PRIVACY AND SECURITY (DRAFT)

Scenario 1. Patient Care Scenario A

Patient X presents to the emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89-year-old widow who appears very confused. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X's prior diagnosis and treatment during the inpatient stay.


Business practices for Scenario 1. Each entry records: BP# and business practice short name; scenario; stakeholder organization (and other stakeholder, if applicable); classification (barrier v. not a barrier); domain(s); business practice long description; policy short description; policy long description. Where the source lists the same business practice once per domain, the domains are combined into one entry.

BP1 (WV 001 S 1); Scenario 1 - Patient Care A; stakeholder: Hospitals
Classification: Barrier to interoperability
Domains: 3. Patient and provider identification; 4. Information transmission security or exchange protocols
Business practice: Our hospital staff (nurse, doctor) would first validate if there is PHI in the pt's records. If not, we would fax minimum necessary for treatment without an authorization. If PHI is in the record, we would determine if the daughter was the medical power of attorney. If yes, we would validate her signature and then have her sign a release to send the protected info. If not, we would have a physician or nurse sign authorization and send, after validating who we are speaking to at the other facility by a call back. We use a role-based access process in which Directors/Managers/IT Security/& Privacy collaborate. We have a signed OHCA (Organized Healthcare Arrangement) with 2 other local facilities and share information for patient care purposes; however, we do not release one another's information to those outside of our OHCA. We do have audit capabilities on systems. Random audits are performed. We use Tessa locks on doors.
Policy (short): Uses & Disclosures of Protected Health Information; Disclosure of PHI: Minimum Necessary
Policy (long): Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed completed release. Reasonable steps will be taken to limit both routine and non-routine uses of, disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of PHI. Exceptions include: use or disclosure to, or requests by, a provider for treatment purposes; use or disclosure to the subject of the information (patient); use or disclosure made under a specific (detailed PHI) valid authorization; use or disclosure required for compliance with HIPAA electronic transaction standards; use or disclosure required by other laws (such as victims of abuse, neglect, or domestic violence, and compliance with workers' compensation; see policies III.080, III.085, III.090, III.095); disclosure to DHHS.

BP2 (WV 002 S 1); Scenario 1 - Patient Care A; stakeholder: Hospitals
Classification: Not a barrier to interoperability
Domains: 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper modification); 6. Information audits that record and monitor activity; 8. State law restrictions; 9. Information use and disclosure policy
Business practice: ER staff (nurse, doctor, or clerk) would call the hospital and advise that they were faxing a request for medical records. If necessary, the staff would obtain authorization from POA of responsible party. Verbal confirmation by phone followed by faxed written request and authorization. There is security of exchange protocols for faxing information. No encryption.
Policy (short): Facsimile Machines and PHI P&P
Policy (long): Standard cover sheet with "Confidentiality Statement". Errors in transmission must be corrected immediately and reported to the Privacy Officer. If there is no POA or responsible party, the physician would order appointment of a surrogate.

BP3 (WV 003 S 1); Scenario 1 - Patient Care A; stakeholder: Clinicians
Classification: Not a barrier to interoperability
Domain: 5. Information protection (against improper modification)
Business practice: A clinician verifies the ER calling and verifies any restrictions placed on medical records that would cause barriers. If none, send records. Tracking forms/initials on all things in chart. Computer password.
Policy (short): HIPAA
Policy (long): Hospital/ER covered entity HIPAA

BP4 (WV 004 S 1); Scenario 1 - Patient Care A; stakeholder: Correctional facilities
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Business practice: In correctional facilities, there is no release of info without the pt's informed consent or medical power of attorney. It has to be verified by fax and phone, and signatures are compared by the case manager. We do not release info without a court order. If you are a prisoner and have a WC claim, you won't get paid. Corrections can only get the info through a court order. There is no electronic info in the prison system; all paper. WV has subcontracted this out to a company.

BP5 (WV 005 S 1); Scenario 1 - Patient Care A; stakeholder: Long term care facilities and nursing homes
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Business practice: In long term care this process is very restrictive. We need authorization with everything involving Mental Health. The facilities verify this with fax and phone. Nothing is verified electronically.




RTI International, Privacy and Security Contract No. 290-05-0015 (Page 1 of 61; 061539f6-54e2-4c12-8e94-39a09b41810b.xls)
Scenario 1. Patient Care Scenario A: cause and relevant law (legal driver)

Each entry records, per business practice: cause; relevant law (legal driver) narrative; relevant law reference code/statute.

BP1 (domain 3)
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney, and we do not agree that the minimum necessary standard applies in this situation. These should not be barriers to interoperability.
Relevant law (narrative): Original: Federal Register § 164.502 Uses and disclosures of protected health information: general rules; hospital policy. One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Relevant law (reference): 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP1 (domain 4)
Relevant law (narrative): HIPAA Security Technical Safeguards
Relevant law (reference): 45 CFR § 164.312

BP2 (domain 2; the remaining BP2 domain rows carry no separate legal analysis)
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney. This should not be a barrier to interoperability.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Relevant law (reference): Original: HIPAA - Privacy and State Law - Appointment of Health Care Decision Maker; 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP3
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists for the verification and security procedures.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Relevant law (reference): 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP4
Cause: We believe the verification and security procedures do represent barriers to interoperability; we do not believe that a signed authorization or court order is required to disclose PHI for treatment purposes, and these should not be viewed as barriers to interoperability.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information. Information on the HIPAA Security regs was included, although the BP does not mention electronic PHI. However, we are aware that Corrections' status as a covered entity may vary.
Relevant law (reference): 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.512(k)(5); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)

BP5
Relevant law (narrative): No legal barrier. We assume that State A is West Virginia. HIPAA allows release of such information for treatment purposes. West Virginia state law only precludes the "release" of mental health information, but does not place any special restrictions on the collection of such data. Unless the neighboring state's law restricts the release of such information to the emergency room, this should not present a problem.
Relevant law (reference): HIPAA Regulation § 164.506; West Virginia Code §§ 27-3-2; 27-5-9(e).




