Rx2000HIPAA Digest, Volume 19 #1 From: dafeinberg@home.com Subject: Re: Location of Draft HIPAA Privacy Rule #2 From: Steve.Boice@parkview.com Subject: Re: Paper faxes not covered unde #3 From: Patricia.Carter@gpmlaw.com Subject: RE: Paper faxes/website source for HIPAA regs #4 From: RMeinhardt@foleylaw.com Subject: RE: Paper faxes not covered under HIPAA #5 From: rneal@vhasecure.net Subject: RE: Don't split hairs #6 From: eellis@metalogics.com Subject: Re: Paper faxes not covered under HIPAA #7 From: ackerman@rx2000.org Subject: ** An important message for our listserv subscribers #8 From: Sslazarus@aol.com Subject: Re: Paper faxes not covered under HIPAA ********** Message #1 ********** From: dafeinberg@home.com To: Rx2000HIPAA@rx2000.org Subject: Re: Location of Draft HIPAA Privacy Rule Date: Thu, 11 May 2000 07:50:14 -0700 The complete draft HIPAA Privacy Rule can be found at: http://erm.aspe.hhs.gov/ora_web/plsql/erm_rule.rule?user_id=&rule_id=228 It can also be found in the Federal Register via the Government Printing Office web site. As I've noted previously, the following DHHS site contains an excellent 5.5 page summary of the draft HIPAA Privacy Rule: http://aspe.hhs.gov/admnsimp/pvcsumm.htm I recommend reading this summary before tackling the draft regulation in its entirety. Enjoy. Dave Feinberg Rensis Corporation [A Consulting Company] 206-617-1717 DAFeinberg@computer.org Rx2000HIPAA@rx2000.org wrote: Where can I read the preamble? Does anyone have the actual website for the entire document??? Thank you ********** Message #2 ********** From: Steve.Boice@parkview.com To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered unde Date: Thu, 11 May 2000 10:18:00 -0500 There are two sites that may be of interest to you. the first one, http://thomas.loc.gov/cgi-bin/query/z?c104:H.R.3103.ENR:, will give you the actual HIPAA law. The second one, http://aspe.os.dhhs.gov/admnsimp/, discusses the proposed privacy rules from which the HIPAA legislation requires. I hope this helps. Steve Boice Senior Business Analyst Information Services Parkview Health System 2200 Randallia Dr Fort Wayne, IN. 46805 Tel: (219) 484-6636 X25135 Pgr: (219) 470-6972 Fax: (219) 480-5026 ------------------( Forwarded letter 1 follows )-------------------- Date: Wed, 10 May 2000 12:31:45 EDT From: Rx2000HIPAA@rx2000.org Reply-To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA Where can I read the preamble? Does anyone have the actual website for the entire document??? Thank you ********** Message #3 ********** From: Patricia.Carter@gpmlaw.com To: "'Rx2000HIPAA@rx2000.org'" Subject: RE: Paper faxes/website source for HIPAA regs Date: Thu, 11 May 2000 10:51:46 -0500 Let's get back to the source. Available at http://aspe.os.dhhs.gov/admnsimp/index.htm The proposed privacy regulations say: "Under this definition [of "protected health information"], information that is "electronically transmitted" would include information exchanged with a computer using electronic media, even when the information is physically moved from one location to another using magnetic or optical media (e.g., copying information from one computer to another using a floppy disc). Transmissions over the Internet (i.e., open network), Extranet (i.e., using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks would all be included. Telephone voice response and "faxback" (i.e., a request for information from a computer made via voice or telephone keypad input with the requested information returned as a fax) systems would be included because these are computer output devices similar in function to a printer or video screen. This definition would not include "PAPER-TO-PAPER" faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail. The key concept that determines if a transmission meets the definition is whether the source or target of the transmission is a computer. The medium or the machine through which the information is transmitted or rendered is irrelevant." However, let's be clear at about what it means to say that "paper-to-paper" faxes are not included in the definition of "electronically transmitted." First, as I previously observed, on the receiving end of the fax you may not know it is "paper to paper." So, then what do you do? Second, as others have pointed out, all this "exclusion" does is say that faxing, in itself, does not make the information "electronically