Hi Traci:
Q: Are State Regulators and other government agencies that perform audits
considered business associates?
A: The Privacy Rule allows covered entities to disclose protected health
information to government agencies for health oversight activities and in
instances where it is required by law. Usually, CEs do not solicit audits by
government agencies as they are not performing a function or service on CE's
behalf - therefore they are not business associates.
A Health oversight agency means an agency or authority of the United States,
a State, a territory, a political subdivision of a State or territory, or an
Indian tribe, or a person or entity acting under a grant of authority from
or contract with such public agency, including the employees or agents of
such public agency or its contractors or persons or entities to whom it has
granted authority, that is authorized by law to oversee the health care
system (whether public or private) or government programs in which health
information is necessary to determine eligibility or compliance, or to
enforce civil rights laws for which health information is relevant.
§ 164.512 Uses and disclosures for which consent, an authorization, or
opportunity to agree or object is not required.
A covered entity may use or disclose protected health information without
the written consent or authorization of the individual as described in §§
164.506 and 164.508, respectively, or the opportunity for the individual to
agree or object as described in § 164.510, in the situations covered by this
section, subject to the applicable requirements of this section. When the
covered entity is required by this section to inform the individual of, or
when the individual may agree to, a use or disclosure permitted by this
section, the covered entity's information and the individual's agreement may
be given orally.
(d) Standard: uses and disclosures for health oversight activities.
(1) Permitted disclosures. A covered entity may disclose protected
health information to a health oversight agency for oversight activities
authorized by law, including audits; civil, administrative, or criminal
investigations; inspections; licensure or disciplinary actions; civil,
administrative, or criminal proceedings or actions; or other activities
necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health
information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for
which health information is necessary for determining compliance with
program standards; or
(iv) Entities subject to civil rights laws for which health
information is necessary for determining compliance.
I hope this helps
> -----Original Message-----
> From: Matthew Rosenblum [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, February 07, 2003 1:33 PM
> To: WEDI SNIP Privacy Workgroup List
> Cc: 'Bill MacBain'; 'Judy.Griffith'
> Subject: RE: Recording Disclosures (was BA Agreement Questions)
>
> Traci,
>
>
>
> I tend to view (at least some of) the "audit" activities performed by the
> State as being conducted on behalf of the CE-Health Plans (e.g., Medicaid)
> as opposed to the CE-providers. As such, those State-conducted "audit"
> activities are part of the Health Plan's "health care operations".
> Consequently, the State auditors would probably be construed as Business
> Associates of the Health Plan.
>
>
>
> How do others view this?
>
>
>
> I hope that this helps.
>
>
>
> Your questions are always welcome.
>
>
>
> Matt
>
>
>
> Matthew Rosenblum
>
> Chief Operations Officer
>
> Privacy, Quality Management & Regulatory Affairs
>
>
>
> CPI Directions, Inc.
>
> 10 West 15th Street, Suite 1922
>
> New York, NY 10011
>
>
>
> (212) 675-6367
>
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
>
>
> CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the
> individual or entity to which it is addressed and may contain information
> that is privileged, confidential and exempt from disclosure under
> applicable law. If you have received this communication in error, please
> do not distribute it. Please notify the sender by E-Mail at the address
> shown and delete the original message. Thank you.
>
>
>
> AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del
> individuo o la entidad a la cual se dirige y puede contener información
> privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si
> usted ha recibido esta comunicación por error, por favor no lo distribuya.
> Favor notificar al remitente del E-Mail a la dirección mostrada y elimine
> el mensaje original. Gracias.
>
>
>
> -----Original Message-----
> From: Traci.Jensen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 06, 2003 11:15 AM
> To: WEDI SNIP Privacy Workgroup List
> Cc: 'Bill MacBain'; Judy.Griffith
> Subject: RE: Recording Disclosures (was BA Agreement Questions)
>
>
>
> I would like to introduce myself, as I am new to this listserv. I am the
> HIPAA Privacy Project Manager for a health plan in Illinois. Even though
> I am new to this listserv, several of your names are familar from the
> HIPAAlive listserv.