PRIVACY AND SECURITY (DRAFT)

Scenario 2. Patient Care Scenario B

A specialty substance abuse treatment facility wants to refer client X to a primary care facility for a suspected medical problem. The client has a long history of using various drugs and alcohol relevant for medical diagnosis. The information is being sent to the primary care provider without the patient's authorization. The primary care provider refers the patient to a specialist and sends all of their information (without patient authorization), including the information received from the substance abuse treatment facility, to the specialist.

Business practices for Scenario 2. Each entry records: BP# and business practice short name; scenario; stakeholder organization; classification (barrier v. not a barrier) per domain; business practice long description; policy short description; policy long description.

BP1 (WV 001 S2); Scenario 2 - Patient Care B; stakeholder: Hospitals
Classification: Barrier to interoperability (domain 9); Not a barrier to interoperability (domain 3)
Domains: 9. Information use and disclosure policy; 3. Patient and provider identification
Business practice: In our hospital, if the patient is able to sign then we (clinician or clerk) would do that first. If the patient is unable to make decisions on their own, the durable power of attorney or surrogate can authorize.
Policy (short): Uses & Disclosure of PHI
Policy (long): Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed completed release.

BP2 (WV 002 S2); Scenario 2 - Patient Care B; stakeholder: Hospitals
Classification: Not a barrier to interoperability (domains 6 and 7); Barrier to interoperability (domain 8)
Domains: 6. Information audits that record and monitor activity; 7. Administrative or physical security safeguards; 8. State law restrictions
Business practice: In our hospital, clinical information is not released without a signed authorization from the patient, or from the guardian if the patient is under the age of 12. State and Federal laws strictly outline procedures for sharing substance abuse patient information.

BP3 (WV 003 S2); Scenario 2 - Patient Care B; stakeholder: State government
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Business practice: State Mental Health Law prevents transfer of mental health records without the patient's authorization.
Policy (short): State Mental Health Law
Policy (long): If the patient is unable to authorize release of information, the physician orders that a health care surrogate be appointed per state mental health law. Authorization must be obtained before release of information.

BP4 (WV 004 S2); Scenario 2 - Patient Care B; stakeholder: Correctional facilities
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Business practice: In Corrections, if anything refers to substance abuse, we don't release that info, but if we are going to refer the inmate, we can send a referral letter, but we are limited to just the facts. Corrections keeps this info forever; they are paper based. They are kept in a locked room for limited access and are accessed by a Med Records Clerk.




      PRIVACY AND SECURITY                                                                           Scenario 2. Patient Care Scenario B




Scenario 2 - Patient Care B: Cause, Relevant Law (Legal Driver) and Solution

BP1
  Relevant Law (Legal Driver) - Narrative: Confidentiality of Alcohol and Drug Abuse Patient Records require patient consent for disclosure and redisclosure of substance abuse records.
  Relevant Law (Legal Driver) - Reference Code/Statute: 42 CFR §§ 2.32 and 2.33

BP2
  Relevant Law (Legal Driver) - Narrative: Consent is the key to releasing substance abuse information to third parties, even to other providers. When a patient enters a state hospital, we try to get them to agree to a generalized consent to release information for treatment, payment and health care operations. As a general matter, substance abusers do not have personal representatives whose consent is required to release substance ...
  Relevant Law (Legal Driver) - Reference Code/Statute: Substance Abuse Regs. 42 CFR, Part 2, Subpart B; HIPAA Regs. 45 CFR § 164.506(b); 503(g); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).
  Solution: Maximize use of general consents for treatment, payment and health care operations for patients with substance abuse and/or mental illness entering healthcare facilities under HIPAA Reg § 164.506(b).

BP3
  Relevant Law (Legal Driver) - Narrative: State law requires DHHR to obtain consent for disclosure of mental health information for treatment. WV law also requires all providers to obtain patient consent for payment and operations.
  Relevant Law (Legal Driver) - Reference Code/Statute: WV Code § 27-5-9(e)
  Solution: Repeal Section § 27-5-9(e). Amend § 27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent. WV Code § 27-3-1

