Ellen, This is one of those HIPAA topics where we would advise hanging a large "Proceed with Caution" sign, and where we would welcome additional guidance from HHS.
Section 164.528(a)(1)(iii) of the Privacy rules --Accounting of disclosures of protected health information-- notes that HIPAA does NOT require a "use" incident to an otherwise permitted "use or disclosure" (as provided in section 164.502) to be included in an "accounting". Conversely, this leads us to believe that HHS intends for ALL "privacy breaches", whether a "use" or "disclosure" to be included in an "accounting". I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener informaci�n privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicaci�n por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la direcci�n mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Ellen Rubin [mailto:[EMAIL PROTECTED] Sent: Saturday, November 01, 2003 3:59 PM To: WEDI SNIP Privacy Workgroup List Subject: Re: Employee Access and Accounting of Disclosures My understanding is that this is a "use" (albeit inappropriate) and not necessary to put in the accounting log. However, if this information was then "disclosed" outside the entity, it would need to be accounted for. I asked this question a few weeks ago....the piece I was interested in was whether entities are notifying their patients of this disclosure at the time of the event as well as entering in the accounting. Ellen ______________________ Ellen Rubin, RN, BSN Privacy Officer Harborview Medical Center 206 731-6048 Voice 206 731-2097 Fax ----- Original Message ----- From: "Walter Suarez" <[EMAIL PROTECTED]> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Saturday, November 01, 2003 5:06 AM Subject: Employee Access and Accounting of Disclosures > When an employee of a covered entity accesses PHI and it is determined that > this was done wrongly (say, violating the minimum necessary requirements for > that employee, or just plain inappropriate access someone's PHI by the > employee), would this result in the employer having to log it into the > accounting of disclosure? > > Many thanks for your comments and reactions. > > Walter. > > ================================ > Walter G. Suarez, MD, MPH > President and CEO > Midwest Center for HIPAA Education > 2850 Metro Drive, Suite 118 > Bloomington, MN 55425 > (952) 854-3401 - v > (952) 814-4805 - f > [EMAIL PROTECTED] > http://www.mche.us.com > ================================ > > > > --- > The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] > If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org > --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
