Rx2000HIPAA Digest, Volume 28

#1 From: RHiggins@DDS.CA.GOV
   Subject: Re: ICF-DD
#2 From: Sslazarus@aol.com
   Subject: Re: HIPAA and military hospitals
#3 From: Timothy_Lyons@superiorconsultant.com
   Subject: RE: HIPAA and military hospitals
#4 From: Mary.Cooley@rsacompanies.com
   Subject: RE: HIPAA and military hospitals
#5 From: paulsmith@dwt.com
   Subject: RE: HIPAA and military hospitals
#6 From: paulsmith@dwt.com
   Subject: RE: ICF-DD
#7 From: paulsmith@dwt.com
   Subject: RE: HIPAA and military hospitals
#8 From: LHarring@gw.dhs.state.ri.us
   Subject: HIPAA lives...

********** Message #1 **********

From: RHiggins@DDS.CA.GOV
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD
Date: Mon, 12 Jun 2000 15:15:26 -0700

Who/what would be the ultimate/final decision maker to confirm if the ICF/DD, ICF/DD-H and ICF/DD-N facilities in California, also known as ICF/MR under the federal government, fall under HIPAA?

06/12/00 07:51AM >>>
In all states I know of, Intermediate Care Facilities (ICFs) are licensed as healthcare providers. I would, therefore, think they would be covered under the HIPAA regs. Do you keep your vocational, recreational, social, and other habilitation records in the "medical record"? If you do, it would be part of the medical record and, again, I think would be covered by HIPAA (assuming your records are electronic and used in transactions). As I mentioned earlier, don't split hairs. It really doesn't pay.

Others' thoughts?

Errick E. Woosley
3X HCSG
(513) 587-3100

********** Message #2 **********

From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA and military hospitals
Date: Tue, 13 Jun 2000 00:46:28 EDT

The Feds' response to these questions, off the record, has been yes to both. All entities are covered by the Security Regulation if they store electronic patient data or computer-generated reports.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #3 **********

From: Timothy_Lyons@superiorconsultant.com
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA and military hospitals
Date: Tue, 13 Jun 2000 02:19:10 -0400

It is my understanding from reading the regs that they have extended the reach of the regs past the "covered entities" by the chain of trust and business partner agreements, specifically to address the issues you have raised. If a covered entity creates or stores identifiable patient information and then sends a paper copy of that information, they had better have a written chain of trust or business partner agreement with the receiving party or they run afoul of the regs.

Tim Lyons
Group Leader, HIPAA Planning and Strategy
Superior Consultant Company

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Tuesday, May 30, 2000 12:15 PM
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA and military hospitals

Can anyone tell me whether or not military hospitals will be required to comply with HIPAA regulations? I have heard both yeas and nays. I have also read some of the proposed regs and found nothing that seemed to explicitly exclude military hospitals. Thanks for your help with this!

Lane Hatcher
Systems Engineer, Wilford Hall Medical Center
Lackland AFB, San Antonio, TX
rhatcher@flash.net

********** Message #4 **********

From: Mary.Cooley@rsacompanies.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA and military hospitals
Date: Tue, 13 Jun 2000 03:55:17 -0600

The thought process of whether an entity is a "covered entity" or has a "business partner" relationship with a covered entity that would cause the HIPAA privacy regs to apply in the case of a paper MRI scan report is admirable, but other than keeping a slew of lawyers busy defending an "entity" in court from application of the penalty provisions of the regs, it is probably begging the question.

The privacy regs are there to protect an individual or group of patients/consumers from harm through the release and propagation of PHI to inappropriate persons. If you look at it from a data perspective rather than a format perspective (electronic versus non-electronic), it becomes simpler to deal with. The purpose of both the business partner relationship and the covered entity verbiage and the penalties for inappropriate action are meant to make each entity that deals with the PHI aware of and responsible for their internal and external propagation of the data. If you know that what you do with PHI is appropriate and what the entities you pass it to do with PHI, there will not be intent to cause the penalty to be applied. Common sense will go a long way here.

I hope we are not going to go through the process of identifying whether a record should be covered or not based on transmission characteristics each time we send or receive PHI. Why expend the energy? From a business perspective, what is the cost/benefit of this activity? The resources used might be better spent to decide how to protect the PHI (i.e. encryption of the identifiable characteristics in every record) to eliminate the need to decide if it is covered or not in an individual delivery of the data. I know this causes major practical and data overhead concerns, but if the alternative is a person deciding on an individual case basis whether the regs apply, the data overhead is more manageable.

