I tend to agree with your first point. I think that you should have some type of access controls set for any NEW implementations. Anything that your organization is going to do from the deadline on forward should have access and audit controls implemented. Even if that information was produced before hand, you are accessing it now and need to be compliant. When someone asks for medical records that is not covered under TPO, they should need to have an authorization, no matter when the data was recorded. That's my opinion on the matter. Hope it helps.
-----Original Message----- From: Mimi Hart [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 2:34 PM To: WEDI SNIP Security Workgroup List Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: HIPAA Security - Unique Access I probably sound like I am trying to parse on a thin line, but here goes (bear with me). I don't believe that patient's rights under Privacy & Security are retroactive - that is they can't ask us to run an audit trail or produce a disclosure log for data that accessed or disclosed before April 14, 2003. However, if I am buying an application that is ONLY going to contain data that was PRODUCED before April 14, 2003 (such as microfilm pull-up software for medical records produced in 1999-2000) must I have the ability to audit, use unique sign-ins, etc for when that data is accessed by staff as part of treatment, payment or healthcare operations? Mimi Hart Ó¿Õ* Research Analyst, HIPAA Iowa Health System 319-739-2430 (phone) 319-739-2594 (fax) 319-490-0637 (pager) [EMAIL PROTECTED] --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-security as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org ************************************************************** ************************************************************** This email and any attachments addressed from [EMAIL PROTECTED] is intended for the exclusive use of [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] The information contained in this email may be proprietary, confidential, privileged, and exempt from disclosure under applicable law. If the reader of this email is not [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] or an agent responsible for delivering the message to the intended recipient, the reader is hereby put on notice that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If the reader has received this communication in error, please immediately notify [EMAIL PROTECTED] by email and delete all copies of this email along with any attachments. ************************************************************** ************************************************************** --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-security as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org