BP4
  Cause: The identified business practice does identify barriers to interoperability.
  Relevant Law (Legal Driver) - Narrative: One health care provider cannot disclose PHI of a patient to another health care provider for routine treatment purposes without a signed authorization when drug or alcohol abuse treatment is involved; an authorized disclosure may not be re-disclosed; proper verification and security procedures must be followed.
  Relevant Law (Legal Driver) - Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.512(k)(5); 42 C.F.R. §§ 2.1; 2.2; 2.32; 2.51; W. Va. Code § 27-3-1(b)(5)
BP5 (WV 005 S2)
  Scenario: Scenario 2 - Patient Care B
  Business Practice: In Workers Comp., we refer pts to specialists but our staff only send them what they need to know to treat the pt. WC makes the referral and sends all the info on a CD. We have electronic capabilities and this can be reviewed on the internet. We provide an ID and password to the provider so they can access just what they need to on that pt.
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Stakeholder Organization: Payers
BP5
  Relevant Law (Legal Driver) - Narrative: Possibly Federal Substance Abuse Regulations
  Relevant Law (Legal Driver) - Reference Code/Statute: 42 CFR Part 2
PRIVACY AND SECURITY: Scenario 3. Patient Care Scenario C

Scenario 3 - Patient Care C

At 5:30pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient, recently discharged from the hospital psych unit to the nursing home. At the time of the patient's transfer, the discharge summary and other pertinent records were electronically transmitted to the nursing home. Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system. Dr. X completes his visit and prepares to complete his documentation. Unable to access the long-term care facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service.

The assessment is transcribed and posted to a secure web portal. The next morning, from his home computer, Dr. X checks his e-mail and receives notification that the assessment is available. Dr. X logs into the portal, reviews the assessment, and applies his electronic signature. Later that day, Dr. X's Office Manager downloads this assessment from the web portal, saves the document in the patient's record in his office and forwards the now encrypted document to the long-term care facility via e-mail. The long-term care facility notifies Dr. X's office that they are unable to open the encrypted document because they do not have the encryption key.
BP1 (WV 001 S3)
  Scenario: Scenario 3 - Patient Care C
  Business Practice: In our hospital, all clinical staff are given logins and passwords to use applicable data systems. Passwords limit the user's ability to read access only if they are not in a position to need to add, edit, or update information. Electronic user logs are maintained on the mainframe. Medical staff must use specific transcription resources to ensure that security is maintained and acceptable document formatting is used. Individual-specific passwords and logins are used, which limits access on a need to know basis. Staff are instructed not to share passwords and logins. All sensitive information is encrypted prior to exchange over an electronic communications network.
  Classification / Domain (one row per domain):
    Barrier to interoperability - 1. User and entity authentication
    Barrier to interoperability - 2. Information authorization and access controls
    Barrier to interoperability - 3. Patient and provider identification
    Barrier to interoperability - 4. Information transmission security or exchange protocols
    Barrier to interoperability - 7. Administrative or physical security safeguards
    Barrier to interoperability - 8. State law restrictions
    Barrier to interoperability - 9. Information use and disclosure policy
BP1
  Stakeholder Organization: Hospitals
  Cause: The classification of privacy and security domains 1, 2, 3, 4, and 7 as barriers to interoperability appears appropriate in this scenario due to the numerous issues related to EHR access. Classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent.
  Relevant Law (Legal Driver) - Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.
BP1
  Relevant Law (Legal Driver) - Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.
BP2 (WV 002 S3)
  Scenario: Scenario 3 - Patient Care C
  Business Practice: Our hospital practice and policies are that physicians, or other practitioners who are not credentialed by our facility, do not have access to patient care areas, or to the system.
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols
  Policy (short): Medical Staff By Laws Articles VI (Procedure for Appointment) and VII (Clinical Privileges)

BP3 (WV 003 S3)
  Scenario: Scenario 3 - Patient Care C
  Business Practice: Long term care facilities do not usually have locked psych units. However, assuming that the physician entered the skilled nursing facility and attempted to view the patient's EHR, expected policies and procedures should address authorizing privileges, access to medical records, inoperative computer systems and building access prior to the physician's first visit. There should be a Business Associate Agreement with any "offshore transcription service" ensuring compliance with Privacy and Security Laws with authorization for monitoring for compliance. No PHI should be transmitted without 128 bit encryption capability with read only capability. Also, there should be a P&P for use of the physician's electronic signature.
  Policy (short): Business Associate Agreements
  Classification / Domain (one row per domain):
    Barrier to interoperability - 1. User and entity authentication
    Barrier to interoperability - 2. Information authorization and access controls
    Barrier to interoperability - 3. Patient and provider identification
    Barrier to interoperability - 4. Information transmission security or exchange protocols
    Barrier to interoperability - 5. Information protection (against improper modification)
    Not a barrier to interoperability - 6. Information audits that record and monitor activity
    Barrier to interoperability - 7. Administrative or physical security safeguards
    Not a barrier to interoperability - 8. State law restrictions
BP2
  Policy (long): These describe the procedures for applying to the staff for membership and clinical privileges assigned with such.
  Stakeholder Organization: Hospitals
  Cause: This business practice analysis only identifies privacy and security domain 4 as a barrier; the exchange and encryption of the information supports this classification. Given the complexity of this scenario, the classification of privacy and security domains 1, 2, 3, and 7 would also appear appropriate due to the numerous issues related to EHR access. In addition, classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent. This stakeholder's business practice highlights the issue of credentialing and the administrative controls inherently contained within these policies. In addition, this business practice points out the alternative of faxing, although physical ...
  Relevant Law (Legal Driver) - Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.