For the purpose of day-to-day business rather than CYA to protect an entity from application of the penalty provisions, I would assume that the data received is "covered" because not that much happens to data today that is not electronic. Anyone a "covered entity" sends PHI to is at least a "business partner" and therefore the covered entity must be aware of the policies and procedures that are in place at the receiver end to protect the PHI. If the PHI is distributed inappropriately, the covered entity could be in violation of the regs.

Is this oversimplifying?

Mary Cooley
RSA Companies
Manager Strategic Solutions, Healthcare Initiatives
mary.cooley@rsacompanies.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Monday, June 12, 2000 10:29 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA and military hospitals

Interesting point. Two thoughts--

1. HIPAA applies only to covered entities. It seems clear that if a provider does not transmit health information in electronic form in connection with a standard transaction (itself or through an agent), it is simply not covered by HIPAA, even if it receives information that would be protected by HIPAA in the hands of a covered entity. In other words, for HIPAA to apply, both the entity holding the information must be a covered entity, and the information must be protected. In your example, if the provider receiving the CT scan report is not a covered entity, the paper CT report is not covered in the hands of that provider. (This conclusion leaves out the possibility that the provider may have a business partner arrangement that would require it to protect the information.)

2. Suppose, however, that the provider receiving the paper CT report is a covered entity. Suppose that the CT report was maintained in electronic form by the provider producing the scan, and that the provider producing the scan is also a covered entity. The information in the paper CT report would be protected in the hands of the provider producing it, for the reasons you give. But would it also be protected in the hands of the entity receiving it, who never maintained or transmitted it in electronic form? The regs are not clear on this, but I think the answer has to be no, because a provider that receives paper records from another provider has no reliable way of knowing whether the other provider is a covered entity, or, if it is, whether the other provider (or perhaps some previous provider in the chain of transmission) maintained or transmitted the information in electronic form.

I'd be interested in your thoughts on this.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

********** Message #5 **********

From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA and military hospitals
Date: Tue, 13 Jun 2000 09:49:08 -0700

I think this is too broad a reading of the business partner requirement.

1. An entity is a business partner only if the covered entity discloses information to it so that it can assist the covered entity in performing a function of the covered entity, or so that it can perform a function for the covered entity (see proposed reg. 164.504). The concept is that the business partner is performing a function on behalf of the covered entity, or providing a service to the covered entity (this is evident from the examples in the introduction to the regs). In the example we are talking about, the provider receiving the CT scan (provider B) would not be the BP of the provider producing it (provider A), because (presumably) provider B is not providing a service to provider A, or to the patient on behalf of provider A--it is providing a service to the patient independently of provider A. In other words, I don't think that two providers are each other's business partners simply because they exchange information for purposes of treating the same patient.

2. In any event, even if you assume that provider A and provider B are business partners, a health care provider does not need a chain of trust agreement with another health care provider in order to disclose protected information for referral or consultation purposes (see proposed reg 164.507(e)(1)(i)).

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Monday, June 12, 2000 11:19 PM
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA and military hospitals

It is my understanding from reading the regs that they have extended the reach of the regs past the "covered entities" by the chain of trust and business partner agreements, specifically to address the issues you have raised. If a covered entity creates or stores identifiable patient information and then sends a paper copy of that information, they had better have a written chain of trust or business partner agreement with the receiving party or they run afoul of the regs.

Tim Lyons
Group Leader, HIPAA Planning and Strategy
Superior Consultant Company

********** Message #6 **********

From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: ICF-DD
Date: Tue, 13 Jun 2000 09:52:35 -0700

You just have to look at the regs--do they (a) provide health care services in the ordinary course of business (yes), and (b) transmit health care information electronically in connection with a standard transaction (either directly or through an agent) (probably no)? To be covered, the answer has to be yes to both.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Monday, June 12, 2000 3:15 PM
To: Rx2000HIPAA@rx2000.org
Cc: hcp-vocplus@worldnet.att.net
Subject: Re: ICF-DD

Who/what would be the ultimate/final decision maker to confirm if the ICF/DD, ICF/DD-H and ICF/DD-N facilities in California, also known as ICF/MR under the federal government, fall under HIPAA?

06/12/00 07:51AM >>>
In all states I know of, Intermediate Care Facilities (ICFs) are licensed as healthcare providers. I would, therefore, think they would be covered under the HIPAA regs. Do you keep your vocational, recreational, social, and other habilitation records in the "medical record"? If you do, it would be part of the medical record and, again, I think would be covered by HIPAA (assuming your records are electronic and used in transactions). As I mentioned earlier, don't split hairs. It really doesn't pay.

