Rx2000HIPAA Digest, Volume 17 > > #1 From: dafeinberg@home.com Subject: LOINC Public Meeting > #2 From: Patricia.Carter@gpmlaw.com Subject: RE: Paper faxes not covered under HIPAA > #3 From: tiffany.l.feuerborn@ac.com Subject: self-funded groups > #4 From: RTelesca@gigaweb.com Subject: RE: self-funded groups > #5 From: Patricia.Carter@gpmlaw.com Subject: RE: self-funded groups > #6 From: dafeinberg@home.com Subject: Re: self-funded groups > #7 From: paulsmith@dwt.com Subject: RE: Paper faxes not covered under HIPAA > #8 From: dafeinberg@home.com Subject: Re: Paper faxes not covered under HIPAA > > > ********** Message #1 ********** > From: dafeinberg@home.com > To: rx2000hipaa@rx2000.org > Subject: LOINC Public Meeting > Date: Tue, 09 May 2000 09:28:53 -0700 > > Logical Observation Identifier Names and Codes (LOINC) is the coding > system planned for use in identifying information included in HIPAA > Claims Attachments transactions. LOINC is a no-cost database of over > 26,000 names and codes that identify laboratory, clinical, and HIPAA > variables. > > Following is LOINC's invitation to attend their first public meeting. > > Dave Feinberg > Co-Chair, HIPAA Implementation Work Group > Insurance Subcommittee > Accredited Standards Committee X12 > Voting Member, HL7 and X12 > Rensis Corporation [A Consulting Company] > 206-617-1717 > DAFeinberg@computer.org > > = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = > > Date: The Regenstrief Institute and the Laboratory LOINC Committee > invites all interested parties to the first Public Laboratory LOINC > meeting to be held in Indianapolis on June 13, 2000. > > Place: The meeting will be held in the Cancer Research Institute > Building, Lecture Room 101 (CR bldg on the map) in the Auditorium, > located on the first floor, 1044 W Walnut, on the campus of Indiana > University Purdue University at Indianapolis (IUPUI) at the Indiana > University Medical Center. > > The Cancer Research building is just south of the Regenstrief Health > Center. A map of the IU Medical Center at IUPUI can be found at > http://www.regenstrief/loinc/map.htm. Please pass this announcement on > to any other interested party and feel free to post on any appropriate > web server. > > Agenda: Is as follows (please note, Indianapolis is now on the same time > as Chicago, Central Daylight Savings): > > 8:00-8:30am Registration, coffee, and doughnuts > > 8:30-10:00am LOINC Tutorial 1 > > A. Overview: Rationale for, and market penetration of, LOINC laboratory > names and codes > B. Requests for new terms and new subject matter > C. Where LOINC fits within HL7 - result and laboratory automation > messages > D. Structure and content of LOINC database with emphasis on laboratory > content including molecular pathology, order sets, and tumor registry > E. Communicable disease reporting (Dwyer tables) > > 10:00-10:15am Break > > 10:15-12:00noon LOINC Tutorial 2 -Mapping LOINC to your local master > file > > A. Use of RELMA to find the right LOINC term > B. Extracting mapping information from HL7 messages > C. Strategies for semi-automatic mapping to LOINC codes > > 12:00-12:30pm Lunch > > 12:30-1:30pm LOINC exercises - Bring some of your own test code > information > > 2:00-5:00pm Laboratory LOINC Committee meeting (public invited) > > The committee will devote as much of the 2-5pm time as needed to > questions from public participants about any issue related to the LOINC > database, its use, structure, distribution, etc. The remainder of the > time will be used for regular LOINC term development activities. > > Registration: There will be no charge for attendance at the meeting. > Space may be limited, so please respond as early as possible, but in no > case later than May 31. Registrations will not be accepted after this > date. > > Please register, by one of the following methods: > > Registration online at: http://www.regenstrief.org/loinc/regform.html > > By any of the following methods, please include the following: > > Name: > Address: > Telephone/Fax: > E-Mail: > Company or organizational affiliation: > Your title: > Any special interests regarding LOINC: > > By E-mail to: loinc-meeting@regenstrief.org > > By surface mail to: > LOINC > c/o Regenstrief Institute > 1050 Wishard Blvd, 5th floor > Indianapolis IN 46202 > > Or by fax to: > LOINC > 317-630-6962 > > Hotel: The University Place (Doubletree) Conference Center and Hotel, is > located on the IU Medical Center campus very close to the meeting room. > Single occupancy at the hotel (if you give the group name of "LOINC") is > $99 + tax, and double occupancy is $114 + tax, per night. To ensure you > receive the special group rates, reservations must be made by 5:00 p.m. > on May 13, 2000. We suggest you make your reservation as early as > possible since Indianapolis is hosting the Indy Jazz Fest on > June 14-18. > > For hotel reservations please call 1-800-627-2700 or 317-269-9000 > > Group Name: LOINC > > Flying: If you are flying to Indianapolis, the Indianapolis > International Airport is located on the west side of Indianapolis, and > is a 15-20 minute drive to the IU Medical Center Campus which is close > to the center of the city. > > Taxi/limousine service available from the airport: > Yellow Cab: (317) 487-7777 > Indy Connection: (317) 241-7100 (out of state 800 888 INDY) > > Driving: If you are driving to Indianapolis or renting a car, the > Medical Center is about 3 hours from Chicago, 2 hours from > Cincinnati, and 2 hours from Louisville. A map of Indianapolis, with the > IU Medical Center highlighted is found at > http://www.iupui.edu/~cfs/html/indy_highway_map.html > > Acknowledgment: We gratefully acknowledge support from the National > Library of Medicine (representing the Department > of Health and Human Services), the Department of Defense, and the > Department of Veterans Affairs for this effort. > > Clement J. McDonald, MD > Distinguished Professor of Medicine, > Indiana University School of Medicine > Director, Regenstrief Institute > > ********** Message #2 ********** > From: Patricia.Carter@gpmlaw.com > To: "'Rx2000HIPAA@rx2000.org'" > Subject: RE: Paper faxes not covered under HIPAA > Date: Mon, 8 May 2000 10:08:13 -0500 > > The problem, of course, is that when you receive a fax on paper you don't > know if it was sent from paper or computer/faxmodem. So in practice, you > have to treat all faxes as protected, don't you? > > Pat Carter, JD > Gray Plant Mooty Mooty & Bennett, PA > > > -----Original Message----- > From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] > Sent: May 05, 2000 3:45 PM > To: Rx2000HIPAA@rx2000.org > Subject: RE: Paper covered under HIPAA > > > > According to the DHHS preamble to the proposed privacy rule, a "paper to > paper" fax does not constitute an electronic transmission of the record for > purposes of HIPAA. On the other hand, a fax sent from or to a computer > would be considered electronic for HIPAA purposes. Of course, a document > that is sent by paper to paper fax could still be covered by HIPAA if it was > in electronic form either before or after it was faxed. > > _______________________________ > > > > Clark Stanton > > Davis Wright Tremaine LLP > > One Embarcadero Center, Suite 600 > > San Francisco 94111 > > phone (415) 276-6538 > > fax (415) 276-6599 > > clarkstanton@dwt.com > > http://www.ehealthlaw.com > > http://www.dwt.com/lawdir/WCStanton.htm > > _______________________________ > > > > -----Original Message----- > > From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] > > Sent: Friday, May 05, 2000 10:10 AM > > To: Rx2000HIPAA@rx2000.org > > Subject: Paper covered under HIPAA > > > > > > In a message dated 5/5/00 11:06:02 AM Eastern Daylight Time, > > Rx2000HIPAA@rx2000.org writes: > > > > > Errick, an extention of your comments, it is my understanding HIPAA > > > "transactions" contemplate electronically produced paper. > > > > > > Pete Biagiotti > > > > > > > Pete, You're right. > > > > If an electronic transmission is used to create a hard copy, then that > > hard > > copy AND ALL of progeny are covered under the HIPAA regs. > > > > So if you FAX a record to someone, the FAX machine prints it out: the > > printout is covered under HIPAA. If that FAX printout is used to make > > copies, then those copies are ALSO covered under HIPAA, even though they > > were > > not technically "transmitted". > > > > > > Errick E. Woosley, MPA > > 3X HCSG > > (513) 587-3100 > > > > ********** Message #3 ********** > From: tiffany.l.feuerborn@ac.com > To: Rx2000HIPAA@rx2000.org > Subject: self-funded groups > Date: Mon, 8 May 2000 16:35:40 -0500 > > I have a question around how self-funded groups are affected by HIPAA. > Self-funded groups can request health information from a health insurer > (i.e., detailed claims information, etc.) who process the claims but pay > out of the self-funded groups account. Many people are having questions as > to whether the self-funded group would be subjected to HIPAA regulations or > if the group and the insurer could be considered one entity. Some have > thoughts about the way self-funded/payor deals are administered. There are > arguments that the HIPAA EDI transactions do not have to be ANSI standards > because it may be considered internal to the business arrangement. In > addition, how would Privacy issues play into this since it could be > considered normal business operations to share data? > > Any suggestions or do you know where I can find the answer? > > Thanks, > Tiffany Feuerborn > > > > ********** Message #4 ********** > From: RTelesca@gigaweb.com > To: "'Rx2000HIPAA@rx2000.org'" > Subject: RE: self-funded groups > Date: Tue, 9 May 2000 18:45:31 -0400 > > This is a very tricky question and I'm sure it will draw a number of > perspectives. My understanding is that the self-funded group could be > viewed as "acting" as a health plan by paying the cost of health care > services rather than premiums for health services. In such a case the health > plan could be considered a clearinghouse. So, both would be covered by > HIPAA. The two could also be considered business partners. Again, both would > be covered by HIPAA. In no instance could I see them considered as a single > entity. That may all be irrelevant because if the self-funded group does in > fact deal with any of the standard electronic transactions or protected > data, they must comply with HIPAA. One point of clarification -- under > these rules it is likely that only the area within the self-funded group > that actually handles the data would be subject to HIPAA. This could be a > single unit or department. > > Richard J. Telesca > ePractices Research > Giga Information Group > 54 Lavender Lane > Rocky Hill, CT 06067 > 860.257.8527 (phone) > > > -----Original Message----- > From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] > Sent: Monday, May 08, 2000 5:36 PM > To: Rx2000HIPAA@rx2000.org > Subject: self-funded groups > > > > I have a question around how self-funded groups are affected by HIPAA. > Self-funded groups can request health information from a health insurer > (i.e., detailed claims information, etc.) who process the claims but pay > out of the self-funded groups account. Many people are having questions as > to whether the self-funded group would be subjected to HIPAA regulations or > if the group and the insurer could be considered one entity. Some have > thoughts about the way self-funded/payor deals are administered. There are > arguments that the HIPAA EDI transactions do not have to be ANSI standards > because it may be considered internal to the business arrangement. In > addition, how would Privacy issues play into this since it could be > considered normal business operations to share data? > > Any suggestions or do you know where I can find the answer? > > Thanks, > Tiffany Feuerborn > > > > > > ********** Message #5 ********** > From: Patricia.Carter@gpmlaw.com > To: "'Rx2000HIPAA@rx2000.org'" > Subject: RE: self-funded groups > Date: Tue, 9 May 2000 18:14:16 -0500 > > When you use the term "self-funded group," it is not clear if you are > referring to the plan or to the employer. This is a critical distinction > (though the terms are often blurred in common usage). I will assume you > mean the Plan itself. > > HIPAA's definition of "health plan" includes: > "a. "Group health plan" (as currently defined by Section 2791(a) of the PHS > Act). A group health plan is a plan that has 50 or more participants (as > the term "participant" is currently defined by section 3(7) of ERISA) or is > administered by an entity other than the employer that established and > maintains the plan. This definition includes both insured and self-insured > plans." > > Therefore, IMHO, as I read the regulations: > > 1) A self-funded, employer-sponsored, health plan is a "covered entity" for > purposes of the HIPAA regulations. > > 2) If the health plan contracts with an insurance company for administrative > (ASO) services or with a third party administrator, that entity is a > "business partner" of the covered entity/health plan. With regard to the > proposed privacy regulations, this clearly invokes the "business partner" > requirements. With regard to the security regulations, at a minimum, a > "chain of trust" agreement with the administrator would be warranted. In my > view, the concept of business partner extends from the privacy regs to the > security regs. This may be explicit in the final security regulations; but, > in any event, the privacy regulations, in effect, incorporate the security > standards, and therein lies the argument that the security standards are > part of the privacy protections required from "business partners" under the > privacy regulations. > > I WOULD BE VERY INTERESTED IN HEARING/READING OTHER VIEWS ON THIS ISSUE. > > My best advice, for any entity that is involved directly or indirectly in > health care (or the payment for it), and thinks they might NOT be subject > directly or indirectly to the HIPAA Administrative Simplification > regulations, talk to your legal counsel. DHHS made the reach of these regs > as wide as they could within the scope of the statute. Get good legal > advice as to the specifics of your situation before you decide you don't > need to comply. > > Pat Carter, JD > Gray, Plant, Mooty, Mooty & Bennett, PA > patricia.carter@gpmlaw.com > > > -----Original Message----- > From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] > Sent: May 08, 2000 4:36 PM > To: Rx2000HIPAA@rx2000.org > Subject: self-funded groups > > > > I have a question around how self-funded groups are affected by HIPAA. > Self-funded groups can request health information from a health insurer > (i.e., detailed claims information, etc.) who process the claims but pay > out