transmitted" and therefore PHI. You still have to look at the history of the information contained in the fax to make that determination. And while, in some respects, "protection is the key to all of this," in my view, compliance with the law is the key. From a public policy, ethical and/or practical standpoint, you may want to treat all the health information you control or receive as PHI. However, there will be instances where you will want to distinguish what protections you offered because you thought it was the right thing to do, and what protections your offered (or failed to offer) that were legal obligations. There are no penalties/sanctions under HIPAA for failing to protect information that does not come within HIPAA's definition of PHI. I'd apologize for the long-winded answer, but if you got this far, you must not have minded too much. Pat Carter Gray Plant Mooty Mooty & Bennett, PA patricia.carter@gpmlaw.com -----Original Message----- From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] Sent: May 10, 2000 5:45 PM To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA Folks, lest you forget -fax is electronic transmission. As a matter of fact, it's easier to intercept fax than it is to hack a computer. Isn't protection the key to all of this? Jeff Stutzman Healthcare ISAC www.info-security.net From: Rx2000HIPAA@rx2000.org Organization: Rensis Corporation [A Consulting Company] Reply-To: Rx2000HIPAA@rx2000.org Date: Wed, 10 May 2000 07:13:24 -0700 To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA I suspect that a paper-to-paper fax could also be interpreted to be (at least partially) covered by HIPAA privacy if the information entered on the original paper was even manually copied out of an electronic record. "HIPAA protects the information itself, not the record in which the information appears." So as Pat Carter so aptly noted: "So in practice, you have to treat all faxes as protected, don't you?" Dave Feinberg Rensis Corporation [A Consulting Company] 206-617-1717 DAFeinberg@computer.org Rx2000HIPAA@rx2000.org wrote: The problem, of course, is that when you receive a fax on paper you don't know if it was sent from paper or computer/faxmodem. So in practice, you have to treat all faxes as protected, don't you? Pat Carter, JD Gray Plant Mooty Mooty & Bennett, PA -----Original Message----- From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] Sent: May 05, 2000 3:45 PM To: Rx2000HIPAA@rx2000.org Subject: RE: Paper covered under HIPAA According to the DHHS preamble to the proposed privacy rule, a "paper to paper" fax does not constitute an electronic transmission of the record for purposes of HIPAA. On the other hand, a fax sent from or to a computer would be considered electronic for HIPAA purposes. Of course, a document that is sent by paper to paper fax could still be covered by HIPAA if it was in electronic form either before or after it was faxed. _______________________________ Clark Stanton Davis Wright Tremaine LLP One Embarcadero Center, Suite 600 San Francisco 94111 phone (415) 276-6538 fax (415) 276-6599 clarkstanton@dwt.com http://www.ehealthlaw.com http://www.dwt.com/lawdir/WCStanton.htm _______________________________ -----Original Message----- From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] Sent: Friday, May 05, 2000 10:10 AM To: Rx2000HIPAA@rx2000.org Subject: Paper covered under HIPAA In a message dated 5/5/00 11:06:02 AM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes: Errick, an extention of your comments, it is my understanding HIPAA "transactions" contemplate electronically produced paper. Pete Biagiotti Pete, You're right. If an electronic transmission is used to create a hard copy, then that hard copy AND ALL of progeny are covered under the HIPAA regs. So if you FAX a record to someone, the FAX machine prints it out: the printout is covered under HIPAA. If that FAX printout is used to make copies, then those copies are ALSO covered under HIPAA, even though they were not technically "transmitted". Errick E. Woosley, MPA 3X HCSG (513) 587-3100 ********** Message #4 ********** From: RMeinhardt@foleylaw.com To: "'Rx2000HIPAA@rx2000.org'" Subject: RE: Paper faxes not covered under HIPAA Date: Thu, 11 May 2000 11:27:12 -0500 Yes, except that a fax is not an electronic transmission when DHHS says it's not -- and they do say it's not: "this definition would not