Others' thoughts?

Errick E. Woosley
3X HCSG
(513) 587-3100

********** Message #7 **********

From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA and military hospitals
Date: Tue, 13 Jun 2000 10:00:29 -0700

I agree--for a covered entity with complex data systems, it is impracticable to try to distinguish protected information from non-protected information. This discussion thread started out dealing with intermediate care facilities for the developmentally disabled, and the question whether they are covered entities in the first place. The only point on which I would disagree with you is that the business partner concept is narrower than you say--not every entity to which a covered entity discloses information is a business partner, and not all business partners need chain of trust agreements.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Tuesday, June 13, 2000 2:55 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA and military hospitals

The thought process of whether an entity is a "covered entity" or has a "business partner" relationship with a covered entity that would cause the HIPAA privacy regs to apply in the case of a paper MRI scan report is admirable, but other than keeping a slew of lawyers busy defending an "entity" in court from application of the penalty provisions of the regs, it is probably begging the question.

The privacy regs are there to protect an individual or group of patients/consumers from harm through the release and propagation of PHI to inappropriate persons. If you look at it from a data perspective rather than a format perspective (electronic versus non-electronic), it becomes simpler to deal with. The purpose of both the business partner relationship and the covered entity verbiage and the penalties for inappropriate action are meant to make each entity that deals with the PHI aware of and responsible for their internal and external propagation of the data. If you know that what you do with PHI is appropriate and what the entities you pass it to do with PHI, there will not be intent to cause the penalty to be applied. Common sense will go a long way here.

I hope we are not going to go through the process of identifying whether a record should be covered or not based on transmission characteristics each time we send or receive PHI. Why expend the energy? From a business perspective, what is the cost/benefit of this activity? The resources used might be better spent to decide how to protect the PHI (i.e. encryption of the identifiable characteristics in every record) to eliminate the need to decide if it is covered or not in an individual delivery of the data. I know this causes major practical and data overhead concerns, but if the alternative is a person deciding on an individual case basis whether the regs apply, the data overhead is more manageable.

For the purpose of day-to-day business rather than CYA to protect an entity from application of the penalty provisions, I would assume that the data received is "covered" because not that much happens to data today that is not electronic. Anyone a "covered entity" sends PHI to is at least a "business partner" and therefore the covered entity must be aware of the policies and procedures that are in place at the receiver end to protect the PHI. If the PHI is distributed inappropriately, the covered entity could be in violation of the regs.

Is this oversimplifying?

Mary Cooley
RSA Companies
Manager Strategic Solutions, Healthcare Initiatives
mary.cooley@rsacompanies.com

********** Message #8 **********

From: LHarring@gw.dhs.state.ri.us
To:
Subject: HIPAA lives...
Date: Tue, 13 Jun 2000 15:31:04 -0400

HIPAA was jointly sponsored by members of both parties in both houses of Congress. At one point prior to passage, HIPAA was known as either the
  Kennedy - Kassebaum bill [Ted Kennedy - Democrat, Mass.]
  Kassebaum - Kennedy bill [Nancy Kassebaum - Republican, Kan.]
  K2 bill.

I just returned last night from two weeks of meetings at HL7 and, particularly, X12 on standards associated with HIPAA. There were active attendees [that I recognized or had reported to me] from the Health Care Financing Administration (HCFA), approximately 35 state Medicaids, Department of Defense, Veterans Administration, private industry [payers, providers, vendors], and the Department of Health and Human Services (DHHS).

HIPAA will stand! The regulations are later than anybody wishes, but they will come, too. Barring some totally unexpected last-moment tsunami in Congress to repeal, HIPAA is a GO! At this point, nobody I've been working with for the past four years has any doubt on whether -- just, at this moment, when. [And, if things go as HCFA and DHHS representatives stated at X12 this past Sunday, 'when' could be quite 'soon'.]

Dave Feinberg
Co-Chair, HIPAA Implementation Work Group
Insurance Subcommittee
Accredited Standards Committee X12
Voting Member, HL7 and X12
Rensis Corporation [A Consulting Company]
206-617-1717
DAFeinberg@computer.org

Rx2000HIPAA@rx2000.org wrote:

In discussions at the hospital about preparations for HIPAA, one question keeps surfacing, and I wanted to see if any other organizations are having the same discussions. Since HIPAA is a compromise bill sponsored by Democrats, and since all formal rules have yet to be established, in the event of a Republican White House and Congress in 2001, how certain are we that this law will stand long enough for everyone to become compliant? Any thoughts?

Phyllis Ingram
Beebe Medical Center