BP3
  Stakeholder Organization: Long term care facilities and nursing homes
  Relevant Law (Legal Driver) - Narrative (entries given against the BP3 domain rows, in the order they appear):
    HIPAA Security regs require person or entity authentication.
    HIPAA Security regs make encryption addressable.
    HIPAA Security Rule
    HIPAA Security Rule
    HIPAA Security Rule
    HIPAA Security regs make access control and validation procedures addressable and require workstation security. The HIPAA Security and Privacy Regs require Business Associate Agreements in certain situations for ...
       RTI International
       Privacy and Security Contract No. 290-05-0015                                              Page 11 of 61                                                      061539f6-54e2-4c12-8e94-39a09b41810b.xls
PRIVACY AND SECURITY -- Scenario 3. Patient Care Scenario C
Columns: BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution

BP2
  Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may
  Original: HIPAA - 164.506 TPO; State Law - 64-CSR-12-14; Professional Standards - Medical Staff

BP1

BP3
  Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP3
  Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP3
  Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164 Part C

BP3
  Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164 Part C

BP3
  Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164 Part C

BP3

BP3
  Reference Code/Statute: HIPAA Security Regs 45 CFR §§ 163.310(a)(2)(iii); 164.310(c); 164.308(b)(1). HIPAA Privacy Regs, 45

BP3

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description

BP3 -- WV 003 S3
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP4 -- WV 004 S3
  Business Practice Long Description: In our physician group, as long as no HIPAA laws were broken and a No Restriction form was signed, this procedure is under the covered entity of patient care. Use Tracking form and initial all documents placed in the chart. User ID and password is needed.
  Scenario: Scenario 3 - Patient Care C
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Policy: Short Description: HIPAA

BP5 -- WV 005 S3
  Business Practice Long Description: LTC has business associate agreements in effect for different services with state businesses. The BA agreement is a 1 page document that spells out how you limit the area of exchange and limits sharing of information. Even temp employees must meet the credentialing process. LTC has contracts with physicians but has no badges - everyone knows everyone here - it’s small.
  Scenario: Scenario 3 - Patient Care C
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols

BP6 -- WV 006 S3
  Business Practice Long Description: Corrections has a BA agreement for billing purposes but not for sharing of information. Correctional Medical Services (in all WV prisons) have access to health records. The reliability of the info exchange is in the hands of the sender - we rely on what they say - no verification process. Temps at corrections have limited access to Med Records - once he has left the place, he can’t get access to info again. But they all get FBI background checks, photo ID, sign in and sign out.
  Scenario: Scenario 3 - Patient Care C
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols

Columns: BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative

BP3
  Relevant Law -- Narrative: HIPAA Security Rule

BP4
  Policy: Long Description: EHR Transfer, personal identity, password failure, failure to provide encryption code
  Stakeholder Organization: Physician groups
  Cause: The business practice analysis generally asserts that this is a barrier to interoperability if HIPAA laws are broken. In addition, the implication is that this business practice would be covered by the HIPAA construct of TPO. However, there is recognition within the business practice analysis that several issues arise from patient transfer, identity, password, and encryption failures that are described within the scenario. As such, the classification by this stakeholder as a barrier based on the numerous violations of HIPAA regulations pursuant to
  Relevant Law -- Narrative: Original: HIPAA privacy and covered entity, regulation of rules of nursing facility, Case - Psych patient, Federal - overseas transmissions. Psychiatrist without electronic access privileges and rights requests review of patient’s EHR containing information from recent hospital stay. Use of psychiatrist’s picture identification badge met physical control requirements for access to health facility. The psychiatrist’s inability to access EHR systems prompts him to use an outsourced offshore transcription

BP1

BP5
  Stakeholder Organization: Long term care facilities and nursing homes
  Relevant Law -- Narrative: Access to electronic information controlled by HIPAA Security Rule Technical Safeguards.

BP6
  Stakeholder Organization: Correctional facilities
  Cause: The business practice analysis does not identify any of the privacy and security domains as a barrier. The classification by this stakeholder is unassigned. In fact, the likelihood of a correctional system inmate being placed in a nursing home is remote. In addition, the business practice long description emphasized the application and importance of business associate agreements and the correctional system’s reliance on these agreements to ensure compliance. However, these agreements are not designed to obviate the need for proper administrative, technical, and physical controls for protected health information. Given this observation, the barriers previously identified for this scenario would have to be considered as barriers in this scenario.
  Relevant Law -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient’s EHR containing information from recent hospital stay. Use of psychiatrist’s picture identification badge met physical control requirements for access to health facility. The psychiatrist’s inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.

Columns: BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution

BP3
  Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164 Part C

BP4
  Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely

BP1

BP5
  Reference Code/Statute: HIPAA Security Rule – 45 CFR § 164.312.

BP6
  Reference Code/Statute: 1. HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may provide a methodology for

PRIVACY AND SECURITY -- Scenario 4. Patient Care Scenario D

Scenario 4 - Patient Care D (DRAFT): Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women's Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene because other family members have had breast cancer.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization

BP1 -- WV 001 S4
  Business Practice Long Description: Our clinic follows state law which does not allow the transmittal of HIV information without the consent of the patient. Also, this information is not supposed to be kept in the patient chart. This is problematic in paper records - because it causes providers to keep a secret registry. In electronic records, this is handled in some cases by a provider making a decision to make this information available to other providers. The interface of the electronic record should inform the patient of his/her rights under the law and allow the patient to designate which information would be available. In paper systems this is incredibly hard to enforce. In electronic systems, access can be granted to certain information - but users end up using common passwords because it is not always the provider who can get the information needed and take care of the patient.
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 1. User and entity authentication
  Policy: Short Description: Confidential Information Policy
  Policy: Long Description: Takes a global approach to medical information. Who has access to the information. Who makes the decision to release the information. Consent forms for releases. Special considerations for certain laws governing HIV, Mental Health etc.
  Stakeholder Organization: Community clinics and health centers

