Re: section 164.514(d)(3)(iii)(B)
Leslie, In my opinion, while it would be good to apply some minimum necessary principals, I don't think you are required to do so in this situation. Because these are providers (covered or not) using, disclosing, and requesting the PHI for treatment. Under 164.502(b)(2) - min. necessary doesn't apply to disclosures to or requests by a health care provider for treatment. And under 164.506(c)(1) - covered entities can use/disclose PHI for its own treatment activities and (2) for treatment activities of (another) health care provider. Regards, lhc Leah Hole-Curry, JD FOX Systems, Inc. 602.708.1045 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. Harpe, Leslie [EMAIL PROTECTED] 03/25/03 12:21 PM Your opinions on the following scenario: A patient is seen in the ER last night. Dr. A ordered labs. Dr. B calls the lab for the results today. Lab only knows the ordering doctor. Based on the fact that Dr. B knows labs were ordered and according to section 164.514(d)(3)(iii)(B), we are going to release the lab results without an authorization. We believe that this is continuum of care and we are releasing to another covered entity. (No disclosure is required either.) If each department identifies who can release the info, the minimum they can release for routine disclosure and develop criteria for non-routine disclosures, this should be an acceptable practice. Page 82545 also supports this interpretation. My notice also informs the patient that we will do this as continuum of care. Once the chart is received by medical records though, we will require an authorization if the physician is not on record. I hope this is right, if not, we'd better start planting more trees to support the tremendous mounds of paperwork. Thanks, Leslie Harpe Privacy Official South Georgia Medical Center Valdosta, GA 31603-1727 [EMAIL PROTECTED] --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: Disclosures - NPP and tracking
Teri, I also agree - these are separate requirements that are not mutually exclusive. A covered entity must meet all requirements, relevant to a particular use or disclosure: A covered entity must have a notice of privacy practices which lists relevant disclosures and examples, among other things. 164.520 A covered entity Must use and disclose information only in accordance with its Notice. 164.502(i) A covered entity must ALSO have satisfactory assurances (generally in the form of the BA Contract) in place with its business associates. 164.502(e) A covered entity must ALSO obtain authorization when making disclosures that require an authorization (e.g. marketing communications). 164.508 A covered entity must ALSO track disclosures that are required to be accounted for to the individual (e.g. disclosures to public health authority). 164.528 A covered entity may ALSO get a consent for certain disclosures if it chooses to do so (e.g. for treatment, payment, and operations). 164.506. It is often difficult to prove a negative - meaning that there isn't a place in the regulation that specifically states that the requirements are cumulative, however when you read the accompanying comments, there isn't anything that I see that would lead you to think that you could leave out an accounting for certain disclosures if you include the disclosure in your notice - the comments and the regulation require you to do both. In discussing a governmental entities' choices with respect to hybrid, there is a comment and answer that touches on this, it states in part: Comment...Alternatively, it was suggested that a governmental hybrid entity be permitted to include in its notice of privacy practices the possibility that information may be shared with other divisions within the same government entity for specific purposes... Response ...Additionally, the Department encourages covered entities to develop a notice of privacy practices that is as specific as possible, which may include, for a government hybrid entity, a statement that information may be shared with other divisions within the government entity as permitted by the Rule. However, the notice of privacy practices is not an adequate substitute for, as appropriate, a memorandum of understanding; designation of business associate functions as partof of a health care component; or alternatively conditioning disclosures to such business associate functions on individuals' authorization. 67 Fed. Reg. pages 53206, 53207. As noted, this isn't directly on point, but it does states that the the Notice is not a substitute for other requirements: you need both. Regards, lhc Leah Hole-Curry, JD FOX Systems, Inc. 602.708.1045 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. Teri Baskett [EMAIL PROTECTED] 02/17/03 10:19 AM I hate to weigh in here one more time, but my understanding what that we have to provide the pt/client an accounting of all disclosures that were not specifically covered by an authorization (initially, it was interpreted that those had to be logged and tracked also, but that was amended in the final regs, since the argument was made that the pt would have knowledge of disclosures s/he had authorized in writing). I know another gentleman on this thread last week indicated that he planned to track those also, just to keep the disclosure log complete and to simplify the procedures for HIM staff; however, I do believe that authorized disclosures are not required to be tracked. So, our disclosure log must contain a record of all disclosures not covered by a written authorization and those that are not a part of treatment, payment and healthcare operations. Regardless of everything we list in the NPP (and it should list all these as possibilities), we have to track these and record them, providing them for a pt when requested. Have I confused different parts of the regs in this interpretation? Teri Baskett, CISO LifeSpring Mental Health Services [EMAIL PROTECTED] --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently
Re: Covered Entity or Not
The answer is in the covered entity definition found at 160.103 Covered entity means...A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter So the transmission must be in connection with a standard transaction (e.g. claims, eligibility, encounter, claims status, referal certification and authorization, etc.) Regards, lhc Leah Hole-Curry, JD FOX Systems, Inc. 602.708.1045 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. [EMAIL PROTECTED] 01/31/03 08:59 AM At a meeting yesterday of our parent organization's privacy officers we had a discussion I'd appreciate some feedback on. One of the organizations is a long-term care/retirement facility that indicated they do not bill electronically. Therefore they are not a covered entity. However, after further discussion they indicated they do in fact send via fax and/or email individual identifiable health information to other covered entities (ie hospitals, referral agencies, and referring agencies). Some contended because they did not use EDI, they didn't really need to comply, others indicated they were because they do send PHI via electronic media. Can anyone provide an insight? Thanks. Charles. Charles R. Carnahan, M.Div., M.B.A. Chief Operating Officer CAB Health and Recovery Services, Inc. 111 Middleton Road Danvers, MA 01923 Phone: 978-739-7600 FAX: 978-750-3620 www.cabhealth.org * --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: HIPAA EDI