of the self-funded groups account. Many people are having questions as > to whether the self-funded group would be subjected to HIPAA regulations or > if the group and the insurer could be considered one entity. Some have > thoughts about the way self-funded/payor deals are administered. There are > arguments that the HIPAA EDI transactions do not have to be ANSI standards > because it may be considered internal to the business arrangement. In > addition, how would Privacy issues play into this since it could be > considered normal business operations to share data? > > Any suggestions or do you know where I can find the answer? > > Thanks, > Tiffany Feuerborn > > > > > ********** Message #6 ********** > From: dafeinberg@home.com > To: Rx2000HIPAA@rx2000.org > Subject: Re: self-funded groups > Date: Tue, 09 May 2000 16:16:53 -0700 > > "Sponsors" of health care insurance [usually employers, whether > self-funded or not] are not covered by the HIPAA legislation. It is a > critical omission! > > Thus, any EDI transactions between [non-covered] sponsors and "health > plans" [which are covered entities] can not be explicitly subject to any > HIPAA regulations. Most folks think using HIPAA transactions between > sponsors and health plans would be smart, but under the law this can not > be mandated by DHHS. Additionally, HIPAA is quite explicit in that only > transactions between covered entities, but not solely within any entity > [covered or not], must comply. > > Since health plans are covered by HIPAA, they will most likely be > required to have Business Partner Agreements in effect for any > non-covered entity (e.g. again, a sponsor) to whom they will be sending > HIPAA privacy protected information. The precise wording of any > Business Partner Agreement remains unspecified at this time; however in > addition to requiring a non-covered entity to appropriately protect > private information, such an agreement could theoretically contract the > business partner to also implement HIPAA transactions. > > Does this help a bit? > > Dave Feinberg > Rensis Corporation [A Consulting Company] > 206-617-1717 > DAFeinberg@computer.org > > > > Rx2000HIPAA@rx2000.org wrote: > > > > I have a question around how self-funded groups are affected by HIPAA. > > Self-funded groups can request health information from a health insurer > > (i.e., detailed claims information, etc.) who process the claims but pay > > out of the self-funded groups account. Many people are having questions as > > to whether the self-funded group would be subjected to HIPAA regulations or > > if the group and the insurer could be considered one entity. Some have > > thoughts about the way self-funded/payor deals are administered. There are > > arguments that the HIPAA EDI transactions do not have to be ANSI standards > > because it may be considered internal to the business arrangement. In > > addition, how would Privacy issues play into this since it could be > > considered normal business operations to share data? > > > > Any suggestions or do you know where I can find the answer? > > > > Thanks, > > Tiffany Feuerborn > > > > ********** Message #7 ********** > From: paulsmith@dwt.com > To: "'Rx2000HIPAA@rx2000.org'" > Subject: RE: Paper faxes not covered under HIPAA > Date: Tue, 9 May 2000 21:51:19 -0700 > > One could say much the same about voicemail messages, which DHHS says are > not covered because the target of the transmission is not a computer, even > though they can show up in an e-mail inbox. Are they protected because you > listen to them by clicking an icon on your computer screen, rather than > punching keys on your telephone? I would say not, because the target of the > message was your voicemail system, not your computer; but as systems become > increasingly integrated, distinctions of this kind become less and less > workable. > > As to faxes, a practical approach might be to treat them as paper-to-paper > unless one has some reason to believe they're not--it's hard to see how this > would get one into trouble, and one would at least escape the worst > penalties of the act, which require a knowing violation. > > > Paul T. Smith > Davis Wright Tremaine LLP > One Embarcadero Center, Suite 600 > San Francisco, CA 94111 > (415) 276-6532 > paulsmith@dwt.com > > -----Original Message----- > From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] > Sent: Monday, May 08, 2000 8:08 AM > To: Rx2000HIPAA@rx2000.org > Subject: RE: Paper faxes not covered under HIPAA > > > > The problem, of course, is that when you receive a fax on paper you don't > know if it was sent from paper or computer/faxmodem. So in practice, you > have to treat all faxes as protected, don't you? > > Pat Carter, JD > Gray Plant Mooty Mooty & Bennett, PA > > > -----Original Message----- > From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] > Sent: May 05, 2000 3:45 PM > To: Rx2000HIPAA@rx2000.org > Subject: RE: Paper covered under HIPAA > > > > According to the DHHS preamble to the proposed privacy rule, a "paper to > paper" fax does not constitute an electronic transmission of the record for > purposes of HIPAA. On the other hand, a fax sent from or to a computer > would be considered electronic for HIPAA purposes. Of course, a document > that is sent by paper to paper fax could still be covered by HIPAA if it was > in electronic form either before or after it was faxed. > > _______________________________ > > > > Clark Stanton > > Davis Wright Tremaine LLP > > One Embarcadero Center, Suite 600 > > San Francisco 94111 > > phone (415) 276-6538 > > fax (415) 276-6599 > > clarkstanton@dwt.com > > http://www.ehealthlaw.com > > http://www.dwt.com/lawdir/WCStanton.htm > > _______________________________ > > > > -----Original Message----- > > From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] > > Sent: Friday, May 05, 2000 10:10 AM > > To: Rx2000HIPAA@rx2000.org > > Subject: Paper covered under HIPAA > > > > > > In a message dated 5/5/00 11:06:02 AM Eastern Daylight Time, > > Rx2000HIPAA@rx2000.org writes: > > > > > Errick, an extention of your comments, it is my understanding HIPAA > > > "transactions" contemplate electronically produced paper. > > > > > > Pete Biagiotti > > > > > > > Pete, You're right. > > > > If an electronic transmission is used to create a hard copy, then that > > hard > > copy AND ALL of progeny are covered under the HIPAA regs. > > > > So if you FAX a record to someone, the FAX machine prints it out: the > > printout is covered under HIPAA. If that FAX printout is used to make > > copies, then those copies are ALSO covered under HIPAA, even though they > > were > > not technically "transmitted". > > > > > > Errick E. Woosley, MPA > > 3X HCSG > > (513) 587-3100 > > > > ********** Message #8 ********** > From: dafeinberg@home.com > To: Rx2000HIPAA@rx2000.org > Subject: Re: Paper faxes not covered under HIPAA > Date: Wed, 10 May 2000 07:13:24 -0700 > > I suspect that a paper-to-paper fax could also be interpreted to be (at > least partially) covered by HIPAA privacy if the information entered on > the original paper was even manually copied out of an electronic > record. "HIPAA protects the information itself, not the record in which > the information appears." > > So as Pat Carter so aptly noted: "So in practice, you have to treat all > faxes as protected, don't you?" > > Dave Feinberg > Rensis Corporation [A Consulting Company] > 206-617-1717 > DAFeinberg@computer.org > > > > Rx2000HIPAA@rx2000.org wrote: > > > > The problem, of course, is that when you receive a fax on paper you don't > > know if it was sent from paper or computer/faxmodem. So in practice, you > > have to treat all faxes as protected, don't you? > > > > Pat Carter, JD > > Gray Plant Mooty Mooty & Bennett, PA > > > > -----Original Message----- > > From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] > > Sent: May 05, 2000 3:45 PM > > To: Rx2000HIPAA@rx2000.org > > Subject: RE: Paper covered under HIPAA > > > > According to the DHHS preamble to the proposed privacy rule, a "paper to > > paper" fax does not constitute an electronic transmission of the record for > > purposes of HIPAA. On the other hand, a fax sent from or to a computer > > would be considered electronic for HIPAA purposes. Of course, a document > > that is sent by paper to paper fax could still be covered by HIPAA if it was > > in electronic form either before or after it was faxed. > > > _______________________________ > > > > > > Clark Stanton > > > Davis Wright Tremaine LLP > > > One Embarcadero Center, Suite 600 > > > San Francisco 94111 > > > phone (415) 276-6538 > > > fax (415) 276-6599 > > > clarkstanton@dwt.com > > > http://www.ehealthlaw.com > > > http://www.dwt.com/lawdir/WCStanton.htm > > > _______________________________ > > > > > > -----Original Message----- > > > From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] > > > Sent: Friday, May 05, 2000 10:10 AM > > > To: Rx2000HIPAA@rx2000.org > > > Subject: Paper covered under HIPAA > > > > > > > > > In a message dated 5/5/00 11:06:02 AM Eastern Daylight Time, > > > Rx2000HIPAA@rx2000.org writes: > > > > > > > Errick, an extention of your comments, it is my understanding HIPAA > > > > "transactions" contemplate electronically produced paper. > > > > > > > > Pete Biagiotti > > > > > > > > > > Pete, You're right. > > > > > > If an electronic transmission is used to create a hard copy, then that > > > hard > > > copy AND ALL of progeny are covered under the HIPAA regs. > > > > > > So if you FAX a record to someone, the FAX machine prints it out: the > > > printout is covered under HIPAA. If that FAX printout is used to make > > > copies, then those copies are ALSO covered under HIPAA, even though they > > > were > > > not technically "transmitted". > > > > > > > > > Errick E. Woosley, MPA > > > 3X HCSG > > > (513) 587-3100 > > >