Re: HIPAA-related privacy question (I think)

[Doug Webb]

---
You are currently subscribed to wedi-privacy as: archive@jab.org
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org
---
Because the rule was set to only apply to those who do electronic transactions.  I 
know it doesn't make sense -- it doesn't have to -- it's the government.  Discresion 
being the better part of valor, I would reccomment that everyone behave as if they 
were a covered entity with respect to the Privacy rules even though you think you may 
be exempt from the letter of the law.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It areIt is intended only for the use of the individual(s) and entity 
named as recipients in the message. If you are not an intended recipient of the 
message, please notify the sender immediately and delete the material from any 
computer. Do not deliver, distribute, or copy this message, and do not disclose its 
contents or take action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Sparma, Deborah, nashccon" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, October 22, 2002 03:37 PM
Subject: RE: HIPAA-related privacy question (I think)


> ---
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org or send a blank email to 
>[EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as the 
>address subscribed to the list, please use the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org
> ---
> I appreciate the clarifications. However, my next question becomes this
> the definition of Health Care information in the rule is as follows:
> 
> Health information means any information, whether oral or recorded in any
> form or
> medium, that:
> (1) Is created or received by a health care provider, health plan, public
> health authority, employer, life insurer, school or university, or health
> care
> clearinghouse; and
> (2) Relates to the past, present, or future physical or mental health or
> condition of an individual; the provision of health care to an individual;
> or
> the past, present, or future payment for the provision of health care to an
> individual.
> 
> If health care information can be in ANY form and covered under the privacy
> rule, then why is it only providers who submit electronic transaction that
> are covered entities. Wouldn't the providers choose NOT to conduct an
> electronic transaction still have Health Care information as defined in the
> rule? Are you telling me there are totally exempt of this privacy rule
> because they are not conducting an electronic transaction, BUT they have
> health information in any form?
> 
> Deborah
> 
> -Original Message-
> From: Sadauskas, Thomas, CON, OASD(HA)/TMA
> [mailto:Thomas.Sadauskas@;tma.osd.mil]
> Sent: Tuesday, October 22, 2002 2:13 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: RE: HIPAA-related privacy question (I think)
> 
> 
> ---
> You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> http://subscribe.wedi.org or send a blank email to
> [EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as
> the address subscribed to the list, please use the Subscribe/Unsubscribe
> form at http://subscribe.wedi.org
> ---
> Deborah,
> 
> I'm afraid you're incorrect about that.  The rules and HIPAA legislation
> exempt health care providers who do NOT engage in any of the HIPAA covered
> transactions. Double check the definition of a covered entity for health
> care providers.
> 
> That's a very small subset of the total of providers.  Such providers may
> have a hard time come April 2003 when their patients ask why they're not
> being given an NPP and the provider says I'm not required to follow HIPAA
> privacy rules because I'm not a covered entity under the letter of the law.
> 
> They may find their patients going elsewhere since HIPAA privacy rules will
> be viewed as the accepted "standard of care".  
> 
> Just a thought.
> 
> Tom Sadauskas, FHFMA, CHE, CPA
> Northrop Grumman Information Technology
> 703-575-0119  Fax - 703-575-0215
> [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: Sparma, Deborah, nashccon
> [mailto:Deborah.Sparma.nashccon@;acs-inc.com]
> Sent: Tuesday, October 22, 2002

Re: Parent Inquiries and HIPAA

[Doug Webb]

Chris, 
That would be my take, too..
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Chris Brancato 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Tuesday, January 14, 2003 03:20 
  PM
  Subject: RE: Parent Inquiries and 
  HIPAA
  
  
  Deborah,
  My experience tells 
  me that your relationship (here we go again) is with all members and that all 
  emancipated minors or children above the age of majority are offered the same 
  protection under HIPAA. 
   
  From the OCR’s 
  guidance:
  “When an individual 
  reaches the age of majority or becomes emancipated, who controls the protected 
  health information concerning health services rendered while the individual 
  was an unemancipated minor?
   
  The individual who is 
  the subject of the PHI can exercise all rights granted by the HIPAA Privacy 
  Rule with respect to all PHI about him or her, including information obtained 
  while the individual was an unemancipated minor consistent with State or other 
  law.  Generally, the parent would 
  no longer be the personal representative of his or her child once the child 
  reaches the age of majority or becomes emancipated, and therefore, would no 
  longer control the health information about his or her child.  Of course, any individual can have a 
  personal representative-which may include a parent-who can exercise rights on 
  his or her behalf.”
   
  I conclude that to 
  mean, the parent regardless of member status would need the child’s 
  authorization for release of information.
   
  Hope that 
  helps/
  Chris Brancato
   
   
  Chris Brancato
   
  -Original 
  Message-From: Deborah 
  Campbell [mailto:[EMAIL PROTECTED]]Sent: Tuesday, January 14, 2003 3:54 
  PMTo: WEDI SNIP Privacy 
  Workgroup ListSubject: RE: 
  Parent Inquiries and HIPAA
   
  I would 
  really love to hear everyone's response to this. This is an issue we are 
  trying to address. Who can we talk to about PHI? Only the member? The 
  subscriber for all the member's under him (Which seems to be an industry 
  standard)? We are trying to have as few "exceptions" or opt-outs as possible. 
  Otherwise it makes life very difficult for member services when someone calls. 
  (Multiple places to check for exceptions and multiple opportunities to make a 
  mistake).  
  Any 
  advice anyone can give would be appreciated.
  Deborah 
  Campbell 
  Compliance 
  Coordinator 
  
  Dominion 
  Dental Services, Inc. 
  115 
  South Union Street, Suite 300 
  Alexandria, 
  Virginia 22314 
  
  Phn: 
  (703) 518-5000 ext. 3035 
  Fax: 
  (703) 518-8849 
  Toll 
  Free:  888-518-5338 
  Email: 
  [EMAIL PROTECTED] 
  
  *** 
  The 
  information in this email is confidential and may be legally privileged.  
  It is intended solely for the addressee.  Access to this email by anyone 
  else is unauthorized.
  If 
  you are not the intended recipient, any disclosure, copying, distribution or 
  any action taken or omitted to be taken in reliance on it is prohibited and 
  may be unlawful.
  * 
  
  -Original 
  Message-From: dale 
  pocklington [mailto:[EMAIL PROTECTED]]Sent: Tuesday, January 14, 2003 3:41 
  PMTo: WEDI SNIP Privacy 
  Workgroup ListSubject: 
  Parent Inquiries and HIPAA
  I have a 
  privacy related question that I just can't seem to find a specific answer for. 
  I am dealing with a TPA/Broker type environment that has about 80% of the 
  calls from non-providers whose parents are calling on behalf of their 
  adult college-aged children. This is probably because the students either 
  don't understand the insurance process, don't have time to handle their 
  claims, or because the parents still handle all the child's finances. The 
  nature of the calls are everything from claims payment status to inquiries 
  about problems. I can't find anything in the HIPAA privacy regs. that 
  specifically addresses this issue. Mostly, I have found language regarding 
  being a "personal representative". However, that seems to address minor 
  children, or situations where the parent has some sort of legal authority over 
  an adult child.
  My question is, 
  under HIPAA, is there any sort of language or interpretation th

Re: HIPAA privacy and telephone

[Doug Webb]

An extension to this -- how do you handle answering machines?

My gut feeling is that either a no-no (the machine more questionable than a family 
member) -- the information could only be released to the patient or his/her 
representative designated in a written authorizaton.  Perhaps another signature on 
your main consent/authorization form to allow these types of communications is what's 
needed???

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thursday, January 16, 2003 04:04 PM
Subject: HIPAA privacy and telephone


> I would like the lists opinion on this topic.
> 
> Patient comes to the office to have their potassium checked because they are on a 
>diuretic.  Later, the physician's nurse calls the patient at home with results but 
>the patient is not home.  Spouse answers the phone.  Can you tell the spouse that the 
>potassium was fine and that he/she should tell the spouse to continue the same dose 
>of diuretic and potassium supplement?  If you say "no, this type of disclosure is not 
>allowed", would it matter that we put a statment in our Notice of Privacy Practices 
>that stated  (in the section on Payment, treatment and  health care operations) "On 
>occasion, we call test results to your home and leave the results with a family 
>member if you are not present".  Now, obviously, we would not do this with a HIV 
>result but it seems like such a waste of everyone's time to play phone tag to 
>accommodate the one patient in a million that is actually upset because you told the 
>spouse what the potassium result was.  Thank you.
> 
> Rich Fairley, 
> Dubuque, IA


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org

Re: Business Associates

[Doug Webb]

Traci,
It looks to me like someone's trying to cover 
all bases with a shotgun approach (run it up the flagpole and see who 
salutes) .
 
My understanding is that you wouldn't need a 
BAC any more than a surgeon's office needs one with a Primary Care Physician 
referring a patient to them.  This is Covered Entity to Covered Entity for 
the purposes of Treatment.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Traci Winter 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, January 22, 2003 12:47 
  PM
  Subject: Business Associates
  
  Hey everyone, I know this topic has been hashed out like crazy but I find 
  myself confused.
   
  As a homecare agency we receive our business via referrals from health 
  care facilities and MD offices. We are not providing services on behalf of 
  these entities. It was my understanding that we wouldn't be considered BAs of 
  these CEs but, due to receiving a BAC in the mail today, I find that I am now 
  unsure…
   
  Help….
   
  Traci Winter
  Hospitals Home Health Care, Inc.
  Special Projects Coordinator, Privacy Official---The WEDI SNIP 
  listserv to which you are subscribed is not moderated. The discussions on this 
  listserv therefore represent the views of the individual participants, and do 
  not necessarily represent the views of the WEDI Board of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion, post your question to the 
  WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs 
  should not be used for commercial marketing purposes or discussion of specific 
  vendor products and services. They also are not intended to be used as a forum 
  for personal disagreements or unprofessional communication at any 
  time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: to sign or not to sign

[Doug Webb]

Traci,
My vote's for the round file.
Any lawyers out there feel free to chime 
in.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Traci Winter 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, January 22, 2003 02:49 
  PM
  Subject: to sign or not to sign
  
  OK so the next question is do we sign these BACs or just put them in the 
  round file. Your answers reflected what my impression was, but I wanted 
  reinforcement.
   
  Thanks,
  Traci Winter---The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The discussions on this listserv therefore 
  represent the views of the individual participants, and do not necessarily 
  represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish 
  to receive an official opinion, post your question to the WEDI SNIP Issues 
  Database at http://snip.wedi.org/tracking/. These listservs should not be used 
  for commercial marketing purposes or discussion of specific vendor products 
  and services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: to sign or not to sign

[Doug Webb]

Leslie,
In general, I agree.

The vendor is attempting to reduce the load on ITS legal staff by getting its 
customers to sign their version of the BAA before their cusomers write their own. 

You will have to have a BAA in place with most of these entities.

It doesn't matter who originates the agreement. The CE (in your case, the hospital) is 
the one who must see that the agreement is in place.
Note that the last part of BAA is significant - Agreement.  The final wording must be 
mutually agreed to.

On the other hand, whose wording is used may depend on the amount of competition in 
the field and/or the volume of business you do with the vendor.  If they're the only 
game in town (an example: GE/Marquette EKG systems), or you would be considered "small 
potatoes", you may have to live with their wording.  If you can easily change to 
another vendor, you may be able to insist on your wording.

IMHO, the best way to ensure that the wording is closer to your wording is to beat the 
vendors to the punch (send them your version before they try to send you theirs).

In any case, don't sign just because they sent you one.  There may not even be a 
business relationship that makes one necessary.  Make sure that the final agreement 
protects your interests.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Harpe, Leslie" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Thursday, January 23, 2003 01:13 PM
Subject: RE: to sign or not to sign


> I don't think vendors should write agreements.
>  
> I represent a hospital that is getting a lot of agreements from vendors.  I
> say this with strong conviction, I do not want to sign vendor agreements.  I
> think that if I've given you access to my patient information, you should
> sign my agreement.  After all, its my information and I'm responsible for
> it.  Furthermore, you are not a covered entity and you are not required by
> law to have an agreement. Do you have a Notice of Privacy Practice?  Of
> course not, but why would you follow part of the law and not all of it?
>  
> I wonder if I'll have this same strong conviction when JCAHO sends me their
> agreement.
>  
> Thanks,
> Leslie Harpe
> South Georgia Medical Center
>  Valdosta, GA  31605
> [EMAIL PROTECTED]  
>  
> 
> -Original Message-
> From: Ian Leedom [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 12:23 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: RE: to sign or not to sign
> 
> 
> I also represent a software vendor in a similar situation.  Our take has
> been that we must have Business Agreements (BA) with the CE's simply because
> we have access to PHI.  It also means that at some level, we need to know
> who has in fact accessed things and when.  I think that the fact that you
> have access to a DB which has PHI in it is enough to trigger all of the
> privacy rule in HIPAA .  
>  
> My problem, and I'd love to hear from others about this, is what sort of BA
> we should in fact have.  We have enough clients that if we send every
> agreement from every client to our corporate attorneys then we'll be
> bankrupt before April.  And you're right that some clients want
> indemnification for things which are THEIR business and for us to keep data
> even after a business contract has ended.  If anyone has any to add to this,
> I for one would love to hear it.
>  
> 
> Ian Leedom
> Psyche Systems
> 321 Fortune Blvd.
> Milford, MA 01757
> Tel: (508) 473-1500 x341
> Compliments humbly accepted.  Flames cheerfully ignored.
> 
> -Original Message-
> From: Jim Randolph [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 11:39 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: RE: to sign or not to sign
> 
> 
> 
> Let me carry this a step further.  We are a software vendor that has
> received BACs, TPAs and Chain of Trust agreements from different customers.
> 
> As a vendor to this particular customer base we are exposed to PHI but never
> manipulate it in any way.  Our support personnel do review setup
> configurations, billing problems or DB issues; but don't do anything to PHI.
> Attorneys and consultants are advising our customers so differently that no
> matter what, we end up being "the evil vendor."  Some of the BACs we receive
>

Re: Covered Entity or not

[Doug Webb]

Susan,
Well said.
 
Still another kink -- come October, you will have to file your 
Medicare claims electronically, which makes the loopholes even 
smaller.
 
IMHO, this makes just about anyoune who does "Health Care" a 
CE, except for those few providers who do a strictly cash business, and never 
file a claim with anyone.
 
I kind of expect that in another few years, large numbers of 
payors other than Medicare will be rejecting paper claims.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, February 03, 2003 09:19 
  AM
  Subject: Covered Entity or not
  Everyone,We can argue all day long whether or not we 
  are a covered entity, but I think it makes good business decision to agree 
  that you are if you send in claims and be done with it.Look at this 
  situation, I don't know if many doctors or support staff realize this:  
  Anytime a claim is sent to Medicare, paper or electronic, it is coverted into 
  an electronic transaction because Medicare forwards it to 2nd insurance 
  companies.  So now you are a covered entity.  The only way to get 
  out of sending claims to Medicare is not to treat anyone who may have 
  Medicare.  Who can afford to refuse to treat a large portion of our 
  society.  Another kink- Medicare requires the doctor to file the claim 
  for the patient so don't think you can give the claim to the patient and he 
  files it for you.  The loop holes for not being a covered entity 
  is so small, you almost have to practicing in the dark ages to not be a 
  covered entity.  I think you just have to resign yourself that if 
  you practice and treat patient whether cash practice or not, you ARE A COVERED 
  ENTITY.  At least that is what I am advising our clients, better safe 
  than sorry.Thanks,Susan BowesProfessional Procedures & 
  ControlPractice Consulting Firm for the Small PractionerContact 
  info:211 Turner DriveReidsville, NC  27320Phone- 
  336-578-7461Fax-  336-578-7461 or 336-342-2030---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Fw: Covered Entity or not

[Doug Webb]

Title: Message



I agree -- no bill is the same as cash in my 
book.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Mendel, Linda 
  R. 
  To: 'Doug Webb' 
  Sent: Monday, February 03, 2003 11:05 
  AM
  Subject: RE: Covered Entity or not
  
  I 
  think one category of CE that will stay uncovered at least for a while is 
  employer sponsored on site medical clinics that don't bill at 
  all.
  

-----Original Message-From: Doug Webb 
[mailto:[EMAIL PROTECTED]] Sent: Monday, February 03, 2003 11:57 
AMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: 
Covered Entity or not
Susan,
Well said.
 
Still another kink -- come October, you will have to file 
your Medicare claims electronically, which makes the loopholes even 
smaller.
 
IMHO, this makes just about anyoune who does "Health Care" 
a CE, except for those few providers who do a strictly cash business, and 
never file a claim with anyone.
 
I kind of expect that in another few years, large numbers 
of payors other than Medicare will be rejecting paper claims.
 
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: WEDI SNIP Privacy Workgroup 
  List 
  Sent: Monday, February 03, 2003 09:19 
  AM
  Subject: Covered Entity or not
  Everyone,We can argue all day long whether or not 
  we are a covered entity, but I think it makes good business decision to 
  agree that you are if you send in claims and be done with it.Look 
  at this situation, I don't know if many doctors or support staff realize 
  this:  Anytime a claim is sent to Medicare, paper or electronic, it 
  is coverted into an electronic transaction because Medicare forwards it to 
  2nd insurance companies.  So now you are a covered entity.  The 
  only way to get out of sending claims to Medicare is not to treat anyone 
  who may have Medicare.  Who can afford to refuse to treat a large 
  portion of our society.  Another kink- Medicare requires the doctor 
  to file the claim for the patient so don't think you can give the claim to 
  the patient and he files it for you.  The loop holes for not 
  being a covered entity is so small, you almost have to practicing in the 
  dark ages to not be a covered entity.  I think you just have 
  to resign yourself that if you practice and treat patient whether cash 
  practice or not, you ARE A COVERED ENTITY.  At least that is what I 
  am advising our clients, better safe than 
  sorry.Thanks,Susan BowesProfessional Procedures & 
  ControlPractice Consulting Firm for the Small 
  PractionerContact info:211 Turner DriveReidsville, 
  NC  27320Phone- 336-578-7461Fax-  336-578-7461 or 
  336-342-2030---The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The discussions on this listserv therefore 
  represent the views of the individual participants, and do not necessarily 
  represent the views of the WEDI Board of Directors nor WEDI SNIP. If you 
  wish to receive an official opinion, post your question to the WEDI SNIP 
  Issues Database at http://snip.wedi.org/tracking/. These listservs should 
  not be used for commercial marketing purposes or discussion of specific 
  vendor products and services. They also are not intended to be used as a 
  forum for personal disagreements or unprofessional co

Fw: Covered Entity or not

[Doug Webb]

Title: Message



Another thought -- we have exchanged many words on what is 
"Health Care", especially with respect to Medicaid.  Here's my simplified 
version -- It's "Health Care" if you expect a Health Plan to pay for it (in the 
case of Medicaid, which doesn't necessarily act as only a Health Plan, possibly 
extended to if you don't expect any other Health Plans to cover it, it may not 
be to the Medicaid carrier either).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 
- Original Message - 
From: Doug Webb 
To: WEDI SNIP Privacy Workgroup List 

Sent: Monday, February 03, 2003 11:37 AM
Subject: Fw: Covered Entity or not

I agree -- no bill is the same as cash in my 
book.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Mendel, Linda 
  R. 
  To: 'Doug Webb' 
  Sent: Monday, February 03, 2003 11:05 
  AM
  Subject: RE: Covered Entity or not
  
  I 
  think one category of CE that will stay uncovered at least for a while is 
  employer sponsored on site medical clinics that don't bill at 
  all.
  

-Original Message-From: Doug Webb 
[mailto:[EMAIL PROTECTED]] Sent: Monday, February 03, 2003 11:57 
AMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: 
Covered Entity or not
Susan,
Well said.
 
Still another kink -- come October, you will have to file 
your Medicare claims electronically, which makes the loopholes even 
smaller.
 
IMHO, this makes just about anyoune who does "Health Care" 
a CE, except for those few providers who do a strictly cash business, and 
never file a claim with anyone.
 
I kind of expect that in another few years, large numbers 
of payors other than Medicare will be rejecting paper claims.
 
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: WEDI SNIP Privacy Workgroup 
  List 
  Sent: Monday, February 03, 2003 09:19 
  AM
  Subject: Covered Entity or not
  Everyone,We can argue all day long whether or not 
  we are a covered entity, but I think it makes good business decision to 
  agree that you are if you send in claims and be done with it.Look 
  at this situation, I don't know if many doctors or support staff realize 
  this:  Anytime a claim is sent to Medicare, paper or electronic, it 
  is coverted into an electronic transaction because Medicare forwards it to 
  2nd insurance companies.  So now you are a covered entity.  The 
  only way to get out of sending claims to Medicare is not to treat anyone 
  who may have Medicare.  Who can afford to refuse to treat a large 
  portion of our society.  Another kink- Medicare requires the doctor 
  to file the claim for the patient so don't think you can give the claim to 
  th

Re: Business Associates Agreements

[Doug Webb]

The Billing Companies won't need to ensure any BAAs are in place unless someone out 
there acts on behalf of the Billing Company rather than on behalf of the Covered 
Entity (Provider) [CUSTOMER!]

Their Customers will need BAAs in place with the following:
*   The Billing Company
*   A Collection Agency, if used
*   Any Transactions Clearinghouse (note: if the Billing Company does all its 
transactions as Standard Transactions, a BAA is not required with a clearinghouse 
acting only as a switcher -- just an ordinary contract to do business)

Neither the Billing Company nor their Customers need BAAs with any Health Plans unless 
they doing a non-health-plan function.