include paper-to-paper faxes, or person-to person telephone calls, videoteleconferencing, or messages left on voice-mail. the key concept that determines if a transmission meets the definition is whether the source or target of the transmission is a computer." Fed.Reg. 11/3/99, p. 59938, col.2 Of course, because "computer" is not a defined term under HIPAA, we are left to conjecture. Is it anything with a microchip? Robyn A. Meinhardt Foley & Lardner Denver, CO 303-294-4414 -----Original Message----- From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] Sent: Wednesday, May 10, 2000 4:45 PM To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA Folks, lest you forget -fax is electronic transmission. As a matter of fact, it's easier to intercept fax than it is to hack a computer. Isn't protection the key to all of this? Jeff Stutzman Healthcare ISAC www.info-security.net From: Rx2000HIPAA@rx2000.org Organization: Rensis Corporation [A Consulting Company] Reply-To: Rx2000HIPAA@rx2000.org Date: Wed, 10 May 2000 07:13:24 -0700 To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA I suspect that a paper-to-paper fax could also be interpreted to be (at least partially) covered by HIPAA privacy if the information entered on the original paper was even manually copied out of an electronic record. "HIPAA protects the information itself, not the record in which the information appears." So as Pat Carter so aptly noted: "So in practice, you have to treat all faxes as protected, don't you?" Dave Feinberg Rensis Corporation [A Consulting Company] 206-617-1717 DAFeinberg@computer.org Rx2000HIPAA@rx2000.org wrote: The problem, of course, is that when you receive a fax on paper you don't know if it was sent from paper or computer/faxmodem. So in practice, you have to treat all faxes as protected, don't you? Pat Carter, JD Gray Plant Mooty Mooty & Bennett, PA -----Original Message----- From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] Sent: May 05, 2000 3:45 PM To: Rx2000HIPAA@rx2000.org Subject: RE: Paper covered under HIPAA According to the DHHS preamble to the proposed privacy rule, a "paper to paper" fax does not constitute an electronic transmission of the record for purposes of HIPAA. On the other hand, a fax sent from or to a computer would be considered electronic for HIPAA purposes. Of course, a document that is sent by paper to paper fax could still be covered by HIPAA if it was in electronic form either before or after it was faxed. _______________________________ Clark Stanton Davis Wright Tremaine LLP One Embarcadero Center, Suite 600 San Francisco 94111 phone (415) 276-6538 fax (415) 276-6599 clarkstanton@dwt.com http://www.ehealthlaw.com http://www.dwt.com/lawdir/WCStanton.htm _______________________________ -----Original Message----- From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] Sent: Friday, May 05, 2000 10:10 AM To: Rx2000HIPAA@rx2000.org Subject: Paper covered under HIPAA In a message dated 5/5/00 11:06:02 AM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes: Errick, an extention of your comments, it is my understanding HIPAA "transactions" contemplate electronically produced paper. Pete Biagiotti Pete, You're right. If an electronic transmission is used to create a hard copy, then that hard copy AND ALL of progeny are covered under the HIPAA regs. So if you FAX a record to someone, the FAX machine prints it out: the printout is covered under HIPAA. If that FAX printout is used to make copies, then those copies are ALSO covered under HIPAA, even though they were not technically "transmitted". Errick E. Woosley, MPA 3X HCSG (513) 587-3100 ********** Message #5 ********** From: rneal@vhasecure.net To: Subject: RE: Don't split hairs Date: Thu, 11 May 2000 12:36:54 -0500 I would have to agree with Errick on this one. The more you try to break down what is included and what is not, the more complicated and confusing it is going to get... Work within the contraints of HIPAA, but try and generalize the renditions of confidentiality...be it pager, fax, etc. Just my two-cents... Roger Neal, MSTM Director, Information Systems Jackson Co. Memorial Hospital Altus, OK. http://www.jcmh.com -----Original Message----- From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] Sent: Monday, May 01, 2000 12:03 PM To: Rx2000HIPAA@rx2000.org Subject: Do't split hairs Over the past 2X years in healthcare management I have been involved with several licensure and accreditation surveys by various states, accrediting bodies, and the Feds. I have learned two things: 1. Not to split hairs. If you do you'll eventually miss and get burned. 