AADOM
American Association of Dental Office Managers
125 Half Mile Road
Suite 200
Red Bank, NJ 07701
info@dentalmanagers.com
732-842-9977

HIPAA Webinar Q & A

Thank you for attending the AADOM webinar "Are You Ready For the new HIPAA Privacy and Security Mandates", presented by Gerry Hinkley. Many AADOM members submitted questions for Mr. Hinkley before and after the webinar. His answers are presented below.
 
 
Nancy Mitchell to Q & A Group 10:20 AM 
please explain covered entity

A: See the chart in the attached link:
 
 
Debbie Riley to Q & A Group 10:21 AM 
Are dental labs considered BA's? 
 
A: The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 does not require a Business Associate Agreement for "Laboratory Services" when "the service rendered is treatment only and does not include other administrative services provided on behalf of the dentist." The Lab is a HIPAA covered entity if the lab is electronically transmitting claims to health insurers.
 
Kimberly Adams to Q & A Group 10:21 AM 
what is definition of RHIO again?
 
kristan spaulding to Q & A Group 10:21 AM 
please repeat RHIO breakdown 
 
A: See immediately preceding link
 
 
Mary Pat Langford to Q & A Group 10:32 AM 
Specific definition of EHR
 
A: The Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician's workflow. The EHR has the ability to generate a complete record of a clinical patient encounter - as well as supporting other care-related activities directly or indirectly via interface - including evidence-based decision support, quality management, and outcomes reporting.
 
Pamela Hopkins to Q & A Group 10:32 AM 
Are dental labs considered BA's 
 
A: See answer above.
 
Oscar King to Q & A Group 10:32 AM 
Do the accounting for disclosures have to include all recipients in a chain = claim sent first to vendor, then clearinghouse, then another clearinghouse, then payor?
 
A: At this point we don't know because we are waiting for regulations. There is plenty of time to implement once the regulations are finalized.
 
Joanne Miles to Q & A Group 10:33 AM 
What are some examples of extraneous information with Minimum Necessary?
 
A: A great summary and guide is found at this link:
 
Terri Stillman to Q & A Group 10:33 AM 
WHERE CAN WE GET A COPY OF BA AGREEMENT THAT IS UPDATED.
 
 
 
Nancy Mitchell to Q & A Group 10:33 AM 
who are the business associates?
 
 
Peggy Jordan Masselli to Q & A Group 10:33 AM 
how do the new regulations affect computer support techs and companies such as Televox (confirming appts)
 
A:  The new regulations affect business associates by making them directly obligated under HIPAA, including with respect to notices of data breaches and accounting of disclosures.
 
Nancy Mitchell to Q & A Group 10:35 AM 
are we supposed to supply contracts to the business associates?
 
A:  It is a better practice to use your own form, but many larger vendors will only use their forms.
 
Carmen Sotillo to Q & A Group 10:35 AM 
On slide 13, does this change to a 3 year period mean we do not have to keep paper records for 7 years
 
A: You need to maintain your records for the legally required periods of time and in accordance with risk management policies and procedures.
 
Lisa Nickelson to Q & A Group 10:35 AM 
Are dental labs considered CE? 
 
A:  Dental labs are typically HIPAA covered entities, but if they do administrative chores for the prescribing dentist, they would also be the dentist's business associate.
 
Bridgette Blackwood to Q & A Group 10:35 AM 
What about PPO providers that are in the agreements stating they could request to see a patient's entire record, under HITECH they will no longer be able to require this information (including lab receipts and patient's medical records and patient notes, etc...)
 
A:  See the response above regarding Minimum Necessary
 
Krishna Duncan to Q & A Group 10:37 AM 
How should we go about becoming in compliance with HIPAA 
 
A:  Designate someone as the privacy officer and purchase training for that person.
 
Michelle Jordan to Q & A Group 10:37 AM 
Must we have business agreements/signed by labs/for all labs, local and out of town?
 
A:  See prior discussion about labs - depending on the work done for the referring dentists, the lab may or may not be a business associate 
 
Mark Dunn to Q & A Group 10:38 AM 
What exactly is considered a disclosure?
 
A:  A disclosure occurs when an unauthorized third party acquires the ability to use protected health information.
 
Angie Russell to Q & A Group 10:39 AM 
can we ask a patient for their social security number under any circumstance?
 
A:  This is a matter of state law.  Many states have outlawed the use of social security numbers as patient identifiers (Massachusetts, for example).  Use of social security numbers as patient identifiers is not affected by HIPAA.
 
Sherry Turinsky to Q & A Group 10:40 AM 
Most of our work is done in nursing homes and we still use paper charts. Are we breaking HIPAA law? How should this info be handled in the field? Will we be required to be electronic by 2010?
 
A:  Paper charts generally are PHI subject to the HIPAA Privacy and Security Rules and state confidentiality laws.  They should be shared with third parties only for treatment, payment or healthcare operations or to business associates and clearinghouses with appropriate documentation to protect privacy and ensure security.  There is no requirement to convert to electronic records. 
 
Angie Catmull to Q & A Group 10:40 AM 
What do we do when mom brings in kids, mom and dad are divorced, do we give information to dad? 
 