BP1 -- WV 001 S4
  Scenario: Scenario 4 - Patient Care D
  Classification: Not a barrier to interoperability
  Domain: 2. Information authorization and access controls

BP1 -- WV 001 S4
  Scenario: Scenario 4 - Patient Care D
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP1 -- WV 001 S4
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP2 -- WV 002 S4
  Business Practice Long Description: Our hospital staff, which may include physician, nurse, clerk, NP, PA, would release the minimum necessary information for treatment excluding the HIV information unless the pt provides authorization. If not emergent, we ask for signed authorization which includes HIV authorization.
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Confidentiality of PHI
  Policy: Long Description: The presence of any behavioral medicine patient at our facility and any and all details of the treatment process of any patient shall be maintained as confidential. For the purposes of confidentiality, protected information, i.e. drug, ETOH, STD (HIV), and behavioral health, and specific releases are required.
  Stakeholder Organization: Hospitals

Columns: BP# | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
  Relevant Law -- Narrative: HIPAA Security Regs require person or entity authentication.
  Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP1

BP1

BP1
  Relevant Law -- Narrative: Misinterpretation of state law. No consent is required for the disclosure of the PHI for treatment purposes. WV law specifically allows the disclosure of HIV PHI for treatment of the individual.
  Reference Code/Statute: WV Code §§ 16-3C-2, 16-3C-3(a)(5), and 16-3C-4.

BP2
  Relevant Law -- Narrative: Misinterpretation of state law and HIPAA. Minimum necessary requirement does not apply to disclosures for treatment and there is no authorization requirement for disclosure of the PHI for treatment purposes in HIPAA or state law.
  Reference Code/Statute: WV Code §§ 16-3C-2, 16-3C-3(a)(5), and 16-3C-4. HIPAA Privacy Regs 45 CFR §§ 164.506 and 164.502(b).

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization

BP3 -- WV 003 S4
  Business Practice Long Description: In the workers' compensation arena, by filing a claim and signing the injury report form a patient authorizes any physician to release to or orally discuss with the employer or authorized agent of the carrier any medical records pertaining to the occupational injury or illness for which he/she is claiming benefits and any prior injury to or disease to the portion of the body for which he/she is alleging a medical impairment. Only authorized carrier staff, employer staff, providers and the patient have access to the electronic record. We use a system with security parameters set based on individual job-related need for access. Password required. Claimant, employer and provider access limited to specific claim information only. Provider access can be further limited for specific period of time. Carrier employees required to sign security policy agreement. Employ transmission protection such as VPN and encryption for outside network access.
  Scenario: Scenario 4 - Patient Care D
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Stakeholder Organization: Payers

Columns: BP# | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1

BP3
  Relevant Law -- Narrative: No legal requirements. WC provides privacy and security of information as a corporate decision.
  Reference Code/Statute: None.

PRIVACY AND SECURITY -- Scenario 5. Payment Scenario

Scenario 5 - Payment (DRAFT): X Health Payer (third party, workers compensation, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.). The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider's workforce members and medical staff members and their office staff. X Health Payer is requesting access to the EHR by its case management staff to approve/authorize inpatient encounters.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description

BP1 -- WV 001 S 5
  Business Practice Long Description: Our hospital security officer would allow the payer to have access to the EHR through a secure web portal. Only the requested records would be accessible and the minimum necessary information.
  Scenario: Scenario 5 - Payment
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Policy: Short Description: Information Security Policy & Remote Access

BP2 -- WV 002 S 5
  Business Practice Long Description: Our company would limit access to specific pieces of information related to the payer's claim and would allow the needed transfer of health information for payment purposes. User authentication, legal agreement and hardware/software authentication would be required to validate that access is provided only to the intended user. Security parameters would further limit access to read only. Access would be provided only to personnel of payer needing information for job functions. Record linking methods required to match certain information such as patient name, date of birth, date of service, to allow payer access only to pertinent information. Transmission protection such as VPN, encryption and network security required for access to information. Data use agreement would be in place.
  Scenario: Scenario 5 - Payment
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions

            RTI International
            Privacy and Security Contract No. 290-05-0015                                                             Page 20 of 61                                               061539f6-54e2-4c12-8e94-39a09b41810b.xls
            PRIVACY AND SECURITY                                                                 Scenario 5. Payment Scenario