42 U.S.C. Section 1320d-5 (General Penalty for Failure to comply with Requirements and Standards) The pre-codified version is on HHS' website at: http://aspe.hhs.gov/admnsimp/pl104191.htm Leah Hole-Curry, JD FOX Systems, Inc. 602.708.1045 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. Sherry Lynn Burke [EMAIL PROTECTED] 01/30/03 04:56 AM I am trying to locate penalties for failure to comply with the EDI standards but am not having any luck. Advice? -Original Message- From: Boyle, Joan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 8:20 PM To: WEDI SNIP Privacy Workgroup List Subject: WEDI SNIP Privacy Policies and Procedures Workgroup Conference Ca ll - Correction of Time Importance: High Please note that our regular workgroup conference call will begin at 3:30 pm EST. The discussion of Security Safeguards for Privacy will begin at 4 pm EST. All other information is correct. Anyone wishing to discuss workgroup issues such as plans for future calls and for reviewing our existing documents in light of the 12/2002 Privacy Guidance and the final Security Rule (when published), please join us at 3:30 pm EST. Joan Joan Boyle HIPAA Compliance Manager The TriZetto Group, Inc. Voice: 970-627-1675 Fax: 970-627-1677 [EMAIL PROTECTED] *** Confidentiality Notice *** This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org * Scanned by net.work.Maryland Antivirus Service ... the Backbone of eMaryland, the Digital State. * * Scanned by net.work.Maryland Antivirus Service ... the Backbone of eMaryland, the Digital State. --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services
Re: HIPAA privacy and telephone
The OCR guidance at http://www.hhs.gov/ocr/hipaa/privacy.html under incidental disclosures indicates that leaving information with family members or on an answering machine or mailing information is allowed, but also cautions that professional judgment should be used to assure that the information is limited to what is necessary and assure that its in the interests of the patient. Regards, lhc Leah Hole-Curry, JD FOX Systems, Inc. 602.708.1045 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. Doug Webb [EMAIL PROTECTED] 01/17/03 06:38 AM An extension to this -- how do you handle answering machines? My gut feeling is that either a no-no (the machine more questionable than a family member) -- the information could only be released to the patient or his/her representative designated in a written authorizaton. Perhaps another signature on your main consent/authorization form to allow these types of communications is what's needed??? The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. Webb Computer System Engineer Little Company of Mary Hospital Health Care Centers [EMAIL PROTECTED] This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you. - Original Message - From: [EMAIL PROTECTED] To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 04:04 PM Subject: HIPAA privacy and telephone I would like the lists opinion on this topic. Patient comes to the office to have their potassium checked because they are on a diuretic. Later, the physician's nurse calls the patient at home with results but the patient is not home. Spouse answers the phone. Can you tell the spouse that the potassium was fine and that he/she should tell the spouse to continue the same dose of diuretic and potassium supplement? If you say no, this type of disclosure is not allowed, would it matter that we put a statment in our Notice of Privacy Practices that stated (in the section on Payment, treatment and health care operations) On occasion, we call test results to your home and leave the results with a family member if you are not present. Now, obviously, we would not do this with a HIV result but it seems like such a waste of everyone's time to play phone tag to accommodate the one patient in a million that is actually upset because you told the spouse what the potassium result was. Thank you. Rich Fairley, Dubuque, IA --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe
Re: What does it mean to have a separate authorization?
I have always considered this to mean that you did not necessarily need separate types of forms, but that certain authorizations must be limited to single purposes. However, if only one authorization form is created, it has to be designed carefully to meet all the different types of situations applicable to your business. I suspect that entities will find a generic form will work for most disclosures, but that certain disclosures, if applicable (like where you are allowed to condition treatment/enrollment or where, in research, it is combined with other information) would need a special form because the language will be different from the general circumstances where you cannot condition treatment or where it is combined with other types of permission/information. lhc Leah Hole-Curry, JD FOX Systems, Inc. 602.708.1045 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. [EMAIL PROTECTED] 01/17/03 06:40 AM I realized that I may be confused over what it means to have a separate authorization. The privacy rules clearly state that a separate authorization is needed for psychotherapy disclosures, that you cannot combine an authorization for psychotherapy with an authorization for most other disclosures. I assumed that meant you actually had to draft a separate form for psychotherapy disclosures but someone recently pointed out to me that it meant you could use the same authorizations for all disclosures, as long you when you used it for disclosures for psychotherapy, it was just used for that purpose Thoughts? Also, the rules state that you cannot combine authorizations where the entity can condition treatment upon its signing (like disclosures to a third party) with disclosures that cannot be conditioned. I assumed that you again had to draft separate disclosures forms but am I mistaken? Jill Rubin, Esq. (617)388-2404 [EMAIL PROTECTED] --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: archive@mail-archive.com To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org