2. The most stringent standard applies, be it state, federal, or accrediting body (like JCAHO, NCQA, CLEA, or CARF). If you just bite the bullet and do it right the surveyors will appreciate it and tend to give you the benefit of the on some other things you may have been questionable on. A general rule you may want to consider. If it is sent in electronic form, contains information that identifies a patient and something about their medical or financial profile it is covered under HIPAA. Whether it is Cell phone, Palm Pilot (or other PDA), land line, alpha pager, LAN, WAN, FAX, or some other medium of transmission. HIPAA is not the only law out there governing confidentiality of patient records/information. Also, it is easier on the staff to have one uniform policy and procedure for honoring confidentiality than to have them second guess as to whether or not it is a covered transmission. Don't make the foolish mistake of, "spending a dollar to save a dime." These words, are mine and do not represent my employer or clients. Errick Woosley, MPA Senior Consultant 3X HCSG errick.woosley@3x.com ********** Message #6 ********** From: eellis@metalogics.com To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA Date: Thu, 11 May 2000 19:31:06 -0400 True, fax is an eletronic submission. But it doesn't fall into the record compliance part of the HIPAA field definitions. That is why it's under discussion. A fax becomes progeny if information is derived from or becomes electronically stored. ernie ellis eellis@metalogics.com Rx2000HIPAA@rx2000.org wrote: Folks, lest you forget -fax is electronic transmission. As a matter of fact, it's easier to intercept fax than it is to hack a computer. Isn't protection the key to all of this? Jeff Stutzman Healthcare ISAC www.info-security.net From: Rx2000HIPAA@rx2000.org Organization: Rensis Corporation [A Consulting Company] Reply-To: Rx2000HIPAA@rx2000.org Date: Wed, 10 May 2000 07:13:24 -0700 To: Rx2000HIPAA@rx2000.org Subject: Re: Paper faxes not covered under HIPAA I suspect that a paper-to-paper fax could also be interpreted to be (at least partially) covered by HIPAA privacy if the information entered on the original paper was even manually copied out of an electronic record. "HIPAA protects the information itself, not the record in which the information appears." So as Pat Carter so aptly noted: "So in practice, you have to treat all faxes as protected, don't you?" Dave Feinberg Rensis Corporation [A Consulting Company] 206-617-1717 DFeinberg@computer.org Rx2000HIPAA@rx2000.org wrote: The problem, of course, is that when you receive a fax on paper you don't know if it was sent from paper or computer/faxmodem. So in practice, you have to treat all faxes as protected, don't you? Pat Carter, JD Gray Plant Mooty Mooty & Bennett, PA -----Original Message----- From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org] Sent: May 05, 2000 3:45 PM To: Rx2000HIPAA@rx2000.org Subject: RE: Paper covered under HIPAA According to the DHHS preamble to the proposed privacy rule, a "paper to paper" fax does not constitute an electronic transmission of the record for purposes of HIPAA. On the other hand, a fax sent from or to a computer would be considered electronic for HIPAA purposes. Of course, a document that is sent by paper to paper fax could still be covered by HIPAA if it was in electronic form either before or after it was faxed. _______________________________ Clark Stanton Davis Wright Tremaine LLP One Embarcadero Center, Suite 600 San Francisco 94111 phone (415) 276-6538 fax (415) 276-6599 clarkstanton@dwt.com http://www.ehealthlaw.com http://www.dwt.com/lawdir/WCStanton.htm _______________________________ -----Original Message----- From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org] Sent: Friday, May 05, 2000 10:10 AM To: Rx2000HIPAA@rx2000.org Subject: Paper covered under HIPAA In a message dated 5/5/00 11:06:02 AM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes: Errick, an extention of your comments, it is my understanding HIPAA "transactions" contemplate electronically produced paper. Pete Biagiotti Pete, You're right. If an electronic transmission is used to create a hard copy, then that hard copy AND ALL of progeny are covered under the HIPAA regs. So if you FAX a record to someone, the FAX machine prints it out: the printout is covered under HIPAA. If that FAX printout is used to make copies, then those copies are ALSO covered under HIPAA, even though they were not technically "transmitted". Errick E. Woosley, MPA 3X HCSG (513) 587-3100 ********** Message #7 ********** From: ackerman@rx2000.org To: rx2000hipaa@rx2000.org,rx2000ehealth@rx2000.org Subject: ** An important message for our listserv subscribers Date: Fri, 12 May 2000 15:56:12 -0500 --=====================_27246739==_.