Rx2000HIPAA Digest, Volume 31

#1 From: paulsmith@dwt.com Subject: RE: Accountability of Insurance Companies
#2 From: angiocor@redynet.com.ar Subject: unsuscribe
#3 From: Woosleew@aol.com Subject: Re: Transmitted vs. Stored
#4 From: Woosleew@aol.com Subject: Re: Transmitted vs. Stored
#5 From: Steve.Boice@parkview.com Subject: RE: Accountability of Insurance
#6 From: Sslazarus@aol.com Subject: Re: unsuscribe
#7 From: Ralph.Neeper@wang.com Subject: Soft HIPAA
#8 From: paulsmith@dwt.com Subject: RE: Accountability of Insurance

********** Message #1 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Accountability of Insurance Companies
Date: Wed, 21 Jun 2000 10:28:18 -0700

Assuming you don't pay for the cost of medical care, you would not be a covered entity yourself (I know this is not what you were asking). I also agree with your conclusion that you would not be the business partner of the health care provider from whom you received medical information.

If you look at the commentary to the regs (page 59947), you will discern two types of business partner: (1) those who assist the covered entity in performing its functions (the commentary lists lawyers, auditors, consultants, TPAs, health care clearing houses, data processing firms, billing firms); and (2) those who perform some service for the covered entity (the example in the commentary is accreditation organizations). I agree that a disability insurer would not be functioning in either of these roles with respect to the covered entity from which it obtains medical information about an insured. There is no basis in the proposed regs for the idea that an otherwise non-covered entity is somehow covered because its client is the patient of a covered entity.

In order to supply you with protected health information the covered entity would have to get patient authorization (because you are not paying for the health care services). However, once the information is in your possession, I don't believe it would be subject to HIPAA protection.

Are you getting medical information from an employee health benefit plan? There could conceivably be an issue there if the disability insurance is also offered under an employee benefit plan.

The obligation to identify business partners and secure appropriate agreements is the covered entity's, not the business partner's, but it's understandable that you should be concerned. Obviously, you shouldn't rely on this without getting confirmation from your own attorneys.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, June 21, 2000 9:03 AM
To: Rx2000HIPAA@rx2000.org
Subject: Accountability of Insurance Companies

I have a question that I hope someone has an opinion on. I work for a large insurance company that, among other products, does a large disability insurance business. One of the key components in evaluating a disability claim is the claimant's medical information. Obviously this information is coming from a covered entity (e.g. Doctor, Hospital, etc). However, we are not obtaining this information in order to ".....carry out, assist with the performance of, or perform on behalf of, a function or activity..." for this covered entity. We are performing a service for the client of the covered entity.

My question is are we considered a business partner by extension because our client is a client of the covered entity? Or is this addressed in the regulation and I have simply overlooked it (it seems that this situation would be covered in some fashion since it involves the transfer of information)?

Any opinions or facts would be greatly appreciated!

Thanks
John Poole
423-755-3316
John_Poole@Providentcompanies.com

********** Message #2 **********
From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Transmitted vs. Stored
Date: Thu, 22 Jun 2000 14:01:31 EDT

