RE: business associate - yes or no?
Roger, the key difference in this scenario and which brought me to my conclusions is this statement by Wendy: . . . the contractor is providing this service on our behalf, for us, and are receiving money from us to provide these services.

Therefore, the contractor is providing treatment services on behalf of Wendy's company and Wendy's company is paying the contractor for those services performed, not the patient. Neither is the contractor submitting a claim to a payer for reimbursement. While it's not totally clear, it does appear that Wendy's company is a healthcare provider and is contracting with another healthcare provider to perform treatment services to its patients on its behalf.

Rachel

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]

-----Original Message-----
From: taway3 [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 1:18 PM
To: Rachel Foerster; WEDI SNIP Privacy Workgroup List
Subject: RE: business associate - yes or no?

Rachel and Wendy,

I'm going to respectfully disagree. If my physician sends me to an imaging facility for x-ray, would that not be a treatment relationship? My understanding is that two CE's collaborating on treatment do not require a BAA. What is different here?

Regards,
Roger Wernow
RMW Associates (A Consulting Company)
321-956-0485

-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 1:38 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: business associate - yes or no?

Wendy, based on your description of this activity I would conclude that your contractor is indeed your business associate. You have engaged this contractor to perform a function on your behalf using PHI.

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]

-----Original Message-----
From: Reynolds, Wendy J [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 12:06 PM
To: WEDI SNIP Privacy Workgroup List
Subject: business associate - yes or no?

I am in the process of reviewing a contract which will entail an agreement between us (a covered entity) and the contractor (another covered entity) in which the contractor will provide cancer screening/diagnostic tests to a specific category of women (income guidelines, age, etc.) per grant parameters.

I am having trouble with this one, because usually treatment reasons do not necessitate a business associate agreement between two covered entities. However, we are paying the contractor a per capita rate to provide the services (diagnostic tests) to these patients. If patients need further treatment, they are referred back to us to take care of. In this situation, I am not sure the contractor is really providing treatment to the patients. Furthermore, in this situation, the contractor is providing this service on our behalf, for us, and are receiving money from us to provide these services. This arrangement does not fit the business associate exceptions or examples as listed on the OCR website.

I have read the definition of treatment in the regs, but really think this arrangement should have a BAA. But of course the contractor disagrees. Am I being too picky? Any opinions out there?

Wendy J. Reynolds, MPA, CHP
EVMS Director of Privacy Program
EVMS HS Clinical Auditor
Eastern Virginia Medical School
Fairfax Hall, 1st floor
721 Fairfax Avenue
Norfolk, VA 23507
(757) 446-0337
[EMAIL PROTECTED]

--- The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Unnecessary BAAs
Rachel, if such an agreement was executed inappropriately or unnecessarily it should be terminated. The BAA should have term and termination provisions included. Most term/termination provisions allow for written termination with appropriate advance notice to the appropriate party. This would be the mechanism that should enable this party to terminate this or any other agreement.

Rachel

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]

-----Original Message-----
From: rachelmcass [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 9:44 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Unnecessary BAAs

Does anyone have any suggestions on what to do when a Business Associate Agreement has been signed unnecessarily? For instance, a nursing facility has signed a BAA with a durable medical equipment provider, naming the nursing facility as the BA. As both entities are considered health care providers, and the nursing facility has been determined not to be providing services to the durable medical equipment provider, it is not necessary for the nursing facility to sign the BAA naming the facility as the BA.

The facility did this, and now has a contractual obligation to do a number of things unnecessarily. For instance, the terms of the agreement state that the facility will notify the medical equipment provider within X number of days of a breach of privacy, notify when accounting for an accountable disclosure, etc. This being the case, the agreement requires that the facility do such things as notify the organization every time it has a state inspection (which occurs no less than annually), because that is an accountable disclosure. This seems absolutely unnecessary; the facility does not provide any services to the other entity. If anything, it would be the other way around.

What is the best way to terminate or modify these provisions?
Can they just cancel the agreement, even though it has the termination provisions required by the Privacy Rule (return or destruction of PHI, etc.)? What if the other entity is adverse to terminating or modifying the BAA? Has anyone else encountered this?