>
> Noel, I want to be clear I understand your response. Are you saying that
> it is your opinion that audits performed by a State agency or someone on
> their behalf falls under disclosing information for our own activities
> related to "Conducting or arranging for medical review, legal services,
> and auditing functions, including fraud and abuse detection and compliance
> programs"?
>
> I am not convinced that we could constitute audits being performed by a
> State agency as part of our own health care operation. I believe this is
> something that we would have to track and provide an accounting for
> because it is "required by law" and the disclosures are made for "health
> oversight activities".
>
> Also, it is more than likely that the State agency requiring the audit is
> not a covered entity so the sharing PHI for "certain health care
> operations" wouldn't apply, and they would not be considered a business
> associate as they are not doing something on our behalf.
>
> However, I would like to be convinced that this would fall under our
> health care operations, because currently our system does not have a way
> to track disclosures made on multiple members, without manually
> documenting in each member record.
>
> I do agree in that I don't think by mentioning the possibility of a type
> of disclsoure in your NPP a covered entity can relieve themselves of the
> obligations to track and account for such disclosures.
>
> I welcome everyone's opinion.
>
> Traci Jensen
> Compliance Programs Manager/HIPAA Project Manager
> Health Alliance Medical Plans, Inc.
>
>
>
> -----Original Message-----
> From: Noel Chang [ <mailto:[EMAIL PROTECTED]>]
> Sent: Wednesday, February 05, 2003 8:37 AM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Re: Recording Disclosures (was BA Agreement Questions)
>
>
>
> Under the definition of "health care operations", found in section
> 164.501,
> item (4) of that definition includes, "Conducting or arranging for medical
>
> review, legal services, and auditing functions, including fraud and abuse
> detection and compliance programs".
>
> I would take this to mean that the audit is part of TPO, and there for not
> a
> disclosure that needs to be accounted for.
>
> As a footnote, I'm not sure I agree with your implication that by
> mentioning
> the possibility of a type of disclsoure in your NPP you can relieve
> yourself
> of the obligations to account for such disclosures. The disclosures that
> should and should not be accounted for are ennumerated clearly in section
> 164.528(a)(1). I am not aware of any relief from these requirements
> through
> your NPP.
>
> Noel Chang
>
> --
> Open WebMail Project ( <http://openwebmail.org>)
>
>
>
> ---------- Original Message -----------
> From: "Jim Moores" <[EMAIL PROTECTED]>
> To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> Sent: Wed, 05 Feb 2003 08:11:02 -0500
> Subject: Recording Disclosures (was BA Agreement Questions)
>
> > Hi All,
> >
> > I agree with Noel's interpretation....
> >
> > But, I would like to confirm a related Privacy implication: When you
> > disclose PHI to either the state or an auditing group that the state
> > hired, must you record that as a disclosure? Do you have to record the
> > disclosure at the individual level or can you just put a statement into
> > your NPP that this kind of disclosure could happen to the person's PHI?
> >
> > The main reason I ask the question really centers on what TPO consists
>
> > of. If the state audits, say an insurance company as a part of it's
> > oversight of all insurance companies, is that disclosure of PHI to
> > the state a part of TPO, since the insurance company doesn't have
> > any choice in the matter? Can the same be said for all regulatory
> > types of disclosures?
> >
> > All opinions expressed are my own and should not be construed to be
> > Medical Mutual or Antares Management Solutions official policy.
> >
> > Jim Moores - HIPAA Team Leader - Privacy
> > Antares Management Solutions
> > 23700 Commerce Park Road
> > Beachwood, Ohio 44122-5832
> >
> > [EMAIL PROTECTED]
> > Phone: (216)292-1605
> > Fax: (216)292-1619
> >
> >
> > >>> "Noel Chang" <[EMAIL PROTECTED]> 02/04/03 10:36PM >>>
> > Is the audit being done at your request or are you required to
> > submit to the audit by the state?