I am in agreement with Patricia, but ... Can we get a "final answer"?

~~~~~~~~~~~

Also, in regard to transmission and security: as I understand it, HIPAA differentiates between an "open network" (the Internet) and a closed network (an entity's internal network). Transmission over an open network must be encrypted. If transmitted over a closed net, the network and transmission must meet other security standards, but the data does not necessarily have to be encrypted.

At least this is my understanding, and my opinion. Not that of my employer, and not meant as legal advice.

Errick Woosley
3X Corp.

********** Message #3 **********
From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Transmitted vs. Stored
Date: Thu, 22 Jun 2000 14:12:07 EDT

In a message dated 6/21/00 6:22:12 AM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes:

The HIPAA security requirements apply to electronic health information whether or NOT the information has been transmitted electronically between covered entities.

If this is true, why are the HIPAA regs so particular about the type of "transactions" that would invoke the HIPAA coverage of the data. There are more than just these 7 transactions in healthcare. Again, I bring up the exempt status of FAX's and data/information used for provider consultation (to exempt them seems silly and contradictory, but seems to be the case).

Errick Woosley
3X HCSG

********** Message #4 **********
From: Steve.Boice@parkview.com
To: Rx2000HIPAA@rx2000.org
Subject: RE: Accountability of Insurance
Date: Thu, 22 Jun 2000 13:54:00 -0500

What about these scenarios concerning disability insurance and the proper means to obtain medical information:

What if the disability insurance is through (or provided as a benefit of) the client's employer? Does this mean that the employer must obtain client authorization from the employee(s) to supply the insurance company the necessary information? Is this information still covered by HIPAA?

What if the client's employer is a covered-entity? Does the employer/covered entity need to obtain client/employee authorization for "those who perform some service for the covered entity (the example in the commentary is accreditation organizations)" as stated by Paul Smith? Is this information still covered by HIPAA since the covered entity is now an employer? (In other words, have the dynamics of the process changed the compliance requirements of the covered entity with the insurance company regarding what is and what is not covered by HIPAA?)

Just a thought: Wouldn't it be better if Congress modified the HIPAA legislation to protect ALL health care information regardless of who has it? If this were done, I believe many "what-if's" could be eliminated and guessing who would have to comply with HIPAA would not necessarily be a problem. However, the timing to achieve compliance by all could be longer, depending on the impact of protecting all healthcare information by any and all entities.

Steve Boice
Senior Business Analyst
Information Services
Parkview Health System
2200 Randallia Dr
Fort Wayne, IN. 46805
Tel: (219) 484-6636 X25135
Fax: (219) 480-5026

------------------( Forwarded letter 1 follows )---------------------
Date: Wed, 21 Jun 2000 10:28:18 -0700
To: Rx2000HIPAA@rx2000.org
From: Rx2000HIPAA@rx2000.org
Reply-To: Rx2000HIPAA@rx2000.org
Reply-Copies-To: listhelp@rx2000.org
Subject: RE: Accountability of Insurance Companies

Assuming you don't pay for the cost of medical care, you would not be a covered entity yourself (I know this is not what you were asking). I also agree with your conclusion that you would not be the business partner of the health care provider from whom you received medical information.

If you look at the commentary to the regs (page 59947), you will discern two types of business partner: (1) those who assist the covered entity in performing its functions (the commentary lists lawyers, auditors, consultants, TPAs, health care clearing houses, data processing firms, billing firms); and (2) those who perform some service for the covered entity (the example in the commentary is accreditation organizations). I agree that a disability insurer would not be functioning in either of these roles with respect to the covered entity from which it obtains medical information about an insured. There is no basis in the proposed regs for the idea that an otherwise non-covered entity is somehow covered because its client is the patient of a covered entity.

In order to supply you with protected health information the covered entity would have to get patient authorization (because you are not paying for the health care services). However, once the information is in your possession, I don't believe it would be subject to HIPAA protection.

Are you getting medical information from an employee health benefit plan? There could conceivably be an issue there if the disability insurance is also offered under an employee benefit plan.

The obligation to identify business partners and secure appropriate agreements is the covered entity's, not the business partner's, but it's understandable that you should be concerned. Obviously, you shouldn't rely on this without getting confirmation from your own attorneys.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

********** Message #5 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: unsuscribe
Date: Fri, 23 Jun 2000 11:45:09 EDT

In part this issue should be addressed in the patient's written authorization to release this information to you. There may be other issues as well.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #6 **********
From: Ralph.Neeper@wang.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: Soft HIPAA
Date: Fri, 23 Jun 2000 13:36:50 -0400

Do you know of a way I can get a soft copy of the HIPAA? I recently received a hard copy from my congressman, but would like to have it in either .txt or .doc format.

Thank you.
Ralph

********** Message #7 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Accountability of Insurance
Date: Fri, 23 Jun 2000 11:44:40 -0700

If the employer operates one of the 3 types of group health plans that are covered as "health plans" it would need employee consent before disclosing health information to a disability insurer. In my view, the information would not thereafter be covered by HIPAA, because the disability insurer would not be a covered entity, and it would not be the employer's business partner. I think this is the reason the Secretary agrees with your final thought, and wants Congress to climb back in.

On your second paragraph, I don't think disclosures to business partners require individual authorization: they should fall under the rubric of use or disclosure for health care operations. The absence of individual authorization is the reason why the business partner agreement is required.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 22, 2000 11:54 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Accountability of Insurance

What about these scenarios concerning disability insurance and the proper means to obtain medical information:

What if the disability insurance is through (or provided as a benefit of) the client's employer? Does this mean that the employer must obtain client authorization from the employee(s) to supply the insurance company the necessary information? Is this information still covered by HIPAA?

What if the client's employer is a covered-entity? Does the employer/covered entity need to obtain client/employee authorization for "those who perform some service for the covered entity (the example in the commentary is accreditation organizations)" as stated by Paul Smith? Is this information still covered by HIPAA since the covered entity is now an employer? (In other words, have the dynamics of the process changed the compliance requirements of the covered entity with the insurance company regarding what is and what is not covered by HIPAA?)

Just a thought: Wouldn't it be better if Congress modified the HIPAA legislation to protect ALL health care information regardless of who has it? If this were done, I believe many "what-if's" could be eliminated and guessing who would have to comply with HIPAA would not necessarily be a problem. However, the timing to achieve compliance by all could be longer, depending on the impact of protecting all healthcare information by any and all entities.

Steve Boice
Senior Business Analyst
Information Services
Parkview Health System
2200 Randallia Dr
Fort Wayne, IN. 46805
Tel: (219) 484-6636 X25135
Fax: (219) 480-5026