The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 04, 2003 02:11 PM
Subject: Business Associates Agreements


> Hi, I'm helping some small Billing companies in my area
> become HIPAA compliant and I'm not sure if they need a
> Business Associates Agreement with the Insurance
> carriers that they submit claims to.  Any information
> would be greatly appreciated.  
> 
> Thank you,
> 
> M.Noren
> 
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
>on this listserv therefore represent the views of the individual participants, and do 
>not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
>you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
>Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
>commercial marketing purposes or discussion of specific vendor products and services. 
> They also are not intended to be used as a forum for personal disagreements or 
>unprofessional communication at any time.
> 
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org or send a blank email to 
>[EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as the 
>address subscribed to the list, please use the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org

Re: Business Associates Agreements

[Doug Webb]

Brenda,
As Noel pointed out, not quite.  They may be a CE in addition to being a BA, but, 
because they perform a function (billing) for the Provider, they are a BA of the 
provider.  If their functionality includes anything outside of obtaining non-standard 
claims information, generating standard claims information, and transmitting them 
(such as sending bills to patients), a BAA will be necessary.  Even in the event that 
the functionality is totally "clearinghouse", a BAA would be desirable to clarify 
where eveyone stands.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Brenda K. Burton" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 05, 2003 08:24 AM
Subject: Re: Business Associates Agreements



Be careful, because not all billing companies are BA!  If the billing service 
translates a standard transaction, they they may well be considered a clearinghouse, 
thus, a covered entity.  It is correct, however, that a BAA is not necessary between a 
billing company and the payer.  

No.
> 
> Billing companies are Business Associates of their health care provider 
> clients because they are performing a covered function on behalf of those 
> client.
> 
> The insurance companies they bill to and the cilling company are each 
> performing their own discrete step in the paymeny process.  Neither is 
> performing any function on behalf of the other.
> 
> Noel Chang 
> 
> --
> Open WebMail Project (http://openwebmail.org)
> 
> 
> -- Original Message ---
> From: [EMAIL PROTECTED]
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Sent: Tue, 04 Feb 2003 12:11:22 -0800 (PST)
> Subject: Business Associates Agreements
> 
> > Hi, I'm helping some small Billing companies in my area
> > become HIPAA compliant and I'm not sure if they need a
> > Business Associates Agreement with the Insurance
> > carriers that they submit claims to.  Any information
> > would be greatly appreciated.  
> > 
> > Thank you,
> > 
> > M.Noren
> > 
> > ---
> > The WEDI SNIP listserv to which you are subscribed is not moderated. 
> > The discussions on this listserv therefore represent the views of 
> > the individual participants, and do not necessarily represent the 
> > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to 
> > receive an official opinion, post your question to the WEDI SNIP 
> > Issues Database at http://snip.wedi.org/tracking/.   These listservs 
> > should not be used for commercial marketing purposes or discussion 
> > of specific vendor products and services.  They also are not 
> > intended to be used as a forum for personal disagreements or 
> > unprofessional communication at any time.
> > 
> > You are currently subscribed to wedi-privacy as: 
> > [EMAIL PROTECTED] To unsubscribe from this list, go to the 
> > Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a 
> > blank email to [EMAIL PROTECTED] If you 
> > need to unsubscribe but your current email address is not the same 
> > as the address subscribed to the list, please use the 
> > Subscribe/Unsubscribe form at http://subscribe.wedi.org
> --- End of Original Message ---
> 
> 
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
>on this listserv therefore represent the views of the individual participants, and do 
>not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
>you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
>Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
>commercial marketing purposes or discussion of specific vendor products and services. 
> They also are not intended to be used as a forum for personal disagreements or 
>unprofessional communication at any time.
> 
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org or send a blank email to 
>[EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as the 
>address subscribed to the list, please use the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org


---
The WEDI SNIP listserv to

Re: Business Associates Agreements

[Doug Webb]

William,
I stand corrected.
If I understand what this implies, the only time a BAA would not be required with a 
"Clearinghouse" would be if its only function is as a conduit of Standard Transactions.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "William J. Kammerer" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Wednesday, February 05, 2003 10:37 AM
Subject: Re: Business Associates Agreements


> A covered entity clearinghouse may convert between standard and
> non-standard on behalf of another covered entity only when it's acting
> as a business associate (of that covered entity); see 45 CFR § 162.930.
> Otherwise, a clearinghouse can only serve as a conduit for standard
> transactions.
> 
> William J. Kammerer
> Novannet, LLC.
> Columbus, US-OH 43221-3859
> +1 (614) 487-0320
> 
> - Original Message -
> From: "Doug Webb" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, 05 February, 2003 10:24 AM
> Subject: Re: Business Associates Agreements
> 
> 
> Brenda,
> As Noel pointed out, not quite.  They may be a CE in addition to being a
> BA, but, because they perform a function (billing) for the Provider,
> they are a BA of the provider.  If their functionality includes anything
> outside of obtaining non-standard claims information, generating
> standard claims information, and transmitting them (such as sending
> bills to patients), a BAA will be necessary.  Even in the event that the
> functionality is totally "clearinghouse", a BAA would be desirable to
> clarify where eveyone stands.
> 
> The opinions expressed here are my own and not necessarily the opinion
> of LCMH.
> 
> Douglas M. Webb
> Computer System Engineer
> Little Company of Mary Hospital & Health Care Centers
> [EMAIL PROTECTED]
> 
> - Original Message -
> From: "Brenda K. Burton" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, February 05, 2003 08:24 AM
> Subject: Re: Business Associates Agreements
> 
> 
> 
> Be careful, because not all billing companies are BA!  If the billing
> service translates a standard transaction, they they may well be
> considered a clearinghouse, thus, a covered entity.  It is correct,
> however, that a BAA is not necessary between a billing company and the
> payer.
> 
> 
> 
> 
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
>on this listserv therefore represent the views of the individual participants, and do 
>not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
>you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
>Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
>commercial marketing purposes or discussion of specific vendor products and services. 
> They also are not intended to be used as a forum for personal disagreements or 
>unprofessional communication at any time.
> 
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org or send a blank email to 
>[EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as the 
>address subscribed to the list, please use the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes o

Re: Recording Disclosures (was BA Agreement Questions)

[Doug Webb]

Title: RE: Recording Disclosures (was BA Agreement Questions)



I also agree with Carolyn.
 
An external Auditor would be a BA if (and only if) YOU hired 
the firm to perform audits for YOUR business purposes, and the auditor had to 
access to PHI in order to perform the audits.
 
Government overseers are a different type of entity from the 
various Covered Entities and Business  Associates, and are enumerated as 
separate types in the regs.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Deborah Campbell 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, February 10, 2003 08:26 
  AM
  Subject: RE: Recording Disclosures (was 
  BA Agreement Questions)
  
  I've 
  got to agree with Carolyn. These audits are done as required by law, or for 
  Health Oversight. Not on behalf of the health plan. 
  
  Deborah Campbell 
  Compliance Coordinator 
  
  Dominion Dental Services, 
  Inc. 115 South Union 
  Street, Suite 300 Alexandria, Virginia 22314 
  Phn: (703) 518-5000 ext. 
  3035 Fax: (703) 
  518-8849 Toll 
  Free:  888-518-5338 Email: [EMAIL PROTECTED] 
  
  *** The information in this email is confidential and may be 
  legally privileged.  It is intended solely for the addressee.  
  Access to this email by anyone else is unauthorized.
  If you are not the intended recipient, any 
  disclosure, copying, distribution or any action taken or omitted to be taken 
  in reliance on it is prohibited and may be unlawful.
  * 
  
  
-Original Message-From: Price, Carolyn 
[mailto:[EMAIL PROTECTED]]Sent: Friday, February 07, 2003 4:41 
PMTo: WEDI SNIP Privacy Workgroup ListCc: 'Bill 
MacBain'; 'Judy.Griffith'Subject: RE: Recording Disclosures (was 
BA Agreement Questions)
IMHO, the audits are being performed on behalf of the State, under 
federal guidelines, and the auditors are NOT business associates.  
Their audits are on behalf of the State and Federal governments (i.e. 
Medicaid), NOT on behalf of the health plans, believe me. Sorry, but I 
respectfully disagree.
Carolyn Price

  -Original Message-From: Matthew Rosenblum 
  [mailto:[EMAIL PROTECTED]]Sent: Friday, February 07, 2003 1:33 
  PMTo: WEDI SNIP Privacy Workgroup ListCc: 'Bill 
  MacBain'; 'Judy.Griffith'Subject: RE: Recording Disclosures 
  (was BA Agreement Questions)
  
  Traci,
   
  I tend to view 
  (at least some of) the "audit" activities performed by the State as being 
  conducted on behalf of the CE-Health Plans (e.g., Medicaid) as opposed to 
  the CE-providers.  As such, those State-conducted "audit" activities 
  are part of the Health Plan's "health care operations".  
  Consequently, the State auditors would probably be construed as Business 
  Associates of the Health Plan.
   
  How do others 
  view this?
  
   
  I hope that this 
  helps.
   
  Your questions 
  are always welcome.
   
  Matt
   
  Matthew 
  Rosenblum
  Chief Operations 
  Officer
  Privacy, Quality 
  Management & Regulatory Affairs
   
  CPI 
  Directions, Inc.
  10 West 15th 
  Street, Suite 1922
  New 
  York, NY 
  10011
   
  (212) 
  675-6367
  [EMAIL PROTECTED]
   
  CONFIDENTIALITY 
  NOTICE: This E-Mail is intended only for the use of the individual or 
  entity to which it is addressed and may contain information that is 
  privileged, confidential and exempt from disclosure under applicable law. 
  If you have received this communication in error, please do not distribute 
  it.  Please notify the sender by E-Mail at the address shown and 
  delete the original message. Thank you.
   
  AVISO 
  DEL CONFIDENCIALIDAD: Este email es solamente para el uso 
  del 
  individuo o la entidad a la cual se dirige y puede contener información 
  privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si 
  usted ha recibido esta comunicación por error, por favor no lo 
  distribuya.  Favor notificar al remitente del E-Mail a la dirección 
  mos

Re: NPP and accounting for disclosures - was Medicare audits: operations?

[Doug Webb]

Noel,
Quite so.

As you said, quite a few emails seem to overlook that the Authorization to do a 
certian disclosure and the actual disclosure are two separate actions and need to be 
addressed independantly.

Don't forget that the acknowledgment of receipt of your NPP is not an Authorization 
for release of information.  The Authorization is either separate (although it might 
be on the same piece of paper and/or covered by the same signature), or not required 
(TPO disclosures).

If a disclosure is permitted (either by an Authorization or by being part of TPO), it 
may or may not be required to be logged.  This must be determined for every type of 
disclosure, independantly from the need for an Authorization.

I would use the following rules for determining when to log disclosures (my own 
hueristic, not sealed in stone):
If it is not a part of routine operations, log it.
If you need a separate Authorization to do the disclosure, log it.
For all routine operations, determine if logging is necessary
If there are any questions, err on the side of logging rather than on the side of 
not logging.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Noel Chang" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Friday, February 14, 2003 01:19 AM
Subject: NPP and accounting for disclosures - was Medicare audits: operations?


> Changing the subject for a minute:
> 
> I have seen several emails from people, including the one below, that have 
> made various statements all to the effect that if you mention a particular 
> type of disclosure in your NPP, you will not have to account for such 
> disclosures.
> 
> Anita wrote:
> 
> "One way a covered entity might get around having to account for disclosures 
> made for auditing purposes is to inform their patients through their notice 
> of privacy practices that they may make a disclosure for this type of 
> activity."
> 
> Could someone please cite for me where in the Rule they believe this is 
> authorized?  When I read section 164.528(a)(1) it says a CE must account for 
> all disclosures except for the ones listed in sub-paragraphs (i) through 
> (ix).  No where in that list do I see "disclosures that are mentioned in your 
> Notice of Privacy Practices".
> 
> Is the assumption that by mentioning a type of disclosure in my NPP I can 
> then claim it is part of TPO?  I don't see any room to make that argument 
> since TPO is clearly defined in sections 164.501 and 164.506.
> 
> Thanks,
> 
> Noel Chang
> 
> 
> --
> Open WebMail Project (http://openwebmail.org)
> 
> 
> -- Original Message ---
> From: "Halterman, Anita" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Sent: Thu, 13 Feb 2003 14:37:17 -0900
> Subject: RE: Medicare audits:  operations?
> 
> > I have been thinking about this issue for some time now and this is 
> > my two cents for what it is worth (I am not an attorney). Sorry 
> > Chris I don't agree with your take on this. 
> > 
> > In order for this activity to be a part of your health care 
> > operations, the activity would have to fall under the definition of 
> > "Health care operations" as follows:
> > 
> > "Health care operations" means any of the following activities of the
> > covered entity to the extent that the activities are related to covered
> > functions:
> > 
> > (1) Conducting quality assessment and improvement activities, including
> > outcomes evaluation and development of clinical guidelines, provided 
> > that the obtaining of generalizable knowledge is not the primary 
> > purpose of any studies resulting from such activities; population-
> > based activities relating to improving health or reducing health 
> > care costs, protocol development, case management and care 
> > coordination, contacting of health care providers and patients with 
> > information about treatment alternatives; and related functions that 
> > do not include treatment;
> > (2) Reviewing the competence or qualifications of health care 
> > professionals, evaluating practitioner and provider performance, 
> > health plan performance, conducting training programs in which 
> > students, trainees, or practitioners in areas of health care learn 
> > under supervision to practice or improve the

Re: NPP and accounting for disclosures - was Medicare audits: op erations?

[Doug Webb]

Molly, Cindi:
Where I was coming from is that if I made such a disclosure, I would want to know that 
I made it, irrespective of what the rules say I must account for.  The rules don't 
prohibit me from doing this, just don't mandate it.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Shek, Molly" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Friday, February 14, 2003 09:57 AM
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?


> I quite agree with your assessment of the difference between Authorization
> and the need for Accounting of Disclosures.  However, one of the exceptions
> to an Accounting of PHI disclosures is disclosures made pursuant to patient
> authorization.
> 
> Molly Shek, MS, RHIA 
>   
> 
> 
> 
> -Original Message-
> From: Doug Webb [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 14, 2003 8:47 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Re: NPP and accounting for disclosures - was Medicare audits:
> operations?
> 
> 
> Noel,
> Quite so.
> 
> As you said, quite a few emails seem to overlook that the Authorization to
> do a certian disclosure and the actual disclosure are two separate actions
> and need to be addressed independantly.
> 
> Don't forget that the acknowledgment of receipt of your NPP is not an
> Authorization for release of information.  The Authorization is either
> separate (although it might be on the same piece of paper and/or covered by
> the same signature), or not required (TPO disclosures).
> 
> If a disclosure is permitted (either by an Authorization or by being part of
> TPO), it may or may not be required to be logged.  This must be determined
> for every type of disclosure, independantly from the need for an
> Authorization.
> 
> I would use the following rules for determining when to log disclosures (my
> own hueristic, not sealed in stone):
> If it is not a part of routine operations, log it.
> If you need a separate Authorization to do the disclosure, log it.
> For all routine operations, determine if logging is necessary
> If there are any questions, err on the side of logging rather than on
> the side of not logging.
> 
> The opinions expressed here are my own and not necessarily the opinion of
> LCMH.
> 
> Douglas M. Webb
> Computer System Engineer
> Little Company of Mary Hospital & Health Care Centers
> [EMAIL PROTECTED]
> 
> "This electronic message may contain information that is confidential and/or
> legally privileged. It is intended only for the use of the individual(s) and
> entity(s)  named as recipients in the message. If you are not an intended
> recipient of the message, please notify the sender immediately,  delete the
> material from any computer, do not deliver, distribute, or copy this
> message, and do not disclose its contents or take action in reliance on the
> information it contains. Thank you."
> 
> 
> 
> - Original Message - 
> From: "Noel Chang" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Sent: Friday, February 14, 2003 01:19 AM
> Subject: NPP and accounting for disclosures - was Medicare audits:
> operations?
> 
> 
> > Changing the subject for a minute:
> > 
> > I have seen several emails from people, including the one below, that have
> 
> > made various statements all to the effect that if you mention a particular
> 
> > type of disclosure in your NPP, you will not have to account for such 
> > disclosures.
> > 
> > Anita wrote:
> > 
> > "One way a covered entity might get around having to account for
> disclosures 
> > made for auditing purposes is to inform their patients through their
> notice 
> > of privacy practices that they may make a disclosure for this type of 
> > activity."
> > 
> > Could someone please cite for me where in the Rule they believe this is 
> > authorized?  When

Fw: NPP and accounting for disclosures - was Medicare audits: op erations?

[Doug Webb]

A further thought --
Since most separate Authorizations are for specific releases, wouldn't noting that the 
Authorization was satisfied be a very good idea?

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Doug Webb" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Friday, February 14, 2003 11:11 AM
Subject: Re: NPP and accounting for disclosures - was Medicare audits: op erations?


Molly, Cindi:
Where I was coming from is that if I made such a disclosure, I would want to know that 
I made it, irrespective of what the rules say I must account for.  The rules don't 
prohibit me from doing this, just don't mandate it.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Shek, Molly" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Friday, February 14, 2003 09:57 AM
Subject: RE: NPP and accounting for disclosures - was Medicare audits: op erations?


> I quite agree with your assessment of the difference between Authorization
> and the need for Accounting of Disclosures.  However, one of the exceptions
> to an Accounting of PHI disclosures is disclosures made pursuant to patient
> authorization.
> 
> Molly Shek, MS, RHIA 
>   
> 
> 
> 
> -Original Message-
> From: Doug Webb [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 14, 2003 8:47 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Re: NPP and accounting for disclosures - was Medicare audits:
> operations?
> 
> 
> Noel,
> Quite so.
> 
> As you said, quite a few emails seem to overlook that the Authorization to
> do a certian disclosure and the actual disclosure are two separate actions
> and need to be addressed independantly.
> 
> Don't forget that the acknowledgment of receipt of your NPP is not an
> Authorization for release of information.  The Authorization is either
> separate (although it might be on the same piece of paper and/or covered by
> the same signature), or not required (TPO disclosures).
> 
> If a disclosure is permitted (either by an Authorization or by being part of
> TPO), it may or may not be required to be logged.  This must be determined
> for every type of disclosure, independantly from the need for an
> Authorization.
> 
> I would use the following rules for determining when to log disclosures (my
> own hueristic, not sealed in stone):
> If it is not a part of routine operations, log it.
> If you need a separate Authorization to do the disclosure, log it.
> For all routine operations, determine if logging is necessary
> If there are any questions, err on the side of logging rather than on
> the side of not logging.
> 
> The opinions expressed here are my own and not necessarily the opinion of
> LCMH.
> 
> Douglas M. Webb
> Computer System Engineer
> Little Company of Mary Hospital & Health Care Centers
> [EMAIL PROTECTED]
> 
> "This electronic message may contain information that is confidential and/or
> legally privileged. It is intended only for the use of the individual(s) and
> entity(s)  named as recipients in the message. If you are not an intended
> recipient of the message, please notify the sender immediately,  delete the
> material from any computer, do not deliver, distribute, or copy this
> message, and do not disclose its contents or take action in reliance on the
> information it contains. Thank yo

Re: Home and Offsite Use of PHI

[Doug Webb]

Rebecca,
That is precisely the point.  PHI that leaves the office by any means must still be 
protected to the same level as the office information, and it is much more difficult 
to do, because you do not have the same control over the off-site environment.

Therefore, your policies need to be considerably more parinoid than those of a 
locally-contained system.

Whether it leaves on a piece of paper, in a laptop, over a phone line,  or via the 
Internet, policies and procedures must identify all possible risks, evaluate them, and 
address them at the level that reduces your percieved risk to an acceptable level 
(there is no such thing as no risk).

Just a few additional risks (this is by no means anywhere close to exhaustive) you're 
exposed to:
Hacker access to the main system (you've exposed it to the outside -- outside access 
protection must be a lot stronger than inside access)
Stolen laptop
Little Johnny downloaded a game with a virus
Internet snooping on the data being transferred
Your latest houseguest looking over your shoulder
You lost the slip of paper with directions to the patient's home that also contained 
why you were going there (that last makes it PHI).
Backup policies for the home machine
etc, etc, etc!

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Rebecca Cowling" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 18, 2003 12:25 PM
Subject: Re: Home and Offsite Use of PHI


> Question:  If an employee is working with PHI away from an office location,
> why would that employee be taking paper from the office?  Would the employee
> not be working with electronic information?  And if so, the security login
> procedure should guard against unauthorized access.
> 
> Off-site access to PHI should be governed by the same policies as on-site
> access, I would think.  Am I missing something here?
> 
> - Original Message -
> From: "Shah Rakesh" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Sent: Tuesday, February 18, 2003 12:11 PM
> Subject: RE: Home and Offsite Use of PHI
> 
> 
> > We, as a large health plan, are utilizing employee confidentiality
> > statements that have been revised to include language specific to
> protecting
> > PHI in instances where employees carry it off-site to perform their
> regular
> > duties. Examples include field nurses collecting data for HEDIS studies,
> > employees processing claims at home, etc.  All employees that do handle
> the
> > PHI offsite are being asked to sign these statements.  Additionally, the
> > training for such employees will include a emphasis on protection of PHI
> > when it is off-site.
> >
> > Thanks
> >
> > Rakesh Shah
> > HIPAA Privacy Project Manager
> > PacifiCare Health Systems
> >
> > > -Original Message-
> > > From: M. Newsome [SMTP:[EMAIL PROTECTED]]
> > > Sent: Tuesday, February 18, 2003 9:44 AM
> > > To: WEDI SNIP Privacy Workgroup List
> > > Subject: Home and Offsite Use of PHI
> > >
> > > I would like to know how others are addressing home and offsite use of
> PHI
> > > for telecommuters. If anyone has any p&p's they would be willing to
> share
> > > --
> > > that would be most appreciated.
> > >
> > > Please feel free to contact me off-line.
> > >
> > > Thank you,
> > >
> > >
> > > M. Newsome
> > > [EMAIL PROTECTED]
> > >
> > >
> > >
> > >
> > >
> > > ---
> > > The WEDI SNIP listserv to which you are subscribed is not moderated. The
> > > discussions on this listserv therefore represent the views of the
> > > individual participants, and do not necessarily represent the views of
> the
> > > WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
> official
> > > opinion, post your question to the WEDI SNIP Issues Database at
> > > http://snip.wedi.org/tracking/.   These listservs should not be used for
> > > commercial marketing purposes or discussion of specific vendor products
> > > and services.  They also are not intended to be used as a forum for
> > > personal disagreements or unprofessional communication at any time.
> > >
> > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> > > http://subscribe.wedi.org or send a blank email to
> > > [EMAIL

Re: Question

[Doug Webb]

Carolyn,
Jonathah's question was about the need for encryption on a dial-up line.  For detailed 
discussions, he should see the Security listserv.

