Except for State Law which may mandate HIPAA equivalent requirements.
 
Regards,

Tim McGuinness, Ph.D.

Email: [EMAIL PROTECTED]
Alt Email: [EMAIL PROTECTED]
Direct Phone: 1-727-787-9801

Certified Consulting Specialist and Forensic Regulatory Examiner in Regulatory Privacy, Security, and Application Compliance
[HIPAA/FDA/GCP/21cfr11/CMS-HCFA/ICH/ADA & Section 508/DITSCAP/NIACAP/ISO17799/BS7799/NIST 800 C&A/COPPA/GLBA/Homeland Security]
Founding Board Member & Executive Co-Chairman, HIPAA Conformance Certification Organization

===========================================================================

IMPORTANT LEGAL NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.

HIPAA NOTICE: It is acknowledged that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association. The foregoing is provided for educational or discussion purposes only. The author accepts no responsibility for its accuracy, review, distribution, or use in any way. You assume responsibility for understanding this material and its applicability and/or use. The above may need to be interpreted by your attorney as needed to conform with federal or state law - your use of this information must always be reviewed and approved by your own attorney prior to use, application, or implementation.

-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 10:18 AM
To: WEDI SNIP Security Workgroup List
Subject: Re: It is a violation: HIPAA? FERPA? in schools

Dan,
I agree.
If the school is a HIPAA Covered Entity, it needs to draft an NPP and deliver it appropriately, but it does NOT need specific authorization for this type of activity. If it is not a Covered Entity due to FERPA, HIPAA considerations are nonexistent, and all data protections are specified by FERPA.
 
The opinions expressed here are my own and not necessarily the opinion of LCMH.
 
Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]
 
"This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s)  named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately,  delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you."
 

 
----- Original Message -----
From: Aiken, Dan
Sent: Tuesday, November 11, 2003 08:26 AM
Subject: RE: It is a violation: HIPAA? FERPA? in schools

Mike,

 

If the school in question is considered a covered entity (and it is not a HIPAA concern unless it is), disclosing protected health information (PHI) to a billing service without permission from the patient or patient’s representative (parents, in this case) is NOT a HIPAA violation. HIPAA permits disclosing PHI for treatment, PAYMENT, and health care operations without authorization. Therefore, this may be a violation of FERPA (I don’t know anything about FERPA), but it is certainly not a HIPAA violation.

 

Dan Aiken

HIPAA Project Director

(212) 774-2569

[EMAIL PROTECTED]

HIPAA — It's not just the law, it's good patient care.

 

This e-mail message is intended only for the use of the individual or entity to whom it is addressed and may contain information that is privileged or confidential.  If the reader of this message is not the intended recipient or an employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify me immediately by telephone and also reply by e-mail, and then delete this e-mail message.

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 7:55 AM
To: WEDI SNIP Security Workgroup List
Subject: It is a violation: HIPAA? FERPA? in schools

 

Hi All: I just wanted to let you know that it has been reported to me that the attorney for the Arizona Dept. of Education has found that the concerns expressed in my communication below are indeed in violation. I do not know if he is referencing HIPAA or FERPA at this time. I will try to find out so you know his legal reasoning.

The matter is reportedly being referred to the Arizona Attorney General's Office and to appropriate regulatory agencies for investigation.

Thanks for your insights on this issue.

Regards,

Mike Cohn, Ed.D.,P.C.



----- Original Message -----
From: [EMAIL PROTECTED]
To: WEDI SNIP Security Workgroup List
Sent: Tuesday, November 04, 2003 10:56 AM
Subject: HIPAA and Schools


Hi All:)  I became aware of the billing practice of my nephew's school as described below.  I sent the e-mail below to a consultant at our State Dept. of Ed.  I am interested in your reactions.

Regards,

Mike Cohn, Ed.D.,P.C.
Psychologist, retired for medical reasons




Hi Dana - The issue below was brought to my attention by my sister. She reportedly received a prior written notice about changing the IEP to include billing Medicaid for services such as nursing and classroom aids.

I am quite familiar with HIPAA which went into effect in April 2003. Covered entities are required to provide clients with Notice of Privacy Practices/signed acknowledgement. Schools are likely covered entities as they receive federal funds and if they are providing healthcare services, such as nursing services. This is referred to as a Hybrid entity, one that not only provides healthcare, but other services as well. Since the agency is clearly billing AHCCCS for health related services they are likely a covered entity.

Personal Healthcare Information (PHI) includes name, address, diagnosis, social security or ID# etc.

Violation of FERPA may also be involved here. If schools are disclosing a student's special education status to a billing agency or to AHCCCS without written permission, they are disclosing something about a student's academic performance.


There are three issues as I see it. 

1.  Are students' privacy rights being violated? (For example, if a school district is submitting 1000 special ed. students' names to the billing service without appropriate consent, this would constitute 1000 violations per day.)

2.  Is insurance fraud occurring? Are schools receiving monies for services for students who are not AHCCCS eligible?

3.  Who has the student's information and how is it being stored? What arrangements do the schools have to ensure that billing services are properly protecting the student's personal information? (The provision in the HIPAA law is something called a Business Associates Agreement, which requires that the covered entity (school) ensure the privacy of the personal healthcare information (PHI).)

I hope you will follow up on these issues. I will be contacting the Arizona Center for Disability Law regarding these matters, but if I am accurate, this has profound implications for schools in general.

Regards,

Mike Cohn


Subj: Re: Medicaid in Public Schools
Date: 11/3/03 3:42:42 PM US Mountain Standard Time
From: MikePsych
To: [EMAIL PROTECTED]
CC: Jof601



Hello Ms. Pratt: I am Josh's Uncle Mike. I am concerned that the policy your billing service has implemented may be in violation of the Healthcare Information and Portability Act. Without prior written consent, I don't believe it is permissible to disclose personal healthcare information to a billing service. As you are submitting to Medicaid/AHCCCS it appears you are submitting healthcare or health related information.

To the best of my understanding HIPAA covered entities may include schools (hybrid entities) if they have a nurse on staff.

I hope you will check this out so that students' privacy rights are protected.

Sincerely yours,


Michael J. Cohn, Ed.D.,P.C.

In a message dated 11/3/03 2:05:07 PM US Mountain Standard Time, Jof601 writes:



Hi Ms. Pratt,
 
Please be advised that Josh is NOT AHCCCS eligible.  Thanks for your response and information.
 
Jo
 
In a message dated 11/3/2003 9:10:51 AM US Mountain Standard Time, [EMAIL PROTECTED] writes:


Medicaid in Public Schools is a program that allows school districts to be reimbursed for some of the services that are provided to students in special education and are AHCCCS eligible. In the State of Arizona, children go on and off AHCCCS on a daily basis, so our billing company, Southwest Educational Billing Services, advises districts to include all special education students. This is standard practice for school districts. Only those students that are AHCCCS eligible on any given day are billed for.

Ann Pratt
Madison School District #38
[EMAIL PROTECTED]
602-664-7931








---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
