Rx2000HIPAA Digest, Volume 33

#1 From: Patricia.Carter@gpmlaw.com
   Subject: RE: Transmitted vs. Stored - Covered Entities Only Need Apply
#2 From: Tom.Ihlenfeldt@co.hennepin.mn.us
   Subject: Faxes and PID
#3 From: ackerman@rx2000.org
   Subject: HCFA OPPS
#4 From: paulsmith@dwt.com
   Subject: RE: Patient Privacy/Disclosure Permission for Foundation/Fundraising Depts
#5 From: Sslazarus@aol.com
   Subject: Re: Faxes and PID
#6 From: Woosleew@aol.com
   Subject: Re: Faxes and PID
#7 From: Woosleew@aol.com
   Subject: Re: Patient Privacy/Disclosure Permission for Foundation/Fundraising Depts
#8 From: ackerman@rx2000.org
   Subject: Fw: HIPAA Implementation Guides are Ready

********** Message #1 **********

From: Patricia.Carter@gpmlaw.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Transmitted vs. Stored - Covered Entities Only Need Apply
Date: Wed, 28 Jun 2000 08:09:47 -0500

Just one final comment from me on this thread: I agree with the holistic approach to protected health information PROVIDED you are a covered entity. However, my original comments were related to the scope of the security regulations with regard to WHICH providers would be covered entities. That's where it can be important to dissect the language. While most providers will be covered, this does not necessarily mean all -- especially among small providers. And to say that all providers, whether they meet the definition of "covered entity" or not, should undertake this expensive compliance effort as if they were covered entities is, IMHO, not a recommendation that can be made without careful consideration of the provider's circumstances and resources. The provider may have very good security practices in place that perhaps do not meet every element of the regulations. If they are not a covered entity, perhaps that is enough -- at least in terms of what they must do in the next 24 months.

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice. :}

********** Message #2 **********

From: Tom.Ihlenfeldt@co.hennepin.mn.us
To: Rx2000HIPAA@rx2000.org
Subject: Faxes and PID
Date: Wed, 28 Jun 2000 09:46:30 -0500

Hello:

Our QA folks have reviewed the privacy guidelines and are of the opinion that faxing of patient identifiable information is high risk and would be effectively "prohibited" by the HIPAA privacy regs. In at least one of our operations, we triage calls from members and then use fax to pass the relevant information on to the member's primary clinic. Under HIPAA, we are told that the faxing will need to stop, and we'll need to use something else like secured email to do this.

Any help out there on 1) the premise that faxing of PID is prohibited under HIPAA, and 2) any technologies that would allow retaining the faxing but staying in HIPAA's good graces?

Thanks.

Tom Ihlenfeldt
Metropolitan Health Plan
Mpls, Minnesota

********** Message #3 **********

From: ackerman@rx2000.org
To: rx2000hipaa@rx2000.org, rx2000ehealth@rx2000.org
Subject: HCFA OPPS
Date: Thu, 29 Jun 2000 09:15:44 -0500

Dear Rx2000HIPAA and Rx2000eHealth Listserv Reader,

Rx2000 received a request from Joe Broseker, HCFA's Deputy Director, Provider Billing and Education Group, to help spread the word about HCFA OPPS listservs that may be helpful to your organization. These listservs provide for one-way communication from HCFA to listserv subscribers. HCFA will use the listservs to alert subscribers of new additions or changes to the HCFA OPPS website and to provide other information quickly to those affected by the OPPS.

Directions for subscribing to HCFA's OPPS listservs can be found at www.hcfa.gov/medlearn/listserv.htm

Joel Ackerman, Executive Director
Rx2000 Institute
ackerman@rx2000.org
612-595-7970

********** Message #4 **********

From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Patient Privacy/Disclosure Permission for Foundation/Fundraising Depts
Date: Wed, 28 Jun 2000 18:54:41 -0700

I think you are probably correct. I say "probably," because I think there is some question whether purely demographic information is "individually identifiable health information." The proposed regs say that IIHI is "health information, including demographic information collected from an individual" that relates to the health of the individual, the provision of health care to the individual, or payment for the individual's health care. (Proposed 164.504). The commentary to the regs says that a health care provider would need patient authorization to give demographic data to a drug company of patients with certain diagnoses so the drug company can market drugs to them (p. 59953). In this context, the demographic data clearly relates to the health of the individual. But if you simply gave demographic data without any indication of the health status of the individual, it's harder to characterize it as health-related. I suspect, however, that HHS would take the position that it is health-related, because it discloses that the person was in the hospital for something. (I note that under the proposed regs you would need individual authorization to include a patient in directory information, but this is not a clear parallel, because the directory information could include a general description of the patient's condition).

Assuming purely demographic information is health information, the proposed regs would permit it to be used without patient consent for "health care operations," among other things. However, the commentary states specifically that this would not include the use or disclosure of information for fund-raising purposes. (p. 59941).

As to the specifics, the consent has to name the organization receiving the information, and describe the purpose of the disclosure. There is a form in the proposed regs.

I don't think the Foundation is necessarily your business partner--or at least it might be, depending on what it does, but I don't think the mere release of demographic information for fund-raising purposes pursuant to patient authorization would make it a business partner.

Even with patient authorization, the foundation employee shouldn't have access to parts of the data system that contain more than demographic information--the disclosure has to be limited to the scope of the authorization.

And, yes, you should keep a log of information disclosed or accessed pursuant to an authorization, both for internal compliance purposes, and because the patient is entitled to an accounting of such disclosures (including date, name and address of recipient, description of the information disclosed, and purpose of the disclosure) (proposed 164.515).