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Dear Rx2000 Listserv Subscriber, We've received suggestions from many of you over the past several months regarding list serve etiquette. While the following is not "written in stone" we believe adherence to some or all of these suggestions will make this listserv experience a better one for all participants. 1. Please identify yourself by name, position and employer or affiliation in the text of each message you post, whether it's an original message or a reply. Participants like to know who they're talking to and your affiliation or position adds "weight" to your opinions. Many email programs let you set up an automatic signature block for your messages. Please keep it brief but descriptive. You are encouraged to also include your email address, thereby allowing other listserv subscribers to contact you directly if they have a question they feel is not appropriate for the total readership or they wish to initiate an "off-line" dialogue with you. Of course, you are certainly welcome to remain anonymous. Someday soon, however, Rx2000 will switch to new listserv software that will, by default, include return address information. If you have a message for our listservs and still need to be assured of anonymity, please send it directly to me and I will see that it is scrubbed of all identifying information before posting. Our goal is to foster the communication and distribution of good information. 2. Use a descriptive subject line. Consider modifying the automatic subject line to reflect the real topic of your message. When a topic has changed after a series of replies and comments, change the subject to show what it's really about. 3. Please keep personal messages off the list. Also please post your responses to the listserv, unless there's a good reason to restrict dissemination of your reply. 4. Please avoid posting messages that simply say "I agree", "Me too" or similar messages that do not significantly add to the discussion of the topic. A Word about "Moderation" The Rx2000 listservs are moderated to ensure that advertising, useless fighting and totally inappropriate messages are not forwarded to the list. We do not try to censor. Rather, we are working to ensure a standard of quality for all. Additionally, in order to minimize risk and avoid flooding your mailboxes, we do not forward postings with attachments. An exception would be if we received an important posting with an attachment from a very trusted source (e.g., the FDA). Our moderator has already intercepted messages that were designed to deliver a new computer virus to you! If this had been an unmoderated service without any quality control, all of you would have received the virus. Of course, given the current state of computing, there is no guarantee of totally safe computing, but we will continue to do all we can to keep a safe, virtual meeting place for healthcare. The Rx2000 Institute provides this listserv and many other important services to healthcare free of charge to users. We appreciate all of your support and encourage you to make the greatest possible use of these free services. You can help to support the activities of the Institute and gain access to our members-only services by becoming a member of the Institute. Please see our website at http://www.rx2000.org for additional information about the benefits of membership. Thank you! Joel Ackerman Executive Director, Rx2000 Institute ackerman@rx2000.org 952-595-9551 ********* Message #8 ********** rom: Sslazarus@aol.com o: Rx2000HIPAA@rx2000.org ubject: Re: Paper faxes not covered under HIPAA ate: Sun, 14 May 2000 20:33:02 EDT This issue is covered in the Security regulation. Steven Lazarus Boundary Information Group