DRAFT                                                                                                                             DRAFT     DRAFT                          DRAFT
                                                                                                                Specify Other                                                 Relevant Law (Legal
                                                                                                 Stakeholder                                   Relevant Law (Legal
      BP#                                Policy: Long Description                                               Stakeholder (if     Cause                                     Driver) -- Reference
                                                                                                 Organization                                   Driver) -- Narrative
                                                                                                                  applicable)                                                     Code/Statute
                                                                                                                                            Use and disclosure of          HIPAA Privacy Rule – 45 CFR
              Access to information in the possession or the control of our facility must be                                                protected health information   §§164.502 (b)(1); 160.103;
              provided based on the need to know and the minimum necessary to perform                                                       for payment-related purposes   164.502 (e)(1); 164.504 (e)(1)
              essential functions. Information must be disclosed only to people or entities                                                 is subject to the HIPAA        and (e)(2). HIPAA Security
              who have a legitimate need. The privileges granted to all users must be                                                       Privacy Rule “minimum          Rule – 45 CFR §164.312.
              periodically reviewed. Unless it has specifically been deemed public, all                                                     necessary” standard, the
              internal information must be protected from disclosure to third parties. Third                                                HIPAA Security Rule
              parties may be given access to internal information only when a demonstrable                                                  Technical Safeguards, and
              need to know exists, when a Data Use Agreement or Business Associate                                                          may be subject to business
              Agreement has been signed, and when such a agreement has been expressly                                                       associate contract
              authorized by the relevant information Owner. If sensitive information is                                                     requirements.
              suspected of being lost or disclosed to unauthorized parties, the information
              Owner and the Compliance Officer must be notified immediately. All third
              parties are responsible for securing their private networks from our network. In
              no case shall network-to-network connectivity be allowed without appropriate
              security technology. Some type of security mechanisms shall exist between our
BP1           network and any third party.                                                        Hospitals




                                                                                                                                            Use and disclosure of          HIPAA Privacy Rule – 45 CFR
                                                                                                                                            protected health information   §§164.502 (b)(1); 160.103;
                                                                                                                                            for payment-related purposes   164.502 (e)(1); 164.504 (e)(1)
                                                                                                                                            is subject to the HIPAA        and (e)(2). HIPAA Security
                                                                                                                                            Privacy Rule “minimum          Rule – 45 CFR §164.312.
                                                                                                                                            necessary” standard, the
                                                                                                                                            HIPAA Security Rule
                                                                                                                                            Technical Safeguards, and
                                                                                                                                            may be subject to business
                                                                                                                                            associate contract
                                                                                                                                            requirements.


BP2                                                                                                Payers




BP3 (WV 003 S 5)
Business Practice: Our business office personnel would request access to the EHR. This would automate a process that is now manual. The system needs to let us request and receive the minimum necessary information for the situation. The provider would benefit by receiving an automated approval/authorization from us. The more providers connected to a common system/network, the more efficient the process is for us and the providers. The patient benefits from the faster approval/authorization of inpatient encounters, the provider has less or no staff time involved in fulfilling the request, and we have less burdensome processes in handling the approval/authorization. This eliminates the problem of lost, misrouted, or stolen records and reduces shipping and transportation costs.
Scenario: Scenario 5 - Payment
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: HIPAA minimum necessary requirements
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs, 45 CFR § 514







PRIVACY AND SECURITY    Scenario 6. RHIO Scenario

Scenario 6 - RHIOs
The RHIO in your region wants to access data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients.


BP1 (WV 001 S 6)
Business Practice: For our association, as long as the patient data is aggregate or non-personally identifiable, there would be no problem sharing with the RHIO. Providers would be notified and given the opportunity to participate. If personal identifiers were required, there would be an IRB approval process and a patient informing process.
Scenario: Scenario 6 - RHIO
Stakeholder Organization: Professional associations and societies
Domains (with classification and relevant law, legal driver):
  1. User and entity authentication: Barrier to interoperability. Narrative: HIPAA Security and Privacy Rules as a BA under contract. Reference: 45 CFR §§164, et seq.
  2. Information authorization and access controls: Barrier to interoperability. Narrative: HIPAA Security and Privacy Rules as a BA under contract. IRB approval is not required under law for disclosure to a BA for TPO. Reference: 45 CFR §§164, et seq.; 21 CFR Parts 50 and 56.
  3. Patient and provider identification: Not a barrier to interoperability.
  5. Information protection (against improper modification): Not a barrier to interoperability.
  6. Information audits that record and monitor activity: Not a barrier to interoperability.
  8. State law restrictions: Barrier to interoperability. Narrative: West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient’s authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA. Reference: West Virginia Code Section 16-29G-8.
  9. Information use and disclosure policy: Barrier to interoperability. Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. However, the RHIO would operate as a business associate. Reference: HIPAA Privacy Rule – 45 CFR Part 164, Subpart E; 45 CFR § 164.504(e).




BP2 (WV 002 S 6)
Business Practice: QIOs can release this information with their CMS contracts, but if they have a research grant, they need to get IRB approval. They mostly give info out deidentified, if the contract permits.
Scenario: Scenario 6 - RHIO
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Quality improvement organizations
Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient’s authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR Part 164, Subpart E. West Virginia Code Section 16-29G-8.

BP3 (WV 003 S 6)
Business Practice: Workers Comp has worked with a state agency to give this info out and also did work on a National Level, but wouldn’t give out identifiers.
Scenario: Scenario 6 - RHIO
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: No legal requirements. WC provides privacy and security of information as a corporate decision.
Relevant Law (Legal Driver) -- Reference Code/Statute: None.




PRIVACY AND SECURITY    Scenario 7. Research Data Use Scenario

Scenario 7 - Research Data Use
A research project on children younger than age 13 is being conducted as a double-blind study for a new drug for ADD/ADHD. The research project is being reviewed by the IRB that presides over research protocols at the major medical center where the research investigators are located. The data being collected are all electronic, and all responses from the subjects are completed electronically in the same database file. The principal investigator was asked by one of the investigators if they could use the raw data to track the patients over an additional six months, or use the raw data collected for a white paper that is not part of the research protocol's final document, for his post-doctoral fellow program.

