John, You are quite right that the proposed rule was modified, and that is why we included BOTH versions in our second response to you. Our point is, that based on that modification, HHS clarifies what it intends as the "third party".
I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 6:29 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: With all due respect, each time you have responded on this thread you have cited small excerpts which support your position, but have failed to cite the additional language following your excerpt which calls your position into question. The first time, you pulled this language from the definition of "treatment" in the final rule -- "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient" -- without citing the follow-up language which is included in the definition: "INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY". And now this time, you have now pulled some language from the final rule preamble -- "THE PROPOSED RULE defined 'treatment' as the provision of health care by ... health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL..." -- without acknowledging that the language in the paragraphs which immediately follow the language you excerpted notes that the proposed rule's definition which you are citing, Matt, WAS MODIFIED: "Specifically, WE MODIFY THE PROPOSED DEFINITION of ``treatment'' to include the management of health care and related services...." If the list members will go back to the 1999 proposed HIPAA rule's definition of "treatment", you can see just exactly which language in the definition of "treatment" was modified. See at http://aspe.hhs.gov/admnsimp/nprm/pvcnprm.pdf, the definitions under section 164.504 at page 60053; the proposed rule's definition of "treatment" was: "Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; OR THE COORDINATION OF HEALTH CARE OR OTHER SERVICES AMONG HEALTH CARE PROVIDERS AND THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL." (emphasis added) In the final rule, under section 164.501 at page 82805 (see http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm) the definition of treatment was changed to: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) [This final definition was not changed in the August 2002 Privacy Rule modification (see http://www.hhs.gov/ocr/hipaa/privruletxt.txt), and thus is the current definition]. The list members will see that some of the exact language which was removed from the proposed rule's definition is the very qualifying language at the end of the definition that limited the "third parties" to only those "third parties" who were "authorized by the health plan or the individual"! So, in the final rule, as the sentences immediately following the one which you cited make clear, Matt, DHHS TOOK OUT THE LIMITATION THAT YOU ARE RELYING UPON. The limitation on third parties, to only those who were "authorized by the health plan or the individual", no longer exists. The excerpt you emphasized actually undermines your position rather than supporting it, given that the final rule's preamble was pointing out that that excerpt is obsolete. I appreciate your perspective, Matt. But I'm not really asking for incomplete language excerpts which falsely describe the current regulatory language and which appear to support a particular preconceived opinion on this issue. Instead, I'm suggesting that the language which made it into the final Rule, that "treatment" can mean the sharing of PHI from providers to some entities called "third parties" (unqualified, undefined), is subject to multiple interpretations, and I'm curious as to whether physicians or providers or others ever believe that sharing PHI with a community can sometimes constitute "treatment". We know what you think now, Matt, thanks, and I really do appreciate knowing your viewpoint. But let's hear from some others now, thanks. John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -----Original Message----- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 5:19 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? John, We believe that HHS is clear in the use of the term "third party" in its definition of "treatment". The following guidance is provided in the Preamble to the (initial) Privacy rules: "The proposed rule defined 'treatment' as the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and THIRD PARTIES AUTHORIZED BY THE HEALTH PLAN OR THE INDIVIDUAL." (The emphasis is mine). "Under the definition [of treatment], the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. 'Treatment' includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider." "Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan." Within this context of HHS intentions (above), a "third party" might be a "therapy aide" or "clinical coordinator", but we do not currently see how the term "third party" may be stretched to include "mass media". Be this as it may, we do welcome an opportunity to vet this important topic. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 2:46 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Aaah, but Matt, the full definition of "treatment" at sec. 164.501 of the Privacy Rule is as follows: "Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, INCLUDING THE COORDINATION OR MANAGEMENT OF HEALTH CARE BY A HEALTH CARE PROVIDER WITH A THIRD PARTY; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another." (emphasis added) What the emphasized phrase means is the question. I don't see all that much in the Privacy Rule Preamble discussing what "treatment" means in the first place, much less what this "coordination or management...with a third party" means. Is the "third party" language mere surplusage, or does it refer to non-providers? (FWIW, IMO it is the latter). There are a few references to AMA ethical materials in the Preamble, and a few other sections (see for example the Privacy Rule preamble at pages 82625 to 82626), where DHHS says that it intends the term "treatment" itself to be defined very broadly, albeit limited to "treatment's" performance by only physicians and medical providers (and not, for example, by health plans), and also, limited to treatment of an individual. In other words: WHO DOES IT? "Treatment" must be performed by a provider. WHO IS IT DONE TO? "Treatment" must also concern the