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

The foregoing is intended as commentary, not legal advice--please consult your own lawyer.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, June 28, 2000 4:30 AM
To: Rx2000HIPAA@rx2000.org
Subject: Patient Privacy/Disclosure Permission for Foundation/Fundraising Depts

Please make sure I am interpreting this correctly... I am a newer member to the Listserv and apologize if these questions have previously been asked/answered.

Under HIPAA, Hospital Foundations or Fund-raising Organizations for hospitals will require specific patient consent in order to receive any identifiable patient information such as basic demographics for mailings/solicitations etc. Is this true? Does the consent need to be specific enough that the patient is told to whom and for what the information will be disclosed?

Our Foundation is a separate corporate entity, so I assume the Foundation is a Business Partner of the hospital. Currently, our Foundation employee has direct access to parts of our Information System. Might this "on demand" access to information continue under HIPAA? Must a log of all of this information "disclosed" or accessed be maintained?

Thanks for your thoughts and expertise on this.

Tina K. Zanis
Good Samaritan Regional Medical Center
Pottsville, PA
tzanis@gsrmc.dcnhs.org
570-621-4101

********** Message #5 **********

From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Faxes and PID
Date: Wed, 28 Jun 2000 23:56:01 EDT

I suggest that you participate in the WEDI Strategic National Implementation Process (SNIP), Security task group, to see how the industry approaches this issue and the alternatives. The WEDI site is www.wedi.org. The SNIP listservs are supposed to be operational next week and the SNIP Report #1 based on the June 15-16 discussions should be posted by July 7.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #6 **********

From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Faxes and PID
Date: Thu, 29 Jun 2000 09:34:25 EDT

Tom,

QA folks are by nature very cautious people ... it's their job. But: faxes are not prohibited under HIPAA. I am not aware of any method of transmission that is specifically prohibited under HIPAA. Just that transmissions must be secured and protected (and encrypted if over an open network). FAX machines can be password protected and faxes encrypted, so I don't understand where they get the evidence for their stance.

Also, faxes sent from FAX machine to FAX machine are excluded in HIPAA. Faxes sent from computer to computer are included under HIPAA.

Good luck

The above comments are my opinion only and do not reflect the opinion of my employer or clients, nor is the above meant as HIPAA compliance advice.

Errick Woosley
3X HCSG
(513) 587-3100

********** Message #7 **********

From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Patient Privacy/Disclosure Permission for Foundation/Fundraising Depts
Date: Thu, 29 Jun 2000 09:46:44 EDT

In a message dated 6/28/00 8:16:11 PM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes:

> Under HIPAA, Hospital Foundations or Fund-raising Organizations for hospitals will require specific patient consent in order to receive any identifiable patient information such as basic demographics for mailings/solicitations etc. Is this true? Does the consent need to be specific enough that the patient is told to whom and for what the information will be disclosed?

Tina,

This is already covered under the JCAHO accreditation standards (and has been for years). Yes, they must obtain consent. The signed consent must be:

- Specific as to whom the information will be released.
- Time dated (not good for more than a certain number of days).
- State what information may be obtained.
- And for what purpose the information will be used.

You won't go to jail for violation of a JCAHO standard, but the type 1 recommendation can be just as costly as a fine (lost revenue and preparation for a resurvey).

The above comments are my opinion only and do not reflect the opinion of my employer or clients, nor is it meant as HIPAA compliance advice.

Errick Woosley
3X HCSG
errick.woosley@3x.com

********** Message #8 **********

From: ackerman@rx2000.org
To: rx2000hipaa@rx2000.org
Subject: Fw: HIPAA Implementation Guides are Ready
Date: Thu, 29 Jun 2000 15:29:58 -0500

I received the following message from David Feinberg. He is encountering a problem in posting it to the listserv. We will work with him to figure out the problem, but in the interest of time I am forwarding it to the listserv for him so that you will have the information.

Joel Ackerman, Executive Director
Rx2000 Institute
ackerman@rx2000.org
612-595-7970

====================================================

> From: "David A. Feinberg, C.D.P."
> To: "RX2000 HIPAA List Server"
> Sent: Thursday, June 29, 2000 8:34 AM
> Subject: Fw: HIPAA Implementation Guides are Ready
>
> The following message is for those of you who may not be subscribed to
> the Washington Publishing Company list. My apologies in advance for
> the duplicate notification to those who are.
>
> Dave Feinberg
> Co-Chair, HIPAA Implementation Work Group
> Insurance Subcommittee
> Accredited Standards Committee X12
> Voting Member, HL7 and X12
> Rensis Corporation [A Consulting Company]
> 206-617-1717
> DAFeinberg@computer.org
>
> ----- Original Message -----
> From:
> Sent: Wednesday, June 28, 2000 5:11 PM
> Subject: HIPAA Implementation Guides
>
> TO: HIPAA Implementation Guide Users
> FROM: Steve Bass/Washington Publishing Company
>
> Approximately 9:00 PM EDT today, Wednesday, June 28, 2000,
> the Final ANSI ASC X12N HIPAA implementation guides will
> be available for download from:
> http://www.wpc-edi.com/hipaa
>
> The final guides, dated May 2000, replace all previous
> 004010 HIPAA draft documents.
>
> If you've forgotten your WPC Username or Password, go
> here before attempting to download:
> http://hipaa.wpc-edi.com/hipaa/forgot.asp
>
> To modify your WPC Profile, which consists of your name,
> company name, contact information, and a list of E-mail
> notifications that you have signed up for, go here:
> http://208.230.183.33/lookup/ModifyProfile1.asp