Mike,
If the school in question is considered a
covered entity (and it is not a HIPAA concern unless it is), disclosing protected
health information (PHI) to a billing service without permission from the patient
or patient’s representative (parents, in this case) is NOT a HIPAA violation.
HIPAA permits disclosing PHI for treatment, PAYMENT, and health care operations
without authorization. Therefore, this may be a violation of FERPA (I don’t
know anything about FERPA), but it is certainly not a HIPAA violation.
Dan Aiken
HIPAA Project Director
(212) 774-2569
[EMAIL PROTECTED]
HIPAA —
It's not just the law, it's good patient care.
This e-mail message is intended only for the use
of the individual or entity to whom it is addressed and may contain information
that is privileged or confidential. If
the reader of this message is not the intended recipient or an employee or
agent responsible for delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution, or copying of this
communication is strictly prohibited. If
you have received this communication in error, please notify me immediately by
telephone and also reply by e-mail, and then delete this e-mail message.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 7:55 AM
To: WEDI SNIP Security Workgroup
List
Subject: It is a violation: HIPAA?
FERPA? in schools
Hi All: I just wanted to let
you know that it has been reported to me that the attorney for the Arizona
Dept. of Education has found that the concerns expressed in my communication
below are indeed in violation. I do not know if
he is referencing HIPAA or FERPA at this time. I will try to find out so
you know his legal reasoning.
The matter is reportedly being referred to the Arizona Attorney General's
Office and to appropriate regulatory agencies for investigation.
Thanks for your insights on this issue.
Regards,
Mike Cohn, Ed.D.,P.C.
----- Original Message -----
From: [EMAIL PROTECTED]
To: WEDI SNIP Security Workgroup List
Sent: Tuesday, November 04,
2003 10:56 AM
Subject: HIPAA and Schools
Hi All:) I became aware of the billing practice of my nephew's school as
described below. I sent the e-mail below to a consultant at our State
Dept. of Ed. I am interested in your reactions.
Regards,
Mike Cohn, Ed.D.,P.C.
Psychologist, retired for medical reasons
Hi Dana - The issue below was brought to my attention by my sister.
She reportedly received a prior written notice about changing the IEP to
include billing medicaid for services such as nursing and classroom aids.
I am quite familiar with HiPAA which went into effect in April 2003.
Covered entities are required to provide clients with Notice of Privacy
Practices/signed acknowledgement. Schools are likely covered entities as
they receive federal funds and if they are providing healthcare services, such
as nursing services. This is referred to as a Hybrid entity, one that not only
provides healthcare, but other services as well. Since the agency is clearly
billing AHCCS for health related services they are likely a covered entity.
Personal Healthcare Information (PHI) includes name, address, diagnosis, social
security or ID# etc.
Violation of FERPA may also be involved here. If schools are disclosing a
student's special education status to a billing agency or to AHCCS without
written permission, they are disclosing something about a stuent's academic
performance.
There are three issues as I see it.
1. Are student's privacy rights being violated? ( For example, If a
school district is submitting 1000 special ed. students names to the billing
service without appropriate consent, this would constitute 1000 violations per
day).
2. Is insurance fraud occurring? Are schools receiving monies for
services for students who are not AHCCS eligible?
3. Who has the student's information and how is it being stored?
What arrangements do the school's have to insure that billing services are
properly protecting the student's personal information (The provision in the
HIPAA law is something called a Business Associates Agreement, which requires
that the covered entity (school) ensure the privacy of the personal healthcare
information (PHI).
I hope you will follow up on these issues. I will be contacting the Arizona Center for
Disability Law regarding these matters, but if I am accurate, this has profound
implications for schools in general.
Regards,
Mike Cohn
Subj: Re: Medicaid in Public Schools
Date: 11/3/03 3:42:42 PM US Mountain Standard Time
From: MikePsych
To: [EMAIL PROTECTED]
CC: Jof601
Hello Ms. Pratt: I am Josh's Uncle Mike. I am concerned that the
policy your billing service has implemented may be in violation of the
Healthcare Information and Portability Act. Without prior written
consent, I don't believe it is permissible to disclose personal healthcare
information to a billing service. As you are submitting to medicaid/ahccs
it appears you are submitting healthcare or health related information.
To the best of my understanding HIPAA covered entities may include schools
(hybrid entities) if they have a nurse on staff.
I hope you will check this out so that student's privacy rights are protected.
Sincerely yours,
Michael J. Cohn, Ed.D.,P.C.
In a message dated 11/3/03 2:05:07 PM US Mountain
Standard Time, Jof601 writes:
Hi Ms. Pratt,
Please be advised that Josh is NOT AHCCCS eligible. Thanks for your
response and information.
Jo
In a message dated 11/3/2003 9:10:51 AM US Mountain
Standard Time, [EMAIL PROTECTED] writes:
Medicaid in Public Schools is a program that allows school districts to be
reimbursed for some of the services that are provided to students in special
education and are AHCCCS eligible. In the State of Arizona,
children go on and off AHCCCS on a
daily basis, so our billing company, Southwest Educational Billing Services,
advises districts to include all special education students. This is
standard practice for school districts. Only those students that are
AHCCCS eligible on any given day
are billed for.
Ann Pratt
Madison School District #38
[EMAIL PROTECTED]
602-664-7931
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post your
question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.
These listservs should not be used for commercial marketing purposes or
discussion of specific vendor products and services. They also are not intended
to be used as a forum for personal disagreements or unprofessional
communication at any time.
You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe form
at http://subscribe.wedi.org
---