> >
> > If you are initiating the audit then I'd say you should have a BA
> > agreement.
> > If the audit is being imposed on you by the state then I'd say no BA
> > is required.
> >
> > If the billing information you submit to the schools/nursing
> > homes/welfare
> > departments are for services you delivered to them, I don't see why
> > a BA
> >
> > agreement would be necessary. You are making a disclosure to obtain
> > payment. Such disclosures are specifically permitted, even if the
> > disclosure
> > is to the financially responsible party who is not the same person as
> > the
> > subject of the PHI.
> >
> > BA agreements are only necessary when you have a third party performing
> > a
> > covered function on your behalf.
> >
> > Noel Chang
> >
> > --
> > Open WebMail Project ( <http://openwebmail.org>)
> >
> > ---------- Original Message -----------
> > From: "Teri Baskett" <[EMAIL PROTECTED]>
> > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> > Sent: Tue, 4 Feb 2003 17:42:31 -0500
> > Subject: BA Agreement Questions
> >
> > > I've met with my CFO and our Purchasing Mgr and we've figured out
> > > most of our vendor list. But we had a couple of questions I hoped
> > > someone could help with:
> > >
> > > 1. What do we do about auditors that come on-site to review records
> > > for payment/compliance. If i read this right, if the auditor is a
> > > govt agency (Medicaid or Medicare) then we don't need an agreement.
> > > But our state contracts with another company to audit our state
> > > contract funds. Do we have to have the BA with that company for that?
>
> > >
> > > 2. We have service contract agreements with several schools/nursing
> > > homes/welfare depts. In addition to the treatment piece, we also
> > > (of course) submit bills that include patient identifiers (name, SSN,
> > > address). Do we need BA's for those relationships?
> > >
> > > Teri Baskett
> > > Information Officer
> > > LifeSpring Mental Health Services
> > >
> > > ---
> > > The WEDI SNIP listserv to which you are subscribed is not moderated.
> > > The discussions on this listserv therefore represent the views of
> > > the individual participants, and do not necessarily represent the
> > > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> > > receive an official opinion, post your question to the WEDI SNIP
> > > Issues Database at <http://snip.wedi.org/tracking/>. These listservs
>
> > > should not be used for commercial marketing purposes or discussion
> > > of specific vendor products and services. They also are not
> > > intended to be used as a forum for personal disagreements or
> > > unprofessional communication at any time.
> > >
> > > You are currently subscribed to wedi-privacy as:
> > > [EMAIL PROTECTED] To unsubscribe from this list, go to the
> > > Subscribe/Unsubscribe form at <http://subscribe.wedi.org> or send a
> > > blank email to [EMAIL PROTECTED] If you
> > > need to unsubscribe but your current email address is not the same
> > > as the address subscribed to the list, please use the
> > > Subscribe/Unsubscribe form at <http://subscribe.wedi.org>
> > ------- End of Original Message -------
> >
> > ---
> > The WEDI SNIP listserv to which you are subscribed is not moderated.
> > The discussions on this listserv therefore represent the views of
> > the individual participants, and do not necessarily represent the
> > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> > receive an official opinion, post your question to the WEDI SNIP
> > Issues Database at <http://snip.wedi.org/tracking/>. These listservs
> > should not be used for commercial marketing purposes or discussion
> > of specific vendor products and services. They also are not
> > intended to be used as a forum for personal disagreements or
> > unprofessional communication at any time.