Generally, though, a direct dial-in connection to a receiver's system (not via the 
Internet) would be considered an acceptable risk if you trust the receiver's privacy 
practices.

If you're going via the Internet, the strongest encryption the government allows 
(128-bit keys) may be adequate; weaker keys or no keys would be at high risk of 
comprimising PHI.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and entity(s)  named 
as recipients in the message. If you are not an intended recipient of the message, 
please notify the sender immediately,  delete the material from any computer, do not 
deliver, distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."



- Original Message - 
From: "Price, Carolyn" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 18, 2003 05:17 PM
Subject: RE: Question


> Johnathan:
> The April 14 deadline is for Privacy.  The transaction deadline (if you
> filed an extension) is October 16. Stick with the list-serv.  We all learn
> every day.  
> Carolyn Price
> 
> 
> -Original Message-
> From: Jonathan Fox [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 2:22 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Question
> 
> 
> I have a question regarding the Privacy Regs. as they relate to Health
> Care Claims and dial-up claims submission.  Is standard, non-encrypted
> dial-up submission allowed after April 14?
> 
> If this question has been answered already, forgive me, I just joined
> this listserv.  If there are archives, please indicate where I can go to
> view them.  Thanks in advance!!!
> 
> Jonathan Fox
> Independent Health
> 
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the individual
> participants, and do not necessarily represent the views of the WEDI Board
> of Directors nor WEDI SNIP. If you wish to receive an official opinion, post
> your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/.   These listservs should not be used for
> commercial marketing purposes or discussion of specific vendor products and
> services.  They also are not intended to be used as a forum for personal
> disagreements or unprofessional communication at any time.
> 
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> http://subscribe.wedi.org or send a blank email to
> [EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as
> the address subscribed to the list, please use the Subscribe/Unsubscribe
> form at http://subscribe.wedi.org
> 
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
>on this listserv therefore represent the views of the individual participants, and do 
>not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
>you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
>Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
>commercial marketing purposes or discussion of specific vendor products and services. 
> They also are not intended to be used as a forum for personal disagreements or 
>unprofessional communication at any time.
> 
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org or send a blank email to 
>[EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as the 
>address subscribed to the list, please use the Subscribe/Unsubscribe form at 
>http://subscribe.wedi.org

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently s

Re: Are we a CE

[Doug Webb]

Robin,
Your office definiately is a Covered Entity.
 
That one electronic transaction that the billing service does 
on your behalf makes you so.  (Incidenteally, if you ever do an on-line 
check of eligibility or claim status, those actions would also make you a 
CE).
 
This means that you need (in order of urgency):
    A Notice of Privacy Practices must be 
developed by April 16 to give to all of your patients (and have your patients 
sign that they received it).  
 
    You must make sure that a Business 
Associate Agreement is in place with the billing agency (and any collection 
agency that you use) to ensure that they protect PHI properly
 
    The full implications of the Security Rule 
also apply, requiring you to exercise due diligence to protect all the PHI in 
your posession.
 
Opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, February 20, 2003 12:20 
  AM
  Subject: Are we a CE
  Our doctor performs services for an OB/GYN clinic. He sees 
  patients at the clinic and is not reimbursed for those services by the clinic 
  or by insurance.  When it comes to delivery, the physician on call for 
  the day will deliver the patient.  An outside billing agency 
  bills(electronic) and payment is sent to our office by the insurance 
  carrier.Medical records are sent to our office  from the hospital for 
  each pt. admitted to the hospital that the doctor delivers. Payment is 
  received by the Insurance company. It appears to me that we would need to 
  be HIPAA compliant even though his personal office may never bill 
  electronic.Am i correct.Thank you for respondingRobin 
  OB/GYN ---The WEDI SNIP listserv to which you are subscribed is 
  not moderated. The discussions on this listserv therefore represent the views 
  of the individual participants, and do not necessarily represent the views of 
  the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Nursing Homes and Ambulance Services

[Doug Webb]

Title: Message



Kathy,
The Nursing Home and Ambulance Service would both be Covered 
Entities if they do any of the covered functions electronically.  Business 
Associates are entities who do something on behalf of a Covered 
Entity.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Vikas Budhiraja 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, February 21, 2003 08:52 
  AM
  Subject: RE: Nursing Homes and Ambulance 
  Services
  
  Kathy,
  If 
  you are referring patients to a Nursing Home as part of continuing treatment, 
  they will not be your BA.
  Similarly Ambulance Services is also not a BA of a 
  hospital.
   
  Regards,
  Vikas
  
-Original Message-From: Kathy Findley 
[mailto:[EMAIL PROTECTED]]Sent: Thursday, February 20, 
2003 7:46 PMTo: WEDI SNIP Privacy Workgroup 
ListSubject: Nursing Homes and Ambulance 
Services
Sorry if this 
has been covered before... but I keep hearing opposite 
interpretations.
Are Nursing 
Homes and / or Ambulance Services considered Business 
Associates?
 
Thanks for any 
clarification!
kf
 

Kathy Findley
Coordinator - Information 
Services and HIPAA
St. Joseph's Hospital Health 
Center
Phone - (315) 448-6111
Beeper - (315) 467-4180
Text Page - 
[EMAIL PROTECTED]
 
 ---The WEDI SNIP 
listserv to which you are subscribed is not moderated. The discussions on 
this listserv therefore represent the views of the individual participants, 
and do not necessarily represent the views of the WEDI Board of Directors 
nor WEDI SNIP. If you wish to receive an official opinion, post your 
question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
These listservs should not be used for commercial marketing purposes or 
discussion of specific vendor products and services. They also are not 
intended to be used as a forum for personal disagreements or unprofessional 
communication at any time.You are currently subscribed to 
wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this 
list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or 
send a blank email to [EMAIL PROTECTED]If you 
need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org ---The WEDI SNIP listserv to which 
  you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should 
  not be used for commercial marketing purposes or discussion of specific vendor 
  products and services. They also are not intended to be used as a forum for 
  personal disagreements or unprofessional communication at any time.You 
  are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe 
  from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http:

Re: DOL vs. HIPAA

[Doug Webb]

Title: DOL vs. HIPAA



Agree.
Subject to the restriction that whatever is disclosed for any 
purpose be only the minimum necessary for that purpose (which applys to all 
disclosures indipendant of the medium).
 
Remember that the great difficulty in giving out info over the 
phone is making that who is on the line is really who you think they are. (I 
like the suggestion of asking for a piece of info (such as patient's DOB) that's 
on the database for confirmation).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Mendel, Linda 
  R. 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, February 21, 2003 09:17 
  AM
  Subject: DOL vs. HIPAA
  
  I was thinking that disclosures to an employee who 
  calls GHP customer service re the claims of his or her spouse could extend to 
  the type of information the employee would get on an EOB.  In other 
  words, if the employee can get the info on a paper EOB, then we (the GHP) 
  should be able to give the employee the same information on the phone.  
  Agree or disagree?
  ___ 
  From the law offices of Vorys, Sater, Seymour 
  and Pease LLP. 
  CONFIDENTIALITY NOTICE: This e-mail message is 
  intended only for the person or entity to which it is addressed and may 
  contain confidential and/or privileged material. Any unauthorized review, use, 
  disclosure or distribution is prohibited.  If you are not the intended 
  recipient, please contact the sender by reply e-mail and destroy all copies of 
  the original message.  If you are the intended recipient but do not wish 
  to receive communications through this medium, please so advise the sender 
  immediately.
  
  

  ---
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Need for Business Associate Agreements

[Doug Webb]

Beth,
The new Security reg does indicate that MOUs take the place of 
BAAs if both are government entities.  If one of the partys is, and one 
isn't, I don't know.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Beth 
  Miller 
  To: WEDI SNIP Privacy Workgroup List 
  
  Cc: Linda Leyva 
  Sent: Friday, February 21, 2003 01:00 
  PM
  Subject: Re: Need for Business Associate 
  Agreements
  
  Hello, everyone 
  -
   
  This is a variation on the 
  question about the need for BAA's.  My agency anticipates 
  beginning a new federal contract soon.  As part of our original proposal, 
  we obtained letters of intent from various partners who would be working 
  with us on the contract if we were awarded.  Now that we've been 
  awarded, we're intending to develop Memorandums of Understanding with 
  these agencies, but are now wondering if we need BAA's with them as well as or 
  instead of MOU's.  My understanding, at this point, is that it would have 
  to do with whether or not PHI is exchanged, handled, etc., between agencies 
  and, if so, how.  What does everyone else think?
  Beth Miller Grant Writer Tri-City Mental Health Center 
   ---The WEDI SNIP listserv to which you are subscribed is 
  not moderated. The discussions on this listserv therefore represent the views 
  of the individual participants, and do not necessarily represent the views of 
  the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: BA contracts

[Doug Webb]

Robyn,
1) The term of the BA contract is as long as it itself 
states.
2) Other than using another entity, I'm not sure.  You 
are responsible for whatever PHI they leak, unless you have that contract in 
place makeing them responsible for their actons.
3) I think your list covers everything, but you may not need 
them for the last two.  I think that the students would be considered 
staff, and does the courire service really need to access PHI?  They may 
transport PHI, but their relationship with the PHI sould be the same as the Post 
Office's or the phone company's.  Your address and the delivery address 
(the only externally visable info) should not make what they're transporting 
into PHI.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Sunday, February 23, 2003 10:03 
  PM
  Subject: BA contracts
  1. How long is the BA contract effective from date signed 
  (effective date)? ,Unless of course there is a breach.2.  What if BA 
  refuses to sign contract because they have no understanding 
  of    
  HIPAA?3. Am I correct to have the following sign BA 
  contracts?    Billing service/agency    
  Collection agency    Software vendor    
  Hardware vendo    Independent contractors who provide 
  clinical services(NP, PAs)    Students who perform their 
  externships?    Courier Service ?? They have access 
  PHI    I appreciate your help.Robin 
  HenryOB/GYN ---The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The discussions on this listserv therefore 
  represent the views of the individual participants, and do not necessarily 
  represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish 
  to receive an official opinion, post your question to the WEDI SNIP Issues 
  Database at http://snip.wedi.org/tracking/. These listservs should not be used 
  for commercial marketing purposes or discussion of specific vendor products 
  and services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: BA Agreement

[Doug Webb]

Kristen,
As near as I can tell, no  BAA is needed.
The Parmacist is a Covered Entity acting on his own 
bahalf.
As long as you're not told the content of the bags, I don't 
believe that you're even exposed to any PHI, even for the purposes of 
payment.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Kristen 
  Emerson 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, February 24, 2003 12:29 
  PM
  Subject: BA Agreement
  My agency is entering into a contract with a pharmacist to 
  provide free"brown bag checks" for elderly citizens.  These "brown 
  bag checks" consistof an elderly citizen bringing all the prescription 
  drugs that they aretaking to the pharmacist and receiving counseling on 
  medication managementby the pharmacist.  We sponsor a booth at health 
  fairs where this service isoffered free of charge to the 
  elderly.We are contracting with this one pharmacist to provide these 
  "brown bagchecks" for us at the health fairs.  Do we need a BA with 
  this pharmacist ornot?  My feeling is that he is providing the 
  service to the clients and weare just the payer therefore he is not 
  utilizing PHI to provide a service onour behalf, but I keep getting stuck 
  on BA's.  This area of HIPAA is thehardest one for me to nail down 
  and understand.Thanks in advance,Kristen EmersonManagement 
  Analyst/HIPAA Compliance OfficerMid-Florida Area Agency on 
  Aging---The WEDI SNIP listserv to which you are subscribed 
  is not moderated. The discussions on this listserv therefore represent the 
  views of the individual participants, and do not necessarily represent the 
  views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an 
  official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Are dieticians Business Associates?

[Doug Webb]

Vikas,
The Dietician would be performing Treatment duties, and thus 
be a Covered Entity if he does any electronic transactions that have HIPAA 
standards.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Vikas Budhiraja 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Tuesday, February 25, 2003 10:51 
  AM
  Subject: Are dieticians Business 
  Associates?
  A question about Dieticians. If a contract dietician reviews a 
  patient'smedical charts for dietary purposes, is he/she considered a BA? 
  Or wouldthis be considered part of 
  treatment.Thanks,Vikas---The WEDI SNIP 
  listserv to which you are subscribed is not moderated. The discussions on this 
  listserv therefore represent the views of the individual participants, and do 
  not necessarily represent the views of the WEDI Board of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion, post your question to the 
  WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: medical vendors as Business Associates

[Doug Webb]

Jill,
I agree with Dan.
 
The critical question is do you do anything on behalf of a 
Covered Entity that involves PHI?  If this answer is "No", you do not need 
a BAA.
 
Providing devices to non-patients isolates you from 
PHI.
 
Providing devices to patients is acting on behalf of yourself 
(I assume you make a profit on the deal, or you wouldn't be in business), not a 
service to the Covered Entity.  If you also bill insurance carriers 
electronically, you may be a Covered Entity (providing Treatment).
 
As Dan said, it would be extremely rare that a vendor of this 
type would be in a Business Associate relationship with a Covered 
Entity.
 
If it operates in some other role in addition to being a DME 
vendor, that role must be considered independantly.
.
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dan Kelsey 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, February 26, 2003 08:32 
  AM
  Subject: RE: medical vendors as Business 
  Associates
  
  I think your 
  decision would have to be very fact based.  For example, if a wheelchair 
  company sells 50 wheelchairs to a hospital, then they would not be a BA of the 
  hospital.  However, if the hospital rehab unit orders a custom fit 
  wheelchair that involves disclosure of the patient's limitations, physical 
  build, etc., then chances are a BA relationship does not exist either.  I 
  say "chances are" because treatment by a health care provider is exempt from 
  the BA definition and a BAA is not required.  
   
  The key issue 
  is if the medical vendor meets the definition of a health care provider - 
  there is a mention in HIPAA for the Federal definition, and it is fairly all 
  encompassing.  Generally speaking, I do not think the majority of these 
  vendors would be business associates.
   
  Hope this 
  helps,
  
  Dan Kelsey Practice Advisor Indiana State 
  Medical Association 800-257-4762 
  (317) 261-2060 (317) 261-2076 - fax 
  
-Original Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]Sent: Wednesday, February 26, 2003 7:42 
AMTo: WEDI SNIP Privacy Workgroup ListSubject: medical 
vendors as Business AssociatesAre 
medical vendors that supply products like prosthesis, wheelchairs, etc., 
considered BA? I have been researching this and can't seem to come up with 
clear answer...Thanks in advanceJill Rubin, 
Esq.(617)388-2404[EMAIL PROTECTED] ---The WEDI SNIP 
listserv to which you are subscribed is not moderated. The discussions on 
this listserv therefore represent the views of the individual participants, 
and do not necessarily represent the views of the WEDI Board of Directors 
nor WEDI SNIP. If you wish to receive an official opinion, post your 
question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
These listservs should not be used for commercial marketing purposes or 
discussion of specific vendor products and services. They also are not 
intended to be used as a forum for personal disagreements or unprofessional 
communication at any time.You are currently subscribed to 
wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this list, go to 
the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
email to [EMAIL PROTECTED]If you need to 
unsubscribe but your current email address is not the same as the address 
subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org ---The WEDI SNIP listserv to 
  which you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should 
  not be used for commercial marketing purposes or discussion of specific vendor 
  products and services. They also are not intended to be used as a forum for 
  personal disagreements or unprofessional communication at any time.You 
  are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe 
  from this list, go to the Subscribe/Unsubs

Re: medical vendors as Business Associates

[Doug Webb]

Dawn,
This looks like a lot of "CYA" BAA contracts being sent 
unnecessarily.  The logic seems to be send them to everybody, and see who 
signs them.
 
Don't forget that the CE is the one who is responsible to 
ensure that the proper BAAs are in place.  Since a contract is signed by 
both sides, it doesn't matter who drafts the text.  A BA who drafts the BAA 
text is trying to increase the likelyhood that their version is the one that is 
signed.  Don't sign anything until your lawyer checks it out!
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dawn 
  Lenox 
  To: Doug Webb 
  Sent: Wednesday, February 26, 2003 09:37 
  AM
  Subject: Re: medical vendors as Business 
  Associates
  
  I tried to explain this to 
  a vendor that sent us (CE) their BA (non-CE) as a favor to usThey said we 
  were being liberal in our interpretation and that they were being 
  "conservative"...they did not even request that we sign it...go 
  figure.
  
- Original Message - 
From: 
Doug Webb 
To: WEDI SNIP Privacy Workgroup 
List 
Sent: Wednesday, February 26, 2003 9:29 
AM
Subject: Re: medical vendors as 
Business Associates

Jill,
I agree with Dan.
 
The critical question is do you do anything on behalf of a 
Covered Entity that involves PHI?  If this answer is "No", you do not 
need a BAA.
 
Providing devices to non-patients isolates you from 
PHI.
 
Providing devices to patients is acting on behalf of 
yourself (I assume you make a profit on the deal, or you wouldn't be in 
business), not a service to the Covered Entity.  If you also bill 
insurance carriers electronically, you may be a Covered Entity (providing 
Treatment).
 
As Dan said, it would be extremely rare that a vendor of 
this type would be in a Business Associate relationship with a Covered 
Entity.
 
If it operates in some other role in addition to being a 
DME vendor, that role must be considered independantly.
.
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dan 
  Kelsey 
  To: WEDI SNIP Privacy Workgroup 
  List 
  Sent: Wednesday, February 26, 2003 
  08:32 AM
  Subject: RE: medical vendors as 
  Business Associates
  
  I think 
  your decision would have to be very fact based.  For example, if a 
  wheelchair company sells 50 wheelchairs to a hospital, then they would not 
  be a BA of the hospital.  However, if the hospital rehab unit orders 
  a custom fit wheelchair that involves disclosure of the patient's 
  limitations, physical build, etc., then chances are a BA relationship does 
  not exist either.  I say "chances are" because treatment by a health 
  care provider is exempt from the BA definition and a BAA is not 
  required.  
   
  The key 
  issue is if the medical vendor meets the definition of a health care 
  provider - there is a mention in HIPAA for the Federal definition, and it 
  is fairly all encompassing.  Generally speaking, I do not think the 
  majority of these vendors would be business 
associates.
   
  Hope this 
  helps,
  
  Dan Kelsey Practice Advisor Indiana State 
  Medical Association 800-257-4762 (317) 
  261-2060 (317) 261-2076 - fax 
  
  
-Original Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL

Re: medical vendors as Business Associates

[Doug Webb]

Vicki,
I believe that in this 
case the vendor would a Healthcare Provider participating in 
Treatment. They 
would not be a BA.  They would be a CE if they used any of the standard 
electronic transactions.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Vicki Schaff 
  To: Doug Webb 
  Sent: Wednesday, February 26, 2003 10:53 
  AM
  Subject: Re: medical vendors as Business 
  Associates
  
  Consider the vendor who supplies a new 
  medical device to a healthcare facility (CE) and the 
  vendor provides instruction to a surgeon (CE) during implantation of 
  the device.  The vendor has 
  access to PHI.One legal 
  opinion has stated that the vendor is a BA of the healthcare 
  facility.  Your Comments.  
  
- Original Message - 
    From: 
Doug Webb 
To: WEDI SNIP Privacy Workgroup 
List 
Sent: Wednesday, February 26, 2003 9:29 
AM
Subject: Re: medical vendors as 
Business Associates

Jill,
I agree with Dan.
 
The critical question is do you do anything on behalf of a 
Covered Entity that involves PHI?  If this answer is "No", you do not 
need a BAA.
 
Providing devices to non-patients isolates you from 
PHI.
 
Providing devices to patients is acting on behalf of 
yourself (I assume you make a profit on the deal, or you wouldn't be in 
business), not a service to the Covered Entity.  If you also bill 
insurance carriers electronically, you may be a Covered Entity (providing 
Treatment).
 
As Dan said, it would be extremely rare that a vendor of 
this type would be in a Business Associate relationship with a Covered 
Entity.
 
If it operates in some other role in addition to being a 
DME vendor, that role must be considered independantly.
.
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dan 
  Kelsey 
  To: WEDI SNIP Privacy Workgroup 
  List 
  Sent: Wednesday, February 26, 2003 
  08:32 AM
  Subject: RE: medical vendors as 
  Business Associates
  
  I think 
  your decision would have to be very fact based.  For example, if a 
  wheelchair company sells 50 wheelchairs to a hospital, then they would not 
  be a BA of the hospital.  However, if the hospital rehab unit orders 
  a custom fit wheelchair that involves disclosure of the patient's 
  limitations, physical build, etc., then chances are a BA relationship does 
  not exist either.  I say "chances are" because treatment by a health 
  care provider is exempt from the BA definition and a BAA is not 
  required.  
   
  The key 
  issue is if the medical vendor meets the definition of a health care 
  provider - there is a mention in HIPAA for the Federal definition, and it 
  is fairly all encompassing.  Generally speaking, I do not think the 
  majority of these vendors would be business 
associates.
   
  Hope this 
  helps,
  
  Dan Kelsey Practice Advisor Indiana State 
  Medical Association 800-257-4762 (317) 
  261-2060 (317) 261-2076 - fax 
  
  
-Original Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]Sent: Wednesday, February 26, 2003 
7:42 AMTo: WEDI SNIP Privacy Workgroup 
ListSubject: medical vendors as Business 
AssociatesAre medical vendors that supply 
products like prosthesis, wheelchairs, etc., considered BA? I 

Re: medical vendors as Business Associates

[Doug Webb]

David,
They do, but I'm not directly involved, so I don't know the 
answer to your question.
 
