Tim,
On first blush, your idea seems to have merit. On a second read, however,
the only type of entity that has any wiggle room to not have the HIPAA law and
regs apply to it would be a health care provider. All other types of covered
entities are defined in the law/regs, i.e., health plans and clearinghouses, and
I haven't seen any wiggle room for that type of entity at
all.
Thus, for non-health care provider entity types, the only option would be
flagrant non-compliance with the law. Not a very viable option from a
risk/liability viewpoint.
Rachel Foerster
Principal
Rachel Foerster &
Associates, Ltd.
39432 North
Avenue
Beach Park, IL
60099
Voice:
847-872-8070
Fax:
847-872-6860
eMail: [EMAIL PROTECTED]
http://www.rfa-edi.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 3:13 PM
To: Deborah Campbell; [EMAIL PROTECTED]
Subject: WEDI/SNIP MANAGEMENT! Non-compliance modelI think these thought processes are substantially flawed. However, it occurs to me that we are seeing a significant issue emerge that requires addressing:What are the actual requirements for legal non-participation in HIPAA? From my perspective, I can not see how any modern practice can not engage in some form of arguably covered transactions which trigger HIPAA covered entity or business associate status. Even if they sub-contract the transactions services, they're still a covered entity per CMS/OCR. And, as I have stated before, I think the Privacy and Security Rules are generally a good steps forward.So, exactly what does a business have to give up to not be covered under HIPAA? What I am asking is: should SNIP develop a document that clearly states what these requirements are? Until such a document exists, business people can not objectively evaluate non-applicability from non-compliance. Nor can they look at the real loss of business that I believe such moves would entail.I, for one, would be very interested in participating is such a project. I, like many, have found it difficult to express to potential covered entities what their options are in this regard. So I believe that a non-applicability implementation guide is ultimately the only way to resolve this. Or do we simply leave it up to OCR enforcement and case law to determine this?
Tim McGuinness, Ph.D.Consulting Specialist in Regulatory Privacy, Security, and Application Compliance (HIPAA/ASCA/FDA/CMS-HCFA/ICH/ADA 508c),President,HIPAA Help NowExecutive Co-Chairman for Privacy,HIPAA Conformance Certification Organization (HCCO)
**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.