> >
> > You are currently subscribed to wedi-privacy as:
> > [EMAIL PROTECTED]
> > To unsubscribe from this list, go to the Subscribe/Unsubscribe form
> > at <http://subscribe.wedi.org> or send a blank email to leave-wedi-
> > [EMAIL PROTECTED] If you need to unsubscribe but your
> > current email address is not the same as the address subscribed to
> > the list, please use the Subscribe/Unsubscribe form at
> <http://subscribe.wedi.org>
> >
> >
> --------------------------------------------------------------------------
> --
> --
> > CONFIDENTIALITY NOTICE: This message is intended only for the
> > use of the individual or entity to which it is addressed and may contain
>
> > information that is privileged, confidential or exempt from
> > disclosure under applicable law. If the reader of this message is
> > not the intended recipient or the employee or agent responsible for
> > delivering the message to the intended recipient, you are hereby
> > notified that you are strictly prohibited from printing, storing,
> > disseminating, distributing or copying this communication. If you
> > have received this communication in error, please notify us
> > immediately by replying to the message and deleting it from your
> > computer. Thank You, Antares Management Solutions.
> >
> >
> ==========================================================================
> ====
> >
> > ---
> > The WEDI SNIP listserv to which you are subscribed is not moderated.
> > The discussions on this listserv therefore represent the views of
> > the individual participants, and do not necessarily represent the
> > views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
> > receive an official opinion, post your question to the WEDI SNIP
> > Issues Database at <http://snip.wedi.org/tracking/>. These listservs
> > should not be used for commercial marketing purposes or discussion
> > of specific vendor products and services. They also are not
> > intended to be used as a forum for personal disagreements or
> > unprofessional communication at any time.
> >
> > You are currently subscribed to wedi-privacy as:
> > [EMAIL PROTECTED] To unsubscribe from this list, go to the
> > Subscribe/Unsubscribe form at <http://subscribe.wedi.org> or send a
> > blank email to [EMAIL PROTECTED] If you
> > need to unsubscribe but your current email address is not the same
> > as the address subscribed to the list, please use the
> > Subscribe/Unsubscribe form at <http://subscribe.wedi.org>
> ------- End of Original Message -------
>
>
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the
> individual participants, and do not necessarily represent the views of the
> WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
> opinion, post your question to the WEDI SNIP Issues Database at
> <http://snip.wedi.org/tracking/>. These listservs should not be used for
> commercial marketing purposes or discussion of specific vendor products
> and services. They also are not intended to be used as a forum for
> personal disagreements or unprofessional communication at any time.
>
> You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> <http://subscribe.wedi.org> or send a blank email to
> [EMAIL PROTECTED]
>
> If you need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the
> Subscribe/Unsubscribe form at <http://subscribe.wedi.org>
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the
> individual participants, and do not necessarily represent the views of the
> WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
> opinion, post your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/. These listservs should not be used for
> commercial marketing purposes or discussion of specific vendor products
> and services. They also are not intended to be used as a forum for
> personal disagreements or unprofessional communication at any time.
>
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> http://subscribe.wedi.org or send a blank email to
> [EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the
> individual participants, and do not necessarily represent the views of the
> WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
> opinion, post your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/. These listservs should not be used for
> commercial marketing purposes or discussion of specific vendor products
> and services. They also are not intended to be used as a forum for
> personal disagreements or unprofessional communication at any time.
>
> You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> http://subscribe.wedi.org or send a blank email to
> [EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same
> as the address subscribed to the list, please use the
> Subscribe/Unsubscribe form at http://subscribe.wedi.org
This electronic message transmission, including any attachments, contains information
from PacifiCare Health Systems Inc. which may be confidential or privileged. The
information is intended to be for the use of the individual or entity named above. If
you are not the intended recipient, be aware that any disclosure, copying,
distribution or use of the contents of this information is prohibited.
If you have received this electronic transmission in error, please notify the sender
immediately by a "reply to sender only" message and destroy all electronic and hard
copies of the communication, including attachments.
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions
on this listserv therefore represent the views of the individual participants, and do
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If
you wish to receive an official opinion, post your question to the WEDI SNIP Issues
Database at http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and services.
They also are not intended to be used as a forum for personal disagreements or
unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the
address subscribed to the list, please use the Subscribe/Unsubscribe form at
http://subscribe.wedi.org