Jim Hewitt did bring up an interesting point that these 
vendors may also be hardware/software support people.  In that role, I 
would think that a BAA would be appropriate to state that they would protect PHI 
they contact while maintaining the equipment.
 
I had been thinking just of their role as a supplier of the 
equipment.
Whew! Covering all bases is tough!.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  David Frenkel 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, February 26, 2003 02:10 
  PM
  Subject: RE: medical vendors as Business 
  Associates
  
  
  Doug,
  Does your facility do 
  medical device implants?  If so, 
  do you know what the official position is of your facility on this?  Thanks.
   
  Regards,
   
  
  David 
  Frenkel
  Business 
  Development
  GEFEG 
  USA
  Global 
  Leader in Ecommerce Tools
  612-237-1966
  -Original 
  Message-From: Doug Webb 
  [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 26, 2003 11:29 
  AMTo: WEDI SNIP Privacy 
  Workgroup ListSubject: Re: 
  medical vendors as Business Associates
   
  
  Vicki,
  
  I believe that 
  in this case the vendor would a Healthcare Provider participating in 
  Treatment. They would not be a BA.  They would be a CE if they used 
  any of the standard electronic transactions.
  
   
  
  The 
  opinions expressed here are my own and not necessarily the opinion of 
  LCMH.
  
   
  
  Douglas M. 
  WebbComputer System EngineerLittle Company of Mary Hospital & 
  Health Care Centers[EMAIL PROTECTED]
  
   
  
  "This 
  electronic message may contain information that is confidential and/or legally 
  privileged. It is intended only for the use of the individual(s) and 
  entity(s)  named as recipients in the message. If you are not an intended 
  recipient of the message, please notify the sender immediately,  delete 
  the material from any computer, do not deliver, distribute, or copy this 
  message, and do not disclose its contents or take action in reliance on the 
  information it contains. Thank you."
  
   
  
   
  

- Original 
Message - 

From: Vicki Schaff 


To: Doug Webb 


Sent: Wednesday, 
February 26, 2003 10:53 AM

Subject: Re: medical 
vendors as Business Associates

 

Consider 
the vendor who supplies a new medical device to a healthcare 
facility (CE) and the vendor provides instruction to a surgeon 
(CE) during implantation of the device.  The vendor has access to 
PHI.One legal opinion has stated that 
the vendor is a BA of the healthcare facility.  Your 
Comments.  

  
  - Original 
  Message - 
  
  From: Doug Webb 
  
  
  To: WEDI SNIP Privacy Workgroup 
  List 
  
  Sent: Wednesday, 
  February 26, 2003 9:29 AM
  
  Subject: Re: medical 
  vendors as Business Associates
  
   
  
  Jill,
  
  I agree with 
  Dan.
  
   
  
  The critical 
  question is do you do anything on behalf of a Covered Entity that involves 
  PHI?  If this answer is "No", you do not need a 
  BAA.
  
   
  
  Providing 
  devices to non-patients isolates you from PHI.
  
   
  
  Providing 
  devices to patients is acting on behalf of yourself (I assume you make a 
  profit on the deal, or you wouldn't be in business), not a service to the 
  Covered Entity.  If you also bill insurance carriers electronically, 
  you may be a Covered Entity (providing Treatment).
  
   
  
  As Dan said, it 
  would be extremely rare that a vendor of this type would be in a Business 
  Associate relationship with a Covered Entity.
  
   
  
  If it operates 
  in some other role in addition to being a DME vendor, that role must be 
  considered independantly.
  
  .
  
  The opinions 
  expressed here are my own and not necessarily the opinion of 
  LCMH.
  
   
  
  Douglas M. 
  WebbComputer System En

Re: medical vendors as Business Associates

[Doug Webb]

Craig,
That would be my 
understanding.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Craig 
  Moen 
  To: 'Doug Webb' 
  Sent: Wednesday, February 26, 2003 03:28 
  PM
  Subject: RE: medical vendors as Business 
  Associates
  
  Doug-
   
  I want to make sure I am 
  understanding.  
  We are a home health agency 
  that provides therapy services.  Our therapists interact with DME 
  providers, and orthotists and obviously share PHI.  Since these are 
  outside services not provided by us, the DME providers, and orthotist 
  independently bill the appropriate insurance company.  They would then 
  also be CE's and then we would be able to share info with them without a BAA 
   because information can be shared between CE's as a part of 
  treatment.  
  Correct?
   
  Thanks for your 
  input
   
  Craig 
Moen
  Director of 
  Rehabilitation
  THERAPY 
  2000
  Dallas, 
TX
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: medical vendors as Business Associates

[Doug Webb]

David,
I would also tend to lean that way.  Could we get a 
definitive answer "From Above"?
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  David Frenkel 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, February 26, 2003 02:55 
  PM
  Subject: RE: medical vendors as Business 
  Associates
  
  
  Doug,
  This discussion has 
  appeared on other healthcare listservs and there 
  seems to be a strong leaning towards having medical device manufacture reps be 
  considered part of TPO.   It brings up an interesting liability 
  issue as well as a patient consent issue for reps being in the 
  OR.
   
  Regards,
   
  
  David 
  Frenkel
  Business 
  Development
  GEFEG 
  USA
  Global 
  Leader in Ecommerce Tools
  www.gefeg.com
  612-237-1966
  -Original 
  Message-From: Doug Webb 
  [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 26, 
  2003 2:53 
  PMTo: David Frenkel; WEDI SNIP Privacy 
  Workgroup ListSubject: Re: 
  medical vendors as Business Associates
   
  
  David,
  
  They do, but I'm not directly involved, 
  so I don't know the answer to your 
question.
  
   
  
  Jim Hewitt did bring up an interesting 
  point that these vendors may also be hardware/software support people.  
  In that role, I would think that a BAA would be appropriate to state that they 
  would protect PHI they contact while maintaining the 
  equipment.
  
   
  
  I had been thinking just of their role as 
  a supplier of the equipment.
  
  Whew! Covering all bases is 
  tough!.
  
   
  
  The opinions expressed here are my own 
  and not necessarily the opinion of LCMH.
  
   
  
  Douglas M. WebbComputer System 
  EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]
  
   
  
  "This electronic message may contain 
  information that is confidential and/or legally privileged. It is intended 
  only for the use of the individual(s) and entity(s)  named as recipients 
  in the message. If you are not an intended recipient of the message, please 
  notify the sender immediately,  delete the material from any computer, do 
  not deliver, distribute, or copy this message, and do not disclose its 
  contents or take action in reliance on the information it contains. Thank 
  you."
  
   
  
   
  

- Original Message - 


From: David Frenkel 


To: WEDI SNIP Privacy Workgroup 
List 

Sent: 
Wednesday, February 
26, 2003 02:10 
PM

Subject: RE: 
medical vendors as Business Associates

 
Doug,
Does 
your facility do medical device implants?  If so, do you know what the official 
position is of your facility on this?  
Thanks.
 
Regards,
 

David 
Frenkel
Business 
Development
GEFEG 
USA
Global 
Leader in Ecommerce Tools
612-237-1966
    -----Original 
Message-From: Doug 
Webb [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 
2003 11:29 
AMTo: WEDI SNIP Privacy Workgroup 
ListSubject: Re: medical 
vendors as Business Associates
 

Vicki,

I believe 
that in this case the vendor would a Healthcare Provider participating 
in Treatment. They would not be a BA.  They would be a CE if they 
used any of the standard electronic transactions.

 

The 
opinions expressed here are my own and not necessarily the opinion of 
LCMH.

 

Douglas M. 
WebbComputer System EngineerLittle Company of Mary Hospital & 
Health Care Centers[EMAIL PROTECTED]

 

"This electronic 
message may contain information that is confidential and/or legally 
privileged. It is intended only for the use of the individual(s) and 
entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank 
you."

 

 

  
  - Original 
  Message ----- 

Re: medical vendors as Business Associates

[Doug Webb]

Jo,
quite so.
I would lkie to call an 
entity that would be a CE if they did a single electronic transaction that a 
standard has been established for a "Potential Covered Entity" (PCE) and avoid 
all the repeated verbiage.
Any takers?
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Jo Clair 
  To: 'Doug Webb' 
  Sent: Wednesday, February 26, 2003 04:17 
  PM
  Subject: RE: medical vendors as Business 
  Associates
  
  Not all providers are CE's 
  (they may not do electronic transactions).
  
    -----Original Message-From: Doug Webb 
[mailto:[EMAIL PROTECTED]Sent: Wednesday, February 26, 2003 1:57 
PMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: 
medical vendors as Business Associates
Craig,
That would be my 
understanding.
 
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message ----- 
  From: 
  Craig 
  Moen 
  To: 'Doug Webb' 
  Sent: Wednesday, February 26, 2003 
  03:28 PM
  Subject: RE: medical vendors as 
  Business Associates
  
  Doug-
   
  I want to make sure I am 
  understanding.  
  We are a home health 
  agency that provides therapy services.  Our therapists interact with 
  DME providers, and orthotists and obviously share PHI.  Since 
  these are outside services not provided by us, the DME providers, and 
  orthotist independently bill the appropriate insurance company.  They 
  would then also be CE's and then we would be able to share info with them 
  without a BAA  because information can be shared between CE's as a 
  part of treatment.  
  Correct?
   
  Thanks for your 
  input
   
  Craig 
  Moen
  Director of 
  Rehabilitation
  THERAPY 
  2000
  Dallas, 
  TX---The WEDI SNIP listserv to which 
you are subscribed is not moderated. The discussions on this listserv 
therefore represent the views of the individual participants, and do not 
necessarily represent the views of the WEDI Board of Directors nor WEDI 
SNIP. If you wish to receive an official opinion, post your question to the 
WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs 
should not be used for commercial marketing purposes or discussion of 
specific vendor products and services. They also are not intended to be used 
as a forum for personal disagreements or unprofessional communication at any 
time.You are currently subscribed to wedi-privacy as: 
[EMAIL PROTECTED]To unsubscribe from this list, go to the 
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
email to [EMAIL PROTECTED]If you need to 
unsubscribe but your current email address is not the same as the address 
subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org 
  CONFIDENTIALITY NOTICE: This E-Mail is intended 
  only for the use of the individual or entity to which it is addressed and may 
  contain information that is privileged, confidential and exempt from 
  disclosure under applicable law. If you have received this communication in 
  error, please do not distribute it. Please notify the sender by E-Mail at the 
  address shown and delete the original message. Thank 
you.
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily

Re: Questions in regard to Security/Privacy

[Doug Webb]

Richard,
The first question is: Is what is being transmitted Protected 
Healthcare Information?  If not all the rest is moot.  If what is 
being transmitted is strictly the financial data (This merchant charged this 
person this much), it probably isn't PHI, but just money.
 
If it is you must do a risk-of exposure analysis.
First, the receiving system must be capable of properly 
protecting any PHI it receives.
 
Terminal-to-Private Network is probably adequately 
secured.  In this case, you may decide that encryption is just wasting 
resources.
 
Going via the Internet will probably need some kind of 
end-to-end encryption to be adequately secure, since the Internet is inherently 
a broadcast to every computer connected to the net, received by anyone who wants 
to listen.
 
Make your decisions and document them.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Richard 
  Smith 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, February 27, 2003 11:52 
  AM
  Subject: Questions in regard to 
  Security/Privacy
  I would like to know how the privacy & 
  security act under HIPAA will impact ourcurrent systems today? I support 
  POS card/swipe machines that dialup (via anasync/sync modem) over the 
  public telephone system into a server that isconnected to a private 
  network. These machines (terminals) are located throughout the USA in 
  Provider offices, clinics and hospitals. The dialup protocol(VISA) is the 
  same protocol that the financial processors use today doingcredit/debit 
  transactions. Are there any issues that I need to be concernedabout from 
  the terminal point of view?The second part of my question, I would 
  like to know how the privacy & securityact under HIPAA will impact POS 
  card/swipe machines that dialup (via anasync/sync modem) over the public 
  telephone system into a ISP that is connectedto the Internet.  These 
  machines (terminals) are located through out the USA inProvider offices, 
  clinics and hospitals. The dialup protocol will be either VISAor PPP 
  (Point-to Point). Are there any issues that I need to be concerned 
  aboutfrom the terminal point of view?---The WEDI SNIP listserv 
  to which you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Questions in regard to Security/Privacy

[Doug Webb]

Catherine,
Just a clarification. These non-financial POS terminals would 
have to use standard transactions (such as 270/271, 278, etc.) to do their job 
when a standard is available.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Catherine Lohmeier 
  To: WEDI SNIP Privacy Workgroup List 
  
  Cc: [EMAIL PROTECTED] 
  
  Sent: Thursday, February 27, 2003 03:07 
  PM
  Subject: RE: Questions in regard to 
  Security/Privacy
  I don't see these POS terminals being affected by HIPAA if in 
  factthey are doing a financial transaction...ie patient is making 
  apayment for services rendered(paying the co-pay with a credit 
  card).Now, there is a network of POS terminals that do eligibility 
  checksand referrals etc..these terminals are conducting transactions 
  forwhich a standard has been defined and are therefore subject to 
  theHIPAA TCS rule.  The use of these POS terminals qualify the 
  provideras a Covered Entity which in turn makes the provider subject to 
  thePrivacy and Security Rule.Any other opinions or 
  observations?CL Original Message From: [EMAIL PROTECTED]To: [EMAIL PROTECTED]Subject: 
  RE: Questions in regard to Security/PrivacyDate: Thu, 27 Feb 2003 09:52:59 
  -0800>I would like to know how the privacy & security act under 
  HIPAA will>impact our>current systems today? I support POS 
  card/swipe machines that dialup>(via an>async/sync modem) over 
  the public telephone system into a server that>is>connected to a 
  private network. These machines (terminals) are>located 
  through>out the USA in Provider offices, clinics and hospitals. The 
  dialup>protocol>(VISA) is the same protocol that the financial 
  processors use today>doing>credit/debit transactions. Are there 
  any issues that I need to be>concerned>about from the terminal 
  point of view?>>The second part of my question, I would like to 
  know how the privacy>& security>act under HIPAA will impact 
  POS card/swipe machines that dialup (via>an>async/sync modem) 
  over the public telephone system into a ISP that is>connected>to 
  the Internet.  These machines (terminals) are located through 
  out>the USA in>Provider offices, clinics and hospitals. The 
  dialup protocol will be>either VISA>or PPP (Point-to Point). Are 
  there any issues that I need to be>concerned about>from the 
  terminal point of view?>>--->The WEDI SNIP listserv to 
  which you are subscribed is not moderated.>The discussions on this 
  listserv therefore represent the views of the>individual participants, 
  and do not necessarily represent the views>of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive>an official opinion, 
  post your question to the WEDI SNIP Issues>Database at http://snip.wedi.org/tracking/.   
  These listservs should>not be used for commercial marketing purposes or 
  discussion of>specific vendor products and services.  They also 
  are not intended to>be used as a forum for personal disagreements or 
  unprofessional>communication at any time.>>You are 
  currently subscribed to wedi-privacy 
  as:>[EMAIL PROTECTED]>To unsubscribe from this 
  list, go to the Subscribe/Unsubscribe form>at http://subscribe.wedi.org or send a blank 
  email to>[EMAIL PROTECTED]>If you need 
  to unsubscribe but your current email address is not the>same as the 
  address subscribed to the list, please use the>Subscribe/Unsubscribe 
  form at http://subscribe.wedi.orgCatherine 
  LohmeierSr. Business ConsultantPCI: e-commerce for healthcareph. 
  402-304-1918www.hipaasurvival.com---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, 

Re: Questions in regard to Security/Privacy

[Doug Webb]

Richard,
http://www.wpc-edi.com
 
has all the Implimentation Guides and Addenda available for 
download.
 
The big thing is that if there is a 004010-series IG for what 
you're doing, you have to use it, and any provider who uses one of your 
terminals is a Covered Entity, and subject to the full force of the Privacy and 
Security regulations.  (First up to bat, theit Notice of Privacy Practices 
must be ready by April 16).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Richard 
  Smith 
  To: WEDI SNIP Privacy Workgroup List 
  
  Cc: [EMAIL PROTECTED] 
  
  Sent: Thursday, February 27, 2003 03:31 
  PM
  Subject: RE: Questions in regard to 
  Security/Privacy
  The Transactions that these POS terminals will be supporting 
  are HealthCare transactions - 270/271, 277/275, 835, 837 etc...Where can I 
  find more information about the TCS 
  rule?Thanks,Richard-Original Message-From: 
  Catherine Lohmeier [mailto:[EMAIL PROTECTED]Sent: 
  Thursday, February 27, 2003 4:08 PMTo: [EMAIL PROTECTED]Cc: [EMAIL PROTECTED]Subject: 
  RE: Questions in regard to Security/PrivacyI don't see these POS 
  terminals being affected by HIPAA if in factthey are doing a financial 
  transaction...ie patient is making apayment for services rendered(paying 
  the co-pay with a credit card).Now, there is a network of POS 
  terminals that do eligibility checksand referrals etc..these terminals are 
  conducting transactions forwhich a standard has been defined and are 
  therefore subject to theHIPAA TCS rule.  The use of these POS 
  terminals qualify the provideras a Covered Entity which in turn makes the 
  provider subject to thePrivacy and Security Rule.Any other 
  opinions or observations?CL Original Message From: [EMAIL PROTECTED]To: [EMAIL PROTECTED]Subject: 
  RE: Questions in regard to Security/PrivacyDate: Thu, 27 Feb 2003 09:52:59 
  -0800>I would like to know how the privacy & security act under 
  HIPAA will>impact our>current systems today? I support POS 
  card/swipe machines that dialup>(via an>async/sync modem) over 
  the public telephone system into a server that>is>connected to a 
  private network. These machines (terminals) are>located 
  through>out the USA in Provider offices, clinics and hospitals. The 
  dialup>protocol>(VISA) is the same protocol that the financial 
  processors use today>doing>credit/debit transactions. Are there 
  any issues that I need to be>concerned>about from the terminal 
  point of view?>>The second part of my question, I would like to 
  know how the privacy>& security>act under HIPAA will impact 
  POS card/swipe machines that dialup (via>an>async/sync modem) 
  over the public telephone system into a ISP that is>connected>to 
  the Internet.  These machines (terminals) are located through 
  out>the USA in>Provider offices, clinics and hospitals. The 
  dialup protocol will be>either VISA>or PPP (Point-to Point). Are 
  there any issues that I need to be>concerned about>from the 
  terminal point of view?>>--->The WEDI SNIP listserv to 
  which you are subscribed is not moderated.>The discussions on this 
  listserv therefore represent the views of the>individual participants, 
  and do not necessarily represent the views>of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive>an official opinion, 
  post your question to the WEDI SNIP Issues>Database at http://snip.wedi.org/tracking/.   
  These listservs should>not be used for commercial marketing purposes or 
  discussion of>specific vendor products and services.  They also 
  are not intended to>be used as a forum for personal disagreements or 
  unprofessional>communication at any time.>>You are 
  currently subscribed to wedi-privacy 
  as:>[EMAIL PROTECTED]>To unsubscribe from this 
  list, go to the Subscribe/Unsubscribe form>at http://subscribe.wedi.org or send a blank 
  email to>[EMAIL PROTECTED]>If you need 
  to unsubscribe but your current email address is not the>same as the 
  address subscribed to the list, please use the>Subscribe/Unsubscribe 
  form at http://subscribe.wedi.orgCatherine 
  LohmeierSr. Business ConsultantPCI: e-commerce for healthcareph. 
  402-304-1918www.hipaasurvival.com---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this l

Re: medical vendors as Business Associates

[Doug Webb]

David,
Amen!
I would much rather have a clear answer beforehand 
than enforcement afterword.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  David Frenkel 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, February 27, 2003 11:18 
  PM
  Subject: RE: medical vendors as Business 
  Associates
  
  
  Doug,
  This is another 
  example of the daunting enforcement task CMS has.  There are so many interconnected 
  issues that have no clear resolution.  
  Somebody should calculate the cost of the lack of clarity of 
  HIPAA.
   
  Regards,
   
  
  David 
  Frenkel
  Business 
  Development
  GEFEG 
  USA
  Global 
  Leader in Ecommerce Tools
  www.gefeg.com
  612-237-1966
  -Original 
  Message-----From: Doug Webb 
  [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 26, 
  2003 4:00 
  PMTo: WEDI SNIP Privacy Workgroup 
  ListSubject: Re: medical 
  vendors as Business Associates
   
  
  David,
  
  I would also tend to lean that way.  
  Could we get a definitive answer "From 
  Above"?
  
   
  
  The opinions expressed here are my own 
  and not necessarily the opinion of LCMH.
  
   
  
  Douglas M. WebbComputer System 
  EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]
  
   
  
  "This electronic message may contain 
  information that is confidential and/or legally privileged. It is intended 
  only for the use of the individual(s) and entity(s)  named as recipients 
  in the message. If you are not an intended recipient of the message, please 
  notify the sender immediately,  delete the material from any computer, do 
  not deliver, distribute, or copy this message, and do not disclose its 
  contents or take action in reliance on the information it contains. Thank 
  you."
  
   
  
   
  

- Original Message - 


From: David Frenkel 


To: WEDI SNIP Privacy Workgroup 
List 

Sent: 
Wednesday, February 
26, 2003 02:55 
PM

Subject: RE: 
medical vendors as Business Associates

 
Doug,
This 
discussion has appeared on other healthcare listservs and there seems to be 
a strong leaning towards having medical device manufacture reps be 
considered part of TPO.   
It brings up an interesting liability issue as well as a patient 
consent issue for reps being in the OR.
 
Regards,
 

David 
Frenkel
Business 
Development
GEFEG 
USA
Global 
Leader in Ecommerce Tools
www.gefeg.com
612-237-1966
    -----Original 
Message-From: Doug 
Webb [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 26, 
2003 2:53 
PMTo: David Frenkel; WEDI SNIP Privacy 
Workgroup ListSubject: Re: 
medical vendors as Business Associates
 

David,

They do, but I'm not directly involved, 
so I don't know the answer to your 
question.