On a completely unrelated note, I just had one of my previous health care providers (who is a covered entity, I received a NPP from them) leave a message on my answering machine informing me that their office is providing services to someone else with my name. They apparently haven't been checking birth dates, or other information, and they think they may have accidentally billed my insurance. They want my help in investigating/fixing this situation. Seems to me that there may have been a way to approach this without telling me that someone else named Rachel Cass is receiving services from them; anyone agree? (No, I really don't intend to contact OCR on this; just think it is an interesting Privacy scenario). It also makes me wonder if another Rachel Cass has been told that I have been treated by that provider.

Thanks -

Rachel M. Cass
(319) 430-6591
[EMAIL PROTECTED]
RE: Collection Accts.
Actually, if the patient requests non-release of PHI to the provider for its own TPO then the provider is well within its rights to determine how it will be paid for the services to be rendered. If the patient cannot provide adequate assurance to the provider that it will be paid for services rendered such that there would not be any disclosure of PHI in order to collect payment, the provider is not obligated to treat unless there might be an EMTALA issue.

Rachel

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]

-----Original Message-----
From: Wellons, David L [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 4:19 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Collection Accts.

then all I as a scoundrel patient need to do (particularly if self pay) is to request non-release of information without my permission and then just refuse to pay my bill. Sounds like the provider's only recourse would be to contact me directly - use of a collection agency would violate HIPAA since I haven't given my permission, as would posting a bad debt on my credit record. Sounds like a winner to me!

As to my example about the parking lot accident - agreed that police are not HIPAA bound, but with the DOJ conclusion that anyone (not just CEs) who release PHI can be prosecuted (q.e.d.), it makes sense should they list my name and the physician office name publicly, someone could 'interpret' HIPAA as being applicable. (I know this won't happen, but just saying that under the current interpretations I've seen in these threads, there is merit to the example).

Also, the issue of the CA having a BAA with the CE and thus can use PHI. From other threads (the one about overseas transcriptions), someone said that HIPAA only applies to CEs, and that if BAAs are used, the non-CE who gets the data is not bound by HIPAA, their only exposure would be breach of contract issues with the CE.
As the CA and CRAs are not CEs, then any collection data they have, even the PHI you list (name, amount) is not covered under HIPAA once they have it in their hands (EVEN with BAAs in place). While this may be circular logic, that is what I come up with when combining a couple of issues into one.

Don't read my comments as argumentative, not meant that way, just a bit frustrated that even professional (as you and the others are) who are well-versed as anyone in HIPAA can't seem to find common agreement on some key points. Not your fault, just the way it was all written.

The views expressed are mine personally and do not necessarily represent the views of my employer.

-----Original Message-----
From: Sherriann Hamilton [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 4:13 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Collection Accts.

David ~

PHI includes much more information than just specifics as to the treatment - it also includes information that Relates to ... the past, present, or future payment for the provision of health care to an individual... So, a name, an amount, and the creditor/provider/CE = PHI; and I would assume that debt collection would involve at least that much information.

The reason that collection by, or on behalf of, a creditor/provider/CE is (potentially) handled differently is that the creditor/provider/CE is bound by HIPAA and the debt information is PHI. The creditor/provider/CE would need to have a BA agreement with the collection agency so that the CA can use/disclose the PHI on behalf of the creditor/provider/CE. The BA's disclosure of the information to the CRA is permitted because it's related to payment.

As for the auto accident in the parking lot of the physician's office... the police are not bound by HIPAA. I don't know the rules about police reports being made public, but if they can't be made public... it's not because of HIPAA.

Just my 2c.
Sherriann Hamilton, Privacy Officer/Training Director
The Christian Church Homes of KY
12700 Shelbyville Road, Ste. 1000
Louisville, KY 40243
(502) 254-4254 - phone
(502) 396-4217 - cell
(502) 254-5117 - fax
Please check out our web site at www.cchk.org

-----Original Message-----
From: Wellons, David L [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 2:06 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Collection Accts.

One more thought on Leslie's last paragraph. Debt collection would not have specifics as to the treatment, so there should not be any PHI in the issue. Now a problem could arise, if for example an oncologist is trying to collect a bill from a guarantor (note I didn't say patient), and someone else sees that information, they can surmise the guarantor has cancer (apply this to any other medical situation). However, in collection activities, they are trying to collect money from a guarantor, who may or may not be a patient. I don't see where the fact you owe a debt to anyone BESIDES a healthcare provider would be treated
RE: *LAWYERS LIE IN WAIT FOR HIPAA REGS
Doug, I would agree that secure point-to-point exchanges and not via the open Internet would also be reasonable - of course, based on the CE's risk assessment and threat model. The key of course, is assessing the other enterprise's security requirements to determine if they are sufficient for the intended information exchange... In this scenario, of course, then digital certs, signatures, etc. could be efficiently and effectively managed as well, since one could assume that the number of end-points would be a reasonable number.

