Rx2000HIPAA digest, Volume 37

#1 From: DSiva@chw.edu
   Subject: RE: Job Description for Privacy Officer
#2 From: medimage@voicenet.com
   Subject: Re: Transmitted x-rays
#3 From: Mary.Cooley@rsacompanies.com
   Subject: RE: Job Description for Privacy Officer
#4 From: DB0853@aol.com
   Subject: Re: Job Description for Privacy
#5 From: anaveira@mercymiami.org
   Subject: Re: Job Description for Privacy
#6 From: LHenderson@ghsystem.com
   Subject: Chain of Trust
#7 From: KOWALCWE@sysadm.suny.edu
   Subject: RE: Chain of Trust
#8 From: Sslazarus@aol.com
   Subject: Re: Chain of Trust

********** Message #1 **********
From: DSiva@chw.edu
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Job Description for Privacy Officer
Date: Mon, 17 Jul 2000 07:18:55 -0700

I am not sure, but this may be a possible solution to the identification of these types of data transmissions. All images would be transmitted and stripped of any identifying marks as much as possible. By some means of a standardized naming convention, each of these records would be assigned a code (I.E. number, alpha, etc.) and tagged on the transmission. In a separate message, an index of patients sensitive patient information could be transmitted in an encrypted format.

This way, you could have the best of both worlds. Being able to transmit the image unencumbered by encryption, and protecting the patient data.

David Siva
Biomedical Engineer
650-991-6774

----- Original Message -----
From:
To:
Sent: Thursday, July 13, 2000 9:02 AM
Subject: RE: Job Description for Privacy Officer

Received an inquiry from one of our physicians....and would like to bounce it off this group before responding. Inquiry is as follows: If a digital image does not have text in it (e.g., a digitized x-ray, where the box with the patient's name and number have been excluded)---does it need to be encrypted if it's going outside the firewall?
Where he is going with the inquiry is, if you don't have readily identifiable patient information on the record...is it still subject to the privacy/confidentiality guidelines?

Thanks

Bill Rider
Johns Hopkins Hospital
1830 E. Monument St
Baltimore, MD 21205

The *no name or ID* workaround would save encryption effort and expense but could possibly indicate that he didn't know or have evidence of who the patient was (other than a recorded telephone log). The exam scout or fax might have to be digitally secured anyway.

dk

********** Message #2 **********
From: medimage@voicenet.com
To:
Subject: Re: Transmitted x-rays
Date: Mon, 17 Jul 2000 22:18:56 -0400

You might want to read up on DICOM and also scanned image headers. Just encrypt it so IT and the other under-compensated computer techs don't have to be counted on to take heat.

Dave Koster
PACS FSE

----- Original Message -----
From:
To:
Sent: Friday, July 14, 2000 1:50 PM
Subject: Transmitted x-rays

In a message dated 7/13/00 9:39:33 PM Eastern Daylight Time, Rx2000HIPAA@rx2000.org writes:

the box with the patient's name and number have been excluded)---does it need to be encrypted if it's going outside the firewall?

My opinion would be no, probably not. If there is no identifiable patient information then it is not covered under any confidentiality standards/laws I am aware of.

********** Message #3 **********
From: Mary.Cooley@rsacompanies.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Job Description for Privacy Officer
Date: Tue, 18 Jul 2000 09:25:39 -0600

There are many ways to protect the PHI when transmitting a file across a public, "open" network without impinging on the Physicians' ability to deal with the patient. The PHI (usually name and Social Security Number on x-rays) could be replaced with a numeric string by the sending physician. The information could be rematched to the original name and Social Security Number when the report comes back to the sending physician.
If the receiving physician needs the PHI, then the two physicians could avail themselves of one of the many encryption packages that would protect the entire transmission.

A longer term strategy might be to get the "radiology center" to discontinue putting PHI on the films when they are created. If the patient is always identified with a mutually accepted key rather than the PHI, the protection of the patient's privacy in a clinical setting becomes much easier.