 

Jim Hewitt did bring up an interesting 
point that these vendors may also be hardware/software support people.  
In that role, I would think that a BAA would be appropriate to state that 
they would protect PHI they contact while maintaining the 
equipment.

 

I had been thinking just of their role 
as a supplier of the equipment.

Whew! Covering all bases is 
tough!.

 

The opinions expressed here are my own 
and not necessarily the opinion of LCMH.

 

Douglas M. WebbComputer System 
EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]

 

"This electronic message may contain 
information that is confidential and/or legally privileged. It is intended 
only for the use of the individual(s) and entity(s)  named as 
recipients in the message. If you are not an intended recipient of the 
message, please notify the sender immediately,  delete the material 
from any computer, do not deliver, distribute, or copy this message, and do 
not disclose its contents or take action in reliance on the information it 
contains. Thank you."

 

 

  
  - Original Message - 
  
  
  From: Davi

Re: PHI In Mail

[Doug Webb]

Title: Glacier



Likewise.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Line, 
  Phyllis 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, February 28, 2003 10:52 
  AM
  Subject: RE: PHI In Mail
  
  We will be 
  shredding all documents containing PHI that are no longer needed. 
  
   
  
  Phyllis Line HIPAA Privacy 
  Officer HEREIU Welfare Pension Funds 
  630-236-5114 [EMAIL PROTECTED] 
  
  
-Original Message-From: Schmidt, Lee M 
[mailto:[EMAIL PROTECTED]Sent: Friday, February 28, 
2003 8:34 AMTo: WEDI SNIP Privacy Workgroup 
ListSubject: RE: PHI In MailImportance: 
High
 
Is there a 
HIPAA requirement on how to dispose of returned mail that contains 
PHI?
 
If not, how 
do folks within this workgroup plan on disposing of it?
 
Thanks,
 
Lee M. 
Schmidt
Magellan 
Behavioral Health
HIPAA / I.T. Project Manager, Claims Applications 
Local: (314) 387-5445 Toll Free (St. Louis): 
1-800-450-7281 ext: 75445  New Cell: (314) 960-0964 



Fax: 314-387-5655 
or 314-292-1120 (Electronic)E-Mail: [EMAIL PROTECTED]
 
  Privileged and Confidential: The information 
  contained in this e-mail message is intended only for the personal and 
  confidential use of the intended recipient(s). If the reader of this message 
  is not the intended recipient or an agent responsible for delivering it to the 
  intended recipient, you are hereby notified that you have received this 
  document in error and that any review, dissemination, distribution, or copying 
  of this message is strictly prohibited. If you have received this 
  communication in error, please notify [EMAIL PROTECTED], and delete 
  the original message.
  
  
  

  ---The WEDI SNIP listserv to which you are subscribed is not 
  moderated. The discussions on this listserv therefore represent the views of 
  the individual participants, and do not necessarily represent the views of the 
  WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/.   These listservs should not be used 
  for commercial marketing purposes or discussion of specific vendor products 
  and services.  They also are not intended to be used as a forum for 
  personal disagreements or unprofessional communication at any time.You 
  are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe 
  from this list, go to the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org or send a blank email to 
  [EMAIL PROTECTED]If you need to unsubscribe but 
  your current email address is not the same as the address subscribed to the 
  list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Custodial parent rights to minor's PHI

[Doug Webb]

Steve,
The Court rulings in the individual case would determine which 
parent(s) have access to how much PHI.  There may also be State laws that 
override a decree from a different State.
 
In general, the custodial parent has primary responsibility 
for the child's healthcare, but in Family Court, just about any combination is 
possible.
 
The one thing that I dno't think that any software system is 
set up to handle is if both parents are to receive everything (2 bills on the 
same account???).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Giesecke, Steve 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, February 28, 2003 02:14 
  PM
  Subject: Custodial parent rights to 
  minor's PHI
  I have a question regarding PHI disclosure with respect to 
  minors when there has been a divorce and one parent has been assigned 
  custody.  My understanding is that only the parent with legal custody can 
  (legally) access the children's PHI but I can't put my finger on the reference 
  for this practice.  Payers, for example, may have no way of knowing who 
  has custody, let alone the marital status of a parent calling in concerning 
  the PHI of a child.  If I am reading this correctly,  they will need 
  to develop a system which allows their claims rep's and call centers to know 
  who the custodial parent is.  Does HIPAA defer to state law or is there a 
  common law precedent or something specific I have missed in the Privacy Rule 
  which addresses this situation? Thanks for any 
  information, Steve GieseckeSierra SystemsN24z˻rry j 
  NDzȞʶ+y z z ʶ؉ۖ'vwzˮ)z ؾ' j倷|8yˮɭa!#<청 Ȗ*ʋ*綶ya!#
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Another thread on Security/Privacy question

[Doug Webb]

Chistine,
I'll give it a shot.
My comments are below your questions.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Christine Hudnall 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, February 28, 2003 02:35 
  PM
  Subject: Another thread on 
  Security/Privacy question
  
  I'm sending this out again, if someone could please help us.  
  Thanks.ChristineWhat about the card swipes that we use 
  when a patient makes apayment on their account using their credit 
  card.  Yes, we onlyswipe the card and put in the last four digits of 
  the number, butthe patient name (or whoever owns the card) prints out on 
  thereceipt.Is that considered PHI, even though we are not sending 
  them thename, but they print it from their records?
  I don't believe that this is, just money.  The 
  outer envelope of your bills isn't considered PHI, either (name and return 
  address).  The inside's another story.
  If so, do we need to have an agreement with the company that we 
  usethe card swipe from?And as for eligibility, i.e., 
  Medicaid.  We use ROVR, which isthrough Consultec (if I remember 
  correctly).  Is an agreement neededwith them?
   
  No. You are quering a CE for the purposes of 
  Treatment.  Just be sure you use 270/271 or DDE to do it 
  .
  And how would I check for security for their program?  Is 
  thatsomething they would need to do and put in writing?
   
  You are not responsible for the Security of another 
  Covered Entity.  They are.Sorry for all the 
  questions, just, my co-worker and I are trying togo down list of all 
  possibilities that we need to check 
  on.Thanks,Christine_Help 
  STOP SPAM with the new MSN 8 and get 2 months FREE*  http://join.msn.com/?page=features/junkmail---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Clarification of Question re: who is the "originator" of PHI?

[Doug Webb]

Jill,
I think that the question revolves around who was responsible 
for generating and maintaining the original report 
(i.e., who has the master, and who has a copy).
 
If the Physical Therapist maintains his/her own records, the 
therapist's copy is probably the master, and thus must be where the amendment 
request originates (note that the hospital may still have to amend its copy at 
the direction of the PT [or his estate], wherever he/she is).
 
On the other hand, if the PT generates original reports that 
are entered and maintained as a part of the Hospital's Medical Record, I believe 
that the Hospital's copy would be the master even if the PT kept a copy for 
temporary reference.
 
I would suggest that the responsibility for maintaining 
records be clearly spelled out in writing regarding all entities that would be 
involved with such records, so that all parties know who is responsible for 
maintaining what.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Tuesday, March 04, 2003 06:32 
  AM
  Subject: Clarification of Question re: 
  who is the "originator" of PHI?
  I meant to write:For ex., if a patient saw a 
  physical therapist at a certain hospital, then later asked the hospital to 
  amend PHI written by the physical therapist but the physical therapist was 
  no longer working there, can the hospital say "we did not create that 
  information so we have no obligation amend it" or do they still have to amend 
  it?Jill Rubin, Esq.(617)388-2404[EMAIL PROTECTED] 
  ---The WEDI SNIP listserv to which you are subscribed is not moderated. 
  The discussions on this listserv therefore represent the views of the 
  individual participants, and do not necessarily represent the views of the 
  WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Fundraising Question

[Doug Webb]

Patricia,
Your NPP should state that PHI will not be used for these 
purposes.  A opt out isn't necessary when nobody,s in.
 
To clarify things for your patients, you may wish to mention 
that the foundation uses independantly-generated lists that contain no 
PHI.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Patricia Conroe 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, March 05, 2003 08:58 
  AM
  Subject: Fundraising Question
  Our hospital foundation is responsible for fundraising.  
  For about 5 years they have not used patient information for their 
  fundraising.  They purchase lists through other companies and they have 
  created their own donor base based on who's donated before.  They send 
  information to the donor base because their donors and not because their 
  patients.  So, since the donors and patient's are different do we need to 
  worry about the fundraising opt out requirement?  I hope I made myself 
  clear with what I was explaining and trying to ask.---The WEDI 
  SNIP listserv to which you are subscribed is not moderated. The discussions on 
  this listserv therefore represent the views of the individual participants, 
  and do not necessarily represent the views of the WEDI Board of Directors nor 
  WEDI SNIP. If you wish to receive an official opinion, post your question to 
  the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: JCAHO BAA

[Doug Webb]

Teri,
In theory, yes.  In practice, they're the 800-pound 
gorilla.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Teri 
  Baskett 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, March 05, 2003 08:31 
  AM
  Subject: JCAHO BAA
  On that BA thread, we just recieved a letter from JCAHO wanted 
  us to complete their BAA form.  Following previous messages, 
  shouldn't I (since I'm the CE) be sending them our form, and we 
  shouldn't be signing their's?Teri Baskett, 
  CISOLifeSpring[EMAIL PROTECTED]   
  ---The WEDI SNIP listserv to which you are subscribed is not 
  moderated. The discussions on this listserv therefore represent the views of 
  the individual participants, and do not necessarily represent the views of the 
  WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: mail filtering

[Doug Webb]

Mimi,
Not only yours!  If this is naive, then so am 
I.
 
William's point was that the exaunt content-based filters DO 
NOT WORK, either because they are mis-configured, or are inappropriate to be 
used on healthcare-related conversations.
 
Encryption and E-signing need to be established on a 
point-to-point basis, along with policies that say don't send PHI to anybody not 
on the list without first establishing the proper security.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Mimi Hart 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 06, 2003 08:03 
  AM
  Subject: Re: mail filtering
  Sorry to be naive, but how is this different then expecting 
  mycolleagues to follow other procedures? Cover sheets on faxes? Not 
  takingPHI home? Not discussing PHI in the lunch room? They are 
  professionals,there are certain professional rules they have to follow 
  like wearinggloves around blood borne pathogens and the like, why is 
  privacydifferent?It is my responsibility to get a system that 
  works for my staff. It istheir responsibility to follow any accompanying 
  policies and proceduresthat support/surround the system.My opinion 
  only...MimiMimi Hart Ó¿Õ*Research Analyst, HIPAAIowa 
  Health System319-369-7767 (phone)319-369-8365 (fax)319-490-0637 
  (pager)[EMAIL PROTECTED]>>> 
  Jim Hewitt <[EMAIL PROTECTED]> 03/04/03 
  09:05PM >>>I agree with most of Bill Kammerer's contributions 
  onthis forum, but disagree with this one:> do we need any more 
  proof that email filteringdoesn't work?Filtering isn't a silver 
  bullet, but it's part of thesolution.  > ..."rely on users' 
  training and intelligence."  That won't work.  Taking email 
  encryption as ananalogous example, you've probably seen the 
  CarnegieMellon paper from a few years ago, "Why Johnny 
  Can'tEncrypt."  They studied a group of fairly high-skillusers 
  (CS researchers), and gave them the task ofsending and receiving encrypted 
  email.  Most of themhad trouble with the software (PGP 5.1, I think), 
  butmore importantly they consistently forgot to click on"encrypt" when 
  they had a confidential message tosend. If you're relying on 
  users' training and intelligenceALONE you're almost certainly not 
  compliant.  Youdon't rely on that alone.  As one user told me, 
  "Itwould be insane to install a bunch of keywordtriggers, sit back and 
  assume you're compliant."  Itwould also be insane to base your 
  compliance on usersremembering to do the right thing.Email 
  filtering is similar to IDS.  You have to buy agood commercial 
  package, spend a lot of time tuning itfor your organization, install 
  update almost daily,and put in a lot of maintenance by a live sysadmin. 
  Nobody said it was cheap, and the false positivescertainly are 
  annoying, but it's necessary, in myview.By the way, I've seen a 
  lot of unanswered requests forlists of PHI keywords.  I don't think 
  anybody has alist they are happy with.  Anybody who has, 
  pleasechime 
  in.__Do you 
  Yahoo!?Yahoo! Tax Center - forms, calculators, tips, morehttp://taxes.yahoo.com/ ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated.The 
  discussions on this listserv therefore represent the views of 
  theindividual participants, and do not necessarily represent the views 
  ofthe WEDI Board of Directors nor WEDI SNIP. If you wish to receive 
  anofficial opinion, post your question to the WEDI SNIP Issues Database 
  athttp://snip.wedi.org/tracking/.   
  These listservs should not be used forcommercial marketing purposes or 
  discussion of specific vendor productsand services.  They also are 
  not intended to be used as a forum forpersonal disagreements or 
  unprofessional communication at any time.You are currently subscribed 
  to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe 
  from this list, go to the Subscribe/Unsubscribe form athttp://subscribe.wedi.org or send a blank 
  email to[EMAIL PROTECTED] 
  If you need to unsubscribe but your current email address is not 
  thesame as the address subscribed to the list, please use 
  theSubscribe/Unsubscribe form at http://subscribe.wedi.org    
  *This message and 
  accompanying documents

Re: CLAIMS ADJUSTMENT CODES

[Doug Webb]

Dee,
Yes, only the codes on the list may be 
used on a Complient claim.  This applies now.  CMS stated in the 
Federal Register that they won't enforce until October.
 
You can get the list from 
WPC.
http://www.wpc-edi.com/ClaimAdjustment_40.asp
 
Also, the Remark codes are 
at
http://www.wpc-edi.com/Remittance_40.asp
 
Also, the Remark codes are 
at
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dee 
  Warrington 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 06, 2003 04:13 
  PM
  Subject: CLAIMS ADJUSTMENT CODES
  
  My question relates to the transaction and 
  code sets rule -- but I am hoping one or more of you privacy gurus may be 
  versed in TCS as well.
   
  I was advised there are standard claim 
  adjustment codes and was wondering if these codes are the only adjustment 
  codes that can be used after 10/16?
   
  Any response is appreciated.
   
  Thank you.
   
   
  Confidentiality 
  Notice: This e-mail message, including any attachments, is for the sole 
  use of the intended recipient(s) and may contain confidential and privileged 
  information.  Any unauthorized review, use, disclosure or distribution is 
  prohibited.  If you are not the intended recipient, please contact the 
  sender by reply e-mail and destroy all copies of the original 
  message.
   ---The WEDI SNIP listserv to which you are subscribed is 
  not moderated. The discussions on this listserv therefore represent the views 
  of the individual participants, and do not necessarily represent the views of 
  the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, post your question to the WEDI SNIP Issues Database at 
  http://snip.wedi.org/tracking/. These listservs should not be used for 
  commercial marketing purposes or discussion of specific vendor products and 
  services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: OCHA Answer and Disclosure Question

[Doug Webb]

One further thought on Noel's ideas.
 
If there is a requirement that each member of an OHCA have its 
own Privacy Officer, I don't believe that this Privacy Officer has to be a 
unique individual for each member, so that the same person could be the Privacy 
Officer for the group.  I think that this person could even be paid by the 
OHCA (it may have to be arranged as each member hiring the services of an 
outside contractor).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Patricia Conroe 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, March 07, 2003 12:48 
  PM
  Subject: Re: OCHA Answer and Disclosure 
  Question
  I like your answer since it confirms some of my thoughts.  
  We joined the OHCA just to make sure there would be no problems with 
  credentialing, peer review, etc.  We also thought sharing the NPP and 
  policies would be a nice gesture to our medical staff so we would carry the 
  burden of getting all of the paperwork done and then they could just modify it 
  to meet their needs instead of creating it all from scratch.  Downsides 
  to OHCA..hmhope there's not too many, but maybe it makes the hospital 
  more liable when a physician violates the NPP or HIPAA in 
  general?>>> "Noel Chang" <[EMAIL PROTECTED]> 03/07/03 
  12:17PM >>>Here are my thought on OHCA's but they are just 
  that.  I have no experience with OHCA's and would love for someone to 
  tell me if they agree or disagree.  I would only ask that you please 
  cite the applicable section of the rule, preamble, or guidance document 
  that supports your position:The only places I can find OHCA's even 
  mentioned in the rule, other than the definition of an OHCA 
  are: Section 164.520(d) says participants in an OHCA can have a 
  joint notice and distribution by one member of the OHCA is sufficient to 
  fulfill the distribution requirements of all members of the 
  OHCASection 164.506(c)(5) says members of an OHCA can exchange PHI for 
  ANY health care operations, instead of the more limited health care 
  operations allowed under section 164.506(c)(4).Is anyone aware of 
  any other references to OHCA's in the rule?Applying these two 
  citations to the questions in this thread, including the original ones 
  asked by Patricia Conroe, here are my thoughts:Do requests to exercise 
  patient rights submitted to one member of an OHCA apply to all?  I 
  would say no.  I cannot find any citation in the sections on patients 
  rights to support otherwise.  Except if a patient amends their PHI a 
  covered entity must inform other affected by the amendment which I think 
  would naturally include any other memebers of an OHCA that the CE 
  participates in.  But with regard to rights such as restrictions on 
  U&D or alternate communications, I believe the individual would have 
  to submit the same request separately to each member of the 
  OHCA.Aren't we already allowed to disclose PHI to other CE's in our 
  OHCA under the rule that allows disclosure for TPO?  Yes but with 
  some limitation.  The rule allows disclosure of PHI by a CE for their 
  OWN TPO, which under section 164.506(c) is extended to include treatment 
  of OTHER providers, payment of OTHER providers, and only CERTAIN 
  operations of OTHER covered entities as limited by section 
  164.506(c)(4)(i) and (ii).  By participating in an OHCA you will get 
  the added benefit of being able to share PHI with other members of the 
  OHCA for ANY health care operations purposes.Does each member of the 
  OHCA have to identify their own Privacy Official and Contact Official in 
  the NPP?  I do not see any provision that allows OHCA's to share 
  these roles so I assume each member of the OHCA needs to have their own, 
  and therefore any joint Notice prepared for the OHCA would have to 
  identify the Privacy Official and Contact Official for EACH member of the 
  OHCA.The bottom line of all this is that the only real benefit I 
  see in joining an OHCA is it may simplify distributino of your NPP.  
  For example, I have a client who is an interventional cardiologist.  
  Aside from seeing patients in his office he also performs procedures at a 
  local hospital.  The hospital checks in the patient, provides the 
  nursing staff, etc, so I believe the procedure

Re: BA contract with Reps

[Doug Webb]

I think that since this is a total opt-in, if your sign-up 
form had the company clearly identified, and spaces for address, it would no 
more be PHI than the same form in a supermarket (which I have seen, even filled 
out a few when my daughter was on the way [15 years ago]).  
 
It gets a little iffy if you support this with a checkoff 
indicator in your database, and generate the list from the database.  

 
Do any ot the gurus out there know if this crosses the line 
into Marketing, and if so, is it permitted?  If it is permitted, it would 
be required in your NPP.
 
The need for a BAC is less iffy.   I thinka BAC 
would  not be required, since the rep isn't doing anything for YOU, but is 
acting in its own self-interest (providing a service to the patient in hopes of 
future sales).
 
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Tuesday, March 11, 2003 09:50 
  AM
  Subject: BA contract with Reps
  We have pediatric representatives deliver 
  free diaper bags and other free things for our patients.  We keep a 
  mailing list for all patients that desire to get coupons and mail from the 
  company. The patient writes down their name address and pregnancy due date. 
  They understand that they are on a mailing list.  The rep picks them up 
  once a month. Do we need  a BAC? Or do we include this information in our 
  NOPP?Thank youRobin Henry, OMOB/GYN ---The WEDI SNIP 
  listserv to which you are subscribed is not moderated. The discussions on this 
  listserv therefore represent the views of the individual participants, and do 
  not necessarily represent the views of the WEDI Board of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion, post your question to the 
  WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs 
  should not be used for commercial marketing purposes or discussion of specific 
  vendor products and services. They also are not intended to be used as a forum 
  for personal disagreements or unprofessional communication at any 
  time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Facility Directory

[Doug Webb]

Donald,
I agree with your opinion that you don't have to ask, but a 
check-off line in the sign-in form would be nice.  It would also document 
that the option had indeed been offered, and since, in this game, documentation 
is everything, that would be a Good Thing.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Ribelin, Donald 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 13, 2003 06:41 
  AM
  Subject: RE: Facility Directory
  
  
  As I 
  read it, there is no requirement to ask, just to inform and this is done via 
  your Notice of Privacy Practice.  
  Should the patient ask for clarification you would be obliged to assist 
  them in understanding their rights but I do not think you have to ask the 
  patient if they want to opt out.
   
  Donald L. Ribelin
  HIPAA Project Manager
  Firsthealth of the 
  Carolinas
  (910) 215-2668
  [EMAIL PROTECTED]
   
  -Original 
  Message-From: Cindy 
  Stroud [mailto:[EMAIL PROTECTED]Sent: Wednesday, March 12, 2003 7:54 
  PMTo: WEDI SNIP Privacy 
  Workgroup ListSubject: 
  Facility Directory
   
  For 
  some reason I have been under the assumption that when a patient registers we, 
  an acute care hospital, need to explain the right to opt-out of the facility 
  directory. Is this something we need to explain verbally or is the fact 
  that explanation in the NPP is sufficient? I really appreciate any 
  feedback
  Cindy
  ---The WEDI 
  SNIP listserv to which you are subscribed is not moderated. The discussions on 
  this listserv therefore represent the views of the individual participants, 
  and do not necessarily represent the views of the WEDI Board of Directors nor 
  WEDI SNIP. If you wish to receive an official opinion, post your question to 
  the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These 
  listservs should not be used for commercial marketing purposes or discussion 
  of specific vendor products and services. They also are not intended to be 
  used as a forum for personal disagreements or unprofessional communication at 
  any time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Su

Re: Security Requirements

[Doug Webb]

Daryn,
Yes.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Daryn 
  Thompson 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 13, 2003 12:18 
  PM
  Subject: Security Requirements
  
  
  In the final security document, 
  you have standards.  Some 
  standards have implementation specifications and others do not.  On the standards that do have them, 
  they are REQUIRED or ADDRESSABLE.  
  On the ones that do not have specifications, are they 
  Required?
   