medical care provided to an individual, and not to a community. But once the above limitations are imposed, all bets are off. In terms of ... WHAT IS IT? "Treatment" can be just about any type of health care and... WHO ELSE CAN THE PROVIDER PERFORM IT WITH? I think the Rule says that, as long as the above qualifications are met, a physician or provider can perform "treatment" with anybody else (a "third party"). So, noting the reference to "coordination or management of health care by a health care provider with a third party", I am wondering, can that "third party" be read as broadly as to include the community at large? I wonder if the physicians or medical providers on the list can give examples or otherwise expand upon, in their experience, what this coordination with a third party might entail? For example, if a physician believed that enlisting the community's help in identifying a comatose patient was essential for performing treatment on that patient, would that be the physician's "coordination or management of health care ... with a third party"? Thanks again, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -----Original Message----- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 12:48 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? John, Clearly, HIPAA allows a health care provider to disclose PHI to any other health care provider for the purposes of "treatment", and the HIPAA-definition includes "consultation between health care providers [i.e., physicians and pharmacists] relating to a patient". As most pharmacists are CEs, they would be mandated to comply with the HIPAA rules. The general scenario to which you refer (below) is not so clearly defined by HIPAA: the photo of a comatose patient disclosed to the general public through mass media in order to "identify" the individual might (or might not) apply to a "treatment" or "public health" emergency. For example, if the need-to-identify is intertwined with a "public health" emergency, possibly HIPAA would allow the disclosure of the photo by the provider to a public health authority. But in that case, it would be public health authority (and not the provider) that makes the photo available to the media. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: Cody, John (OFT) [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 11:18 AM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Matt: That is an interesting perspective, and one which I have wondered about myself. But I wonder how far the concept can be stretched under the HIPAA Privacy Rule. For example, one of the listserves a few months ago (I think it was a different one than this one) was discussing the situation where an unidentified comatose patient is brought to the hospital and the hospital believes the only way to identify the patient is through a photo disclosed to the mass media. The discussion took various twists and turns, but one thing which I privately pondered at the time was whether there is such a thing as "community" treatment. Under the principle you embrace below, would the hospital's media disclosure also constitute "treatment"? If not, why not? Is the distinction that in Dr. Fairley's example, the disclosure is to other providers, while in the hospital's scenario, the disclosure is made to a wider audience than providers? Where in the HIPAA Privacy Rule is that distinction defined? Thanks for your thoughts, John John C. Cody, Esq. NYS Central HIPAA Coordination Project NYS Office for Technology http://www.oft.state.ny.us/hipaa/index.htm [The opinions expressed herein are my own and do not necessarily reflect the policies, practices or opinions of my employer or anyone else. Nothing herein constitutes legal advice - if you need legal advice, please consult your own attorney.] -----Original Message----- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 5:12 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: is this practice O.K.? Dear Dr. Fairley, What a great question! We believe that HIPAA allows this practice and in doing so, provides patient with privacy protections. For nearly 2000 years physicians, nurses, and pharmacists (chemists) have comprised the "treatment" triad. And especially when treating substance abuse and addiction, it does take a community to provide a safe and therapeutic environment: whenever we remove a member of the treatment community from the process, errors and mistakes may increase and disease resolution may decrease. Within this context, the scenario that you describe (below) fits well within the bounds of sharing PHI for treatment purposes, and the involved providers will be beholden to the related HIPAA rules. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 3:54 PM To: WEDI SNIP Privacy Workgroup List Subject: is this practice O.K.? The practice that I am going to describe is quite common in our community but I am not sure it is acceptable. I wanted the opinion of the experts on this list. Occassionally, we run into a problem with a patient who seems to be doctor hopping and getting multiple prescriptions for narcotics. In order for the patient's principle physician to keep a close watch on the patient's use of narcotics and to avoid abuse/misuse of narcotics, the physician makes a deal with the patient. The deal is "ALL prescriptions for narcotics must be funneled through one doctor-the primary care physician." The patient usually agrees but then (and here is where I am not sure if we are infringing on privacy)we can send an "Alert" to all the area pharmacies to alert them that this deal occurred and if the patient shows up at one of the area pharmacies with a narcotic prescription from someone other than the primary care physician, the patient is told that they have an order that they can not fill the prescription unless it comes from the designated doctor. Is this practice acceptable? Do we need the patient's consent to notify all heighborhood pharmacies? Is verbal consent acceptable? Can the information be sent to the pharmacies without the patient's specific consent (that is, the patient consented to the arrangement that one doctor fills all narcotic prescriptions but the patient did not consent to the information being sent to all area pharmacies? ) Thank you Rich Fairley, M.D. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