Angie Catmull to Q & A Group 10:40 AM 
Or steps? mom or dad?  
 
A: The privacy rule provides:
  1. A covered entity may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's care or payment related to the individual's health care.
  2. A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (3), or (4) of this section, as applicable.
If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it:
  1. Obtains the individual's agreement;
  2. Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
  3. Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.
 
Terri Stillman to Q & A Group 10:41 AM 
HOW CAN WE OBTAIN A SAMPLE OF UPDATED BUSINESS AGREEMENT TO INCLUDE NEW REQUIREMENTS.
 
Angie Catmull to Q & A Group 10:43 AM 
Is it legal to e-mail an x-ray? 
 
A:  You should encrypt PHI including x-rays or make them available through a secure portal.
 
Michelle Jordan to Q & A Group 10:57 AM 
What about state medicaid offices auditing charts?  
 
A:  This is permitted under HIPAA.

 
Michelle Jordan to Q & A Group 11:03 AM 
I am concerned regarding treatment plan and xrays e-mailed to a patient per their request. Is this okay?
 
A:  If the patient authorizes you to use unsecured or unencrypted email, it is OK. 
 
Angie Russell to Q & A Group 11:04 AM 
If a patient asks to have a treatment plan emailed, can we do so if the email is not encrypted? 
 
A:  The patient can authorize you to do so, but without authorization it should be encrypted or made available to the patient through a secure portal.

 
Angie Catmull to Q & A Group 11:06 AM 
So when we are coordinating with other medical facilities, can we give out a SS#?  
 
A:  Yes

 
Kristine Uravich to Q & A Group 11:08 AM 
Please give the expanded version of HITECH again. 
 
 A: Health Information Technology for Economic and Clinical Health Act
 
Carmen Sotillo to Q & A Group 11:11 AM 
If we have YouTube videos from patients do we need a separate HIPAA form from patient?
 
A:  HIPAA does not require this. The patient controls his/her PHI and can choose to transmit it to you in any form. When you receive it, it is PHI and is covered by the HIPAA Privacy and Security Rules.
 
 
Michelle Jordan to Q & A Group 11:16 AM 
Please clarify self-pay care disclosure 
 
A:  If a patient pays for a procedure and no claim is made for payment for the service to a third party payor, on request by the patient, the provider cannot disclose the fact of the procedure to a health insurer.

 
Cynthia Burstadt to Q & A Group 11:16 AM 
do we need to have email of xrays encrypted - sending to referral office or new office at pt request? 
 
A: Xrays should be encrypted or made available through a patient portal where the viewing is secure.
 
Maria Dawson to Q & A Group 11:17 AM 
does HIPAA cover the red flag alert, or anything new with the red flag alert that you know of? 
 
A:  HIPAA is distinct from Red Flag rules; the effective date of the Red Flag rules for health care providers has recently been extended to June 1, 2010.
 
Pamela Hopkins to Q & A Group 11:17 AM 
would an email that contained a patient's name, appointment date, and an x-ray need to be encrypted
 
A:  Yes:  it is PHI; however, the patient can authorize you to send data in an unencrypted form.  
 
Davin Williams to Q & A Group 11:18 AM 
Is it okay to have cameras in the operating room if we have video consent forms? 
 
A: Yes, but the video is PHI that is subject to HIPAA
 
Oscar King to Q & A Group 11:20 AM 
Is it true that PHI mistakenly sent to the wrong CE is not a breach as the CE is trained in handling PHI and they assured that the PHI was deleted (say a fax was sent to the wrong provider)? 
 
A: No:  if the CE recipient is not involved in treatment of the patient, it is a breach

 
Michelle Jordan to Q & A Group 11:20 AM 
Please clarify the plan for any breach by our office/ state/federal
 
A: Not much to add to what I have in the slide.
 
Jerry Ziegner to Q & A Group 11:23 AM 
what is TPO? 
 
A:  Treatment, Payment, Healthcare Operations

 
Vicki Anderson to Q & A Group 11:24 AM 
Do these new standards apply to all HIPAA CE or only those that are using or plan to use the EHR? 
 
A: The only part that is NOT applicable to all CEs is the accounting of disclosure rules. 
 
Elizabeth Markiewicz to Q & A Group 11:25 AM 
can you discuss a treatment plan verbally to a daughter of an elderly patient? 
 
A:  Yes. Disclosures to family members are permitted under HIPAA; some state laws require the patient to expressly authorize such conversations.

 
Barbara Ames to Q & A Group 11:26 AM 
I have a business associate agreement that I would be willing to share. babs_ames@yahoo.com with request 
 
Bridgette Blackwood to Q & A Group 11:31 AM 
what is the link to view this presentation again? 
 
 
 
Gerry Hinkley |  Co-Chair, Health Care Industry Team
Pillsbury Winthrop Shaw Pittman LLP
————————————————————————————————
V:  415.983-1135 | F:  415.983-1200 | M: 415.202-4374
50 Fremont Street | San Francisco, CA 94105-2228
Email:  gerry.hinkley@pillsburylaw.com
www.pillsburylaw.com