BP1 (WV 001 S7)
Business Practice: Under home health law, the principal investigator would decline the request because the use of the data was not included in the original IRB. Home health law in WV is based on federal regulation, and agencies must be compliant with the federal regulations. At times agencies participate in research activities and must remain compliant with the federal privacy requirements and also the requirements of the research entity with which they are involved. Therefore, the utilization of data as outlined in the IRB would necessitate the information only being used in the manner which was described.
Scenario: Scenario 7 - Research Data Use
Classification: Barrier to interoperability
Domain: 8. State law restrictions
Stakeholder Organization: Homecare and hospice

BP2 (WV 002 S7)
Business Practice: Additional tracking and use of data is not permitted unless a second study has been approved through the IRB.
Scenario: Scenario 7 - Research Data Use
Classification: Not a barrier to interoperability (for every domain listed below)
Domains: 1. User and entity authentication; 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper modification); 6. Information audits that record and monitor activity; 7. Administrative or physical security safeguards; 8. State law restrictions
Policy (Short Description): HIPAA Research
Policy (Long Description): Authorization, among many other items, includes: * The name or identification of the persons or class of persons authorized to receive disclosures of PHI and to use the PHI for research-related purposes. * A description of each purpose for the use or disclosure.
Stakeholder Organization: Medical and public health schools that undertake research




PRIVACY AND SECURITY    Scenario 7. Research Data Use Scenario

Columns: BP# | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute
BP1
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants’ safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502(g)(1-5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP2
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA - Privacy Rule; Other Federal Law - 45 CFR 46 Federal Human Subject Protection Rules






BP2 | WV 002 S7 | Classification: Barrier to interoperability | Domain: 9. Information use and disclosure policy
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy,
Relevant Law (Legal Driver) -- Reference Code/Statute: US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56.

BP3 | WV 003 S7
Business Practice Long Description: In our medical school, IRB approval must be sought (by the Principal Investigator) for either scenario; however, the nature of the request and the investigator responsibilities differ. To extend data collection an additional six months for a purpose not covered by the previously approved IRB protocol, the investigator must submit a new protocol covering this new purpose to the IRB for consideration. Since the proposal will be prospective, subjects will need to give their consent (or assent for children under the age of 18) to collect data for this second purpose. The new protocol, like the earlier protocol, would probably require a full-board review because the target population is a protected population, i.e., children under 13 years of age. Analyzing the raw data previously collected under an approved IRB protocol could make a new protocol eligible for expedited consideration, depending on whether the raw data includes personal health information and sensitive information that, if released, could potentially cause harm. It is possible to request that the IRB waive “consenting” for existing data on the grounds that it would be impractical or unfeasible.
Scenario: Scenario 7 - Research Data Use
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Stakeholder Organization: Medical and public health schools that undertake research
Cause: Tight control of human subject research with fully informed consent is current public policy. Sharing PHI data (whether for adults or children) without specific consent is contrary to current public policy governing research protocols. ** Please see attached word document for a fuller analysis of this scenario.
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants’ safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502(g)(1-5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP4 | WV 004 S7
Business Practice Long Description: In our agency, the protected health information in the research database would be covered by HIPAA, but HIPAA could be addressed with appropriate business associate relationships. The investigator would need to get approval of the additional research from his/her institutional review board. The original IRB would need to weigh whether granting access was permissible, and it would likely depend on the disclosures in the original informed consent. In the worst case, the new research would require new informed consent from the parents of all of the children.
Scenario: Scenario 7 - Research Data Use
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Public Health agencies
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants’ safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502(g)(1-5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).




PRIVACY AND SECURITY    Scenario 8. Scenario For Access By Law Enforcement

Scenario 8 - Law Enforcement: An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer arrives in the ER in addition to the patient's parents. The police officer requests a copy of the blood alcohol test results, and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests are made to the ER staff. The patient is covered under their parents' health and auto insurance policy.



BP 1 | WV 001 S 8
Business Practice Long Description: The expected result would be that since the child is an adult, the parents are not privy to his protected health information without his consent per HIPAA privacy regulations. The police officer can obtain a copy of the report without specific patient consent for determining proper charges. A person who operates a motor vehicle implicitly consents to testing to determine intoxication if there is just cause to believe the person is intoxicated. If a paper copy is provided to law enforcement, proper identification should be provided for user authentication. Fax submissions should contain a confidentiality statement and information on protocols if received by an unintended user. Electronic submissions should be encrypted. If the provider and law enforcement agency exchange information frequently, a data use agreement could be entered into.
Scenario: Scenario 8 - Law Enforcement
Stakeholder Organization: Payers
Domains:
  Not a barrier to interoperability | 6. Information audits that record and monitor activity
  Not a barrier to interoperability | 7. Administrative or physical security safeguards
  Barrier to interoperability | 9. Information use and disclosure policy
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists when the disclosure is to the parents, or when the disclosure to law enforcement is not required by law.
Relevant Law (Legal Driver) -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access as required by law.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: W. Va. Code §§ 17C-5-4 & 17C-5-6; 45 C.F.R. §§ 164.502(a)(1)(i); 164.502(g)(3)(i); 164.508(a)(1); 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 16-29-1; 17C-5-4; 17C-5-6

BP2 | WV 002 S 8
Business Practice Long Description: In our agency, HIPAA and state confidentiality provisions would most likely prevent the parents from obtaining the information without the adult patient's consent. The police officer could obtain the results in conjunction with his or her investigation of the accident.
Scenario: Scenario 8 - Law Enforcement
Classification: Barrier to interoperability
Domain: 8. State law restrictions
Stakeholder Organization: State government
Relevant Law (Legal Driver) -- Narrative: As a 19 year old “child” is an adult, parents cannot access their child’s PHI, without authorization, under state law and HIPAA.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1; Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992); HIPAA Privacy Regs – 45 CFR §§ 164.502(a)(1)(i), 164.502(g)(3)(i), and 164.508(a)(1).

