Just out of curiosity... Do the penalties hit the employee or the employer?
-----Original Message-----
From: Christiansen, John (SEA) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 4:22 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: "Compliance"

I'm an attorney too. From my POV Cory is right to distinguish transactions violations from information misuse/improper disclosure offenses - the former are not grounds for criminal penalties, only civil, and those cap at $25K/calendar year for each specific type of violation. Not pleasant, perhaps, if you have many types of violation, but not prison.

Though I would also query whether it would be worth being in intentional violation even if you can afford the civil penalties due to other possible consequences such as harm to accreditation, program exclusion, etc. - depending on the kind of entity you/your customers may be.

And I would watch it with knowing participation in any scheme which incorporates plans to violate federal regulation - while it may be legitimate to identify and accept a certain degree of risk due to financial or other legitimate constraints which make compliance impossible, this has the whiff of conspiracy about it.

Imperfect but probably acceptable solution? Identify the issues and specify reasoning formally and properly upon recommendations from qualified experts and legal counsel. Document that at least you tried to figure out how to comply and why you concluded you couldn't, and what you intend to do to get compliant. It's better than getting caught red-handed without a defensive record.

As to privacy officer personal liability, keep in mind that for personal liability for an organization's HIPAA crimes any officer, "privacy" or otherwise, may be exposed if they have managerial authority over those who commit the violation and failed to prevent it. Before accepting the particular honor of being a privacy officer, it would be prudent to make sure it comes with sufficient authority to act on discovered violations.
In the post-Enron world, I would also be concerned about being the officer signing a HIPAA compliance certification such as that required by the Security Rule - you might get nailed for perjury or worse. Of course, Enron and Oxley-Sarbanes also suggest that board members, senior executives and auditors also best be sure they aren't missing or glossing over important regulatory failures in reports to stakeholders.

From: John R. Christiansen
Preston | Gates | Ellis LLP
701 Fifth Avenue, Seattle, Washington 98104
*Direct: 206.613.7118 - *Cell: 206.799.9388 * [EMAIL PROTECTED]

Reader Beware: Internet e-mail is inherently insecure. Unencrypted e-mail may be accessible to unauthorized viewers, e-mail content may have been modified or corrupted, and e-mail headers or signatures may incorrectly identify the sender. If you wish to confirm the contents of this message or identity of the sender, or wish to arrange for more secure communication please contact me using a communications channel other than a "reply" to this e-mail. Thank you.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 2:32 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; ":cory.dekker"@gwl.com
Subject: RE: "Compliance"

Cory:

I am an attorney and I've asked our attorney general for an opinion as to whether Privacy Officers under HIPAA have personal liability. We've not yet received an opinion. I agree with Tim's comments: "Cory, I suggest that you consult with an attorney."

Moya T. D. Gray, Director
Office of Information Practices
State of Hawaii
No. 1 Capitol Center
250 South Hotel Street, Suite 107
Honolulu, Hawaii 96813
Tel: 808-586-1400
Fax: 808-586-1412
Web: www.state.hi.us/oip

<timmcguinness@yahoo.com>
09/10/02 09:55 AM
Please respond to timmcguinness
To: <[EMAIL PROTECTED]>, <:[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
Subject: RE: "Compliance"

Cory, I am not an attorney. Having said that.
Are you aware that you just publicly stated that you have foreknowledge of multiple violations of Federal Law?

I would encourage all to remember that this is not a local IT user group bashing Microsoft. That we are dealing with Federal Law!!

Any attorneys out there wish to add their two cents in? Unintentional disclosures have potential consequences. (anybody read the Privacy Rule?)

Cory, I suggest that you consult with an attorney.

Tim McGuinness, Ph.D.
President, HIPAA Help Now Inc.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>
Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org>

Tim McGuinness, Ph.D. - Instant Access
Phone: 727-787-3901
Cell: 305-753-4149
Fax: 240-525-1149
Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM timmcguinness - AOL IM: mcguinnesstim

IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.

-----Original Message-----
From: Dekker, Cory [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: "Compliance"

I'd like to move this to a new thread (since I think the old one is REALLY dead).
Christopher makes an assertion that I'd like to see if we can actually get a meaningful discussion going around. I have been involved in interviews with my organization's trading partners, and I've been the one working most directly on defining our companion document specifications. In my research thus far, I have found Christopher's assertion, that no one will intentionally violate the law, to be untrue.

At least for now, "some" CH's and payers ARE planning to intentionally violate some small/minor/finer points of the HIPAA IG's, as best fits their business needs. I will be honest enough to say that my own organization is currently "considering" this [insert massive disclaimer about my inability to speak for GWL in any capacity]. Clearly, it is highly unlikely that anyone is going to come out on this ListServ and say "we plan to break the law", and I would NEVER expect anyone associated with WEDI to encourage such. However, without naming any names, I KNOW that more than one of my TP's fully plans to, and I'm not just talking about the bare minimum stuff just to make it work.

Depending on how you split hairs, true "compliance" is impossible. For example, the 2 837[PDI]/2010[AB]A/REF segments are IMPOSSIBLE to comply with, given the current wording of the IG's and the legal "LU" value in both REF's. This is NOT fixed in the Addenda, so true compliance will STILL (technically) be IMPOSSIBLE even after they are finalized. You have to disallow "LU" as valid in the 2nd REF; but wait... that would mean intentionally violating the IG, both current, and Addenda.

Maybe I'm in Wonderland thinking that we might actually have an honest discussion about this, but given that it significantly impacts our potential recommendations to the industry on Testing, Routing, and general "Compliance" efforts, is it at least worth asking about?

-Cory

-----Original Message-----
From: Christopher J. Feahr, OD [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 09, 2002 7:54 PM
To: [EMAIL PROTECTED]
Subject: RE: Certifications

" ... it's more that I doubt any CH or payor would have the nerve to intentionally violate a federal law like that... and no responsible organization like WEDI is going to recommend it. I suspect that payors and CHs are planning to start out a year from now, programmed to reject ALL non-conforming claims, based on their own validator logic. That's really the aspect of healthcare-EDI that transforms what might be a minor flaw we could choose to live with in some industries, into a big deal... potentially triggering massive rejection of what would otherwise be "payable" claims.

"What I'm worried about, however, is the receiving system (built on translator/validator A) rejecting lots of messages from a system built around T/V Vendor B's engine... despite the fact that Engine B's validator is saying they are all fine."

**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.
======================================================
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.

(See attached file: Tim McGuinness Ph. D..vcf)
