasions I have the utmost regard for both her expertise and her opinion.   My previous response was directed to the statement that a business associate agreement was required in instances such as that described. I merely wanted to point out that that is incorrect and emphasize the fact that “reasonable safeguards” ARE required.    About obtaining a BA agreement when such is not necessary, (pursuant to a strict reading of the rule and commentary), I absolutely agree there’s no harm in doing so. In fact, obtaining the assurances inherent to a BA agreement is the best ‘due diligence’ approach.  However, that isn’t always an option, such as in situations where the CE has no leverage to use to persuade a service provider to enter into such an agreement which is not required by law.  In those circumstances the CE must look to other means to obtain adequate assurances and should consider all such options from a risk management standpoint. Such other means may include requiring a confidentiality agreement and/or installing locks.  That’s a call the CE must make and, regardless of the final course of action, the reason for such decisions must be thoroughly documented.   Cheri   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 12:57 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Unlocked charts   Cheri,   My position is this situation is not an incidential disclosure, do you disagree with that?  It was Linda Sanchez of DHHS that said a BAA was needed.   Like you, my concern is also the stipulation of your quoted text that "provided reasonable safeguards are in place."  I don't think an unlocked filing system to be appropriate safeguards when an outside service has complete unsupervised access to PHI.   I also have a concern over the stipulation of your quoted text "where any access to protected health information by such persons would be de minimus, if at all".    As I stated above, the outside service has complete unsupervised access to PHI.    I agree that a confidentiality agreement would provide additional safety but don't see where a BAA would cause harm, if not add additional protections where appropiate safeguards are not in place.   Cindi Bowman Quality and Compliance Coordinator Catawba County Health Department 828-695-5847   -----Original Message----- From: Huber, Cheri [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 3:27 PM To: Cindi Bowman; WEDI SNIP Privacy Workgroup List Subject: RE: Unlocked charts Cindi,   I must respectfully disagree with yours and Joanne’s positions and suggest that perhaps Ms. Sanchez’s comments were ambiguous enough as to permit a misunderstanding.   In support of my opinion that a business associate contract is not required with a janitorial service nor a repair service, assuming such service is typical of its type, I would refer you to the commentary section of the August 14, 2002, modifications to the privacy rule.  The following is from page 53252 of the Federal Register:    “The Department also clarifies that a business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be de minimus, if at all. For example, a health care provider is not required to enter into a business associate contract with its janitorial service because the performance of such service does not involve the use or disclosure of protected health information. In this case, where a janitor has contact with protected health information incidentally, such disclosure is permissible under Sec. 164.502(a)(1)(iii) provided reasonable safeguards are in place.   Back to the initial question about locking file cabinets, the key here is, I believe, that “reasonable safeguards are in place”.  I should also mention that whether a business associate agreement is required or not it is often advisable to obtain written assurances that the contractor is aware of the confidentiality requirements of your organization – perhaps in the form of a vendor confidentiality agreement.   Again, this is only my opinion.   Cheri Huber County Privacy Officer County of Napa 1195 Third Street, Room 301 Napa, CA  94559 707-253-4523     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 11:43 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: Unlocked charts   Cindy,   The key work here is incidential.  I don't feel this would be an incidential disclosure since you know the cleaning folks will have access to PHI.  See text below from another list about the topc.   Date 1/16/03 "...yesterday during a conference call with 2,000 plus conferees, Linda Sanchez of DHHS clarified the incidental disclosure concept in a way that I thought made sense and which I hadn't seen discussed in the regulatory preambles or the recent OCR Guidance document. In the context of someone coming in to your facility to do repairs on machinery, for example, she said in sum or substance that if you know that a repairperson *WILL* have access to PHI as part of her/his job to repair something, then that is not an incidental disclosure, and must be addressed in a Business Associate Contract".   Cindi Bowman Quality and Compliance Coordinator Catawba County Health Department 828-695-5847   -----Original Message----- From: Rupe, Cindy [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 12:48 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Unlocked charts The OCR guidance states that a BA is not required:   With persons or organizations (e.g. janitorial sercie or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.   Thanks, Cindy Cindy Rupe, RHIA, CPHQ HIPAA Coord/Consultant Billings Area IHS 406-247-7161 [EMAIL PROTECTED] HIPAA Ready, HIPAA Compliant, and HIPAA Aware -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, March 07, 2003 10:15 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: Unlocked charts This was brought up in San Diego by the folks from OCR.  One of them said her owned doctor accused her of being "one of those people who are making us put locks on our file cabinets."  She stated that the requirement is to keep the PHI private.  If the file cabinet is in a patient area, it might be wise to lock it.  If it is out of a public area, the location may be all that is needed to keep it private. *The cleaning company should sign a BAA. Joanne Marquez Senior Director Beech Street Corporation Account Services (949) 672-1519   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 06, 2003 7:06 PM To: WEDI SNIP Privacy Workgroup List Subject: Unlocked charts This has probably been covered before, but for those of us still not clear: Do charts have to locked up if they are within the area of the practice to which no one but employees who may need them have access? The cleaning crew would be in the same area at night. Thanks very much. Vicki Saunders Pain Clinic Associates, PC [EMAIL PROTECTED] Pain Clinic Associates, PC Confidentiality Notice: The information contained in this e-mail transmission is confidential information, proprietary to the sender and legally protected. Its purpose is intended for the sole use of the individual(s) or entity named in the message header. If you are not the intended recipient, you are hereby notified that any dissemination, copying or taking any action in reliance on the contents of this information is strictly prohibited. If you received this message in error, please notify the sender of the error and delete this message, any attachments and all copies. Thank you.   --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org