Rx2000HIPAA Digest, Volume 36
Date: Mon, 17 Jul 2000 07:15:05 GMT

#1 From: ackerman@rx2000.org
   Subject: New GovLink Section of Rx2000 Website
#2 From: brider@jhmi.edu
   Subject: RE: Job Description for Privacy Officer
#3 From: Ralph.Neeper@wang.com
   Subject: RE: Job Description for Privacy Officer
#4 From: medimage@voicenet.com
   Subject: Re: Job Description for Privacy Officer
#5 From: Rick.Ensenbach@childrenshc.org
   Subject: RE: Job Description for Privacy Officer
#6 From: morristhompson@kpmg.com
   Subject: RE: Job Description for Privacy Officer
#7 From: Woosleew@aol.com
   Subject: Transmitted x-rays
#8 From: Steve.Boice@parkview.com
   Subject: RE: Job Description for Privacy

********** Message #1 **********
From: ackerman@rx2000.org
To: rx2000hipaa@rx2000.org, rx2000ehealth@rx2000.org
Subject: New GovLink Section of Rx2000 Website
Date: Thu, 13 Jul 2000 01:40:42 -0500

Dear Rx2000HIPAA and Rx2000eHealth listserv readers,

In our continuing efforts to keep you well informed, the Rx2000 Institute is constantly updating its website with news and materials from government agencies such as HCFA and HHS, and information about HIPAA and eHealth. We're now instituting a regular update service for Institute Members and subscribers to our Listservs. This service will consist of regular announcements identifying recent updates to the Rx2000 website at http://www.rx2000.org. We hope this will be useful for you. Additionally, we encourage you to give us comments, information and websites worth noting so we can make this information widely available to your professional colleagues.

A key recent addition to the Rx2000 website is the GovLink section, designed to help you find answers to your questions about federal regulations and payment programs. Currently on GovLink:

1. An audio interview with Kevin Thurm, Deputy Secretary of the US Department of Health and Human Services
2. A video interview with Joseph Broseker, Deputy Director, Provider Billing and Education Group, Center for Health Plans and Providers, Health Care Financing Administration
3. Link to Joseph Broseker's presentation at the Rx2000 April Special Interest Group Meeting titled HCFA's New Outreach/Education and Customer Service Initiatives for Providers
4. Update information on HCFA's proposed APC payment program
5. A new video on the workings of HCFA
6. A new HCFA video on Outpatient PPS
7. HIPAA-related audio interviews with representatives of WEDI, AFEHCT, Blue Cross Blue Shield Association, North Carolina Healthcare Information & Communications Alliance, EHNAC, CBSI, and the American Dental Association

And much, much more. We will be constantly updating the material in GovLink, and you will want to visit this portion of the site often.

Thank you for your continued support of the Rx2000 Institute and your participation in our services!

Joel Ackerman, Executive Director
Rx2000 Institute
ackerman@rx2000.org
612-595-9551

********** Message #2 **********
From: brider@jhmi.edu
To:
Subject: RE: Job Description for Privacy Officer
Date: Thu, 13 Jul 2000 09:02:24 -0400

Received an inquiry from one of our physicians.... and would like to bounce it off this group before responding. Inquiry is as follows:

If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record... is it still subject to the privacy/confidentiality guidelines?

Thanks
Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205

>>> 07/12/00 02:23PM >>>
Agree with you there, and in addition, the position will need to have some background on Health Information Management and the state and federal regulations. As with salary, perhaps using industry standard would be a good start.

Alvin Siagian
Asiagian@ahs.llumc.edu
Loma Linda University Medical Center
Information Security Administrator
Phone: 909.558.3265

********** Message #3 **********
From: Ralph.Neeper@wang.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Job Description for Privacy Officer
Date: Fri, 14 Jul 2000 06:46:12 -0400

This is the same sort of question that arises from the use of Social Security Numbers in a text data file. The intent of protecting private information is to ensure that the information cannot be associated with the owner, unless, of course, the owner gives his/her permission.

The question in this case then becomes: what was the intent in transmitting the information (x-ray)? If it was to get a "second opinion" then it must be identified, somehow, in transmission so that the physician can match it with the rest of the patient's records when he gets it back. That is, somehow the patient must be identified with the x-ray during transmission. This identification can be intercepted and the associated information, therefore, can be misused.

If, on the other hand, the data is of general interest and is not associated nor ever will be associated with a patient (for example, a very unusual bone structure/injury/disease the occurrence of which should be brought to the attention of the community for research/comments) then I would think there would be no objection to transmitting it through a public medium.

One guideline that can be used is that if the information can be published in a general circulation newspaper, then it can be transmitted unencrypted over the Internet.

Ralph A Neeper
Wang Government Services, Inc.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, July 13, 2000 9:02 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Job Description for Privacy Officer

Received an inquiry from one of our physicians.... and would like to bounce it off this group before responding. Inquiry is as follows:

If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record... is it still subject to the privacy/confidentiality guidelines?

Thanks
Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205

********** Message #4 **********
From: medimage@voicenet.com
To:
Subject: Re: Job Description for Privacy Officer
Date: Fri, 14 Jul 2000 08:39:04 -0400

----- Original Message -----
From:
To:
Sent: Thursday, July 13, 2000 9:02 AM
Subject: RE: Job Description for Privacy Officer

Received an inquiry from one of our physicians.... and would like to bounce it off this group before responding. Inquiry is as follows:

If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record... is it still subject to the privacy/confidentiality guidelines?

Thanks
Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205

The *no name or ID* workaround would save encryption effort and expense but could possibly indicate that he didn't know or have evidence of who the patient was (other than a recorded telephone log). The exam scout or fax might have to be digitally secured anyway.
dk

********** Message #5 **********
From: Rick.Ensenbach@childrenshc.org
To:
Subject: RE: Job Description for Privacy Officer
Date: Fri, 14 Jul 2000 09:25:19 -0500

Bill,

The quick answer is no, you don't have to worry about encrypting it; however, you have to be very careful because sometimes information such as an x-ray that would seem to have nothing on it that identifies the patient may indeed identify the patient. For example, let's say the x-ray belongs to someone who is well known and was involved in an accident that has been publicized in the local media. If the media was able to obtain that x-ray, they most likely could identify who it belongs to. I realize this may be stretching it a bit, but the point I am trying to state here is that what may be de-identified data to one person may not be to another.

Here is a short list of some of the information I have been hearing that needs to be stripped (de-identifying data) from a patient record before transmitting it over the Internet:

Name
Full Address
Relative's names
Employer names
Birth data
Phone numbers
Fax numbers
Email addresses
SSN
Medical Record Number
Plan beneficiary number
Account number
Certificate or license number
Vehicle or device serial number
Web URL
IP address
Biometric
Photographic image
Occupation (if unique)
Any unique identifying code, number, or characteristic even if in public realm

Rick

Rick Ensenbach, CISSP
Information Security Administrator
Children's Hospitals & Clinics
2910 Centre Pointe Drive
Roseville, MN 55113
W. 651.855.2598
Fax: 651.855.2570
Email: Rick.Ensenbach@childrenshc.org

>>> 07/13/00 08:02AM >>>
Received an inquiry from one of our physicians.... and would like to bounce it off this group before responding. Inquiry is as follows:

If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record... is it still subject to the privacy/confidentiality guidelines?

Thanks
Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205

********** Message #6 **********
From: morristhompson@kpmg.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Job Description for Privacy Officer
Date: Fri, 14 Jul 2000 10:32:29 -0400

If the communication does not contain any individually identifiable patient information, in theory it does not have to be encrypted. However, the question that you are then faced with is who will make the call on what has to be encrypted and what doesn't. I don't think you want to leave it up to the users as to whether they encrypt or not, because we know that as soon as they see the difference in the speed of delivery and the time to open the message they will choose to not encrypt.

If they are receiving the message over a VPN or on a wireless device that provides a secure connection you may be able to not encrypt the traffic. But I would definitely make sure that all users are appropriately trained on how to handle the information and on the steps required before sending (i.e., what must be removed beforehand to meet the unidentifiable standard).

One question that comes to mind, if the doctor is receiving multiple messages, is how the doctor will know which X-ray is for which patient. What happens if there are two patients with similar conditions? It seems to me that the risk goes up.

Morris L. Thompson
Senior Manager - KPMG Consulting
111 South Calvert Street
Baltimore, MD 21202

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, July 13, 2000 9:02 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Job Description for Privacy Officer

Received an inquiry from one of our physicians.... and would like to bounce it off this group before responding. Inquiry is as follows:

If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record... is it still subject to the privacy/confidentiality guidelines?

Thanks
Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205

********** Message #7 **********
From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Transmitted x-rays
Date: Fri, 14 Jul 2000 13:50:43 EDT

In a message dated 7/13/00 9:39:33 PM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes:

    ...the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

My opinion would be no, probably not. If there is no identifiable patient information then it is not covered under any confidentiality standards/laws I am aware of.

Now, if you have only one person of a certain ethnic or other minority group and you disclose unidentified information on that person, and anyone can tell who the individual is by looking at the information, you should be comfortable in defending your actions and judgment in court. The court thing is just a benchmark to use. Chances are slim that it would ever go there... unless the release of information caused harm to the individual.

BTW I am not a lawyer, so... The above comments are my opinion only and do not reflect the opinion of my employer or clients, nor are they meant as HIPAA compliance advice.

Errick Woosley
3X HCSG
errick.woosley@3x.com

********** Message #8 **********
From: Steve.Boice@parkview.com
To: Rx2000HIPAA@rx2000.org
Subject: RE: Job Description for Privacy
Date: Fri, 14 Jul 2000 13:09:00 -0500

This could be stretching it or it could very well apply to your question. And, this is just an opinion and should not be used or construed as me giving you any legal advice.

On page 59937, under "22. Protected health information:" of the Federal Register Part IV, Wednesday, November 3, 1999, DHHS, it reads:

    We would create a new definition of "protected health information" to mean individually identifiable health information [IIHI] that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form.

The phrase "a picture is worth a thousand words" is appropriate here. Would this picture/image identify the patient, and would the picture have been created because of or as a result of receiving or creating IIHI? I'm not sure. However, I would recommend you seek the advice of an attorney to determine if this "image" or picture is "protected" or not.

Steve Boice
Senior Business Analyst
Information Services
Parkview Health System
2200 Randallia Dr
Fort Wayne, IN 46805
Tel: (219) 484-6636 X25135
Fax: (219) 480-5026

------------------( Forwarded letter 1 follows )---------------------
Date: Thu, 13 Jul 2000 09:02:24 -0400
To: Rx2000HIPAA@rx2000.org
From: Rx2000HIPAA@rx2000.org
Reply-To: Rx2000HIPAA@rx2000.org
Reply-Copies-To: listhelp@rx2000.org
Subject: RE: Job Description for Privacy Officer

Received an inquiry from one of our physicians.... and would like to bounce it off this group before responding. Inquiry is as follows:

If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number has been excluded)---does it need to be encrypted if it's going outside the firewall?

Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record... is it still subject to the privacy/confidentiality guidelines?

Thanks
Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205
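An added example, not part of the digest or any contributor's message: a boundary-side de-identification check built from the identifier list in Message #5, arranged so that the system rather than the sender decides whether an outbound record may leave unencrypted, which is the policy point Message #6 raises. The field names, regular expressions and sample record are constructed for illustration and are not taken from any real system.

```python
"""Added example, not from the Rx2000HIPAA digest: a gateway-side check
based on the identifier list in Message #5, so the system rather than the
sender decides what may leave unencrypted (the point made in Message #6).
Field names, regexes and the sample record are constructed assumptions."""
import re

# Structured fields Message #5 says to strip. Names are this example's own.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "relative_names", "employer", "birth_date", "phone", "fax",
    "email", "ssn", "mrn", "plan_beneficiary_number", "account_number",
    "license_number", "device_serial", "url", "ip_address", "biometric", "photo",
    "occupation"}

# Identifiers that hide in free text (captions, notes). Deliberately simple;
# a bare name like "Dr. Smith" slips through, which is why Message #5 calls
# de-identification a judgment call and not just a filter.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[.-]\d{3}[.-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def deidentify(record):
    """Return (cleaned, findings): identifier fields dropped, free-text hits
    redacted, and every hit logged so the decision is auditable."""
    cleaned, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"stripped field {key}")
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                for hit in pattern.findall(value):
                    findings.append(f"{label} in {key}: {hit}")
                    value = value.replace(hit, f"[{label} removed]")
        cleaned[key] = value
    return cleaned, findings

def needs_encryption(record):
    """Boundary policy: a record that carried any identifier must be
    encrypted; only one with no findings qualifies for the exception."""
    return bool(deidentify(record)[1])

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "study_id": "XR-0001", "modality": "XR", "name": "Jane Doe", "mrn": "000123",
    "notes": "Follow-up per Dr. Smith, call 555-123-4567; prior film 1/2/00.",
}
```

The findings list is what a reviewer would audit: it shows both what was stripped and what the pattern filter never saw, such as the physician's name left in the notes.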