The overwhelming focus on "compliance" with HHS fogs the real battle which comes with the Plaintiff's bar and real confidentiality and security issues.

William H. Dobson, Jr., CISSP
Federal Business Development
Information Assurance Assessments
Trustwave Corporation, Annapolis, MD
Office 410-573-6910 x 2622
Cell 301-655-8548
Fax 410-571-8493

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 8:31 AM
To: [EMAIL PROTECTED]
Cc: 'Allan Roth'; 'Kelly, Lee'; [EMAIL PROTECTED]
Subject: RE: minimal compliance?

I think it is important for us, as professionals, to distinguish our terminology with regards to HIPAA. For the record, the following are HIPAA Transactions.

Electronic Transactions 1173(a)(1)
- Health claims
- Encounter information
- Enrollment or disenrollment in a health care plan
- Eligibility for a health care plan
- Health care payment remittance
- Premiums
- Report of injury
- Claim status
- Referral information

A provider would invoke HIPAA if a provider is sending/receiving protected health information (PHI) to satisfy a HIPAA Transaction, as outlined above. Also, if a provider contracts a third party to conduct such operations, the provider is still covered by HIPAA.

David Sweigert, M.S., CISSP
State IT Security Policy Officer
Office of Statewide IT Policy
Computer Services Division
http://www.ohio.gov/itp

"Gaudio, Paul" <pgaudio@cabrininy.org>
05/08/2002 04:39 PM
To: "'Allan Roth'" <[EMAIL PROTECTED]>, "'Kelly, Lee'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc:
Subject: RE: minimal compliance?

good afternoon,

taking that one step further....it is hard to imagine anyone today that does not have a fax, palm pilot, laptop, etc. each scenario is a hipaa defined "electronic transmission". we try to have our staff and drs accept the fact that hipaa is coming and we need to change our mindset. we ask that everyone focus on the regs and not look for shortcuts and loopholes.

paul gaudio
director, medical records and priv officer
cabrini med ctr, nyc
[EMAIL PROTECTED]

-----Original Message-----
From: Allan Roth [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, May 08, 2002 4:14 PM
To: 'Kelly, Lee'; [EMAIL PROTECTED]
Subject: RE: minimal compliance?

Strictly speaking the narrow definition of "covered entity" requires electronic transmission of data and therefore, an organization could avoid being a "covered entity" under this strict definition. However, the privacy of PHI is dictated by HIPAA to varying extents to organizations that are not strictly "covered entities" and that don't generally think of themselves as healthcare institutions. This includes organizations and institutions that are self insured and manage health insurance. Therefore, it is only good practice to follow the HIPAA compliance guidelines and regarding the transaction standards dictated for covered entities, there will be enough ROI for the changes required that it makes good business sense.

Allan C. Roth, Ph.D., CISSP
Director of Information Systems
Prairie Cardiovascular Consultants, Ltd.
Springfield, IL 62794-9420
[EMAIL PROTECTED]
(217) 788-0706 ex 67890

-----Original Message-----
From: Kelly, Lee [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 08, 2002 2:15 PM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: FW: minimal compliance?

Rebekah,

However, keep in mind that the Privacy Rule also applies to 'individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form.' The example given is that PHI would remain protected after it is read from a screen and discussed orally, printed onto paper or other media, photographed or otherwise duplicated.

You will also need to take a look at the technologies in use at your site.
Consider telemedicine, home care givers that have mobile devices, and newer medical devices that store PHI as part of their function.

Thank You,

Lee Kelly, CISSP
Manager, Assessment Services
Fortrex Technologies
[EMAIL PROTECTED]
1-877-Fortrex - Office
1-301-906-6269 - Cell

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