Rachel Foerster

-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Friday, April 11, 2003 11:04 AM
To: Rachel Foerster; WEDI SNIP Privacy Workgroup List
Subject: Re: *LAWYERS LIE IN WAIT FOR HIPAA REGS

Rachel,

The only other situation I can think of that would be secure enough would be a point-to-point connection (not via anything other than the phone company) from one secure enterprise to another with proper authentication (if you have good reason to believe that both enterprises are secure). For instance, I would think that dialing into a clearinghouse's server and directly sending claims to that server would be secure enough (if you believe that the Clearinghouse is secure [if you don't think it is, why are you using it in the first place?]). The Clearinghouse would then have the same considerations with respect to wherever the transactions get delivered. Delivering the same claim to the same server via e-mail would not be.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message.
If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you."

----- Original Message -----
From: Rachel Foerster
To: WEDI SNIP Privacy Workgroup List
Sent: Friday, April 11, 2003 10:13 AM
Subject: RE: *LAWYERS LIE IN WAIT FOR HIPAA REGS

Chris, actually, I can't, since I too agree with you that encryption is necessary, and that those who try to rationalize their way out of it are indeed treading on very thin ice. This wasn't my point in pointing out the addressability aspect of encryption. Most likely the only email that might not require encryption would be that which stays within the enterprise's security internal network, but that of course, means that all due diligence must be done to ensure the network's security.

Rachel

-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]
Sent: Friday, April 11, 2003 6:35 AM
To: Rachel Foerster
Cc: WEDI SNIP Privacy Workgroup List
Subject: Re: *LAWYERS LIE IN WAIT FOR HIPAA REGS

Rachel,

Thank you for the point of clarification. Although the rules are intentionally technology neutral in the spirit of scalability, as a practical matter organizations are going to have to pass the ultimate test of "Due Care".
Could you give a few examples of technologies other than encryption that could be considered industry best practices or due care?

Thanks,
--
Chris Riley, CISSP
Information Tool Designers Inc.

Rachel Foerster wrote:

Chris, a point of correction... the HIPAA Electronic Transaction Final Rule does not require encryption for data transmission, and actually the rule does not discuss transmission/transport at all.

Rather, the need for encryption is in the final security rule and is an addressable implementation specification.

Rachel Foerster

-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 10, 2003 6:42 AM
To: WEDI SNIP Privacy Workgroup List
Subject: FYI: *LAWYERS LIE IN WAIT FOR HIPAA REGS

Attorneys nationwide reportedly plan to deploy decoy patients at health care organizations to see if doctors, dentists, hospitals and insurance companies have the policies, procedures and protections that ensure patients' privacy, as required by the federal Health Insurance Portability and Accountability Act (HIPAA).

The long-awaited privacy rule goes into effect Monday. Health care organizations that don't comply risk hefty fines, possible criminal prosecution and costly civil lawsuits. Companies have had two years to educ
RE: faxes
Inappropriate or insufficient to what purpose and to what goal. If to eliminate potential legal liability, and you end up in court as a defendant, it would not provide you with any protection whatsoever. So, what are you trying to accomplish by using such a disclaimer... avoid legal liability or receive reduced liability insurance premium rates?

Rachel Foerster

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 11, 2003 12:45 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: faxes

To me, this is an appropriate safeguard for faxes. I work in the pharmacy and higher education industries. This message, or something similar, is pretty much the industry standard, for at least the independent pharmacies, skilled nursing facilities, assisted living facilities, consultant pharmacists, and universities that I am affiliated with. A similar disclaimer is at the signature line of the emails at my university and also emails of the businesses with which I work.

Are you suggesting that each time a fax is sent from say our pharmacy to a nursing home we do business with that we have to send and receive a confirmation of some sort before we send PHI? If that is the case, it does not preclude a person who received the message in error from confirming that they are indeed the intended receiver of the email or fax message. We do not utilize fax service, we do however use the fax as our primary means of transmitting physician orders, face sheets, and prescription refills to the pharmacy.

Please, let me know if this disclaimer is inappropriate or insufficient.