  Daryn 
  Thompson 
  
  Network/I.S. 
  Coordinator
  (801) 
  468-2123
   ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Filing deadline for complaints

[Doug Webb]

Amen, Cindi!
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, March 14, 2003 07:30 
  AM
  Subject: RE: Filing deadline for 
  complaints
  Diane,If you limit your complaint acceptance period to 
  30 days, the only otherrecourse the person would have is to file a 
  complaint with the Secretary ifthe occurance is more than 30 days 
  old.  For my agency, I had rather ourpatients come to us with a 
  complaint rather than the Secretary of DHHS, so Iam leaving the door open 
  to accepting complaints.  Cindi BowmanQuality and 
  Compliance CoordinatorCatawba County Health 
  Department828-695-5847-Original Message-From: 
  Diana DeWeese [mailto:[EMAIL PROTECTED]Sent: Thursday, March 13, 
  2003 3:29 PMTo: WEDI SNIP Privacy Workgroup ListSubject: Filing 
  deadline for complaintsRegarding complaints filed with the 
  Secretary of DHHS, the Privacy Rulestates in 160.306 (b)(3) that a 
  complaint must be filed within 180 days ofwhen the complainant knew or 
  should have known.Can a covered entity specify a shorter time 
  frame for an individual filing acomplaint with the covered entity - such 
  as - within 30 days?Diana DeWeeseIllinois Dept of 
  Human Services[EMAIL PROTECTED]217-557-9103---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. 
  Thediscussions on this listserv therefore represent the views of the 
  individualparticipants, and do not necessarily represent the views of the 
  WEDI Boardof Directors nor WEDI SNIP. If you wish to receive an official 
  opinion, postyour question to the WEDI SNIP Issues Database athttp://snip.wedi.org/tracking/.   
  These listservs should not be used forcommercial marketing purposes or 
  discussion of specific vendor products andservices.  They also are 
  not intended to be used as a forum for personaldisagreements or 
  unprofessional communication at any time.You are currently subscribed 
  to wedi-privacy as:[EMAIL PROTECTED]To 
  unsubscribe from this list, go to the Subscribe/Unsubscribe form athttp://subscribe.wedi.org or send a blank 
  email to[EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same 
  asthe address subscribed to the list, please use the 
  Subscribe/Unsubscribeform at http://subscribe.wedi.org---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your c

Re: Displaying Data in web browser... Indefinitely..

[Doug Webb]

IMHO,
Yes, it is a violation, but not yours.  The client 
who accessed the web site is guilty of the violation unless the proper 
protection is taken to blank the screen at the client's site.  You might 
offer a process to blank the web screen after it has been displayed for a 
certain interval as a courtesy.
 
The opinions expressed here are my own and not 
necessarily the opinion of LCMH.
 
Douglas M. WebbComputer System 
EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information 
that is confidential and/or legally privileged. It is intended only for the use 
of the individual(s) and entity(s)  named as recipients in the message. If 
you are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Hipaa 
  Learner 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, March 14, 2003 07:07 
  PM
  Subject: Displaying Data in web 
  browser……. Indefinitely….
  
   
  We developed a web based application where in patient 
  data get displayed in end user browser. User ID is required to log in to web 
  site and it uses HTTPS to login. My question is, some one logs in,….view the 
  data….. walks away from computer. Since he has not logged out from our 
  website, patient sensitive data is still displayed on his computer. Does it a 
  violation of HIPAA security rule ?  thanks for your 
  suggestion.
   
  
  
  Do you Yahoo!?Yahoo! 
  Web Hosting - establish your business online --- The WEDI SNIP listserv to 
  which you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should 
  not be used for commercial marketing purposes or discussion of specific vendor 
  products and services. They also are not intended to be used as a forum for 
  personal disagreements or unprofessional communication at any time. You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED] If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Displaying Data in web browser. Indefinitely.

[Doug Webb]

Gregory,
You make a good point. 
If the Patient is accessing his/her own data, you are not 
respnsible for what he/she does with it. 
 
If it's a CE or BA of a CE accessing Patient data, the CE is 
responsible for ensuring Privacy.  Offering a process to make the CE's task 
easier might make good business sense.
 
Application time-outs for non-HIPAA reasons make a lot of 
sense, although how long they should be is another question.  You 
definately don't want to keep a session on your server open indefinately 
(conections get dropped frequently, especially on dail-ups that 
forgot to disable Call Waiting).  I've waited an awful long time (as long 
as 5 minutes) for the initial screen from my bank (there must be horrendous 
routing between AOL in Joliet and The Harris Bank (Chicago?)).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Gregory Park 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, March 17, 2003 08:00 
  AM
  Subject: RE: Displaying Data in web 
  browser. Indefinitely.
  
  
  I believe 
  the correct answer is more litigious than technical.  Obviously this 
  sounds like a area that is compromised, but maybe not...depending on your 
  internal analysis.  There are lots of questions here regarding WEB 
  applications and security as a general question, but I think it would be 
  little effort to place application time-outs in your code to eliminate "look 
  over the shoulder breaches".  
   
  But then 
  again, these are patient's looking at their own data on their own computer 
  systems mostly in their own homes?  Probably you could make a case and 
  say there is little to no risk of information leakage.  
  
   
  I think 
  maybe you would want application time-outs in your application above and 
  beyond the security issue.  From an application/server perspective I 
  would want those accounts off my server as soon as possible. 
  
   
  Greg ParkProduct ManagerDB 
  Technology 
  Inc.Office:  
  800-760-4096 
  x117Cell: 
  484-919-0392PA Office: 610-397-0288 
  www.dbtech.com 
  
-Original Message-From: Hipaa Learner 
[mailto:[EMAIL PROTECTED]Sent: Friday, March 14, 2003 8:08 
PMTo: WEDI SNIP Privacy Workgroup ListSubject: 
Displaying Data in web browser. Indefinitely.
 
We developed a web based application where in patient 
data get displayed in end user browser. User ID is required to log in to web 
site and it uses HTTPS to login. My question is, some one logs in,.view the 
data.. walks away from computer. Since he has not logged out from our 
website, patient sensitive data is still displayed on his computer. Does it 
a violation of HIPAA security rule ?  thanks for your 
suggestion.
 


Do you Yahoo!?Yahoo! 
Web Hosting - establish your business online --- The WEDI SNIP listserv 
to which you are subscribed is not moderated. The discussions on this 
listserv therefore represent the views of the individual participants, and 
do not necessarily represent the views of the WEDI Board of Directors nor 
WEDI SNIP. If you wish to receive an official opinion, post your question to 
the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These 
listservs should not be used for commercial marketing purposes or discussion 
of specific vendor products and services. They also are not intended to be 
used as a forum for personal disagreements or unprofessional communication 
at any time. You are currently subscribed to wedi-privacy as: 
[EMAIL PROTECTED] To unsubscribe from this list, go to the 
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
email to [EMAIL PROTECTED] If you need to 
unsubscribe but your current email address is not the same as the address 
subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org---The WEDI SNIP listserv to which 
  you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database

Re: Another NPP question

[Doug Webb]

Craig,
I agree with your position.  I think that a signed 
document needs at least one full signature.  Having that full signature and 
date, I would think that initials other places should be OK (they work for the 
money people).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Craig 
  Moen 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, March 19, 2003 08:14 
  AM
  Subject: RE: Another NPP question
  During our initial admit paperwork we are planning of having 
  the patientinitial next to acknowledgement of receipt.  However, they 
  also sign the endof that document because they initial other items on that 
  particular pageFor existing patients, I don't see how intials by 
  themselves would workJust my opinionConfidential 
  InformationThis email message is intended only for the person or entity to 
  which it isaddressed. Unless otherwise indicated or obvious by the nature 
  of thistransmittal, the information contained in this email message is 
  privilegedand confidential, intended for the use of the intended recipient 
  (or theemployee or agent responsible to deliver to the intended 
  recipient), you arehereby notified that any dissemination, distribution or 
  copying of thiscommunication is strictly prohibited. If you are not the 
  intended recipient,please contact the sender by reply email and destroy 
  all copies of theoriginal messageTHERAPY 20001881 Sylvan Avenue 
  Suite 210Dallas, Tx 75208-Original Message-From: 
  Harpe, Leslie [mailto:[EMAIL PROTECTED]Sent: Wednesday, March 19, 
  2003 7:58 AMTo: 'Craig Moen'; WEDI SNIP Privacy Workgroup ListSubject: 
  RE: Another NPP questionI have a line that states "I acknowledge 
  receipt of the Notice of PrivacyPractice." and a line to sign on our 
  COA.  I'm going to piggyback a questionwith your question, are 
  initials acceptable for acknowledgment?-Original 
  Message-From: Craig Moen [mailto:[EMAIL PROTECTED]Sent: 
  Tuesday, March 18, 2003 6:00 PMTo: WEDI SNIP Privacy Workgroup 
  ListSubject: Another NPP questionAnother NPP 
  question.We are drafting our aknowledgement of receipt form for 
  existing patients fordistribution.  In 164.520 it describes 
  "acknowledgement of receipt"  I amnot finding specific language that 
  requires they sign that they have "Readand Understand"  It would then 
  seem that they would sign that we havedelivered the NPP.  Is anyone 
  reading that any differently??Craig MoenConfidential 
  InformationThis email message is intended only for the person or 
  entity to which it isaddressed. Unless otherwise indicated or obvious by 
  the nature of thistransmittal, the information contained in this email 
  message is privilegedand confidential, intended for the use of the 
  intended recipient (or theemployee or agent responsible to deliver to the 
  intended recipient), you arehereby notified that any dissemination, 
  distribution or copying of thiscommunication is strictly prohibited. If 
  you are not the intended recipient,please contact the sender by reply 
  email and destroy all copies of theoriginal messageTHERAPY 
  20001881 Sylvan Avenue Suite 210Dallas, Tx 
  75208---The WEDI SNIP listserv to which you are subscribed 
  is not moderated. Thediscussions on this listserv therefore represent the 
  views of the individualparticipants, and do not necessarily represent the 
  views of the WEDI Boardof Directors nor WEDI SNIP. If you wish to receive 
  an official opinion, postyour question to the WEDI SNIP Issues Database 
  athttp://snip.wedi.org/tracking/. 
  These listservs should not be used forcommercial marketing purposes or 
  discussion of specific vendor products andservices. They also are not 
  intended to be used as a forum for personaldisagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To 
  unsubscribe from this list, go to the Subscribe/Unsubscribe form athttp://subscribe.wedi.org or send a blank 
  email to[EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same 
  asthe address subscribed to the list, please use the 
  Subscribe/Unsubscribeform at http://subscribe.wedi.org---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discu

Re: Billing Services with Contractors

[Doug Webb]

Daniel,
1) Billing Services are Business Associates of 
Providers.  Because of what they do, if they work with standard 
transactions, they may also be considered a Covered Entity Clearinghouse 
(converting [highly] non-standard data to standard transactions, and vice 
versa).
 
2) An entity that performs services on your behalf that 
involve PHI is your BA, and there should be a BA contract between you and that 
entity.  An entity that performs services on behalf of your provider 
customers is the BA of the provider, and technically there should be a BA 
contract between your customers and the contractor.  I believe that if you 
have a BA contract with the contractor, that establishes a chain of trust that 
will meet the contract requirements. (check this one out -- my eyes glazed 
over).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Daniel E. McDonald 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, March 19, 2003 11:58 
  AM
  Subject: Billing Services with 
  Contractors
  
  
  I wanted to get input regarding 
  Billing Services that use contractors to perform certain services.  My 
  understanding is the Billing Service is considered a Business Associate and 
  not a covered entity.  If that is true, would the contractors working for 
  a billing service be Business Associates of a Business Associate and would 
  they sign a similair BA agreement as the billing service did but between them 
  and the billing service??
  I look forward to everyone’s 
  intepretation as even our attorney is a bit confused.
   
   
  This e-mail, and any attachments 
  thereto, is intended only for use by the addressee(s) named herein and may 
  contain legally privileged and/or confidential information. If you are not the 
  intended recipient of this e-mail, you are hereby notified that any 
  dissemination, distribution or copying of this e-mail, and any attachments 
  thereto, is strictly prohibited.
  If you have received this e-mail 
  in error, please notify me immediately at 1-800-500-0175 ext 114 and 
  permanently delete the original and any copy of any e-mail and printout 
  thereof. 
   
   ---The WEDI SNIP 
  listserv to which you are subscribed is not moderated. The discussions on this 
  listserv therefore represent the views of the individual participants, and do 
  not necessarily represent the views of the WEDI Board of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion, post your question to the 
  WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs 
  should not be used for commercial marketing purposes or discussion of specific 
  vendor products and services. They also are not intended to be used as a forum 
  for personal disagreements or unprofessional communication at any 
  time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: BA v Trading Partner Agreements

[Doug Webb]

Jonathan,
A Trading Partner Agreement is a general contract between two 
entities who do business with each other.
 
A Busininess Associate Agreement is a Trading Partner 
Agreement that specificly includes wording to protect any Protected Healthcare 
Information that may be  exchanged, and that covers all the bases that the 
Privacy and Security rules require.
 
The opinions expressed here are my own and not 
necessarily the opinion of LCMH.
 
Douglas M. WebbComputer System 
EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information 
that is confidential and/or legally privileged. It is intended only for the use 
of the individual(s) and entity(s)  named as recipients in the message. If 
you are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Jonathan 
  May 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 20, 2003 12:43 
  PM
  Subject: BA v Trading Partner 
  Agreements
  Can anyone offer a simple clarification of the difference 
  between and when to use a Business Associate Agreement and a Trading 
  Partner Agreement?Many 
  thanks._STOP 
  MORE SPAM with the new MSN 8 and get 2 months FREE*  http://join.msn.com/?page=features/junkmail---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank 
  email to [EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: New to this list, have two questions.

[Doug Webb]

Title: RE: New to this list, have two questions.



Deborah,
I agree.
Your short answer to 2) was "No".  I'll add 
another two roles (only one of which has a "Yes answer).
 
If what they're discussing is actively participating in a 
Treatment Plan, then the Case Manager would be a potential Covered Entity 
(acutal one if she bills electronically) operating on her own behalf and 
participating in Treatment.
 
Only in the case that the Case Manager is doing a service on 
behalf of the Provider, and that service is not delivering health care, would a 
BAA be necessary.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Deborah Campbell 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, March 24, 2003 08:38 
  AM
  Subject: RE: New to this list, have two 
  questions.
  
  Here's my opinion. I'd be interested if anyone has other 
  opinions. 1) An email is unprotected as soon as it is 
  sent over the internet. Almost anyone can intercept it. So you need to 
  determine your risk and what you want to do to eliminate it. We have 
  determined that no PHI will be sent via email until we have an encryption 
  solution.
  2) It depends what the Case Manager is doing. If they are 
  working "on behalf of  the insurance carrier, 
  then they are either an employee of the carrier or a BA of the carrier. If 
  they are doing Quality Assurance on behalf of the carrier, you are permitted 
  to release PHI to them without the need of any contract with them (the carrier 
  would have the contract). Check § 164.506(c)(4) of the August revisions of the 
  Privacy Rule.
  Deborah Deborah Campbell 
  Compliance Coordinator 
  Dominion Dental Services, Inc. 115 
  South Union Street, Suite 300 Alexandria, Virginia 
  22314 
  Phn: (703) 518-5000 ext. 3035 Fax: 
  (703) 518-8849 Toll Free:  888-518-5338 
  Email: [EMAIL PROTECTED] 
  *** The information in this email is confidential and may be legally 
  privileged.  It is intended solely for the addressee.  Access to 
  this email by anyone else is unauthorized.
  If you are not the intended recipient, any disclosure, 
  copying, distribution or any action taken or omitted to be taken in reliance 
  on it is prohibited and may be unlawful.
  * 
  
  -Original Message- From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, March 24, 2003 9:25 AM To: WEDI 
  SNIP Privacy Workgroup List Subject: New to this list, 
  have two questions. 
  Hello List, 
  I am new to this list, so please be patient with me, if I ask 
  any questions that have been addressed repeatedly in 
  the past.  Anyway, I am the HIPAA Privacy Officer 
  for a Physician's Group Practice and have just recently finished our first round of "Privacy Training and Education" for the 
  group.  Two questions came up that I could not 
  answer specifically: 
     1)   Is there 
  specific direction as to what we can and can not discuss during  
  e-mails between the clinic and patient; and 
     2)   Do we need 
  a contract between Nurse Case Manager's that come in to our  
  office to discuss treatment plans with our doctors (that are contracted  
  by the Insurance Carrier) and our Physician's Group to satisfy 
  "Business  
  Associate Policy" portion of our HIPAA Privacy Rule policies? 
  I appreciate any information available.  Also, please let 
  me know if there are other "List-Serves" that are more specific to "Healthcare Privacy, Security 
  & Electronic Transactions." 
  Thank You, Daryl Ewing, CPC 
  RPK Anesthesia, 
  P.A.  
  
  --- The WEDI SNIP listserv to which 
  you are subscribed is not moderated. The discussions on this listserv 
  therefore represent the views of the individual participants, and do not 
  necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. 
  If you wish to receive an official opinion, post your question to the WEDI 
  SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreem

Re: Paper Claim Requirements

[Doug Webb]

Daryl,
The TCS standard applies to electronic claims only.  
Paper claims are not affected  Because the payer's systems will have 
to work with the data content of Complient claims, the paper claim will probably 
have to be modified by each payer to contain the data they need.  This 
means business as usual (possibly different rules for each payer) for paper 
claims.
 
The Privacy rules apply to all PHI if you are a CE, and the 
Security rules apply to all electronic PHI if you are a CE.
.
Whether a payer is willing to accept paper claims at all 
is up to them (except for Medicare, which is mandated by law to require all 
electronic calims by Oct 16, 2003 [except for "Small" providers, via an 
exception process yet to be defined]).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, March 24, 2003 01:10 
  PM
  Subject: Paper Claim Requirements
  Can anyone tell me if 
  there will be any specific requirements that will affect Paper Claims 
  Submission (format or content)?  I have seen this issue have 
  reference made to it, but I have yet to see any part of the actual "Rule" that 
  describes any details.Thanks for your help!Daryl 
  EwingMedical Billing & Compliance Manager  ---The WEDI 
  SNIP listserv to which you are subscribed is not moderated. The discussions on 
  this listserv therefore represent the views of the individual participants, 
  and do not necessarily represent the views of the WEDI Board of Directors nor 
  WEDI SNIP. If you wish to receive an official opinion, post your question to 
  the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These 
  listservs should not be used for commercial marketing purposes or discussion 
  of specific vendor products and services. They also are not intended to be 
  used as a forum for personal disagreements or unprofessional communication at 
  any time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: New to this list, have two questions.

[Doug Webb]

Title: RE: New to this list, have two questions.



Gregory,
Just to amplify on Judith's remarks,
You are exposed to the risk NOW, not when the final Security 
Rule fully kicks in.
You are accepting a huge risk anytime you expose PHI to the 
Internet.  Remenber that any of the millions of computers on the net can 
read this if they so choose.  Strong encryption appears to be the only way 
to protect PHI on the Internet.
 
If you would consider putting the information on a post card, 
perhaps it might be far enough away from PHI to consider mentioning it in an 
e-mail.  E-mail can be accessed by many more people than typical a post 
card will be exposed to.
 
As to your third question, there are four (at least) WEDI 
listserves that cover various portions of the topics you mentioned:
   Privacy, Security, Transactions, and Code 
Sets.
Pick the ones that serve your needs the best.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Bentz-Miller, 
  Judith 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, March 24, 2003 02:10 
  PM
  Subject: RE: New to this list, have two 
  questions.
  
  This was part of our privacy audit due to the following 
  reg:
  
  § 164.530 Administrative 
  requirements.
  (c)    (1) 
  Standard: safeguards. A covered entity must have in place appropriate 
  administrative, technical, and physical safeguards to protect the 
  privacy of protected health information.
   (2) 
  Implementation specification: safeguards. 
  (I) 
  A 
  covered entity must reasonably safeguard protected health information from any 
  intentional or unintentional use or disclosure that is in violation of the 
  standards, implementation specifications or other requirements of this 
  subpart.  
  We knew this was an issue, so we took the "no email to 
  patients" approach also.  In our opinion, It is just too big of 
  a risk.   
  Judith Bentz-Miller 
  Privacy Officer Arnett Clinic 765-448-8843 
  
   
   -Original 
  Message-From: Gregory Park 
  [mailto:[EMAIL PROTECTED]Sent: Monday, March 24, 2003 3:01 
  PMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: New 
  to this list, have two questions.
  
One follow-up question/remark/plead for public 
opinion to your response Deborah.
 
"...no 
PHI will be sent via email..."  Is that now or when?  Are you 
considering yourself at risk now because of the ruling?  Just curious 
as I have heard others in the field drop the "PHI Email" gate immediately as 
soon as they understood the Security rules.  Wouldn't you continue as 
usual and work towards a reasonable solution effective before 
2005?
 
