PRIVACY AND SECURITY -- Scenario 1. Patient Care Scenario A (DRAFT)

Scenario 1 - Patient Care A: Patient X presents to the emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89-year-old widow who appears very confused. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X's prior diagnosis and treatment during the inpatient stay.


Columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable)



BP1 / WV 001 S 1
Business Practice Long Description: Our hospital staff (nurse, doctor) would first validate if there is PHI in the patient's records. If not, we would fax the minimum necessary for treatment without an authorization. If PHI is in the record, we would determine if the daughter was the medical power of attorney. If yes, we would validate her signature and then have her sign a release to send the protected info. If not, we would have a physician or nurse sign authorization and send, after validating who we are speaking to at the other facility by a call back. We use a role-based access process in which Directors/Managers/IT Security & Privacy collaborate. We have a signed OHCA (Organized Healthcare Arrangement) with 2 other local facilities and share information for patient care purposes; however, we do not release one another's information to those outside of our OHCA. We do have audit capabilities on systems. Random audits are performed. We use Tessa locks on doors.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 3. Patient and provider identification; 4. Information transmission security or exchange protocols
Policy (Short Description): Uses & Disclosures of Protected Health Information; Disclosure of PHI Minimum Necessary
Policy (Long Description): Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed completed release. Reasonable steps will be taken to limit both routine and non-routine uses of, disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of PHI. Exceptions include: use or disclosure to or requests by a provider for treatment purposes; use or disclosure to the subject of the information (patient); use or disclosure made under a specific (detailed PHI) valid authorization; use or disclosure required for compliance with HIPAA electronic transaction standards; use or disclosure required by other laws (such as victims of abuse, neglect, or domestic violence, and compliance with workers' compensation—see policies III.080, III.085, III.090, III.095); disclosure to DHHS.
Stakeholder Organization: Hospitals




BP2 / WV 002 S 1
Business Practice Long Description: ER staff (nurse, doctor, or clerk) would call the hospital and advise that they were faxing a request for medical records. If necessary, the staff would obtain authorization from the POA of the responsible party. Verbal confirmation by phone followed by faxed written request and authorization. There is security of exchange protocols for faxing information. No encryption.
Scenario: Scenario 1 - Patient Care A
Classification: Not a barrier to interoperability
Domain: 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper; 6. Information audits that record and monitor activity; 8. State law restrictions; 9. Information use and disclosure policy
Policy (Short Description): Facsimile Machines and PHI P&P
Policy (Long Description): Standard cover sheet with "Confidentiality Statement". Errors in transmission must be corrected immediately and reported to the Privacy Officer. If there is no POA or responsible party, the physician would order appointment of a surrogate.
Stakeholder Organization: Hospitals


BP3 / WV 003 S 1
Business Practice Long Description: A clinician verifies the ER calling and verifies any restrictions placed on medical records that would cause barriers. If none, send records. Tracking forms/initials on all things in chart. Computer password.
Scenario: Scenario 1 - Patient Care A
Classification: Not a barrier to interoperability
Domain: 5. Information protection (against improper
Policy (Short Description): HIPAA
Policy (Long Description): Hospital/ER covered entity HIPAA
Stakeholder Organization: Clinicians



BP4 / WV 004 S 1
Business Practice Long Description: In correctional facilities, there is no release of info without the patient's informed consent or medical power of attorney. It has to be verified by fax and phone, and signatures are compared by the case manager. We do not release info without a court order. If you are a prisoner and have a WC claim, you won't get paid. Corrections can only get the info through a court order. There is no electronic info in the prison system - all paper. WV has subcontracted this out to a company.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Correctional facilities




BP5 / WV 005 S 1
Business Practice Long Description: In long term care this process is very restrictive. We need authorization with everything involving Mental Health. The facilities verify this with fax and phone. Nothing is verified electronically.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Long term care facilities and nursing homes




RTI International, Privacy and Security Contract No. 290-05-0015 -- Page 1 of 61 (99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls)
Columns (continued): BP#; Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute




BP1
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney, and we do not agree that the minimum necessary standard applies in this situation. These should not be barriers to interoperability.
Relevant Law (Legal Driver) -- Narrative: Original: Federal Register §164.502 Uses and disclosures of protected health information: general rules; hospital policy. One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information. HIPAA Security Technical Safeguards.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5); 45 CFR § 164.312




BP2
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney. This should not be a barrier to interoperability.
Relevant Law (Legal Driver) -- Narrative: One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - Privacy and State Law - Appointment of Health Care Decision Maker; 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP3
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists for the verification and security procedures.
Relevant Law (Legal Driver) -- Narrative: One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP4
Cause: We believe the verification and security procedures do represent barriers to interoperability; we do not believe that a signed authorization or court order is required to disclose PHI for treatment purposes, and these should not be viewed as barriers to interoperability.
Relevant Law (Legal Driver) -- Narrative: One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information. Information on the HIPAA Security regs was included, although the BP does not mention electronic PHI. However, we are aware that Corrections' status as a covered entity may vary.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.512(k)(5); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP5
Relevant Law (Legal Driver) -- Narrative: No legal barrier. We assume that State A is West Virginia. HIPAA allows release of such information for treatment purposes. West Virginia State Law only precludes the "release" of mental health information, but does not place any special restrictions on the collection of such data. Unless the neighboring state law restricts the release of such information to the emergency room, this should not present a problem.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Regulation § 164.506; West Virginia Code §§ 27-3-2; 27-5-9(e).




PRIVACY AND SECURITY -- Scenario 2. Patient Care Scenario B (DRAFT)

Scenario 2 - Patient Care B: A specialty substance abuse treatment facility wants to refer client X to a primary care facility for a suspected medical problem. The client has a long history of using various drugs and alcohol relevant for medical diagnosis. The information is being sent to the primary care provider without the patient's authorization. The primary care provider refers the patient to a specialist and sends all of their information (without patient authorization), including the information received from the substance abuse treatment facility, to the specialist.

Columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization


BP1 / WV 001 S2
Business Practice Long Description: In our hospital, if the patient is able to sign then we (clinician or clerk) would do that first. If the patient is unable to make decisions on their own, the durable power of attorney or surrogate can authorize.
Scenario: Scenario 2 - Patient Care B
Classification / Domain: Barrier to interoperability for 9. Information use and disclosure policy; Not a barrier to interoperability for 3. Patient and provider identification
Policy (Short Description): Uses & Disclosure of PHI
Policy (Long Description): Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed completed release.
Stakeholder Organization: Hospitals




BP2 / WV 002 S2
Business Practice Long Description: In our hospital, clinical information is not released without a signed authorization from the patient, or from the guardian if the patient is under the age of 12. State and Federal laws strictly outline procedures for sharing substance abuse patient information.
Scenario: Scenario 2 - Patient Care B
Classification / Domain: Not a barrier to interoperability for 6. Information audits that record and monitor activity; Not a barrier to interoperability for 7. Administrative or physical security safeguards; Barrier to interoperability for 8. State law restrictions
Stakeholder Organization: Hospitals




BP3 / WV 003 S2
Business Practice Long Description: State Mental Health Law prevents transfer of mental health records without the patient's authorization.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy (Short Description): State Mental Health Law
Policy (Long Description): If the patient is unable to authorize release of information, the physician orders that a health care surrogate be appointed per state mental health law. Authorization must be obtained before release of information.
Stakeholder Organization: State government




BP4 / WV 004 S2
Business Practice Long Description: In Corrections, if anything refers to substance abuse, we don't release that info, but if we are going to refer the inmate, we can send a referral letter, but we are limited to just the facts. Corrections keeps this info forever - they are paper based. The records are kept in a locked room for limited access and are accessed by a Med Records Clerk.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Stakeholder Organization: Correctional facilities




Columns (continued): BP#; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution
BP1
Relevant Law (Legal Driver) -- Narrative: Confidentiality of Alcohol and Drug Abuse Patient Records require patient consent for disclosure and redisclosure of substance abuse records.
Relevant Law (Legal Driver) -- Reference Code/Statute: 42 CFR §§ 2.32 and 2.33




BP2




BP2
                                                        Consent is the key to releasing substance abuse information to    Substance Abuse Regs. 42          Maximize use of general
                                                        third parties, even to other providers. When a patient enters a   CFR, Part 2, Subpart B; HIPAA     consents for treatment, payment
                                                        state hospital, we try to get them to agree to a generalized      Regs. 45 CFR '''164,506(b);       and health care operations for
                                                        consent to release information treatment, payment and health      503(g); Belcher v. CAMC, 188      patients with substance abuse
                                                        care operations.                                                  W. Va. 105, 422 S.E.2d 827        and/or mental illness entering
                                                                                                                          (1992).                           healthcare facilities under
BP2                                                     As a general matter, substance abusers do not have personal                                         HIPAA Reg '164.506(b).
                                                        representatives whose consent is required to release substance

                                                        State law requires DHHR to obtain consent for                     WV Code § 27-5-9(e)               Repeal Section '27-5-9(e).
                                                        disclosure of mental health information for treatment.                                              Amend '27-3-1 to allow release
                                                        WV law also requires all providers to obtain patient                                                of mental health information to
                                                        consent for payment and operations.                                                                 treatment, payment and
                                                                                                                                                            healthcare operations without
                                                                                                                                                            patient consent. WV Code § 27-
                                                                                                                                                            3-1
BP3

                                    The identified      One health care provider cannot disclose PHI of patient to        45 C.F.R. §§ 164.310; 164.312;
                                    business practice   another health care provider for routine treatment purposes       164.512(k)(5); 42 C.F.R.
                                    does identify       without a signed authorization when drug or alcohol abuse         §§ 2.1; 2.2; 2.32; 2.51; W. Va.
                                    barriers to         treatment is involved; an authorized disclosure may not be re-    Code § 27-3-1(b)(5)
                                    interoperability.   disclosed; proper verification and security procedures must be
                                                        followed.
BP4




BP5
    Business Practice Short Name: WV 005 S2
    Business Practice Long Description: In Workers Comp., we refer pts to specialists but our staff only send them what they need to know to treat the pt. WC makes the referral and sends all the info on a CD. We have electronic capabilities and this can be reviewed on the internet. We provide an ID and password to the provider so they can access just what they need to on that pt.
    Scenario: Scenario 2 - Patient Care B
    Classification (Barrier v. Not a Barrier): Barrier to interoperability
    Domain: 2. Information authorization and access controls
    Stakeholder Organization: Payers




BP5
    Relevant Law (Legal Driver) -- Narrative: Possibly Federal Substance Abuse Regulations
    Relevant Law (Legal Driver) -- Reference Code/Statute: 42 CFR Part 2




PRIVACY AND SECURITY    Scenario 3. Patient Care Scenario C

Scenario 3 - Patient Care C

At 5:30pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient, recently discharged from the hospital psych unit to the nursing home. At the time of the patient's transfer, the discharge summary and other pertinent records were electronically transmitted to the nursing home. Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system. Dr. X completes his visit and prepares to complete his documentation. Unable to access the long-term care facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service.

The assessment is transcribed and posted to a secure web portal. The next morning, from his home computer, Dr. X checks his e-mail and receives notification that the assessment is available. Dr. X logs into the portal, reviews the assessment, and applies his electronic signature. Later that day, Dr. X's Office Manager downloads this assessment from the web portal, saves the document in the patient's record in his office and forwards the now encrypted document to the long-term care facility via e-mail. The long-term care facility notifies Dr. X's office that they are unable to open the encrypted document because they do not have the encryption key.
BP1
    Business Practice Short Name: WV 001 S3
    Business Practice Long Description: In our hospital, all clinical staff are given log in and passwords to use applicable data systems. Passwords limit the user's ability to read access only if they are not in a position to need to add, edit, or update information. Electronic user logs are maintained on the mainframe. Medical staff must use specific transcription resources to insure that security is maintained and acceptable document formatting is used. Individual-specific password and logins are used which limits access on a need to know basis. Staff are instructed not to share passwords and logins. All sensitive information is encrypted prior to exchange over an electronic communications network.
    Scenario: Scenario 3 - Patient Care C
    Domains and Classification (Barrier v. Not a Barrier):
        1. User and entity authentication: Barrier to interoperability
        2. Information authorization and access controls: Barrier to interoperability
        3. Patient and provider identification: Barrier to interoperability
        4. Information transmission security or exchange protocols: Barrier to interoperability
        7. Administrative or physical security safeguards: Barrier to interoperability
        8. State law restrictions: Barrier to interoperability
        9. Information use and disclosure policy: Barrier to interoperability







BP1
    Stakeholder Organization: Hospitals
    Cause: The classification of privacy and security domains 1, 2, 3, 4, and 7 as barriers to interoperability appears appropriate in this scenario due to the numerous issues related to EHR access. Classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent.
    Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.







BP1
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
    Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.



BP2
    Business Practice Short Name: WV 002 S3
    Business Practice Long Description: Our hospital practice and policies are that physicians, or other practitioners who are not credentialed by our facility, do not have access to patient care areas, or to the system.
    Scenario: Scenario 3 - Patient Care C
    Classification (Barrier v. Not a Barrier): Barrier to interoperability
    Domain: 4. Information transmission security or exchange protocols
    Policy: Short Description: Medical Staff By Laws Articles VI (Procedure for Appointment) and VII (Clinical Privileges)

BP3
    Business Practice Short Name: WV 003 S3
    Business Practice Long Description: Long term care facilities do not usually have locked psych units. However, assuming that the physician entered the skilled nursing facility and attempted to view the patient's EHR, expected policies and procedures should address authorizing privileges, access to medical records, inoperative computer systems and building access prior to physician's first visit. There should be a Business Associate Agreement with any "offshore transcription service" ensuring compliance with Privacy and Security Laws with authorization for monitoring for compliance. No PHI should be transmitted without 128 bit encryption capability with read only capability. Also, there should be a P&P for use of physician's electronic signature.
    Scenario: Scenario 3 - Patient Care C
    Policy: Short Description: Business Associate Agreements
    Domains and Classification (Barrier v. Not a Barrier):
        1. User and entity authentication: Barrier to interoperability
        2. Information authorization and access controls: Barrier to interoperability
        3. Patient and provider identification: Barrier to interoperability
        4. Information transmission security or exchange protocols: Barrier to interoperability
        5. Information protection (against improper modification): Barrier to interoperability
        6. Information audits that record and monitor activity: Not a barrier to interoperability
        7. Administrative or physical security safeguards: Barrier to interoperability
        8. State law restrictions: Not a barrier to interoperability



BP2
    Policy: Long Description: These describe the procedures for applying to the staff for membership and clinical privileges assigned with such.
    Stakeholder Organization: Hospitals
    Cause: This business practice analysis only identifies privacy and security domain 4 as a barrier; the exchange and encryption of the information supports this classification. Given the complexity of this scenario, the classification of privacy and security domains 1, 2, 3, and 7 would also appear appropriate due to the numerous issues related to EHR access. In addition, classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent. This stakeholder's business practice highlights the issue of credentialing and the administrative controls inherently contained within these policies. In addition, this business practice points out the alternative of faxing, although physical and technical information
    Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.

BP3
    Stakeholder Organization: Long term care facilities and nursing homes
    Relevant Law (Legal Driver) -- Narrative, by domain row:
        1. User and entity authentication: HIPAA Security regs require person or entity authentication.
        2. Information authorization and access controls: HIPAA Security regs make encryption addressable.
        3. Patient and provider identification: HIPAA Security Rule
        4. Information transmission security or exchange protocols: HIPAA Security Rule
        5. Information protection (against improper modification): HIPAA Security Rule
        7. Administrative or physical security safeguards: HIPAA Security regs make access control and validation procedures addressable and require workstation security.
        8. State law restrictions: The HIPAA Security and Privacy Regs require Business Associate Agreements in certain situations for CE's.



                    Relevant Law (Legal
      BP#           Driver) -- Reference
                       Code/Statute                Solution
                HIPAA Security Regs – 45 CFR       A national             Original:H
                §§ 164.308(a) (1), 164.308(a)      federated              IPAA -
                (3), 164.308(a) (4), 164.310(a)    identification         164.506
                (1), 164.312(a) (1), 164.312(b),   management             TPO
                164.312(d), 164.312(e) (1),        system to validate     State Law
                164.506, 164.508, 164.512(a),      user identity to       - 64-CSR-
                164.512(e). WV Code § 27-3-1,      allow system
                                                                          12-14
                WV Code § 27-3-2, WV Code §        access may be a
                                                                          Professio
                27-5-9, WV Code § 64-12-14,        potential solution.
                US Code § H.R. 4127                In addition, closely   nal
                                                   linking this type of   Standard
                                                   solution with health   s-Medcal
                                                   facility               Staff
BP2                                                credentialing
BP1                                                practices may

                HIPAA Security Regs, 45
                CFR § 164.312




BP3
                HIPAA Security Regs, 45
                CFR § 164.312
BP3
                HIPAA Security Rule, 45
                CFR § 164 Part C
BP3
                HIPAA Security Rule, 45
                CFR § 164 Part C
BP3
                HIPAA Security Rule, 45
                CFR § 164 Part C
BP3



BP3
                HIPAA Security Regs 45
                CFR §§163.310(a)(2)(iii);
BP3             164.310(c); 164.308(b)(1).
                HIPAA Privacy Regs, 45

BP3



PRIVACY AND SECURITY -- Scenario 3. Patient Care Scenario C (continued)
Columns on this page: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description

BP3 (WV 003 S3)
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP4 (WV 004 S3)
  Business Practice Long Description: In our physician group, as long as no HIPAA laws were broken and a No Restriction form was signed, this procedure is under the covered entity of patient care. Use Tracking form and initial all documents placed in the chart. User ID and password are needed.
  Scenario: Scenario 3 - Patient Care C
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Policy: Short Description: HIPAA

BP5 (WV 005 S3)
  Business Practice Long Description: LTC has business associate agreements in effect for different services with state businesses. The BA agreement is a 1 page document that spells out how you limit the area of exchange and limits sharing of information. Even temp employees must meet the credentialing process. LTC has contracts with physicians but have no badges - everyone knows everyone here - it's small.
  Scenario: Scenario 3 - Patient Care C
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols

BP6 (WV 006 S3)
  Business Practice Long Description: Corrections has a BA agreement for billing purposes but not for sharing of information. Correctional Medical Services (in all WV prisons) have access to health records. The reliability of the info exchange is in the hands of the sender - we rely on what they say - no verification process. Temps at corrections have limited access to Med Records - once he has left the place, he can't get access to info again. But they all get FBI background checks, photo ID, sign in and sign out.
  Scenario: Scenario 3 - Patient Care C
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols
PRIVACY AND SECURITY -- Scenario 3. Patient Care Scenario C (continued)
Columns on this page: BP#; Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative

BP3
  Relevant Law (Legal Driver) -- Narrative: HIPAA Security Rule

BP4
  Policy: Long Description: EHR Transfer, personal identity, password failure, failure to provide encryption code
  Stakeholder Organization: Physician groups
  Cause: The business practice analysis generally asserts that this is a barrier to interoperability if HIPAA laws are broken. In addition, the implication is that this business practice would be covered by the HIPAA construct of TPO. However, there is recognition within the business practice analysis that several issues arise from patient transfer, identity, password, and encryption failures that are described within the scenario. As such, the classification by this stakeholder as a barrier based on the numerous violations of HIPAA regulations pursuant to
  Relevant Law (Legal Driver) -- Narrative: Original: HIPAA privacy and covered entity, regulation of rules of nursing facility, Case - Psych patient, Federal - overseas transmissions. Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service.

BP1
  Relevant Law (Legal Driver) -- Narrative: Access to electronic information controlled by HIPAA Security Rule Technical Safeguards.

BP5
  Stakeholder Organization: Long term care facilities and nursing homes

BP6
  Stakeholder Organization: Correctional facilities
  Cause: The business practice analysis does not identify any of the privacy and security domains as a barrier. The classification by this stakeholder is unassigned. In fact, the likelihood of a correctional system inmate being placed in a nursing home is remote. In addition, the business practice long description emphasized the application and importance of business associate agreements and the correctional system's reliance on these agreements to ensure compliance. However, these agreements are not designed to obviate the need for proper administrative, technical, and physical controls for protected health information. Given this observation, the barriers previously identified for this scenario would have to be considered as barriers in this scenario.
  Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.
PRIVACY AND SECURITY -- Scenario 3. Patient Care Scenario C (continued)
Columns on this page: BP#; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

BP3
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164 Part C

BP4
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely

BP1
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Rule – 45 CFR § 164.312.

BP5
  (no entries on this page)

BP6
  Relevant Law (Legal Driver) -- Reference Code/Statute: 1. HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may provide a methodology for
PRIVACY AND SECURITY -- Scenario 4. Patient Care Scenario D

Scenario 4 - Patient Care D (DRAFT): Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women's Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene because other family members have had breast cancer.

Columns on this page: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization

BP1 (WV 001 S4)
  Business Practice Long Description: Our clinic follows state law which does not allow the transmittal of HIV information without the consent of the patient. Also, this information is not supposed to be kept in the patient chart. This is problematic in paper records - because it causes providers to keep a secret registry. In electronic records, this is handled in some cases by a provider making a decision to make this information available to other providers. The interface of the electronic record should inform the patient of his/her rights under the law and allow the patient to designate which information would be available. In paper systems this is incredibly hard to enforce. In electronic systems, access can be granted to certain information - but users end up using common passwords because it is not always the provider who can get the information needed and take care of the patient.
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 1. User and entity authentication
  Policy: Short Description: Confidential Information Policy
  Policy: Long Description: Takes a global approach to medical information. Who has access to the information. Who makes the decision to release the information. Consent forms for releases. Special considerations for certain laws governing HIV, Mental Health etc.
  Stakeholder Organization: Community clinics and health centers

BP1 (WV 001 S4)
  Scenario: Scenario 4 - Patient Care D
  Classification: Not a barrier to interoperability
  Domain: 2. Information authorization and access controls

BP1 (WV 001 S4)
  Scenario: Scenario 4 - Patient Care D
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP1 (WV 001 S4)
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP2 (WV 002 S4)
  Business Practice Long Description: Our hospital staff, may include physician, nurse, clerk, NP, PA, would release the minimum necessary information for treatment excluding the HIV information unless the pt provides authorization. If not emergent, we ask for signed authorization which includes HIV authorization.
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Confidentiality of PHI
  Policy: Long Description: The presence of any behavioral medicine patient at our facility and any and all details of the treatment process of any patient shall be maintained as confidential. For the purposes of confidentiality, protected information, i.e. drug, ETOH, STD (HIV), and behavioral health, and specific releases are required.
  Stakeholder Organization: Hospitals
PRIVACY AND SECURITY -- Scenario 4. Patient Care Scenario D (continued)
Columns on this page: BP#; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute

BP1 (first sub-row)
  Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require person or entity authentication.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP1 (second sub-row)
  (no entries on this page)

BP1 (third sub-row)
  (no entries on this page)

BP1 (fourth sub-row)
  Relevant Law (Legal Driver) -- Narrative: Misinterpretation of state law. No consent is required for the disclosure of the PHI for treatment purposes. WV law specifically allows the disclosure of HIV PHI for treatment of the individual.
  Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code §§ 16-3C-2, 16-3C-3(a)(5), and 16-3C-4.

BP2
  Relevant Law (Legal Driver) -- Narrative: Misinterpretation of state law and HIPAA. Minimum necessary requirement does not apply to disclosures for treatment and there is no authorization requirement for disclosure of the PHI for treatment purposes in HIPAA or state law.
  Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code §§ 16-3C-2, 16-3C-3(a)(5), and 16-3C-4. HIPAA Privacy Regs 45 CFR §§ 164.506 and 164.502(b).
PRIVACY AND SECURITY -- Scenario 4. Patient Care Scenario D (continued)
Columns on this page: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization

BP3 (WV 003 S4)
  Business Practice Long Description: In the workers' compensation arena, by filing a claim and signing the injury report form a patient authorizes any physician to release to or orally discuss with the employer or authorized agent of the carrier any medical records pertaining to the occupational injury or illness for which he/she is claiming benefits and any prior injury to or disease to the portion of the body for which he/she is alleging a medical impairment. Only authorized carrier staff, employer staff, providers and the patient have access to the electronic record. We use a system with security parameters set based on individual job-related need for access. Password required. Claimant, employer and provider access limited to specific claim information only. Provider access can be further limited for specific period of time. Carrier employees required to sign security policy agreement. Employ transmission protection such as VPN and encryption for outside network access.
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Stakeholder Organization: Payers
PRIVACY AND SECURITY -- Scenario 4. Patient Care Scenario D (continued)
Columns on this page: BP#; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
  (no entries on this page)

BP3
  Relevant Law (Legal Driver) -- Narrative: No legal requirements. WC provides privacy and security of information as a corporate decision.
  Relevant Law (Legal Driver) -- Reference Code/Statute: None.
PRIVACY AND SECURITY -- Scenario 5. Payment Scenario

Scenario 5 - Payment (DRAFT): X Health Payer (third party, workers compensation, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.). The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider's workforce members and medical staff members and their office staff. X Health Payer is requesting access to the EHR by its case management staff to approve/authorize inpatient encounters.

Columns on this page: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description

BP1 (WV 001 S 5)
  Business Practice Long Description: Our hospital security officer would allow the payer to have access to the EHR through a secure web portal. Only the requested records would be accessible and the minimum necessary information.
  Scenario: Scenario 5 - Payment
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Policy: Short Description: Information Security Policy & Remote Access

BP2 (WV 002 S 5)
  Business Practice Long Description: Our company would limit access to specific pieces of information related to the payer's claim and would allow the needed transfer of health information for payment purposes. User authentication, legal agreement and hardware/software authentication would be required to validate that access is provided only to the intended user. Security parameters would further limit access to read only. Access would be provided only to personnel of payer needing information for job functions. Record linking methods required to match certain information such as patient name, date of birth, date of service, to allow payer access only to pertinent information. Transmission protection such as VPN, encryption and network security required for access to information. Data use agreement would be in place.
  Scenario: Scenario 5 - Payment
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
            PRIVACY AND SECURITY                                                                  Scenario 5. Payment Scenario




DRAFT                                                                                                                              DRAFT     DRAFT                           DRAFT
                                                                                                                 Specify Other                                                   Relevant Law (Legal
                                                                                                  Stakeholder                                   Relevant Law (Legal
      BP#                                Policy: Long Description                                                Stakeholder (if     Cause                                       Driver) -- Reference
                                                                                                  Organization                                   Driver) -- Narrative
                                                                                                                   applicable)                                                      Code/Statute
                                                                                                                                             Use and disclosure of           HIPAA Privacy Rule – 45 CFR
              Access to information in the possession or the control of our facility must be                                                 protected health information    §§164.502 (b)(1); 160.103;
              provided based on the need to know and the minimum necessary to perform                                                        for payment-related purposes    164.502 (e)(1); 164.504 (e)(1)
              essential functions. Information must be disclosed only to people or entities who                                              is subject to the HIPAA         and (e)(2). HIPAA Security
              have a legitimate need. The privileges granted to all users must be periodically                                               Privacy Rule “minimum           Rule – 45 CFR §164.312.
              reviewed. Unless it has specifically been deemed public, all internal information                                              necessary” standard, the
              must be protected from disclosure to third parties. Third parties may be given                                                 HIPAA Security Rule
              access to internal information only when a demonstrable need to know exists,                                                   Technical Safeguards, and may
              when a Data Use Agreement or Business Associate Agreement has been                                                             be subject to business
              signed, and when such a agreement has been expressly authorized by the                                                         associate contract
              relevant information Owner. If sensitive information is suspected of being lost                                                requirements.
              or disclosed to unauthorized parties, the information Owner and the Compliance
              Officer must be notified immediately. All third parties are responsible for
              securing their private networks from our network. In no case shall network-to-
              network connectivity be allowed without appropriate security technology. Some
              type of security mechanisms shall exist between our network and any third
BP1           party.                                                                               Hospitals




                                                                                                                                             Use and disclosure of           HIPAA Privacy Rule – 45 CFR
                                                                                                                                             protected health information    §§164.502 (b)(1); 160.103;
                                                                                                                                             for payment-related purposes    164.502 (e)(1); 164.504 (e)(1)
                                                                                                                                             is subject to the HIPAA         and (e)(2). HIPAA Security
                                                                                                                                             Privacy Rule “minimum           Rule – 45 CFR §164.312.
                                                                                                                                             necessary” standard, the
                                                                                                                                             HIPAA Security Rule
                                                                                                                                             Technical Safeguards, and may
                                                                                                                                             be subject to business
                                                                                                                                             associate contract
                                                                                                                                             requirements.


BP2                                                                                                 Payers




            RTI International
            Privacy and Security Contract No. 290-05-0015                                                          Page 21 of 61                                             99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls
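The payer-access controls that BP2 above lists (a data use agreement on file, access only for payer roles with a job need, transmission protection, record linking on patient name, date of birth and date of service, and a read-only view limited to the minimum necessary fields), as an added Python example that is not part of the RTI assessment or any stakeholder's system. The payment field set, roles, channels, agreement table and EHR records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from types import MappingProxyType
from typing import Iterable, Mapping

# Fields a payer's case manager needs to approve/authorize an inpatient encounter.
# Constructed for this example; the covered entity's policy decides the real set.
PAYMENT_FIELDS = frozenset({"patient_id", "date_of_service", "admit_diagnosis",
                            "procedure_codes", "attending_provider"})
# Payer roles whose job function needs the information (constructed).
ALLOWED_ROLES = frozenset({"case_manager"})
# Channels that give transmission protection, e.g. VPN or encrypted portal (constructed).
PROTECTED_CHANNELS = frozenset({"vpn", "tls_portal"})
# Data use agreements on file: payer organization -> agreement expiry (constructed).
DATA_USE_AGREEMENTS = {"X Health Payer": date(2027, 12, 31)}

@dataclass(frozen=True)
class EhrRecord:
    patient_id: str
    patient_name: str
    date_of_birth: date
    date_of_service: date
    admit_diagnosis: str
    procedure_codes: tuple
    attending_provider: str
    clinic_notes: str = ""  # free text is never part of the payment view

@dataclass(frozen=True)
class PayerRequest:
    payer_org: str
    requester_id: str
    requester_role: str
    channel: str
    claim_patient_name: str
    claim_date_of_birth: date
    claim_date_of_service: date

@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str            # always populated so the decision can be audited
    records: tuple = ()    # read-only views of the pertinent records only

def _norm(name: str) -> str:
    """Normalize a name for linking: case- and whitespace-insensitive."""
    return " ".join(name.casefold().split())

def record_matches_claim(rec: EhrRecord, req: PayerRequest) -> bool:
    """Record linking: pertinent only if name, DOB and date of service all match."""
    return (_norm(rec.patient_name) == _norm(req.claim_patient_name)
            and rec.date_of_birth == req.claim_date_of_birth
            and rec.date_of_service == req.claim_date_of_service)

def minimum_necessary_view(rec: EhrRecord) -> Mapping:
    """Project a record onto the payment fields and freeze it (read only)."""
    return MappingProxyType({f: getattr(rec, f) for f in sorted(PAYMENT_FIELDS)})

def authorize_payer_access(req: PayerRequest, records: Iterable[EhrRecord],
                           today: date) -> AccessDecision:
    """Apply the controls in order; the first failing control denies the request."""
    expiry = DATA_USE_AGREEMENTS.get(req.payer_org)
    if expiry is None or expiry < today:
        return AccessDecision(False, "no current data use agreement for payer")
    if req.requester_role not in ALLOWED_ROLES:
        return AccessDecision(False, f"role {req.requester_role!r} has no job need")
    if req.channel not in PROTECTED_CHANNELS:
        return AccessDecision(False, f"channel {req.channel!r} is not protected")
    pertinent = tuple(minimum_necessary_view(r) for r in records
                      if record_matches_claim(r, req))
    if not pertinent:
        # Claim details linked to no record: nothing leaves the EHR.
        return AccessDecision(False, "claim details do not link to any record")
    return AccessDecision(True, f"{len(pertinent)} record(s), payment fields only",
                          pertinent)

# Constructed sample data: two encounters for one patient and one other patient.
SAMPLE_RECORDS = (
    EhrRecord("P-1001", "Jane Doe", date(1936, 4, 2), date(2007, 3, 10),
              "dx-A", ("proc-1",), "Dr. A", "confused on arrival"),
    EhrRecord("P-1001", "Jane Doe", date(1936, 4, 2), date(2006, 11, 5),
              "dx-B", ("proc-2",), "Dr. B", "prior admission"),
    EhrRecord("P-2002", "John Roe", date(1950, 1, 1), date(2007, 3, 10),
              "dx-C", ("proc-3",), "Dr. C", ""),
)
SAMPLE_TODAY = date(2007, 6, 1)       # agreement still in force
AFTER_EXPIRY = date(2028, 1, 1)       # agreement has lapsed

def sample_request(**overrides) -> PayerRequest:
    """A case manager's request for the 2007-03-10 encounter; name spacing differs."""
    fields = dict(payer_org="X Health Payer", requester_id="cm-17",
                  requester_role="case_manager", channel="vpn",
                  claim_patient_name="JANE  DOE", claim_date_of_birth=date(1936, 4, 2),
                  claim_date_of_service=date(2007, 3, 10))
    fields.update(overrides)
    return PayerRequest(**fields)
```

Only the encounter that links to the claim is released, and the view carries neither the clinic notes nor the prior admission; every denial returns a reason so the decision can be logged for the information audits listed in the domains.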
BP3   Business Practice Short Name: WV 003 S 5   Scenario: Scenario 5 - Payment
  Business Practice Long Description: Our business office personnel would request access to the EHR. This would automate a process that is now manual. The system needs to let us request and receive the minimum necessary information for the situation. The provider would benefit by receiving an automated approval/authorization from us. The more providers connected to a common system/network, the more efficient the process is for us and the providers. The patient benefits from the faster approval/authorization of inpatient encounters, the provider has less or no staff time involved in fulfilling the request, and we have less burdensome processes in handling the approval/authorization. This eliminates the problem of lost, misrouted, or stolen records and reduces shipping and transportation costs.
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: HIPAA minimum necessary requirements
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs, 45 CFR § 514
PRIVACY AND SECURITY    Scenario 6. RHIO Scenario

Scenario 6 - RHIOs

The RHIO in your region wants to access data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients.

BP1   Business Practice Short Name: WV 001 S 6   Scenario: Scenario 6 - RHIO
  Business Practice Long Description: For our association, as long as the patient data is aggregate or non-personally identifiable, there would be no problem sharing with the RHIO. Providers would be notified and given the opportunity to participate. If personal identifiers were required, there would be an IRB approval process and a patient informing process.
  Stakeholder Organization: Professional associations and societies
  Domain rows (Domain | Classification (Barrier v. Not a Barrier) | Relevant Law (Legal Driver) -- Narrative | Reference Code/Statute):
    1. User and entity authentication | Barrier to interoperability | Narrative: HIPAA Security and Privacy Rules as a BA under contract | Reference: 45 CFR §§164, et seq.
    2. Information authorization and access controls | Barrier to interoperability | Narrative: HIPAA Security and Privacy Rules as a BA under contract. IRB approval is not required under law for disclosure to a BA for TPO. | Reference: 45 CFR §§164, et seq.; 21 CFR Parts 50 and 56.
    3. Patient and provider identification | Not a barrier to interoperability
    5. Information protection (against improper modification) | Not a barrier to interoperability
    6. Information audits that record and monitor activity | Not a barrier to interoperability
    8. State law restrictions | Barrier to interoperability | Narrative: West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA. | Reference: West Virginia Code Section 16-29G-8.
    9. Information use and disclosure policy | Barrier to interoperability | Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. However, the RHIO would operate as a business associate. | Reference: HIPAA Privacy Rule – 45 CFR Part 164, Subpart E; 45 CFR § 164.504(e).

BP2   Business Practice Short Name: WV 002 S 6   Scenario: Scenario 6 - RHIO
  Business Practice Long Description: QIOs can release this information with their CMS contracts, but if they have a research grant, they need to get IRB approval. They mostly give info out deidentified, if the contract permits.
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Quality improvement organizations
  Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR Part 164, Subpart E. West Virginia Code Section 16-29G-8.

BP3   Business Practice Short Name: WV 003 S 6   Scenario: Scenario 6 - RHIO
  Business Practice Long Description: Workers Comp has worked with a state agency to give this info out and also did work on a national level, but wouldn't give out identifiers.
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: No legal requirements. WC provides privacy and security of information as a corporate decision.
  Relevant Law (Legal Driver) -- Reference Code/Statute: None.
            PRIVACY AND SECURITY                                                         Scenario 7. Research Data Use Scenario
                           A research project on children younger than age 13 is being conducted in a double blind study for a new drug for ADD/ADHD. The
                               research project is being reviewed by the IRB that presides over research protocols at the major medical center where the
                            research investigators are located. The data being collected are all electronic and all responses from the subjects are completed
DRA           Scenario 7 - electronically in the same data base file. The principle investigator was asked by one of the investigators if they could use the raw
              Research         data to track the patients over an additional six months or use the raw data collected for a white paper that is not part of the
FT            Data Use                                     research protocols final document for his post doctoral fellow program.

               Business
                                                                                                                     Classification
               Practice                                                                                                                                              Policy: Short                                                  Stakeholder
      BP#                                Business Practice Long Description                          Scenario       (Barrier v. Not a           Domain                                       Policy: Long Description
                Short                                                                                                                                                Description                                                    Organization
                                                                                                                        Barrier)
                Name




                        Under home health law, the principle investigator would decline the
                        request because the use of the data was not included in the
                        original IRB. Home health law in WV is based on federal regulation
                        and agencies must be compliant with the federal regulations. At
                        times agencies participate in research activities and must remain
                        compliant with the federal privacy requirements and also the
                        requirements of the research entity with which they are involved.
                        Therefore the utilization of data as outlined in the IRB would             Scenario 7 -
                        necessitate the information only to be used in the manner which           Research Data         Barrier to                                                                                                  Homecare and
BP1           WV 001 S7 was described.                                                                Use            interoperability   8. State law restrictions                                                                     hospice



                                                                                                                                                                                     Authorization, among many other items,
                                                                                                                                                                                     includes: *The name or identification of the
                                                                                                                                                                                     persons or class of persons authorized to      Medical and
                                                                                                                                                                                     receive disclosures of PHI and to use the      public health
                                                                                                   Scenario 7 -                                                                      PHI for research-related purposes. *A          schools that
                        Additional tracking and use of data is not permitted unless a             Research Data      Not a barrier to    1. User and entity                          description of each purpose for the use or      undertake
BP2           WV 002 S7 second study has been approved through the IRB.                               Use            interoperability      authentication      HIPAA Research        disclosure.                                      research
                                                                                                                                           2. Information
                                                                                                                     Not a barrier to authorization and access
BP2           WV 002 S7                                                                                              interoperability          controls


                                                                                                                     Not a barrier to    3. Patient and provider
BP2           WV 002 S7                                                                                              interoperability         identification
                                                                                                                                             4. Information
                                                                                                                     Not a barrier to   transmission security or
BP2           WV 002 S7                                                                                              interoperability      exchange protocols

                                                                                                                                        5. Information protection
                                                                                                                     Not a barrier to       (against improper
BP2           WV 002 S7                                                                                              interoperability          modification)
                                                                                                                                        6. Information audits that
                                                                                                                     Not a barrier to       record and monitor
BP2           WV 002 S7                                                                                              interoperability             activity
                                                                                                                                          7. Administrative or
                                                                                                                     Not a barrier to      physical security
BP2           WV 002 S7                                                                                              interoperability         safeguards
                                                                                                                     Not a barrier to
BP2           WV 002 S7                                                                                              interoperability   8. State law restrictions




            RTI International
            Privacy and Security Contract No. 290-05-0015                                                            Page 28 of 61                                                       99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls
            PRIVACY AND SECURITY                                                         Scenario 7. Research Data Use Scenario


Table columns: BP#; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute
BP1
    Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants’ safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502 (g)(1--5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101--§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50—50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992);




BP2
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA - Privacy Rule; Other Federal Law - 45 CFR-46 Federal Human Subject Protection Rules
BP2 (further BP2 rows)    (no entries in the Cause or Relevant Law columns)




Table columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization




BP2  WV 002 S7    Classification: Barrier to interoperability    Domain: 9. Information use and disclosure policy


BP3  WV 003 S7
    Business Practice Long Description: In our medical school, IRB approval must be sought (by the Principal Investigator) for either scenario; however, the nature of the request and the investigator responsibilities differ. To extend data collection an additional six months for a purpose not covered by the previously approved IRB protocol, the investigator must submit a new protocol covering this new purpose to the IRB for consideration. Since the proposal will be prospective, subjects will need to give their consent (or assent for children under the age of 18) to collect data for this second purpose. The new protocol, like the earlier protocol, would probably require a full-board review because the target population is a protected population, i.e., children under 13 years of age. Analyzing the raw data previously collected under an approved IRB protocol could make a new protocol eligible for expedited consideration, depending on whether the raw data includes personal health information and sensitive information that if released could potentially cause harm. It is possible to request that the IRB waive “consenting” for existing data on the grounds that it would be impractical or unfeasible.
    Scenario: Scenario 7 - Research Data Use
    Classification: Barrier to interoperability
    Domain: 2. Information authorization and access controls
    Stakeholder Organization: Medical and public health schools that undertake research




BP4  WV 004 S7
    Business Practice Long Description: In our agency, the protected health information in the research database would be covered by HIPAA, but HIPAA could be addressed with appropriate business associate relationships. The investigator would need to get approval of the additional research from his/her institutional review board. The original IRB would need to weigh whether granting access was permissible, and it would likely depend on the disclosures in the original informed consent. In the worst case, the new research would require new informed consent from the parents of all of the children.
    Scenario: Scenario 7 - Research Data Use
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy
    Stakeholder Organization: Public Health agencies




BP2
    Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy,
    Relevant Law (Legal Driver) -- Reference Code/Statute: US DHHS Regs. governing human subject research: 45 CFR §46.101--§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50—50.56.

BP1
    Cause: Tight control of human subject research with fully informed consent is current public policy. Sharing PHI data (whether for adults or children) without specific consent is contrary to current public policy governing research protocols. ** Please see attached word document for a fuller analysis of this scenario.
    Relevant Law (Legal Driver) -- Narrative and Reference Code/Statute: identical to the first BP1 entry for this scenario above.
BP3




BP4
    Relevant Law (Legal Driver) -- Narrative and Reference Code/Statute: identical to the first BP1 entry for this scenario above.




PRIVACY AND SECURITY    Scenario 8. Scenario For Access By Law Enforcement

Scenario 8 - Law Enforcement: An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer arrives in the ER in addition to the patient's parents. The police officer requests a copy of the blood alcohol test results and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests are made to the ER staff. The patient is covered under their parent's health and auto insurance policy.




BP 1  WV 001 S 8
    Business Practice Long Description: The expected result would be that since the child is an adult, the parents are not privy to his protected health information without his consent per HIPAA privacy regulations. The police officer can obtain a copy of the report without specific patient consent for determining proper charges. A person who operates a motor vehicle implicitly consents to testing to determine intoxication if there is just cause to believe the person is intoxicated. If a paper copy is provided to law enforcement, proper identification should be provided for user authentication. Fax submissions should contain a confidentiality statement and information on the protocol to follow if received by an unintended user. Electronic submissions should be encrypted. If the provider and law enforcement agency exchange information frequently, a data use agreement could be entered into.
    Scenario: Scenario 8 - Law Enforcement
    Classification: Not a barrier to interoperability
    Domain: 6. Information audits that record and monitor activity
    Stakeholder Organization: Payers
BP 1  WV 001 S 8    Classification: Not a barrier to interoperability    Domain: 7. Administrative or physical security safeguards
BP 1  WV 001 S 8    Classification: Barrier to interoperability    Domain: 9. Information use and disclosure policy




BP2  WV 002 S 8
    Business Practice Long Description: In our agency, HIPAA and state confidentiality provisions would most likely prevent the parents from obtaining the information without the adult patient's consent. The police officer could obtain the results in conjunction with his or her investigation of the accident.
    Scenario: Scenario 8 - Law Enforcement
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions
    Stakeholder Organization: State government


BP3  WV 003 S 8
    Business Practice Long Description: In our hospital, law enforcement personnel are denied access to patients unless they have a court order. Software access is limited by password. Each password has restrictions as to the information which may be accessed. Through the use of third-party software, all information is encrypted when being sent over the electronic communications network. Passwords have designated security clearances which define whether a user has no access, view-only access, or the ability to add, delete or modify information. A master security log is maintained on line to determine user access and the processes completed. Staff are required to use the organization's network for all I.S. activity. The network includes up-to-date security measures which protect against unauthorized access, introduction of dangerous items such as worms, and attempts by users to enter unauthorized areas.
    Classification: Barrier to interoperability
    Domain: 1. User and entity authentication
    Stakeholder Organization: Hospitals








BP 1    (no entries in the Cause or Relevant Law columns)
BP 1    (no entries in the Cause or Relevant Law columns)
BP 1
    Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists when the disclosure is to the parents, or when the disclosure to law enforcement is not required by law.
    Relevant Law (Legal Driver) -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access as required by law.
    Relevant Law (Legal Driver) -- Reference Code/Statute: Original: W. Va. Code §§17C-5-4 & 17C-5-6. 45 C.F.R. §§ 164.502(a)(1)(i); 164.502(g)(3)(i); 164.508(a)(1); 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 16-29-1; 17C-5-4; 17C-5-6


BP2
    Relevant Law (Legal Driver) -- Narrative: As a 19 year old “child” is an adult, parents cannot access their child’s PHI, without authorization, under state law and HIPAA.
    Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1; Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992); HIPAA Privacy Regs – 45 CFR §§ 164.502(a)(1)(i), 164.502 (g)(3)(i), and 164.508(a)(1).

BP3
    Cause: We agree that disclosure to law enforcement of the PHI in this Scenario would require patient authorization, unless the tests were undertaken at the direction of law enforcement, in which case disclosure is required by law in West Virginia; federal laws governing the confidentiality of alcohol and drug treatment records would not apply in this circumstance, and would not represent a barrier to interoperability.
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs requiring Administrative and Technical Safeguards
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR §§ 164.308, 164.312





BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 2. Information authorization and access controls
BP3  WV 003 S 8    Classification: Not a barrier to interoperability    Domain: 3. Patient and provider identification
BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 4. Information transmission security or exchange protocols
BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 5. Information protection (against improper modification)
BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 6. Information audits that record and monitor activity
BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 7. Administrative or physical security safeguards
BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 8. State law restrictions
BP3  WV 003 S 8    Classification: Barrier to interoperability    Domain: 9. Information use and disclosure policy




BP4  WV 004 S 8
    Business Practice Long Description: In correctional facilities, parents cannot get at the info; it is a state law. If they are on parole, the parolees agree to monitoring while they are incarcerated; they don’t have a choice.
    Scenario: Scenario 8 - Law Enforcement
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions
    Stakeholder Organization: Correctional facilities




BP3
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs requiring Administrative and Technical Safeguards
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR §§ 164.308, 164.312
BP3    (no entries in the Cause or Relevant Law columns)
BP3
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Technical Safeguards
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312
BP3
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Technical Safeguards
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312
BP 1
BP3
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Technical Safeguards
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312
BP3
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Administrative Safeguards
    Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.308
BP3
    Relevant Law (Legal Driver) -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law.
    Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6
BP3
    Relevant Law (Legal Driver) -- Narrative and Reference Code/Statute: same as the preceding BP3 row.
BP4
    Relevant Law (Legal Driver) -- Narrative: Law enforcement desires access to blood alcohol test results of 19-year-old accident victim. Parents desire access to 19-year-old child’s ER record and lab results. Should the hospital tests result in a showing of HIV or STD, those applicable infectious disease confidentiality provisions would also serve as a barrier. Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law.
    Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1; 64 CSR 12-7.2 (DHHR Hospital Licensure Rule); 42 U.S.C.A. 290dd-3 (Public Health Service Act); 42 CFR 2.11 (Federal Mental Health Record Confidentiality Rule); 45 CFR §§ 164.502 (g) and (j), 164.524 (HIPAA Privacy Regs). 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6




             RTI International
             Privacy and Security Contract No. 290-05-0015                                           Page 35 of 61                                                          99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls
PRIVACY AND SECURITY                                    Scenario 9. Pharmacy Benefit Scenario A                                    DRAFT

Scenario 9 - Pharmacy Benefit A: The Pharmacy Benefit Manager (PBM) has a mail order pharmacy and also has a closed formulary. The PBM receives a prescription from Patient X for the antipsychotic medication Geodon. The PBM's preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider's Outpatient Clinic.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP1 | WV 001 S9
    Business Practice: In state government, we have a network established that connects the PBMs with payers and physicians. Members choose to participate under agreements with PBMs and PHI is transmitted with patient consent. User authentication is an important component to ensure that it is the PBM contacting the physician and the physician replying to the PBM.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

BP2 | WV 002 S9
    Business Practice: Business practice is same as in the scenario.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Unassigned
    Domain: 1. User and entity authentication

BP3a | WV 003a S9
    Business Practice: As a workers' compensation insurer, we have a standard drug list and require the use of generics where available. If a script is received and is not on the list, authorization for the drug is withheld. The prescribing physician may be contacted to write the script for an approved alternative drug for authorization or to provide justification for the prescribed drug before authorization is provided. If the claimant takes the script to a participating pharmacy and it is not approved, the claimant or the pharmacist may contact the claims adjuster for clarification. If a generic is available and the doctor has not indicated the claimant cannot take the generic, it may be authorized. Otherwise, the prescribing doctor will have to provide a new script for a medication on the drug list or provide justification for the prescribed drug. Further, W. Va. Code provides that if a generic medication is available, it must be provided. If the claimant chooses to obtain the brand-name drug, he/she will be responsible for payment for the difference.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

BP3b | WV 003b S9
    Business Practice: In Workers Comp, the Point of Sale system is available only to those employees needing access to perform business functions and participating providers. Password authentication is required. Security policies/confidentiality agreements in place with employees regarding protection of information. End user agreements in place with participating providers. Authentication required for access to system. Technology in place to secure system from unintended users. Vendor used to implement secure transmission of data. Vendor provides software that allows protection from data modification.

Columns: BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Possible Solutions

BP1 | Stakeholder Organization: State government
    Relevant Law (Legal Driver) -- Narrative: There is currently no WV law regulating PBMs. Public Employees Insurance Agency ("PEIA") does have statutory authority to manage the increase in prescription drug cost and execute prescription drug purchasing agreements on behalf of the state of West Virginia with PBMs and other private sector arrangements, provided that "no private entity may be compelled to participate in the prescription drug purchasing pool," and PEIA "may not enter into a contract with a private entity" without Legislative approval. To the extent that the scenario anticipates that the communication occurs electronically, the electronic submission would violate West Virginia law and regs. First, the Board of Pharmacy regulation language indicates that a "wet" signature is required and that a digital signature (either physical digitalized signature or digital key signature) will not meet the requirement. Second, the regs have "non intermediary" requirements.
    Reference Code/Statute: W.Va. Code § 5-16C-1, et seq.; W.Va. Code § 30-5-1 et seq. and W.Va. C.S.R. § 15-1-1, et seq.; W.Va. Code § 60A-1-101, et seq;
    Possible Solutions: See report on e-Prescribing: http://www.tygart.com/Eprescriptions.asp

BP2 | Stakeholder Organization: Community clinics and health centers

BP3a | Stakeholder Organization: Payers
    Relevant Law (Legal Driver) -- Narrative: 1. Unique features of the West Virginia workers' compensation program governing and requiring the prescribing of generic drugs by pharmacy for a workers' compensation claimant. The workers' compensation law requires a pharmacist who is filling a prescription for a workers' compensation claimant to dispense the generic brand of the drug, if one exists. If a generic does not exist then the pharmacist can dispense the name brand drug. Interoperability issues involve the failure of out of state providers and businesses that operate in West Virginia to understand the unique requirements of the West Virginia workers' compensation system.
    Reference Code/Statute: Original: State Law - W. Va. Code §23-4-3(a)(3); Regulation - 85 C.S.R. 20 - Medical Management of Claims; W.Va. Code § 23-4-3(a)(3) and W.Va. C.S.R. § 85-20-1 et seq.

BP3b

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP3c | WV 003c S9
    Business Practice: Workers' compensation programs are exempt from HIPAA. State law and regulations provide limits on prescription medication and medication management issues. Out of state providers may be unaware of these laws and regulations or may try to apply the laws and fee schedules from their state. We sometimes have difficulty getting out of state providers to accept workers' compensation patients and the established fee schedule on a non-emergent basis because of these issues. To address this problem, we contract with provider agencies that specialize in providing state-wide providers. By agreeing to accept WV Workers' Compensation patients, these providers agree to accept our fees and to abide by our laws and regulations.

BP4 | WV 004 S9
    Business Practice: As a clinician, we deal with out of state PBM's daily who request an authorization form or provide OV notes over the phone and fax. If the patient does not meet the PBM formulary the Dr. changes the medication to preferred medication.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 7. Administrative or physical security safeguards
    Policy: Short Description: Prior authorization, Office and HIPAA policy
    Policy: Long Description: Covered entity due to the insurance of continued care for the patient.

BP5 | WV 005 S9
    Business Practice: As a payer, we have a preferred drug list. The claimant needs preauthorization for drugs not preauthorized and if claimant wants one that is not, they have to pay. If the generic is available, State Law says we can automatically give them the generic.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

BP6 | WV 006 S9
    Business Practice: As a payer, we have a higher standard of security for behavioral health info and with administering these type of benefits. Care management personnel are specially trained and they have a higher level of permissions for this type of info. All this info is maintained in our database and reports can be generated.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 2. Information authorization and access controls

Columns: BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Possible Solutions

BP3c

BP1

BP4 | Stakeholder Organization: Clinicians
    Relevant Law (Legal Driver) -- Narrative: Original: HIPAA, State, and Federal law. Determining the status of pharmacy benefit managers ("PBM") under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and whether PBMs are considered "covered entities" or "business associates." Generally, PBMs do not meet the definition of a "covered entity" under
    Reference Code/Statute: 1. HIPAA 45 C.F.R. § 160.102; HIPAA 45 C.F.R. § 164.502(e)(1); HIPAA 45 C.F.R. § 164.506.

BP5 | Stakeholder Organization: Payers
    Relevant Law (Legal Driver) -- Narrative: Workers Comp law requires generic prescribing where available
    Reference Code/Statute: W. Va. Code § 23-1-1 et seq.

BP6 | Stakeholder Organization: Payers
    Relevant Law (Legal Driver) -- Narrative: The legal analysis differs depending upon whether the Pharmacy Benefit Manager or the outpatient clinic is in West Virginia. HIPAA regulations allow the disclosure of protected health information for payment purposes. If the Pharmacy Benefit Manager is in West Virginia, there are no West Virginia Code provisions against seeking the collection of data. If the clinic is in West Virginia, it may not reveal mental health information beyond that which the Pharmacy Benefits Manager already knows because the clinic has already released the data to the payor. The clinic should also assure that Pharmacy Benefits Managers have a Business Associate Agreement with the insurers.
    Reference Code/Statute: HIPAA Regulation §164.506; West Virginia Code § 27-3-1; 27-3-2; 27-5-9(e)

PRIVACY AND SECURITY                                    Scenario 10. Pharmacy Benefit Scenario B                                    DRAFT

Scenario 10 - Pharmacy Benefit B: A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the company's employees' prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if PBM1 could save the company money on their prescription drug benefit. Company A is self-insured and as part of their current benefits package, they have the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims to them to complete the review.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization

BP1 | WV 001 S10
    Business Practice: In our pharmacy, we recognize that HIPAA allows release of PHI for payment and treatment purposes but the review of that information without patient consent by another PBM would probably fall outside of that allowance. If the information was aggregate and not patient identifiable, then the review could probably be conducted. Very important the PBMs not be able to modify the data showing a prescription that has been processed and filled.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy
    Stakeholder Organization: Pharmacies

BP2 | WV 002 S10
    Business Practice: From the perspective of our public health agency, using aggregate statistics would be all right, but if the scenario is as stated, Company A is already on very thin ice. Assuming that PBM2 and not Company A actually has the claims, then PBM2 could transmit the claims to PBM1 under HIPAA, provided it had a Business Associate agreement with PBM. There might be state law barriers related to disclosure of drugs used in specific conditions, e.g. HIV/AIDS or psychiatric disorders.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions
    Stakeholder Organization: Public Health agencies

BP3 | WV 003 S10
    Business Practice: As a payer, we have Business Associate agreements in place. This is a standard agreement unless the other company has another form - we may use both. We build policies on what HIPAA requires - we have an index of BA policies. All the data we send is encrypted. PHI has to be encrypted and the receiver has the user ID and password to un-encrypt. Internally, that is not necessary because of our firewalls.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy
    Stakeholder Organization: Payers

BP3 | WV 003 S10
    Business Practice: (same business practice as the preceding BP3 row)
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 4. Information transmission security or exchange protocols
    Stakeholder Organization: Payers

BP4 | WV 004 S10
    Business Practice: As a payer, we have a consultant oversee pharmacy benefits and the consultant can see info on pts - we have a BA agreement with them. We also have a procedure audit and they are reviewed by HIPAA as part of due diligence. We contract with a company to provide PHI. Every employee has signed a confidentiality agreement.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy
    Stakeholder Organization: Payers

Columns: BP# | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
    Cause: We generally agree that the identified business practice presents barriers to interoperability, including the use of multiple business associate agreements, the creation of summary health information (a type of de-identified PHI), and compliance with the minimum necessary standard.
    Relevant Law (Legal Driver) -- Narrative: Employer who sponsors a self-insured group health plan may have only limited access to PHI, but may obtain summary health information (a type of de-identified PHI) to obtain premium bids or to modify or amend its group health plan.
    Reference Code/Statute: 45 C.F.R. §§ 164.502(b)(1); 164.504(e); 164.504(f)

BP2
    Relevant Law (Legal Driver) -- Narrative: The HIPAA privacy and security rules.
    Reference Code/Statute: WV Code § 16-29-1(b); HIPAA Privacy Regs. - 45 CFR §§ 164.312(e)(2), 164.501, 164.502(a)(1)(i), 164.502(e), 164.504(a), 164.504(e), 164.504(f), 164.504(f)(1)(ii), 164.504(f)(2)(ii)(C), 164.504(f)(2)(iii), 164.504(f)(3)(iv), 164.508(a)(1), 164.514(e)(4), 164.514(d)(3)

BP3
    Relevant Law (Legal Driver) -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
    Reference Code/Statute: HIPAA Privacy Regs. - 45 CFR §§ 164.502(e), 164.504(e)

BP3
    Relevant Law (Legal Driver) -- Narrative: Secure transmission of electronic PHI must be consistent with the HIPAA Security rule.
    Reference Code/Statute: HIPAA Security Regs. - 45 CFR § 164.312

BP4
    Relevant Law (Legal Driver) -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
    Reference Code/Statute: HIPAA Privacy Regs. - 45 CFR §§ 164.502(e), 164.504(e)

RTI International
Privacy and Security Contract No. 290-05-0015                                                                                    Page 41 of 61                                                                                          99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls
PRIVACY AND SECURITY        Scenario 11. Healthcare Operations and Marketing Scenario A

Scenario 11 - Operations and Marketing A: ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and one large tertiary hospital, DEF Medical Center, which has served as the system's primary referral center. Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art, stand-alone rehab center. Six months into operation, ABC Health Care does not feel that the rehab center is being fully utilized and is questioning the lack of rehab referrals from the critical access hospitals. ABC Health Care has requested that its critical access hospitals submit monthly reports to the system six-sigma team to analyze patient encounters and trends for the following rehab diagnoses/procedures: Cerebrovascular Accident (CVA), Hip Fracture, Total Joint Replacement. Additionally, ABC Health Care is requesting that this same information, along with individual patient demographic information, be provided to the system Marketing Department. The Marketing Department plans to distribute to these individuals a brochure highlighting the new rehab center and the enhanced services available.

Table columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description.

BP1 (WV 001 S 11)
  Business Practice Long Description: Our hospital policy permits Marketing to use PHI for marketing purposes as permitted by HIPAA and other applicable Federal and West Virginia laws. With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her PHI can be made for marketing. Based on the scenario they are IDS and would be appropriate.
  Scenario: Scenario 11 - Operatns & Mkting A
  Classification: Barrier to interoperability
  Domain: 1. User and entity authentication
  Policy: Short Description: Use of PHI for Marketing Purposes

BP2 (WV 002 S 11)
  Business Practice Long Description: As a payer, we would not supply PHI to anyone, esp in a marketing campaign, esp now with HIPAA.
  Scenario: Scenario 11 - Operatns & Mkting A
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP3 (WV 003 S 11)
  Business Practice Long Description: As a long term care facility, we would not supply PHI to anyone, esp in a marketing campaign, esp now with HIPAA.
  Scenario: Scenario 11 - Operatns & Mkting A
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP4 (WV 004 S 11)
  Business Practice Long Description: As a QIO, we would not supply PHI to anyone, esp in a marketing campaign, esp now with HIPAA. In a QIO, we would be in violation of HIPAA and our CMS contracts.
  Scenario: Scenario 11 - Operatns & Mkting A
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

Scenario 11. Healthcare Operations and Marketing Scenario A (continued)

Table columns: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute.

BP1
  Policy: Long Description: IDS may not sell PHI to a business associate or any other third party for that party's own purposes. IDS may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. Exceptions to the definition of marketing fall into the following three categories: (1) A communication is not "marketing" if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; (2) A communication is not "marketing" if it is made for treatment of the individual; (3) A communication is not "marketing" if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
  Stakeholder Organization: Hospitals
  Relevant Law (Legal Driver) -- Narrative: 1. With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - §164.501 - Definition - Marketing; HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP2
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP3
  Stakeholder Organization: Long term care facilities and nursing homes
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP4
  Stakeholder Organization: Quality improvement organizations
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

Scenario 11. Healthcare Operations and Marketing Scenario A (continued)

Table columns: BP#, Solution.

BP1
  Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP2
  Solution: (blank)

BP3
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP4
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

PRIVACY AND SECURITY        Scenario 12. Healthcare Operations and Marketing Scenario B

Scenario 12 - Operations & Marketing B: ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requesting PHI on all deliveries including mother's demographic information and birth outcome (to ensure that contact is made only with those deliveries that resulted in healthy live births). The Marketing Department has explained that they will use the PHI for the following purposes: 1. To provide information on the hospital's new pediatric wing/services; 2. To solicit registration for the hospital's parenting classes; 3. To request donations for construction of the proposed neonatal intensive care unit; 4. They will sell the data to a local diaper company.

Table columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description.

BP1 (WV 001 S 12)
  Business Practice Long Description: Our hospital practice requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital. Therefore, our hospital would not sell the data to a local diaper company without patient authorization.
  Scenario: Scenario 12 - Operatns & Mkting B
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Use and Disclosure of PHI for Marketing

BP2 (WV 002 S 12)
  Business Practice Long Description: Our hospital would not allow this practice.
  Scenario: Scenario 12 - Operatns & Mkting B
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Use of PHI for Marketing Purposes

BP3 (WV 003 S12)
  Business Practice Long Description: As a payer, we would have to sign a form with all involved persons to release any info; we do not sell any data. We used to be able to acquire lists, but now we would have to ask them to sign a form to release info; HIPAA has not been a Barrier to this because we can use permission forms. The info would be transferred electronically and encrypted.
  Scenario: Scenario 12 - Operatns & Mkting B
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

Scenario 12. Healthcare Operations and Marketing Scenario B (continued)

Table columns: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute.

BP1
  Policy: Long Description: Our hospital requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital.
  Stakeholder Organization: Hospitals
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP2
  Policy: Long Description: (1) Communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or (2) An arrangement between our hospital and another third party, whereby our hospital discloses PHI to the third party in exchange for direct or indirect remuneration as the result of the other party or its affiliate making a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Our hospital may not sell PHI to a business associate or any other third party for that party's own purposes. Our hospital may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.
  Stakeholder Organization: Hospitals
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP3
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

Scenario 12. Healthcare Operations and Marketing Scenario B (continued)

Table columns: BP#, Solution.

BP1
  Solution: (blank)

BP2
  Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP3
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

PRIVACY AND SECURITY                                                                                                     Scenario 13. Bioterrorism Event
                                 A provider sees a person who has anthrax, as determined through lab tests. The lab submits a report on this case to the
                               local public health department. The public health department in the adjacent county has been contacted and has confirmed
                                that it is also seeing anthrax cases, and therefore it could be a possible bioterrorism event. Further investigation confirms
                                that this is a bioterrorism event, and the State declares an emergency. This then shifts responsibility to a designated state
                               authority to oversee and coordinate a response, and involves alerting law enforcement, hospitals, hazmat teams, and other
                                  partners, as well informing the regional media to alert public to symptoms and seek treatment if feel affected. The State
                                 also notifies the Feds of the event, and some federal agencies may have direct involvement in the event. All parties may
                 Scenario 13 -     need to be notified of specific identifiable demographic and medical details of each case as they arise to identify the
                 Bioterrorism   source of the anthrax, locate and prosecute the parties responsible for distributing the anthrax, and protect the public from
 DRAFT           Event                                                                  further infection.

                   Business                                                                                               Classification
                                                                                                                                                                   Policy: Short                                                                 Specify Other Stakeholder
       BP#         Practice                      Business Practice Long Description                          Scenario     (Barrier v. Not       Domain                                   Policy: Long Description   Stakeholder Organization
                                                                                                                                                                    Description                                                                        (if applicable)
                  Short Name                                                                                                a Barrier)
                                                                                                                                                              Guidelines Pertaining to
                                                                                                                                                              Disclosures for Law
                                                                                                                                                              Enforcement Purposes
                                                                                                                                                              Without Written
                                                                                                           Scenario 13 -                     9. Information Authorization, Court
                                Our hospital privacy officer would disclose as required using the          Bioterrorism     Barrier to           use and      Order, Subpoena or
BP1              WV 001 S13     minimum necessary rule.                                                       Event      interoperability   disclosure policy Other Process                                                 Hospitals



                                Once our lab would submit a report to the local public health dept or to
                                the State as per those regs. governing anthrax and other public health
                                threats, then it would be in the hands of the State and Federal agencies.
                                If all parties would need to obtain additional information from our lab,
                                then that agency would notify our corporate compliance dept. via proper Scenario 13 -                        9. Information
                                documentation or request.                                                 Bioterrorism    Barrier to             use and
BP2              WV 002 S13                                                                                  Event     interoperability     disclosure policy                                                             Laboratories



                             Public health law is state-specific. I do not know the extent to which
                             Federal anti-terrorism legislation has attempted to pre-empt state law,
                             but I’m doubtful such pre-emption would be effective in a case like this
                             that does not appear to involve interstate commerce. Therefore, I
                             believe the state disease control laws would have primacy. Under state
                             law, the health director is generally authorized to disclose information
                             needed to control the spread of contagious disease. All information
                             exchange originating under the direction of the state health director or
                             his/her designate is probably permissible, even if it discloses PHI to the
                             public. There may be limits on the health director’s discretion, but I
                             doubt they would be significant under the scenario described. The one
                             important question is whether the public health director has authority to
                             disclose PHI to law enforcement agencies. Customarily, public health          Scenario 13 -
                             agencies have not done so, because of the chilling effect it is believed      Bioterrorism     Barrier to        8. State law
BP3a             WV 003a S13 to have on ongoing disease investigation.                                        Event      interoperability     restrictions                                                           Public Health agencies
                             I don’t know if current law in West Virginia mandates such disclosure, as
                             it may; if it does not, then the disclosure would fall under the discretion
                             of the public health director. Therefore the major barrier might be in the
                             event individual institutions or health professionals were not aware of
                             their duty to report information in a public health emergency, or if they
                             obstructed transmission of sensitive data to the health agency out of a       Scenario 13 -                     9. Information
                             perceived risk of liability for disclosure. If they have read HIPAA, they     Bioterrorism     Barrier to           use and
BP3b             WV 003b S13 won’t have such fears.                                                           Event      interoperability   disclosure policy




BP4 | WV 004 S13
  Business Practice Long Description: As a federal health facility, we would not be allowed to give out any info under the Laws of Confidentiality. Although, in an act of terrorism, there are some exceptions. Your individual identity cannot be revealed and we could give them demographics and we could contact others about the situation. But if the person has a contagious disease and he knowingly infects others, he is then considered a criminal and he has no rights. We would: send the info by an authorized courier in a sealed envelope, or through data secure telephone lines, or through scrambled, encrypted email.
  Scenario: Scenario 13 - Bioterrorism Event
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Stakeholder Organization: Federal health facilities




RTI International
Privacy and Security Contract No. 290-05-0015                                                                                                 Page 48 of 61                                                                                       99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls
PRIVACY AND SECURITY                                                    Scenario 13. Bioterrorism Event

BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
  Relevant Law (Legal Driver) -- Narrative: HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule, 45 CFR § 164.514(d)(3)(iii)(A); WV Code § 15-5-1 et seq.; 64 CSR § 7 (regs regarding reportable diseases)

BP2
  Relevant Law (Legal Driver) -- Narrative: HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule, 45 CFR § 164.514(d)(3)(iii)(A); WV Code § 15-5-1 et seq.; 64 CSR § 7 (regs regarding reportable diseases)

BP3a
  Relevant Law (Legal Driver) -- Narrative: No legal barrier to public health's disclosure to law enforcement. State Homeland Security provisions, the general and emergency powers of the Governor under the legislation, along with the State Director of Health's authority, allow for these disclosures.
  Relevant Law (Legal Driver) -- Reference Code/Statute: W. Va. Code §§ 15-5-1 et seq., 16-3-1 and 15-5-6; 64 CSR § 7 (regs regarding reportable diseases)

BP3b
  Relevant Law (Legal Driver) -- Narrative: Stakeholder cites perception issues.
  Relevant Law (Legal Driver) -- Reference Code/Statute: 1. WV Code § 15-5-1 et seq.

BP4
  Relevant Law (Legal Driver) -- Narrative: HIPAA Security and Privacy Rules together require the CE to safeguard protected health information, electronic and hard copy.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Rule, 45 CFR Part 164, Subpart C, and HIPAA Privacy Rule § 164.530(c)
PRIVACY AND SECURITY                                                    Scenario 14. Employee Health Information Scenario

Scenario 14 - Employee Health Info: An employee (of any company) presents in the local emergency department for treatment of an exacerbation of a chronic condition that is not work-related. The employee's condition necessitates a four-day leave from work for illness. The employer requires a "return to work" document for any illness requiring more than 2 days' leave. The hospital ED has an EHR, and its practice is to cut and paste patient information directly from the EHR and transmit the information electronically to the HR department.

BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP1a | WV 001a S 14
  Business Practice Long Description: As a payer, our business practice is to allow employees a certain number of paid time off (PTO) days. No detailed reason is needed for using those days. Short-term disability/long-term disability are also provided for certain medical issues and do require documentation to justify the disability. In this scenario, there are a couple of options. One, if the employer and hospital frequently exchange information, a confidentiality agreement or data use agreement needs to be entered into. The HR department could adjust its form to require only certain, non-specific medical information required only to justify the disability period. The hospital would then be responsible for providing the minimally necessary medical information as needed. It should be the hospital's policy to not provide more information than requested or needed per HIPAA privacy regulations, so the cut and paste practice may be a violation. The second option, one employed by the state of WV, would be for the return to work document to require only the disability period, the diagnosis and the treating doctor's signature.
  Scenario: Scenario 14 - Employee Health Info
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP1b | WV 001b S 14
  Business Practice Long Description: No specific medical information would be needed. End user should be limited to HR department employees. No access should be provided outside that unit. Data use agreement/confidentiality agreement should be in place to prevent unnecessary dissemination of protected health information.
  Classification: Not a barrier to interoperability
  Domain: 6. Information audits that record and monitor activity

BP1c | WV 001c S 14
  Business Practice Long Description: Transmission protections would be implemented between the sender and end user, such as encryption of information.
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols

BP1d | WV 001d S 14
  Business Practice Long Description: End user should be provided read-only access to information. One-way transmission (ED to HR department only) should be considered.
  Classification: Not a barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP1e | WV 001e S 14
  Business Practice Long Description: Only HR department employees should have access to the transmitted information. Information should be limited by the ED to that minimally necessary to fulfill HR's need. Once transmitted, information should be contained within the employee's personnel file and not be subject to view by outside parties.

BP1f | WV 001f S 14
  Business Practice Long Description: Special precautions for psychiatric/HIV information - patient must authorize release of information.
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP2 | WV 002 S 14
  Business Practice Long Description: Our hospital would prepare a leave of absence note for the employer which would limit information to the name of the employee, date seen by medical facility/physician, estimated time to be away from work, and signature of physician or other appropriate medical personnel.
  Scenario: Scenario 14 - Employee Health Info
  Classification: Barrier to interoperability
  Domain: 1. User and entity authentication
BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1a
  Stakeholder Organization: Payers
  Cause: The identified business practice involves multiple barriers to interoperability, but we disagree with the rationale employed; disclosure of PHI from existing health care records to the employer requires a signed authorization from the patient; once authorization is signed, disclosures made thereunder are not subject to the minimum necessary standard; once such information is lodged in employment files, it is no longer considered PHI; however, electronic transmission of the information to the employer must follow proper verification and security procedures.
  Relevant Law (Legal Driver) -- Narrative: A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
  Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP1b
  (no cause or legal driver entered)

BP1c
  Relevant Law (Legal Driver) -- Narrative: HIPAA Security Technical Safeguards
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164.312

BP1d
  (no cause or legal driver entered)

BP1e
  (no cause or legal driver entered)

BP1f
  Relevant Law (Legal Driver) -- Narrative: WV State law regarding HIV test results
  Relevant Law (Legal Driver) -- Reference Code/Statute: W. Va. Code §§ 16-3C-2, 3, 4; W. Va. Code § 27-3-1

BP2
  Stakeholder Organization: Hospitals
  Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
  Relevant Law (Legal Driver) -- Narrative: A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
  Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103
BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP3 | WV 003 S 14
  Business Practice Long Description: As a correctional facility, our business practice/procedure is that we have our own form to fill out for a return to work. Electronic transfer of emergency room data would not be accepted. The return to work form may eventually be able to be emailed and then completed for return. Additional ER info would not be necessary or desired. Password protected on secure lines. Limited access to the computer itself. Passwords must be changed on an irregular basis. Would need patient consent. The multiple information systems would need this patient consent prior to allowing access to the personal health information. Would need development of special programs for the encryption.
  Scenario: Scenario 14 - Employee Health Info
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Policy: Short Description: return to work form
  Policy: Long Description: Employee off more than 3 days submits for FMLA under the Family and Medical Leave Act (FMLA) of 1993. At the end of leave must submit a "return to work form" that has been completed by the physician, not by cut and paste in the ER.

BP4 | WV 004 S 14
  Business Practice Long Description: As a physician group, our office physician can release a RTW date to the employer, but any medical information would need a release of records from the patient. The HIPAA and State Laws would override the ER Policy. We use tracking forms in each chart to show info that was copied/faxed, who sent it, where it went and the date sent.
  Scenario: Scenario 14 - Employee Health Info
  Classification / Domain:
    Barrier to interoperability / 4. Information transmission security or exchange protocols
    Not a barrier to interoperability / 7. Administrative or physical security safeguards
    Not a barrier to interoperability / 8. State law restrictions
  Policy: Short Description: Covered entity
  Policy: Long Description: Patient release must be signed to release records.

BP5 | WV 005 S 14
  Business Practice Long Description: As a payer, under the State System we had PEIA Coverage and they required the forms for being out for 3 days. Dr. filled out the info and a RTW notice, all done on paper, no electronic version of this. This can also be faxed, and whoever is on the receiving end of the fax can view the info.
  Scenario: Scenario 14 - Employee Health Info
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP6 | WV 006 S 14
  Business Practice Long Description: In our payer organization, the employer cannot get at the info unless the employee signs an agreement. This is done on a paper basis. Our organization has an imaging process. This info is QUARANTINED, meaning only the appropriate person can get at the info. All have a secure storage place for records; we have an onsite storage place and, to get entrance, you have to have special permissions; there is a keyless entry.
  Scenario: Scenario 14 - Employee Health Info
  Classification / Domain:
    Barrier to interoperability / 8. State law restrictions
    Barrier to interoperability / 9. Information use and disclosure policy
BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP3
  Stakeholder Organization: Correctional facilities
  Cause: We agree with the identified business practice, and agree that it involves multiple barriers to interoperability, including patient authorization and use of proper security procedures.
  Relevant Law (Legal Driver) -- Narrative: A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
  Relevant Law (Legal Driver) -- Reference Code/Statute: Original: Other Federal Law - Family and Medical Leave Act 1993; Other - Company FMLA and Time & Attendance Policy. 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP4
  Stakeholder Organization: Physician groups
  Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
  Relevant Law (Legal Driver) -- Narrative: Original: HIPAA. A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included
  Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP5
  Stakeholder Organization: Payers

BP6
  Stakeholder Organization: Payers
  Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
  Relevant Law (Legal Driver) -- Narrative: A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
  Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103
PRIVACY AND SECURITY - Scenario 15. Public Health Scenario A

Scenario 15 - Public Health A: Active TB Patient has decided to move to a desert community that focuses on spiritual healing. The TB is classified MDR (multi-drug resistant). Patient purchases a bus ticket - the bus ride will take a total of nine hours with two rest stops. State A is made aware of Patient's intent two hours after the bus with Patient leaves. State now needs to contact the bus company and State B with the relevant information. State A may need to contact every state along the route.

BP1a (WV 001a S15)
  Business Practice Long Description: Since TB is a publicly reported disease the home health agency nurse would report the information to the public health department and allow the public health department to take action. At the present time there are very few systems in which home health agencies share electronic personal health information and the system for public reporting electronically such as would be needed in this instance is not presently available. It would be necessary to assure integrity of the communication between only those entities who had necessity of receiving the data. In present home health electronic information systems only those personnel who have been trained can access patient data. In general there are few who can access the entire data base and changes/modifications can only be made by those with certain security/access abilities. While most agencies have internal policies that dictate the utilization of electronic data within the agency and most often that shared with a fiscal intermediary and the state data collection agency.
  Scenario: Scenario 15 - Public Health A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 2. Information authorization and access controls; 5. Information protection (against improper modification)
  Policy: Long Description: All home health agencies have in place within their infection control policies and procedures for the reporting of publicly reported communicable diseases.
  Stakeholder Organization: Homecare and hospice
  Relevant Law (Legal Driver) -- Narrative: HIPAA Security regs require that PHI be safeguarded by covered entities, if a covered entity were sharing information with the state in this scenario.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.302 et seq.

BP1b (WV 001b S15)
  Business Practice Long Description: Very few, if any of the home health agencies are presently sharing electronic health data with other health care entities. Most exchange of information between entities currently takes place by paper exchange or oral exchange. WV home health agencies comply with federal regulation as outlined in the HIPAA standards and the home health conditions of participation as set forth by CMS at the federal level. The WV Office of Health Facilities Licensure and Certification is responsible for the oversight of agency compliance.
  Scenario: Scenario 15 - Public Health A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols
  Relevant Law (Legal Driver) -- Narrative: HIPAA Security regs require that PHI be safeguarded by covered entities, if a covered entity were sharing information with the state in this scenario.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.302 et seq.

BP2 (WV 002 S15)
  Business Practice Long Description: I would think that State A is made aware of the TB patient's location, and would need to locate both the bus company as well as other States along the route. Each State dept. of health would be involved in this process until the patient is located for additional follow-up.
  Scenario: Scenario 15 - Public Health A
  Classification (Barrier v. Not a Barrier): Not a barrier to interoperability
  Domain: 3. Patient and provider identification
  Stakeholder Organization: Laboratories

BP3 (WV 003 S15)
  Business Practice Long Description: This is a pure public health response, clearly authorized under law. Since the state already has a report of a case, there is no barrier to reporting the case in the first place. Since the patient has absconded, the state health director may use state quarantine law and ask the police to halt the bus before it leaves the state. Failing that, the health director will inform the Centers for Disease Control, which will inform the other states. The state health director's discretionary authority also allows him or her to notify adjacent states.
  Scenario: Scenario 15 - Public Health A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Public Health agencies
  Relevant Law (Legal Driver) -- Narrative: Home state public health department of active TB patient moving via bus to another city may, upon its order or order of state court of record, disclose patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting public health department to enforce state or court order. The patient is an active TB carrier spreading and subject to public health department isolation, quarantine, etc.
  Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-3D-3 to 9; 64 CSR §§ 7-3.4, 12.1.a.4, and 19-17-19; HIPAA Privacy Regs § 164.512(b).

BP4 (WV 004 S15)
  Business Practice Long Description: As a federal health facility, we would consider this to be a wanted person and someone that is violating others' rights. He would be considered a bio-hazard. We could send the info to the media and to other states and health care providers; for instance, we could say that John Doe is a wanted criminal or is a suspect. He loses all of his rights under the Privacy Act. We would first check out to see if he was dangerous to others and/or to himself. We would contact the health authorities, and state police via phone.
  Scenario: Scenario 15 - Public Health A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Federal health facilities
  Relevant Law (Legal Driver) -- Narrative: Home state public health department of active TB patient, moving via bus to another city may, upon its order or order of state court of record, disclose patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting public health department to enforce state or court order. The patient is an active TB carrier spreading and subject to public health department isolation, quarantine, etc. LWG unable to find any federal law dealing with TB and believe issue is left to the States.
  Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-3D-3 to 9; 64 CSR §§ 7-3.4, 12.1.a.4, and 19-17-19.

PRIVACY AND SECURITY - Scenario 16. Public Health Scenario B

Scenario 16 - Public Health B: A newborn's screening test comes up positive for a rare genetic disorder and the state lab test results are made available to the child's physicians and specialty care centers specializing in the disorder via an Interactive Voice Response system. The state lab also enters the information in its registry, and tracks the child over time through the child's physicians. The state public health department provides services for this rare genetic disorder and notifies the physician that the child is eligible for those programs. One of the services that the mother uses from the state is regularly purchasing special food products for persons with PKU.

BP1 (WV 001 S16)
  Business Practice Long Description: Generally, the provider and the clinical staff will make several phone calls to find assistance and support for the parent or child. In all my years of practice, I have never witnessed this scenario in the clinical setting - the closest to this scenario is the reportable infectious disease process - which is pretty effective. Also, not all providers are aware of mandated requirements to report certain genetic or other disorders to the state - some labs are out of state, so do not know all the state reporting requirements either.
  Scenario: Scenario 16 - Public Health B
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Professional associations and societies
  Relevant Law (Legal Driver) -- Narrative: No legal driver. (WV mandates reporting in WV Code § 16-22-1 et seq.; such disclosure is permitted under the HIPAA Privacy Rule.)

BP2 (WV 002 S16)
  Business Practice Long Description: Office of Maternal Child and Family Health - WV Code 16-22-3 mandates that abnormal labs in newborn children be reported to the Bureau for Public Health. It also permits identification, follow-up treatment with physicians and other resources provided by BPH. Communication involving PII/PHI is conducted by phone and faxing.
  Scenario: Scenario 16 - Public Health B
  Classification (Barrier v. Not a Barrier): Not a barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Public Health agencies

BP3 (WV 003 S16)
  Business Practice Long Description: It may be necessary to identify this child with special codes so as not to release the name of the child to outside entities, other than the physician and state health officials.
  Scenario: Scenario 16 - Public Health B
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Laboratories
  Relevant Law (Legal Driver) -- Narrative: No legal requirement to identify patient with specific codes; direct identifiers are allowed.

PRIVACY AND SECURITY - Scenario 17. Public Health Scenario C

Scenario 17 - Public Health C: A homeless man arrives at a county shelter and is found to be a drug addict and in need of medical care. The person does have a primary provider, and is sent there for the medical care, and is referred to a hospital-affiliated drug treatment clinic for his addiction under a county program. The addiction center must report treatment information back to the county for program reimbursement, and back to the shelter to verify that the person is in treatment. Someone claiming to be a relation of the homeless man requests information from the homeless shelter on all the health services the man has received.

BP1 (WV 001 S17)
  Business Practice Long Description: As a public health agency, we recognize that under 42 CFR Federal Law the patient must authorize release of medical records. Chapter 27 of state mental health law on the other hand requires that the spouse, or next of kin be notified of admission to our state psychiatric facilities. Exceptions to patient authorization require a court order.
  Scenario: Scenario 17 - Public Health C
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Public Health agencies
  Relevant Law (Legal Driver) -- Narrative: Again, consent is the key to release of information. A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs, but is covered under WV Code § 27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs and can refer patient to drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, who already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent.
  Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR § 164.506; 522(a); WV Code §§ 27-3-1; 27-5-9(e)
  Solution: Have all patients with substance abuse problems and/or mental illness sign general consents to release information for treatment, payment and healthcare operation under HIPAA Reg. 164.506(b) upon entering the facility; repeal WV Code § 27-5-9(e). Amend § 27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent.

BP2 (WV 002 S17)
  Business Practice Long Description: Home health providers would not release this information to this individual. All home health providers are required by federal law to comply with HIPAA regulations. Compliance with the transfer of electronic information in HIPAA approved formats will in 2007 be required in order for agencies to receive reimbursement. Administrations are designing and implementing programs that meet these privacy standards. Also within the requirements for participation in the Medicare/Medicaid program agencies must meet patient privacy standards as outlined by the Centers for Medicare and Medicaid Services. Home health agencies are regulated by federal regulations which are monitored and enforced by the WV Office of Health Facilities Licensure and Certification. In this scenario also applicable would be WV state law concerning next of kin and Medical Power of Attorney which would only be utilized if the patient were incapacitated and could not relate his own wishes and desires for the handling of this health care information.
  Scenario: Scenario 17 - Public Health C
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 8. State law restrictions
  Policy: Long Description: All home health agencies have policies that dictate to whom private information can be released. These policies are compliant with federal regulations outlined in the HIPAA and home health conditions of participation.
  Stakeholder Organization: Homecare and hospice
  Relevant Law (Legal Driver) -- Narrative: Relative of drug addict individual in need of treatment cannot access individual's PHI, without authorization, under state law, HIPAA, and other federal laws.
  Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code §§ 16-30-8, 27-1A-11, 27-3-1 and 2, 27-5-9, 27-7-1 thru 3, 16-29-1; HIPAA Privacy Regs - 45 CFR §§ 164.512 (a, b, e, and j), 164.506, 164.508, 164.510, 164.512(e), 164.514(a); 42 U.S.C.A. §§ 290dd-3, 290ee-3; 42 CFR §§ 2.1 et seq.

BP3 (WV 003 S17)
  Business Practice Long Description: Our hospital employees may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
  Scenario: Scenario 17 - Public Health C
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Guidelines Pertaining to Disclosures Made Without Written Authorization But Pursuant To A Court Order, Subpoena, Search Warrant or Discovery Request
  Policy: Long Description: Our facility may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
  Stakeholder Organization: Hospitals

BP4 (WV 004 S17)
  Business Practice Long Description: As a federal health facility, we would not provide any info unless the vet says it is ok. The family member would have to leave their contact info with us, and the case manager would contact the Vet and give it to them - it is then their choice. If another facility wants the info, the Privacy Act can release info if it is medically necessary. The Vet would be able to release that to another facility - they have to sign the waiver and it has to be signed in front of our employee. The Vet has to show proper ID. The release form is specific to the info that they want to release. Info is transmitted via letter, fax, or internet - and is encrypted. The only time PHI can be released without the pt's authorization is if it is a medical emergency - in other words, if the vet would die if someone didn't know the PHI. The privacy act protects us in that they can't come back and sue us for giving out info unless they said we can and then it hinders the quick release of info if it is an emergency. It is so much easier to share info between our facilities because of our EHRS. We all follow the same criteria.
  Scenario: Scenario 17 - Public Health C
  Classification (Barrier v. Not a Barrier): Unassigned (for domain 2); Barrier to interoperability (for domain 9)
  Domain: 2. Information authorization and access controls; 9. Information use and disclosure policy
  Stakeholder Organization: Federal health facilities

BP# (not shown)
  Relevant Law (Legal Driver) -- Narrative: A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs, but is covered under WV Code § 27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs and can refer patient to drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, who already knows he/she is an addict. The person claiming to be a relation cannot receive any substance
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA - Notice of Privacy Practices; State Law - Chapter 27. Other Federal Law - 42
                                         abuse information absent patient consent. DHHR may not release any                      CFR Federal Law. Substance Abuse Regs
                                         information outside DHHR without patient consent. The notification of next of           42 CFR, Part 2, Subpart D; HIPAA Regs 45
                                         kin only applies after involuntary commitment to a mental health facility. If           CFR §164.506; 522(a); WV Code § 27-3-1;
BP3                                      the patient objects, the information cannot be released.                                27-5-9(e)
                                         The HIPAA Privacy Rule provides for uses and disclosures of protected health            HIPAA Privacy Rule – 45 CFR §164.510 (b).
                                         information that require an opportunity for the individual to agree or to object.




BP4



BP4




RTI International
Privacy and Security Contract No. 290-05-0015                                                                                                       Page 59 of 61                                                                                  99c3b8d4-12e8-4982-9a25-25fe9e5b64a3.xls
PRIVACY AND SECURITY                     Scenario 18. Health Oversight: legal compliance/government accountability

DRAFT   Scenario 18 - Health Oversight

The Governor's office has expressed concern about compliance with immunization and lead screening requirements among low income children who do not receive consistent health care. The state agencies responsible for public health, child welfare and protective services, Medicaid services, and education are asked to share identifiable patient level health care data on an ongoing basis to determine if the children are getting the healthcare they need. Because of the complexity of the task, the Governor has asked each agency to provide these data to faculty at the state university medical campus who will design a system for integrating and analyzing the data.

Table columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution. Empty cells are omitted from the records below.

BP1
  Business Practice Short Name: WV 001 S 18
  Business Practice Long Description:
    Our clinic would not participate in this project until patients had been informed and gave permission to share this information. We would, however, provide this information without personal identifiers or addresses for a study to determine where there may be problems.
  Scenario: Scenario 18 - Health Oversight
  Classification (Barrier v. Not a Barrier), by Domain:
    1. User and entity authentication: Barrier to interoperability
    2. Information authorization and access controls: Barrier to interoperability
    3. Patient and provider identification: Not a barrier to interoperability
    4. Information transmission security or exchange protocols: Barrier to interoperability
    6. Information audits that record and monitor activity: Barrier to interoperability
    7. Administrative or physical security safeguards: Barrier to interoperability
    8. State law restrictions: Barrier to interoperability
    9. Information use and disclosure policy: Barrier to interoperability
  Stakeholder Organization: Community clinics and health centers
  Relevant Law (Legal Driver) -- Narrative:
    1. HIPAA permits disclosure of protected health information for public health activities only to a public health authority that is authorized by law to collect or receive such information.
  Relevant Law (Legal Driver) -- Reference Code/Statute:
    1. HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.512(b)(1)
  Solution:
    Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.

BP2
  Business Practice Short Name: WV 002 S 18
  Business Practice Long Description:
    As a payer, our research staff would need to set this up as a designated research process. Medicaid would be able to disclose PHI but would have to deidentify the info. We are asked by HCA all the time to give them info; we have a BA with them.
  Scenario: Scenario 18 - Health Oversight
  Classification (Barrier v. Not a Barrier), by Domain:
    9. Information use and disclosure policy: Barrier to interoperability
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative:
    HIPAA BAA and Research requirements. HIPAA de-identification option is also an option without getting a BAA or IRB approval.
  Relevant Law (Legal Driver) -- Reference Code/Statute:
    HIPAA Privacy Rule
  Solution:
    1. Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.