Mary Cooley
RSA Companies
Manager Strategic Solutions
mary.cooley@rsacompanies.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Friday, July 14, 2000 4:46 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Job Description for Privacy Officer

This is the same sort of question that arises from the use of Social Security Numbers in a text data file. The intent of protecting private information is to ensure that the information cannot be associated with the owner, unless, of course, the owner gives his/her permission.

The question in this case then becomes what was the intent in transmitting the information (x-ray)? If it was to get a "second opinion" then it must be identified, somehow, in transmission so that the physician can match it with the rest of the patient's records when he gets it back. That is, somehow the patient must be identified with the x-ray during transmission. This identification can be intercepted and the associated information, therefore, can be misused.

If, on the other hand, the data is of general interest and is not associated nor ever will be associated with a patient (for example, a very unusual bone structure/injury/disease the occurrence of which should be brought to the attention of the community for research/comments) then I would think there would be no objection to transmitting it through a public medium.
One guideline that can be used is that if the information can be published in a general circulation newspaper, then it can be transmitted unencrypted over the Internet.

Ralph A Neeper
Wang Government Services, Inc.

********** Message #4 **********
From: DB0853@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Job Description for Privacy
Date: Tue, 18 Jul 2000 22:02:46 EDT

Can you direct me to where I can get the actual document. Is it broken down by the different sectors of health care, i.e. long term care, home health, acute care etc. Please advise.

********** Message #5 **********
From: anaveira@mercymiami.org
To:
Subject: Re: Job Description for Privacy
Date: Wed, 19 Jul 2000 11:21:30 -0400

You can find the 1999 Salary Survey at: http://www.sans.org/sal99.htm

You should have Acrobat Reader in order to read the PDF file. If not, it is available from http://www.adobe.com.

This survey reports the results of the responses of over 11,000 groups from across the world to the annual SANS compensation survey. It is broken down by regions, education, experience, industry, etc. But it does not break down Healthcare any further.

For a further break down you may visit the CHIME or AHIMA web sites, but try this other link: http://jobsmart.org/tools/salary/salhelth.htm#Info you might find what you need.

Good luck!

Alex Naveira
Information Systems
Mercy Hospital of Miami
anaveira@mercymiami.org

>>> 07/18/00 10:02PM >>>
Can you direct me to where I can get the actual document. Is it broken down by the different sectors of health care, i.e. long term care, home health, acute care etc. Please advise.

********** Message #6 **********
From: LHenderson@ghsystem.com
To: "'rx2000HIPAA@rx2000.org'"
Subject: Chain of Trust
Date: Wed, 19 Jul 2000 11:17:08 -0500

Does anyone have a Chain of Trust policy and/or agreement that you would be willing to share with our organization? We are in the process of developing a Chain of Trust agreement and policy.
Thanks

Lisa Henderson
EPR Coordinator
Gateway Health System
Clarksville, TN 37043
lhenderson@crhs.com

********** Message #7 **********
From: KOWALCWE@sysadm.suny.edu
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Chain of Trust
Date: Thu, 20 Jul 2000 10:56:26 -0400

I would be interested in seeing one as well. Thanks.

Wendy Kowalczyk
State University of New York
Office of University Counsel
State University Plaza
Albany, NY 12246
[kowalcwe@sysadm.suny.edu]

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, July 19, 2000 12:17 PM
To: Rx2000HIPAA@rx2000.org
Subject: Chain of Trust

Does anyone have a Chain of Trust policy and/or agreement that you would be willing to share with our organization? We are in the process of developing a Chain of Trust agreement and policy.

Thanks

Lisa Henderson
EPR Coordinator
Gateway Health System
Clarksville, TN 37043
lhenderson@crhs.com

********** Message #8 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Chain of Trust
Date: Thu, 20 Jul 2000 11:18:08 EDT

Look to www.wedi.org under SNIP and www.afehct.org for developments in this area.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com