Greg ParkProduct ManagerDB 
Technology 
Inc.Office:  
800-760-4096 
x117Cell: 
484-919-0392PA Office: 610-397-0288 
www.dbtech.com 

  -Original Message-From: Deborah Campbell 
  [mailto:[EMAIL PROTECTED]Sent: Monday, March 24, 
  2003 9:39 AMTo: WEDI SNIP Privacy Workgroup 
  ListSubject: RE: New to this list, have two 
  questions.
  Here's my opinion. I'd be interested if anyone has other 
  opinions. 1) An email is unprotected as soon as it 
  is sent over the internet. Almost anyone can intercept it. So you need to 
  determine your risk and what you want to do to eliminate it. We have 
  determined that no PHI will be sent via email until we have an encryption 
  solution.
  2) It depends what the Case Manager is doing. If they are 
  working "on behalf of  the insurance carrier, 
  then they are either an employee of the carrier or a BA of the carrier. If 
  they are doing Quality Assurance on behalf of the carrier, you are 
  permitted to release PHI to them without the need of any contract with 
  them (the carrier would have the contract). Check § 164.506(c)(4) of the 
  August revisions of the Privacy Rule.
  Deborah Deborah Campbell 
  Compliance Coordinator 
  Dominion Dental Services, Inc. 115 
  South Union Street, Suite 300 Alexandria, Virginia 
  22314 
  Phn: (703) 518-5000 ext. 3035 Fax: 
  (703) 518-8849 Toll Free:  
  888-518-5338 Email: 
  [EMAIL PROTECTED] 
  *** 
  The info

Fw: New to this list, have two questions.

[Doug Webb]

Title: RE: New to this list, have two questions.



Gregory,
We just do not send any e-mails containing PHI.  It might 
be something to consider when the ordinary patient has encryption/decrpytion 
capability for e-mail that is easy enough to use that a technoLuddite can use 
it.
 
We do contact Web sites that are capable of secure sessions to 
check on claims status.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Gregory Park 
  To: Doug Webb 
  Sent: Monday, March 24, 2003 03:22 
  PM
  Subject: RE: New to this list, have two 
  questions.
  
  Doug, I in 
  no way disregard the need to encrypt email.  I am a big proponent of it, 
  just not sure which is the best approach at the moment (see previous emails to 
  this list-serve).  Email was at risk at the same level before or after 
  the regulations.  The heart of my question (because I am not sure what 
  exactly is the right answer) is how do YOU (stand up healthcare community) 
  approach the issue?  
   
  Are you 
  dropping the electronic door now because your current methods for 
  electronically delivering PHI, in relation to the recent Security Regs, 
  may fall outside your security analysis, or do you manage the process now with 
  internal policies moving towards a technological fix well before the 
  regulation due dates?
   
   
  Greg ParkProduct ManagerDB 
  Technology 
  Inc.Office:  
  800-760-4096 
  x117Cell: 
  484-919-0392PA Office: 610-397-0288 
  www.dbtech.com 
  
-Original Message-----From: Doug Webb 
[mailto:[EMAIL PROTECTED]Sent: Monday, March 24, 2003 3:45 
PMTo: Gregory Park; WEDI SNIP Privacy Workgroup List; 
Bentz-Miller, JudithSubject: Re: New to this list, have two 
questions.
Gregory,
Just to amplify on Judith's remarks,
You are exposed to the risk NOW, not when the final 
Security Rule fully kicks in.
You are accepting a huge risk anytime you expose PHI to 
the Internet.  Remenber that any of the millions of computers on the 
net can read this if they so choose.  Strong encryption appears to be 
the only way to protect PHI on the Internet.
 
If you would consider putting the information on a post 
card, perhaps it might be far enough away from PHI to consider mentioning it 
in an e-mail.  E-mail can be accessed by many more people than typical 
a post card will be exposed to.
 
As to your third question, there are four (at least) WEDI 
listserves that cover various portions of the topics you 
mentioned:
   Privacy, Security, Transactions, and Code 
Sets.
Pick the ones that serve your needs the best.
 
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Bentz-Miller, Judith 
  To: WEDI SNIP Privacy Workgroup 
  List 
  Sent: Monday, March 24, 2003 02:10 
  PM
  Subject: RE: New to this list, have 
  two questions.
  
  This was part of our privacy audit due to the 
  following reg:
  
  § 164.530 Administrative 
  requirements.
  (c)    
  (1) Standard: safeguards. A covered entity must have in 
  place appropriate administrative, technical, and physical 
  safeguards to protect the privacy of protected health 
  information.
   (2) 
  Implementation specification: safeguards. 
  
  (I) 
  A 
  covered entity must reasonably safeguard protected health information from 
  any intentional or unintentional use or d

Re: Separating financial and clinical data

[Doug Webb]

Noel,
I don't know of anything that requires financial and medical 
info to be separated (or merged).  I believe that the regs are silent on 
this issue.  Both types of information are PHI.  They would both 
be part of the Designated Record Set for the practice.  
 
If the records are electronic rather than paper, then 
role-based access controls should be able to limit who has access to what.  
You probably don't have that option with paper records, and keeping multiple 
paper folders regarding the same patient sounds like an invitation to chaos to 
me.
 
As Ted commented, the same document (such as a copy of the 
insurance card) may be necessary for both Treatment purposes such as 
pre-authorization, and Financial purposes (such as getting paid).  Also 
consider that getting the proper Diagnosis Code on a claim is a necessary 
merging of the two types of information.  
 
IMHO, not only is the separtion not mandated, it is also next 
to impossible.  If workflow separates them, it will probably require 
duplication of the information in both places.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Noel 
  Chang 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Monday, March 24, 2003 08:48 
  PM
  Subject: Separating financial and 
  clinical data
  I had someone ask me a question the other day that I hadn't 
  heard before and it got me curious as to whether other people had 
  confronted this issue and what their outcome was.This person said 
  they were told by someone that HIPAA requires that providers keep 
  patient's medical records separate from their financial records.  Most 
  providers I deal with have the bulk of their financial data in whatever 
  software package they are using to file their claims.  The clinical 
  notes are kept in paper charts, however quite often they keep a copy of 
  the patient's insurance card in the chart and that specifically was the 
  "financial record" that they were concerned about being in the same place 
  as the "medical record".My immediate reaction was that there is no 
  specific requirement to do this in the Privacy rule but I then started to 
  think about what could possibly be the basis of such a statement?  
  The only thing I could come up with was the requirements under the minimum 
  necessary standard to identify who need access to what types of PHI, and 
  to then make reasonable efforts to limit access accordingly.  Upon 
  further thought I can see how someone might take the position that a 
  persons's insurance card or other insurance information should not be 
  necessary for the clinical staff to treat the patient.  Similarly, 
  the front office and billing personnel do not need any more clinical data 
  than what appears on the superbill so they should not have access to the 
  entire chart.  Perhaps this is where the conclusion that insurance 
  information cannot be kept in patient charts comes from?  Has anyone 
  else heard this opinion or possibly come to the same conclusion on their 
  own?In small office settings, quite often I have clients that are 
  taking the position that everyone in the office needs access to everything 
  because of the degree of job sharing and multi-tasking that goes on.  
  However (playing devil's advocate for a moment) just because you might 
  need access to a piece of PHI when you are asked to cover a job for a sick 
  co-worker, does that justify you always having access to that PHI 
  including when you are performing tasks that do not require that piece of 
  PHI?  I have not encountered one physician's office that uses paper 
  charts where the chart does not start out in the hands of the people at 
  the check-in window.  Do they really need access to the complete 
  chart (medical history, docotor's notes, lab results, etc.) to check in a 
  patient?The more I think about it the more I can understand how 
  someone might arrive at this position but talk about an impediment to work 
  flow!  Do we now need one set of charts for financial data that is 
  not in software systems (e.g. copies of insurance cards) and a separate 
  set of charts for clinical data?Someone please show me a convincing 
  out!Noel ChangNoel ChangIntegral Practice 
  Solutions--Open WebMail Project (http://openwebmail.org)---The 
  WEDI SNIP l

Re: section 164.514(d)(3)(iii)(B)

[Doug Webb]

Leslie,
To build on what Leah said, I think that what you have in your 
NPP is OK, but possibly goes into unnecessary detail (Don't kill any more 
trees!).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Leah Hole-Curry 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Tuesday, March 25, 2003 03:03 
  PM
  Subject: Re: section 
  164.514(d)(3)(iii)(B)
  Leslie,In my opinion, while it would be good to apply 
  some minimum necessaryprincipals, I don't think you are required to do so 
  in this situation.Because these are providers (covered or not)  
  using, disclosing, andrequesting the PHI for treatment.  
  Under 164.502(b)(2) - min. necessary doesn't apply to disclosures to 
  orrequests by a health care provider for treatment.And under 
  164.506(c)(1) - covered entities can use/disclose PHI for itsown treatment 
  activities and (2) for treatment activities of (another)health care 
  provider.Regards, lhcLeah Hole-Curry, JDFOX Systems, 
  Inc.602.708.1045 Information transmitted is confidential and may be 
  proprietary to FOXSystems, Inc.  It is intended only for the person 
  or entity to which itis addressed.   Anyone else is prohibited 
  from disclosing, copying, ordisseminating the contents or 
  attachments.  If you receive this inerror, please notify sender 
  immediately, or us at www.foxsys.com 
  anddelete from your system.>>> "Harpe, Leslie" <[EMAIL PROTECTED]> 03/25/03 
  12:21 PM >>>Your opinions on the following scenario:A patient 
  is seen in the ER last night.  Dr. A ordered labs.  Dr. 
  Bcallsthe lab for the results today.  Lab only knows the ordering 
  doctor. Basedon the fact that Dr. B knows labs were ordered and 
  according to section164.514(d)(3)(iii)(B), we are going to release the lab 
  results withoutanauthorization.  We believe that this is 
  continuum of care and we arereleasing to another covered entity. (No 
  disclosure is required either.) Ifeach department identifies who 
  can release the info, the minimum theycanrelease for routine 
  disclosure and develop criteria for non-routinedisclosures, this should be 
  an acceptable practice. Page 82545 alsosupportsthis 
  interpretation.  My notice also informs the patient that we will 
  dothis as continuum of care.Once the chart is received by medical 
  records though, we will require anauthorization if the physician is not on 
  record.  I hope this is right, if not, we'd better start planting 
  more trees tosupport the tremendous mounds of paperwork.    
  Thanks,Leslie HarpePrivacy OfficialSouth Georgia Medical 
  CenterValdosta, GA  31603-1727[EMAIL PROTECTED]---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. 
  Thediscussions on this listserv therefore represent the views of 
  theindividual participants, and do not necessarily represent the views 
  ofthe WEDI Board of Directors nor WEDI SNIP. If you wish to receive 
  anofficial opinion, post your question to the WEDI SNIP Issues Database 
  athttp://snip.wedi.org/tracking/.   
  These listservs should not be used forcommercial marketing purposes or 
  discussion of specific vendor productsand services.  They also are 
  not intended to be used as a forum forpersonal disagreements or 
  unprofessional communication at any time.You are currently subscribed 
  to wedi-privacy as:[EMAIL PROTECTED]To 
  unsubscribe from this list, go to the Subscribe/Unsubscribe form athttp://subscribe.wedi.org or send a blank 
  email to[EMAIL PROTECTED]If 
  you need to unsubscribe but your current email address is not thesame as 
  the address subscribed to the list, please use theSubscribe/Unsubscribe 
  form at http://subscribe.wedi.org---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communic

Re: section 164.514(d)(3)(iii)(B)

[Doug Webb]

Dan,
I had overlooked Leslie's mention of requiring authorization 
after it hits Medical Records.  
 
I agree with you that authorization is not necessary for 
sending medical info for Treatment purposes to another Physician.  I would 
think that the older the information, the more questions I would ask before 
releasing the information (just to be sure that the inquirier is really involved 
in the patient's Treatment).
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dan Kelsey 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, March 26, 2003 08:30 
  AM
  Subject: RE: section 
  164.514(d)(3)(iii)(B)
  Leslie - I agree with your approach.  However, let me play 
  devil's advocate on the last part of your message - Suppose I am a 
  cardiologist, and am seeing a new patient in my office.  In talking to 
  the patient I discover the patient was recently seen at your hospital - I call 
  over to the hospital and ask for a copy of the EKG.  I need this 
  information for treatment purposes - however, I was not involved in the 
  patient's recent hospitalization.  Based on your approach, I will 
  need to get an authorization from the patient, fax it over to HIM at the 
  hospital and then get the EKG.  I fully understand your reasoning.  
  But this is a covered entity requesting information for treatment.  The 
  commentary also states that information can be released to individuals to the 
  extent they are involved in the care of the patient.  Personally, I do 
  not think the authorization is necessary.My concern is that the 
  approach you outlined could potentially delay the delivery of care to 
  patients.  What if the roles were reversed?  What if I am a 
  physician and do not have staff privileges at your hospital and am not part of 
  an OHCA?  A patient of mine is hospitalized at your facility, and the 
  hospital calls my office asking about medical history, etc.  - I then 
  say, sorry you will have to get an authorization from the patient and fax it 
  over to get the information - It certainly will not make the busy RN or staff 
  physician very happy.Like I said, I am not disagreeing with your 
  approach, just playing devil's advocate.Dan KelseyPractice 
  AdvisorIndiana State Medical Association-Original 
  Message-From: Harpe, Leslie [mailto:[EMAIL PROTECTED]Sent: 
  Tuesday, March 25, 2003 3:15 PMTo: WEDI SNIP Privacy Workgroup 
  ListSubject: section 164.514(d)(3)(iii)(B)Your opinions on the 
  following scenario:A patient is seen in the ER last night.  Dr. A 
  ordered labs.  Dr. B callsthe lab for the results today.  Lab 
  only knows the ordering doctor.  Basedon the fact that Dr. B knows 
  labs were ordered and according to section164.514(d)(3)(iii)(B), we are 
  going to release the lab results without anauthorization.  We believe 
  that this is continuum of care and we arereleasing to another covered 
  entity. (No disclosure is required either.)  Ifeach department 
  identifies who can release the info, the minimum they canrelease for 
  routine disclosure and develop criteria for non-routinedisclosures, this 
  should be an acceptable practice. Page 82545 also supportsthis 
  interpretation.  My notice also informs the patient that we will 
  dothis as continuum of care.Once the chart is received by medical 
  records though, we will require anauthorization if the physician is not on 
  record.  I hope this is right, if not, we'd better start planting 
  more trees tosupport the tremendous mounds of paperwork.    
  Thanks,Leslie HarpePrivacy OfficialSouth Georgia Medical 
  CenterValdosta, GA  31603-1727[EMAIL PROTECTED]---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services.  They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You a

Re: NPP and Disclosure

[Doug Webb]

Gregory,
Your client is wrong.  Accounting for Every disclosure if 
definately not required by the Privacy or Security regs.  Most transactions 
involving the Treatment of Patients and obtaining Payment are explicitly 
excluded from the need to report them (in very great detail as to what is 
excluded).  Get out your reading glasses, because it is all detailed in the 
Federal Register (small print, and lots of it!).
 
In our case, operating as a Billing Service, we have never in 
our history encountered a situation that would result in a release of 
information that would have to be reported.
The major categories of reporting would be releases related to 
responding to Audits and Sopoenas.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Gregory Park 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, March 27, 2003 11:10 
  AM
  Subject: NPP and Disclosure
  I have a client that has written within their NPP that the 
  patient candemand an audit of every (NOTE EVERY) disclosure of their PHI, 
  even if thisdisclosure is related to patient care and billing.It 
  is my understanding that this is not dictated as a requirement 
  withinPrivacy, and only is briefly mentioned in Security as something that 
  must beaccomplished for disclosure outside of patient care or billing (for 
  examplegovernmental disclosure, or legal).I need confirmation 
  because the particular client is stating that all of itsvendors now must 
  provide an audit trail of every action (print, copy, email)according to 
  the regulations.If I am wrong, then maybe this isn't 
  simplification?Thanks in advance.Greg ParkProduct 
  ManagerDB Technology 
  Inc.Office:  
  800-760-4096 
  x117Cell: 
  484-919-0392PA Office: 
  610-397-0288-Original Message-From: Bill Cushing 
  [mailto:[EMAIL PROTECTED]Sent: Thursday, March 27, 2003 11:35 
  AMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: Patient Phone Calls 
  and NPPCan anyone please confirm the HHS/OCR phone number that 
  weshould be using for the NPP?Thanks, BillAt 09:25 AM 
  3/27/2003 -0600, KERBER, JEFF wrote:>Vicki,>>This is an 
  ongoing issue with HHS/OCR -- ask a question twice, get two>different 
  answers from different people.>>Jeff>>Jeff 
  Kerber>Director, HIPAA Compliance>Texoma Healthcare 
  System>903-416-5520>>>-Original 
  Message->From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]>Sent: Wednesday, March 26, 2003 3:55 
  PM>To: WEDI SNIP Privacy Workgroup List>Subject: Patient Phone 
  Calls and NPP>>>After 4/14, when a patient calls for a 
  prescription refill, or to ask a>medical question, are we obligated to 
  then mail them a copy of the NPP and>ask them to send us a signed 
  acknowledgement? A question like this wasasked>regarding 
  prescriptions at the Atlanta OCR conference in February and the>answer 
  that day was no, the next visit would be the occasion to give the>NPP. 
  Today, on the OCR conference call, a similar question was asked 
  andthe>answer was that the NPP needed to be mailed. Can anyone 
  direct me to a>reference or guidance on this?>>Vicki 
  Saunders>Compliance Manager/Privacy 
  Officer>[EMAIL PROTECTED]>>Confidentiality Notice: 
  The information contained in this e-mail>transmission is confidential 
  information and intended for the sole use of>the individual(s) or 
  entity named in the message header. If you are not the>intended 
  recipient, you are hereby notified that any dissemination, copying>or 
  taking any action in reliance on the contents of this information 
  is>strictly prohibited. If you receive this message in error, please 
  notifythe>sender of the error and delete this message, any 
  attachments and allcopies.>Thank 
  you.>>>--->The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The>discussions on this listserv therefore 
  represent the views of theindividual>participants, and do not 
  necessarily represent the views of the WEDI Board>of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion,post>your question 
  to the WEDI SNIP Issues Database 
  at>http://snip.wedi.org/tracking/.   These listservs should 
  not be used for>commercial marketing purposes or discussion of specific 
  vendor products and>services.  They also are not intended to

Re: NPP and Disclosure

[Doug Webb]

Judith,
Yes, such disclosures are also on the short list of what needs 
to be accounted for.  We try to keep all such as infrequent as 
possible.  So far, if they were logged in the past, the list would still be 
on its first page.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Bentz-Miller, 
  Judith 
  To: 'Doug Webb' 
  Sent: Thursday, March 27, 2003 02:03 
  PM
  Subject: RE: NPP and Disclosure
  
  Doug,
  What about releasing the incorrect information?  Faxing the wrong 
  file?  These are all disclosures that need to be accounted for, 
  right?
   
  
  Judith Bentz-Miller 
  Privacy Officer Arnett Clinic 765-448-8843 
  
-Original Message-From: Doug Webb 
[mailto:[EMAIL PROTECTED]Sent: Thursday, March 27, 2003 3:01 
PMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: NPP 
and Disclosure
Gregory,
Your client is wrong.  Accounting for Every 
disclosure if definately not required by the Privacy or Security regs.  
Most transactions involving the Treatment of Patients and obtaining Payment 
are explicitly excluded from the need to report them (in very great detail 
as to what is excluded).  Get out your reading glasses, because it is 
all detailed in the Federal Register (small print, and lots of 
it!).
 
In our case, operating as a Billing Service, we have never 
in our history encountered a situation that would result in a release of 
information that would have to be reported.
The major categories of reporting would be releases 
related to responding to Audits and Sopoenas.
 
The opinions expressed here are my own and not necessarily the opinion 
of LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the 
individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Gregory Park 
  
  To: WEDI SNIP Privacy Workgroup 
  List 
  Sent: Thursday, March 27, 2003 11:10 
  AM
  Subject: NPP and Disclosure
  I have a client that has written within their NPP that the 
  patient candemand an audit of every (NOTE EVERY) disclosure of their 
  PHI, even if thisdisclosure is related to patient care and 
  billing.It is my understanding that this is not dictated as a 
  requirement withinPrivacy, and only is briefly mentioned in Security 
  as something that must beaccomplished for disclosure outside of 
  patient care or billing (for examplegovernmental disclosure, or 
  legal).I need confirmation because the particular client is 
  stating that all of itsvendors now must provide an audit trail of 
  every action (print, copy, email)according to the 
  regulations.If I am wrong, then maybe this isn't 
  simplification?Thanks in advance.Greg ParkProduct 
  ManagerDB Technology 
  Inc.Office:  
  800-760-4096 
  x117Cell: 
  484-919-0392PA Office: 
  610-397-0288-Original Message-From: Bill Cushing 
  [mailto:[EMAIL PROTECTED]Sent: Thursday, March 27, 2003 11:35 
  AMTo: WEDI SNIP Privacy Workgroup ListSubject: RE: Patient Phone 
  Calls and NPPCan anyone please confirm the HHS/OCR phone 
  number that weshould be using for the NPP?Thanks, BillAt 
  09:25 AM 3/27/2003 -0600, KERBER, JEFF 
  wrote:>Vicki,>>This is an ongoing issue with HHS/OCR 
  -- ask a question twice, get two>different answers from different 
  people.>>Jeff>>Jeff Kerber>Director, 
  HIPAA Compliance>Texoma Healthcare 
  System>903-416-5520>>>-Original 
  Message->From: [EMAIL PROTECTED] 
  [mailto:[EMAIL P

Re: Multiagency authorizations

[Doug Webb]

Title: Message



Gregory
There is a difference between compound authorizations (one 
authorization for several things, which is prohibited) and several 
authorizations on the same piece of paper (which is OK, just so long as each one 
has an indication that it was individually considered).  To make it clear 
that each authorization is separate, you could enclose each in a 
box.
 
Previous discusson on this listserve asked the question if the 
piece of paper could be signed once, and then each other area initialed, and the 
conclusion seemed to be 'Yes' (to my understanding, anyhow).  It would be a 
good idea to allow for Patient and Subscriber signatures and/or initials 
separately.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Gregory Park 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, March 28, 2003 08:35 
  AM
  Subject: RE: Multiagency 
  authorizations
  
  I know a 
  lot of hospitals that are disregarding this point.  More often than not I 
  understand that many of my clients have decided to piggy-back the NPP receipt 
  verification along with their existing Treatment Authorization forms, but I 
  suppose this is a matter of how you look at it.  The treatment 
  authorization form may not have information regarding your notice of privacy, 
  but can your notice of privacy include a consent for treatment?  
  