Deborah Larison
Pharmacy Consultant Solutions
Fort Lauderdale, FL
PH 954-649-2903

In a message dated 4/10/2003 5:21:22 PM Eastern Standard Time, [EMAIL PROTECTED] writes:

In my mind, this is not an appropriate privacy safeguard.
The question I propose to the group is whether a CE should implement a process to first validate fax numbers before transmitting documents.
RE: Security Requirements
Yes

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]
http://www.rfa-edi.com

This transmission may be confidential or protected from disclosure and is only for review and use by the intended recipient. Access by anyone else is unauthorized. Any unauthorized reader is hereby notified that any review, use, dissemination, disclosure or copying of this information, or any act or omission taken in reliance on it, is prohibited and may be unlawful. If you received this transmission in error, please notify the sender immediately. Thank you.

From: Daryn Thompson [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 12:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Security Requirements

In the final security document, you have standards. Some standards have implementation specifications and others do not. On the standards that do have them, they are REQUIRED or ADDRESSABLE. On the ones that do not have specifications, are they Required?

Daryn Thompson
Network/I.S. Coordinator
(801) 468-2123
RE: Amendment Questions
And just to reinforce Dave's comments, at today's CMS/OCR Privacy meeting in Chicago an OCR attorney explicitly stated that health information held by a covered entity that was created or received prior to 4/14/03 IS subject to all of the privacy rule's requirements on and AFTER 4/14/03. In other words, the CE must account for all disclosures of health information that occur after 4/14/03 to health information it had in its possession prior to 4/14/03, and likewise, health information in its possession prior to 4/14/03 is subject to a request for an amendment by the individual on and after 4/14/03 as well as the individual having the right of access to that health information.

The same OCR attorney also cautioned the audience that if the CE modified its NPP subsequent to its original NPP that must be provided on and after 4/14/03 it should take care to ensure that there is language in the modified NPP to indicate that the NPP applies not only to health information created or received after the new NPP but also to ALL health held by the CE prior to the newly modified NPP.

Rachel Foerster
Rachel Foerster Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]
http://www.rfa-edi.com

-----Original Message-----
From: David Ermer [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 02, 2003 1:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

Matt -- The Q&A demonstrates that HHS intends that the Privacy Rule generally apply to all PHI that the CE maintains as of 4/14/03.
If HHS had intended to exempt from the access and amendment rights PHI created before 4/14/03 it would have said so in the § 164.524 and § 164.526 of the Rule. The Privacy Rule is a law. Administrative rules are interpreted in accordance with the standards of statutory construction. The U.S. Supreme Court has ruled that "When Congress [or another law maker -- here HHS] includes particular language in one section of a statute [here the pre-4/14/03 disclosure exception from the accounting for disclosures section] but omits it from another section of the same Act [or other law -- here §§ 164.524 and 164.526], it is generally presumed that Congress [or the pertinent law maker] acts intentionally and purposefully in the disparate inclusion or exclusion." Bates v. United States, 522 U.S. 23, 29-30 (1997).

In my opinion, a CE cannot just create additional exceptions to the amendment right because they might make sense. I personally don't think that access and amendment rights are particularly onerous to implement as there are a number of fairly broad, express exceptions to the amendment right. The amendment right, by the way, was the subject of a Seinfeld episode in which Kramer unsuccessfully tried to get Elaine's medical records from her doctor who had noted that Elaine was a troublemaker.

As for the BA transition rule, if after 4/14/03 a CE receives an amendment request, and the CE believes that the amendment request should be granted, it must pass that information to the business associate. If the contract provisions are not in place, I imagine that a BA could refuse to process the amendment. I don't know why a BA would refuse to do so, but in that case, the CE should hold onto the amendment request, and once the BA contract provisions are in place, then it should require the BA to process the amendment in accordance with the contract and the Privacy Rule.
I agree with you that there are a lot of ambiguities in this complex Rule, but I don't think that the amendment question falls into this category. Remember under the law, you don't get into a reasonableness analysis when the language of the regulation is unambiguous.

I do appreciate all the prompt advice that you give CE's on this list serv and this exchange in particular. If HHS provides more guidance, let us know.