   
  I suppose 
  this argument could be made?
   
  Again, the 
  spirit of these regulations is to simplify healthcare, and protect patient 
  rights.  
   
  Greg ParkProduct ManagerDB 
  Technology 
  Inc.Office:  
  800-760-4096 
  x117Cell: 
  484-919-0392PA Office: 610-397-0288 
  www.dbtech.com 
  
-Original Message-From: Schmitt, Laura A. 
[mailto:[EMAIL PROTECTED]Sent: Thursday, March 27, 
2003 8:49 PMTo: WEDI SNIP Privacy Workgroup 
ListSubject: Multiagency authorizations
Several people on our HIPAA implementation team are 
hoping others input might help in resolving our question 
about HIPAA's instructions to avoid compound authorizations and how 
that relate to the use of multi-agency authorization 
forms.  
 
The final HIPAA Privacy regulations - 164.508 (b)(3) 
- prohibit the use of compound authorizations (i.e., combining with any 
other document an authorization for use or disclosure of phi...except for 
limited and specific exceptions).  
 
We are a county-operated yet multi-jurisdictional 
behavioral health organization that plans, contracts, and directly 
provides treatment & prevention services. We are one 
of several covered health care components of our County government's 
hybrid entity. Much of the clinical work we do is as part 
of collaborative teams with other organizations (i.e., court 
staff, county social service staff, coordinating offices that serve as 
fundors, and other community groups, agencies & service providers). 

 
In 
the past, the local human service organizations that staffed such 
efforts agreed to use a multi-agency "Universal" authorization form. 
This form includes checkboxes for the various organizations involved, and 
then all of the other listed elements of a valid 
authorization. The clinical staff point out the obvious 
benefit that staff and the client need only sign one 
form. 
 
The other point of view is that proffered by our MIS vendor and 
endorsed by several groups similar to ours in the state is the single 
purpose release forms, which allow for only one-on-one exchanges of 
information between entities. This option assuries that the system 
records the limits of each release individually. Primarily the 
technical staff consider the single agent/purpose release form to conform to 
the spirit of the regulations...but clinicians believe that they will create 
an overwhelming paperwork burden on staff & clients.  

 
I've found the language of this section confusing, and would be 
interested in knowing how others have interpreted this section and resolved 
the issue of handling releases of information when working with clients 
involved with numerous organizations.  
 
Thanks in advance for any insights you can of

Re: Receipt of PHI

[Doug Webb]

Marcus,
The Covered Entity is the one taking the risk here, not 
you.  You do not have responsibility for the PHI until it enters your 
system.
 
Some hungry lawyer may try to put some responsibility on your 
door, since you did not not refuse to accept unencrypted information.  I 
don't think the suit would win, but it might be expensive to fight.
 
You should (as forcefully as you deem appropriate) point out 
the risk to the CE and proactively work to correct the situation.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Marcus 
  E. McCrory 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, March 28, 2003 01:13 
  PM
  Subject: Receipt of PHI
  
  I would appreciate any suggestions on how a 
  business associate should address the receipt of PHI from a covered entity 
  that has been sent across an open network (without encryption) after the 
  Privacy Rule is enforceable.
   
  Thank you.
   
  Marcus McCrory
  ---The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The discussions on this listserv therefore 
  represent the views of the individual participants, and do not necessarily 
  represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish 
  to receive an official opinion, post your question to the WEDI SNIP Issues 
  Database at http://snip.wedi.org/tracking/. These listservs should not be used 
  for commercial marketing purposes or discussion of specific vendor products 
  and services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: developing pictures

[Doug Webb]

Noel,
I agree with the thrust of the earlier thread on this list -- 
the additional inscription makes it PHI.
 
I just had a thought, though.  Could the autographed 
picture itself be a kind of authorization for use?  I know it's not on a 
document that has the proper words, but could the intent be derived its 
content?  I don't know -- any ideas out there?  I suspect that the 
formalists will say "no", but let's pick our collective brains.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Noel 
  Chang 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, April 04, 2003 12:44 
  AM
  Subject: Re: developing pictures
  Interesting question.I'd back up and first reconsider 
  are the pictures in and of themselves PHI?  If the picture includes 
  enough of an individual's face then I guess it is possible that someone 
  could identify the subject of the picture if they recognized them by their 
  face.  But just a person's identity by itself is not PHI.  There 
  has to be something else disclosed that involves the past, present, or 
  future, medical condition, treatment, etc.  Even if the picture does 
  show the patient's face, does the person developing the picture know they 
  are developing picutres from a health care provider and that they are 
  specifically developing pictures of a patient?The same goes for 
  the pictures that are developed at the local pharmacy by the nursing 
  staff.  How does anyone know that the pictures being developed are of 
  patients and not the nurse's children or nieces and nephews?This is 
  similar to a question I asked this list serv a while ago about pictures of 
  patients on the walls of doctor's offices.  I have a few clients who 
  have treated atheletes or astronauts and they have been given pictures by 
  these patients to hang on their office walls.  Some of the picture 
  have nothing other than the patient's signature/autograph.  Others 
  have inscirptions such as "Dear Doctor Smith, thanks for the excellent 
  care".If the picture only has an autograph or signature, I think it is 
  OK.  People might assume from the picture that the photograph is of a 
  patient but how do they know it is not just a friend or in the case of 
  atheletes, maybe the doctor is just a fan?  If the picture has an 
  inscription like the one I cited above, that specifically recognizes the 
  doctor-patient relationship, then I think it crosses the line and becomes 
  a disclosure of PHI.  Those pictures should come down or have the 
  patient sign an authorization. Noel ChangIntegral Practice 
  Solutions--Open WebMail Project (http://openwebmail.org)-- 
  Original Message ---From: "Oriol, Albert" <[EMAIL PROTECTED]>To: 
  "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>Sent: 
  Thu, 3 Apr 2003 19:17:19 -0700Subject: developing pictures> 
  Here's a good one I had not heard to date.  We often take photos. 
  > Most of the ones that are taken for medical reasons require quality 
  > developing and thus are developed in-house or taken to a top notch 
  shop> > (with whom, I'd think if needed we could have a BA 
  agreement in > place) -- Question, what do you all think, assuming the 
  pictures > will show identifying information? >  > 
  The other situation is that of pictures taken for projects for our > 
  kids, or for some newsletter. We're a kid's hospital and for > instance 
  we might want to have kids build something with their > picture to give 
  mom for mother's day. These types of pictures most > likely just get 
  developed at whatever pharmacy happens to be on the > way of a nurse's 
  or other professional's way home.  How should we > handle 
  those?  Take all our pictures to the place(s) we have BA's in > 
  place and only there? >  > a.> >  
  > > DISCLAIMER:> CONFIDENTIALITY NOTICE:  The 
  information contained in this message > is legally privileged and 
  confidential information intended for the > use of the individual or 
  entity named above. If the reader of this > message is not the intended 
  recipient, or the employee or agent > responsible to deliver it to the 
  intended recipient, you are hereby > notified that any release, 
  dissemination, distribution, or copying > of this communication is 
  strictly prohibited.  If you have received > th

Re: Collection Accts.

[Doug Webb]

Leslie,
Thank you for a timely and 
well-written analysis.
 
So many bad things happen when 
HIPAA is mis-read to restrict information exchange it really isn't 
restrict.
The "may" in the regulations 
also opens a can of worms, but it has to be emphasized that if the release that 
HIPAA says may happen is denied, HIPAA cannot be used as an excuse for the 
denial.  The denial is either based on the prohibitions of some 
other law, or the CE's paranoia.
 
The opinions expressed here are my own and not 
necessarily the opinion of LCMH.
 
Douglas M. WebbComputer System EngineerLittle 
Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that 
is confidential and/or legally privileged. It is intended only for the use of 
the individual(s) and entity(s)  named as recipients in the message. If you 
are not an intended recipient of the message, please notify the sender 
immediately,  delete the material from any computer, do not deliver, 
distribute, or copy this message, and do not disclose its contents or take 
action in reliance on the information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Lbender 
  To: WEDI SNIP Privacy Workgroup List 
  
  Cc: B BURGESS ; [EMAIL PROTECTED] 
  
  Sent: Thursday, October 30, 2003 10:06 
  AM
  Subject: Re: Collection Accts.
  
  Charles et al.: 
   
  Funny you should raise this issue in light of the terse cover page story 
  in this morning's Wall Street Journal entitled, "Hospitals Try Extreme 
  Measures to Collect Their Overdue Debts."  Maybe worth a read if your 
  blood pressure is lower than you'd like this a.m.
   
  Your issue underscores the intersection of the federal Fair Debt 
  Collection Practices Act ("FDCPA"), the Fair Credit Reporting Act ("FCRA"), 
   and HIPAA.  A quick trek to the preamble of the HIPAA privacy rule 
  and its modifications reveals that the Office for Civil Rights has indicated 
  in no uncertain terms (despite what the so called "credit repair" websites 
  reveal) that debt collections, locational activities (skip tracing), and 
  credit reporting consistent with the FCRA (which data elements HIPAA tracks in 
  describing what can be credit reported) all fall within the "P" in TPO 
  (treatment, payment and health care operations) -- whether undertaken directly 
  by a covered entity or by its collection agency business associate.  
  OCR's position on this is also in a number of the FAQs on their website.
   
  Marcallee is correct - if a debtor contacts a credit reporting agency 
  ("CRA") and states that they dispute a debt reported either by a healthcare 
  provider or its collection agency because it has been paid, the CRA must, 
  under the FCRA, have the data furnisher ("data furnisher" is either the 
  provider or collection agency who reported the delinquent account to the CRA), 
  research it and respond within thirty (30) days (15 U.S.C. Section 
  1681i).  The CRA must also mark the account as "disputed" on any credit 
  reports released before the verification is complete.  If the CRA makes a 
  business decision not to investigate the consumer's dispute, or alternatively 
  investigates but the "data furnisher" does not respond, the CRA must remove 
  the reported delinquency from the patient's credit report within that same 30 
  day period.  Section 611 of the FCRA (15 U.S.C. Section 1681i) is rather 
  detailed on the specifics of how information is to flow in response to a 
  consumer's dispute.  Of course if the CRA determines that the dispute is 
  frivolous or irrelevant it need not undertake an investigation.  A data 
  furnisher has an obligation under the FCRA to furnish accurate and complete 
  information as well as to correct and update information from time to time as 
  new information becomes available to it (certainly such as payment in full of 
  a delinquent account).  See, FCRA at Section 623.
   
  The use and disclosure of "payment" information between CRA, 
  provider, collection agency, and debtor/patient is potentially governed by 
  each of these three federal consumer information protection oriented laws 
  (i.e., FDCPA, FCRA, and HIPAA -- as well as potentially Section 5 of the 
  Federal Trade Commission Act) -- in fact it may be mandated.  If a CRA 
  received a consumer dispute, contacted a hospital or collection agency for 
  verification, and the hospital or collection agency refused to respond 
  (remember that 164.512(a) "permits" a covered entity to make "disclosures 
  required by law"  -- but HIPAA itself would not mandate the disclosure) - 
  the refusal would be at odds with their legal requirement under the FCRA to 
  report accurate and complete information.
   
  It would not seem then that Judith's debtor or the credit repair helpsite 
  are accurately interpreting HIPAA -- or the FCRA.  HIPAA does not require 
  a hospital to obtain a debtor's written permission to use a business associat

Re: Collection Accts.

[Doug Webb]

David,
Even if it were covered by HIPAA (I don't 
think the info the collector gets is truly PHI), it would still be a permitted 
release of PHI, since it's for Payment.
I think even OCR has said that derivable 
"releases" are not really releases of PHI, any more than seeing the patient's 
car in the doctor's parking lot really releases anything.
 
As for that bill from the Oncologist that 
implies a cancer diagnosis -- the true diagnosis could be just the opposite 
(people will consult a specialist to verify that they don't have a condition, in 
addition to seeking treatment for the condition).
 
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message ----- 
  From: 
  Wellons, David L 
  To: 'Doug Webb' ; WEDI SNIP Privacy Workgroup List 
  
  Sent: Thursday, October 30, 2003 01:05 
  PM
  Subject: RE: Collection Accts.
  
  One more though on Leslie's last 
  paragraph.
   
  Debt collection would not have specifics 
  as to the treatment, so there should not be any PHI in the issue.  Now a 
  problem could arise, if for example an oncologist is trying to collect a bill 
  from a guarantor (note I didn't say patient), and someone else sees that 
  information, they can surmise the guarantor has cancer (apply this to any 
  other medical situation).
  However, in collection activities, they are trying to collect money 
  from a guarantor, who may or may not be a patient.  I don't see where the 
  fact you owe a debt to anyone BESIDES a healthcare provider would be treated 
  one way, and the collection for a health provider would be handled differently 
  (or not permitted).  Too many scoundrels will hide behind that 
  loophole.
   
  So, the question/point is - 
  Collection activities are between creditor and guarantor.  HIPAA 
  therefore shouldn't apply.  One cannot accurately assume the guarantor is 
  the patient.  And except for (possibly) the fact that the name of 
  the service provider MAY indicate the type of diagnosis the patient had, there 
  is not necessarily a direct correlation.  Following the original logic, 
  if I were involved in a parking lot auto accident at a physician office, the 
  police report could not be made public under HIPAA since it may indicate that 
  I have a certain medical condition.
   
   
  -Original Message-From: Doug Webb 
  [mailto:[EMAIL PROTECTED]Sent: Thursday, October 30, 2003 11:27 
  AMTo: WEDI SNIP Privacy Workgroup ListSubject: Re: 
  Collection Accts.
  Leslie,
  Thank you for a timely and 
  well-written analysis.
   
  So many bad things happen when 
  HIPAA is mis-read to restrict information exchange it really isn't 
  restrict.
  The "may" in the regulations 
  also opens a can of worms, but it has to be emphasized that if the release 
  that HIPAA says may happen is denied, HIPAA cannot be used as an excuse 
  for the denial.  The denial is either based on the prohibitions of 
  some other law, or the CE's paranoia.
   
  The opinions expressed here are my own and not 
  necessarily the opinion of LCMH.
   
  Douglas M. WebbComputer System EngineerLittle 
  Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED]
   
  "This electronic message may contain information that 
  is confidential and/or legally privileged. It is intended only for the use of 
  the individual(s) and entity(s)  named as recipients in the message. If 
  you are not an intended recipient of the message, please notify the sender 
  immediately,  delete the material from any computer, do not deliver, 
  distribute, or copy this message, and do not disclose its contents or take 
  action in reliance on the information it contains. Thank you."
   
   
  
- Original Message - 
From: 
Lbender 
To: WEDI SNIP Privacy Workgroup 
List 
Cc: B BURGESS ; [EMAIL PROTECTED] 

Sent: Thursday, October 30, 2003 10:06 
AM
Subject: Re: Collection Accts.

Charles et al.: 
 
Funny you should raise this issue in light of the terse cover page 
story in this morning's Wall Street Journal entitled, "Hospitals Try Extreme 
Measures to Collect Their Overdue Debts."  Maybe worth a read if your 
blood pressure is lower than you&#

Re: Use of the Privacy Notice

[Doug Webb]

Catherine,
You have to give them an opportunity to opt out.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Catherine Lohmeier 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, October 31, 2003 10:21 
  AM
  Subject: Use of the Privacy Notice
  
  
  I need opinions on whether or not 
  one can use the Privacy Notice acknowledgment as evidence of agreement to the 
  disclosures listed in 164.510 (Facility directory-disclosure to family and 
  friends) if those disclosures are listed in the 
  Notice.
   
  Catherine 
  Lohmeier
  Implementations 
  Project Lead
  OD 
  Professional™ Team
  888.621.5751 
  x 
  15
  402.423.6509 
  x 
  15
   
   
   ---The 
  WEDI SNIP listserv to which you are subscribed is not moderated. The 
  discussions on this listserv therefore represent the views of the individual 
  participants, and do not necessarily represent the views of the WEDI Board of 
  Directors nor WEDI SNIP. If you wish to receive an official opinion, post your 
  question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. 
  These listservs should not be used for commercial marketing purposes or 
  discussion of specific vendor products and services. They also are not 
  intended to be used as a forum for personal disagreements or unprofessional 
  communication at any time.You are currently subscribed to wedi-privacy 
  as: [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

Re: Unnecessary BAAs

[Doug Webb]

Rachel,
Consider how much PHI the facility has acquired from the DME 
provider while offering the services specified in the BAA to the DME provider 
(none!).  PHI acquired by other means is not 
affected by this particular BAA.  The notification of breaches, and 
accountable disclosures, etc. only applies to that PHI (none!).
 
Yes, it is an unnecessary contract, but, since the thrust of 
the contract is to protect information that doesn't exist, it doesn't really 
have an effect.  Check with your attorney to determine the best approach to 
get rid of this annoyance.  (and yes, you will destroy the non-existant PHI 
when the contract is terminated -- destruction of nothing happens real 
fast).  Watch out for terms in the BAA that do things other than a 
proper HIPAA-complient BAA should!
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  rachelmcass 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, November 07, 2003 09:43 
  AM
  Subject: Unnecessary BAAs
  Does anyone have any suggestions on what to do when a Business 
  AssociateAgreement has been signed unnecessarily?  For instance, a 
  nursing facilityhas signed a BAA with a durable medical equipment 
  provider, naming thenursing facility as the BA.  As both entities are 
  considered health careproviders, and the nursing facility has been 
  determined not to be providingservices to the durable medical equipment 
  provider, it is not necessary forthe nursing facility to sign the BAA 
  naming the facility as the BA.The facility did this, and now has a 
  contractual obligation to do a numberof things unnecessarily.  For 
  instance, the terms of the agreement statethat the facility will notify 
  the medical equipment provider within X numberof days of a breach of 
  privacy, notify when accounting for an accountabledisclosure, etc.  
  This being the case, the agreement requires that thefacility do such 
  things as notify the organization every time it has a stateinspection 
  (which occurs no less than annually), because that is anaccountable 
  disclosure.This seems absolutely unnecessary; the facility does not 
  provide anyservices to the other entity.  If anything, it would be 
  the other wayaround.  What is the best way to terminate or modify 
  these provisions?  Canthey just cancel the agreement, even though it 
  has the terminationprovisions required by the Privacy Rule (return or 
  destruction of PHI, etc.)What if the other entity is adverse to 
  terminating or modifying the BAA?Has anyone else encountered 
  this?On a completely unrelated note, I just had one of my previous 
  health careproviders (who is a covered entity, I received a NPP from them) 
  leave amessage on my answering machine informing me that their office is 
  providingservices to someone else with my name.  They apparently 
  haven't beenchecking birth dates, or other information, and they think 
  they may haveaccidentally billed my insurance.  They want my help in 
  investigating/fixingthis situation.  Seems to me that there may have 
  been a way to approach thiswithout telling me that someone else named 
  Rachel Cass is receiving servicesfrom them; anyone agree?  (No, I 
  really don't intend to contact OCR on this;just think it is an interesting 
  Privacy scenario).  It also make me wonderif another Rachel Cass has 
  been told that I have been treated by thatprovider.Thanks 
  -Rachel M. Cass(319) 430-6591[EMAIL PROTECTED]IMPORTANT 
  NOTICE: This e-mail, including attachments, may be confidential 
  orprivileged communication intended for the exclusive use of the person 
  orentity to which it is addressed.  If the reader of this e-mail is 
  not theintended recipient, the reader is hereby notified that any 
  dissemination,distribution or copying of this e-mail is strictly 
  prohibited.  If you thinkthat you have received this e-mail in error, 
  please advise the sender byreply e-mail of the error and then delete this 
  e-mail immediately.---The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The discussions on this listserv therefore 
  represent the views of the individual participants, and do not necessarily 
  represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish 
  to receive an official opinion, post your question

Re: Post-enrollment kits

[Doug Webb]

Diana,
With respect to Privacy, your mailer would be equivalent to a 
sealed envelope IF the layout was such that no PHI were visable without breaking 
one of your seals.
 
Now with respect to Security, it seems to be pretty weak 
security.  I would not recommend this as a long-term solution.
 
Consider -- would you appreciate your credit card statement 
coming in this manner?  I do not think that a large segment of the public 
would.
 
Our water bill comes on a postcard.  I don't like it, but 
since I don't have an option, I gave up griping.
 
The opinions expressed here are my own and not necessarily the opinion of 
LCMH.
 
Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital & Health Care Centers[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s)  named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately,  
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."
 
 

  - Original Message - 
  From: 
  Dana 
  Frank 
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Friday, November 07, 2003 03:18 
  PM
  Subject: Post-enrollment kits
  
  
  Since my last question received 
  such thorough and educated answers, I would like to pose another question to 
  the group.
   
  We are considering changing our 
  method of mailing our post-enrollment dental plan booklets, which include the 
  member’s insurance certificate and ID card.  (There is no social security 
  number listed on the ID card or anywhere in the booklet – just a member ID 
  number, group number, and plan name.)  Currently, the booklets are sent 
  in a sealed envelope.  We are considering not using an envelope, but 
  rather stickers on each of the three edges of the booklet to keep it sealed. 
   
   
  Any thoughts on Privacy issues 
  with this?
   
  Dana M 
  Frank
  Sales Administration 
  Manager
  Dental 
  Select
  (800) 
  999-9789
   
  CONFIDENTIALITY 
  This email and 
  any attachments are confidential and also may be privileged.  If you are 
  not the named recipient, or have otherwise received this communication in 
  error, please delete it from your inbox, notify the sender immediately, and do 
  not disclose its contents to any other person, use them for any purpose, or 
  store or copy them in any medium.  Thank you for your 
  cooperation.
   
   ---The WEDI SNIP 
  listserv to which you are subscribed is not moderated. The discussions on this 
  listserv therefore represent the views of the individual participants, and do 
  not necessarily represent the views of the WEDI Board of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion, post your question to the 
  WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs 
  should not be used for commercial marketing purposes or discussion of specific 
  vendor products and services. They also are not intended to be used as a forum 
  for personal disagreements or unprofessional communication at any 
  time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org