Best regards,

Dave Ermer
Gordon Barnett
Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com

[EMAIL PROTECTED] 03/01/03 12:15AM

Dave,

I must respectfully disagree with your application of the Q&A that you cited (below). Clearly that Q&A was intended to convey HHS' intent that on and after the compliance date the Privacy Rule will protect all PHI that a CE creates or maintains about an individual, regardless of when that PHI was created. No one would disagree with that intent. However, the Privacy Rule is imbued with reasonableness
RE: medical vendors as Business Associates
It's more likely this activity/role falls under a DME provider activity and thus may make this function/role a provider type. If they then seek reimbursement from a payer/health plan, this constitutes acting as a provider, doesn't it? I'm aware of at least one major orthopaedic mfgr that has already determined its activity in directly providing to the patient their DME classified products and for which they then submit a claim for reimbursement makes this activity/role a covered entity.

Rachel Foerster
CEO President
Rachel Foerster Associates, Ltd.
Professionals in Health Care EDI, Privacy Security
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED]
http://www.rfa-edi.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 6:42 AM
To: WEDI SNIP Privacy Workgroup List
Subject: medical vendors as Business Associates

Are medical vendors that supply products like prosthesis, wheelchairs, etc., considered BA? I have been researching this and can't seem to come up with clear answer...

Thanks in advance

Jill Rubin, Esq.
(617)388-2404
[EMAIL PROTECTED]
If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Covered Entity or Not
Fax is considered an electronic transaction by CMS if the document originated as an electronic document in a computer system and is faxed from that computer system.

Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com

-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 01, 2003 8:19 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Covered Entity or Not

Charles, The definition of a covered entity entails more than just filing electronic claims. There are several covered transactions and if you conduct any of them electronically then you are a CE and must comply with HIPAA. For a complete list of covered transactions refer to the Transaction and Code Set Standards. I would also note that the definition of conducting a transaction electronically is often debated. I know HHS has indicated in the preamble to the Privacy Rule that a fax does not count as electronic transmission.

Noel Chang
-- Open WebMail Project (http://openwebmail.org)

--- Original Message ---
From: [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Fri, 31 Jan 2003 10:57:47 -0500
Subject: Covered Entity or Not

At a meeting yesterday of our parent organization's privacy officers we had a discussion I'd appreciate some feedback on. One of the organizations is a long-term care/retirement facility that indicated they do not bill electronically. Therefore they are not a covered entity. However, after further discussion they indicated they do in fact send via fax and/or email individual identifiable health information to other covered entities (i.e., hospitals, referral agencies, and referring agencies). Some contended because they did not use EDI, they didn't really need to comply, others indicated they were because they do send PHI via electronic media. Can anyone provide an insight? Thanks. Charles.

Charles R. Carnahan, M.Div., M.B.A. Chief Operating Officer CAB Health and Recovery Services, Inc. 111 Middleton Road Danvers, MA 01923 Phone: 978-739-7600 FAX: 978-750-3620 www.cabhealth.org

--- End of Original Message ---
RE: HIPAA EDI
Section 1176 of the HIPAA statute addresses penalties. Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation of a provision, and not more than $25,000 per person per violation of an identical requirement or prohibition for a calendar year. With certain exceptions, the procedural provisions in section 1128A of the Act, "Civil Monetary Penalties," are applicable to imposition of these penalties.

Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com

-Original Message-
From: Sherry Lynn Burke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 30, 2003 6:58 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: HIPAA EDI

I am trying to locate penalties for failure to comply with the EDI standards but am not having any luck. Advice?

-Original Message-
From: Boyle, Joan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 8:20 PM
To: WEDI SNIP Privacy Workgroup List
Subject: WEDI SNIP Privacy Policies and Procedures Workgroup Conference Call - Correction of Time
Importance: High

Please note that our regular workgroup conference call will begin at 3:30 pm EST. The discussion of Security Safeguards for Privacy will begin at 4 pm EST. All other information is correct. Anyone wishing to discuss workgroup issues such as plans for future calls and for reviewing our existing documents in light of the 12/2002 Privacy Guidance and the final Security Rule (when published), please join us at 3:30 pm EST. Joan

Joan Boyle HIPAA Compliance Manager The TriZetto Group, Inc. Voice: 970-627-1675 Fax: 970-627-1677 [EMAIL PROTECTED]

*** Confidentiality Notice *** This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
RE: Medical Records
Furthermore, any action of this nature should/would be the responsibility of the deceased physician's executor and not the practice. The practice appears not to own the med recs, etc.

Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com

-Original Message-
From: Patricia Conroe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 7:43 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Medical Records

There are specific requirements in state laws that say what happens when a practice closes. I wish I could give you a direct reference, but I can't. I believe that PA law says you must post a notice at the office and in the newspaper informing patients of the closure and tell them how they can obtain their records if they want to. I'm not sure how long the notice must be posted and for how long the records must be stored somewhere in this instance. Patients can be given their original medical records in this case as well as far as I know. Please someone out there feel free to correct me.

Cathy Campbell [EMAIL PROTECTED] 01/28/03 02:48PM

I have an interesting question that I need some help with. We had an office manager call today inquiring about a problem that I don't know how to respond to her. She is in a practice where a physician shared expenses and leased space from her practice (he was his own entity). The physician passed away over the weekend. They are unsure of what to do with the medical records. They do not belong to the practice, they belonged to the physician who passed away. Can the manager give the original charts to the patients? Thanks for any and all input!

Cathy A. Campbell HIPAA Compliance Specialist Healthcare Compliance Group (317)575-1041 (800)816-1161 (317)575-1043 (fax)
RE: Is HIPAA Individually Liable?
Here's what I believe is the real deal:

1. The HIPAA law and regulations do not give the individual any statutory rights. This means that an individual who feels his/her individual privacy rights have been violated cannot bring suit in Federal Court. The recourse open to an individual under HIPAA is to file a complaint with the OCR which should then investigate. OCR could then refer to the Department of Justice which could bring suit against the violator.
2. HIPAA does not take away any individual's statutory rights under state law. These, of course, vary by state.

Lawyers out there - did I get this right?

Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com

-Original Message-
From: Nancy Jones [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 11:40 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Is HIPAA Individually Liable?

I would like to add to this question . . . I have been to several HIPAA workshops, each taught by a different attorney or team of attorneys. One group will tell you that the entity can't be sued for damages if a HIPAA violation occurs . . . . that sanctions from the OCR are punishment enough for the covered entity and that patients may not expect damages. Others have said that plaintiff's attorneys are circling like buzzards and buying the back covers of telephone books all over America with the big question . . HAS YOUR MEDICAL PRIVACY BEEN VIOLATED? I haven't gotten a straight answer yet! And now I hear that THIPAA - the Texas version of HIPAA that goes into effect in 9/03 not only allows the entity to be sued, but the individual can be held personally liable. I am a patient advocate and believe in the fundamental principles of protecting health information, but this is really getting out of hand.

Patricia Conroe wrote:

I apologize if this is listed somewhere real obvious, but I was wondering if there was a definite answer as to who's liable when HIPAA has been violated? In a hospital situation, if HIPAA's violated and jail time and fines are distributed who gets that fun time? Is it the CEO, the Privacy Officer, the employee who violated the rule, all of the above, etc? Thank you!
RE: When to have the patient sign an authorization
I believe that HIPAA requires any authorization to expire either on a specific date or at a specific event. An event expiration could, in fact, be upon the individual's demise. Unfortunately I don't have a specific cite from the reg on this.

Rachel Foerster Principal Rachel Foerster Associates, Ltd. Professionals in Health Care EDI 39432 North Avenue Beach Park, IL 60099 Voice: 847-872-8070 Fax: 847-872-6860 eMail: [EMAIL PROTECTED] http://www.rfa-edi.com

-Original Message-
From: Darrell Rishel [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 1:25 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: When to have the patient sign an authorization

I do not believe that HIPAA mandates that an authorization can only be valid for 60 days. Such a limitation might be a part of state law, or an organization's own standard. I think that if you can foresee the need for the disclosure when the patient is admitted, then you can have it signed at that time. If the need does not become apparent until later, then you have the patient sign it then. In either case, of course, the authorization has to meet all of the other HIPAA (and other applicable) requirements.

Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature.

-Original Message-
From: Klayer Geni [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 11:59 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: When to have the patient sign an authorization

As the need arises. The authorization is only valid for 60 days.

-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 1:20 PM
To: WEDI SNIP Privacy Workgroup List
Subject: When to have the patient sign an authorization

How are providers in particular handling the signing of authorizations? Are practices having patients sign it when they first come in, for future disclosures, or as the specific situations arise (i.e., they later decide their atty. should see the medical records and sign an applicable authorization). Thanks as always for your input.

Jill Rubin, Esq. (617)388-2404 [EMAIL PROTECTED]