BP3 | WV 003 S 8
Business Practice Long Description: In our hospital, law enforcement personnel are denied access to patients unless they have a court order. Software access is limited by password. Each password has restrictions as to information which may be accessed. Through the use of third party software, all information is encrypted when being sent over the electronic communications network. Passwords have designated security clearances which define whether the user has no access, view-only access, or an ability to add, delete or modify information. A master security log is maintained online to determine user access and the processes completed. Staff are required to use the organization’s network for all I.S. activity. The network includes up-to-date security measures which protect against unauthorized access, introduction of dangerous items such as worms, and attempts by users to enter unauthorized areas.
Classification: Barrier to interoperability
Domain: 1. User and entity authentication
Stakeholder Organization: Hospitals
Cause: We agree that disclosure to law enforcement of the PHI in this Scenario would require patient authorization, unless the tests were undertaken at the direction of law enforcement, in which case disclosure is required by law in West Virginia; federal laws governing the confidentiality of alcohol and drug treatment records would not apply in this circumstance, and would not represent a barrier to interoperability.
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs requiring Administrative and Technical Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR §§ 164.308, 164.312




BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 2. Information authorization and access controls | Relevant Law -- Narrative: HIPAA Security Regs requiring Administrative and Technical Safeguards | Reference Code/Statute: HIPAA Security Regs, 45 CFR §§ 164.308, 164.312
BP3 | WV 003 S 8 | Classification: Not a barrier to interoperability | Domain: 3. Patient and provider identification
BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 4. Information transmission security or exchange protocols | Relevant Law -- Narrative: HIPAA Security Regs require Technical Safeguards | Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312
BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 5. Information protection (against improper modification) | Relevant Law -- Narrative: HIPAA Security Regs require Technical Safeguards | Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312
BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 6. Information audits that record and monitor activity | Relevant Law -- Narrative: HIPAA Security Regs require Technical Safeguards | Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312
BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 7. Administrative or physical security safeguards | Relevant Law -- Narrative: HIPAA Security Regs require Administrative Safeguards | Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.308
BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 8. State law restrictions | Relevant Law -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law. | Reference Code/Statute: 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6
BP3 | WV 003 S 8 | Classification: Barrier to interoperability | Domain: 9. Information use and disclosure policy | Relevant Law -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law. | Reference Code/Statute: 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6

BP4 | WV 004 S 8
Business Practice Long Description: In correctional facilities, parents cannot get at the info; it is a state law. If they are on parole, the parolees agree to monitoring while they are incarcerated; they don’t have a choice.
Scenario: Scenario 8 - Law Enforcement
Classification: Barrier to interoperability
Domain: 8. State law restrictions
Stakeholder Organization: Correctional facilities
Relevant Law (Legal Driver) -- Narrative: Law enforcement desires access to blood alcohol test results of a 19-year-old accident victim. Parents desire access to the 19-year-old child’s ER record and lab results. Should the hospital tests result in a showing of HIV or STD, the applicable infectious disease confidentiality provisions would also serve as a barrier. Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1; 64 CSR 12-7.2 (DHHR Hospital Licensure Rule); 42 U.S.C.A. 290dd-3 (Public Health Service Act); 42 CFR 2.11 (Federal Mental Health Record Confidentiality Rule); 45 CFR §§ 164.502(g) and (j), 164.524 (HIPAA Privacy Regs). 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6




             RTI International
             Privacy and Security Contract No. 290-05-0015                                           Page 35 of 61                                                     061539f6-54e2-4c12-8e94-39a09b41810b.xls
PRIVACY AND SECURITY -- Scenario 9. Pharmacy Benefit Scenario A (DRAFT)

Scenario 9 - Pharmacy Benefit A: The Pharmacy Benefit Manager (PBM) has a mail order pharmacy and also has a closed formulary. The PBM receives a prescription from Patient X for the antipsychotic medication Geodon. The PBM's preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider's Outpatient Clinic.

Columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Possible Solutions. Empty cells are omitted.

BP1 (WV 001 S9)
  Business Practice Long Description: In state government, we have a network established that connects the PBMs with payers and physicians. Members choose to participate under agreements with PBMs and PHI is transmitted with patient consent. User authentication is an important component to ensure that it is the PBM contacting the physician and the physician replying to the PBM.
  Scenario: Scenario 9 - Pharmacy Benefit A
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: State government
  Relevant Law -- Narrative: There is currently no WV law regulating PBMs. Public Employees Insurance Agency ("PEIA") does have statutory authority to manage the increase in prescription drug cost and execute prescription drug purchasing agreements on behalf of the state of West Virginia with PBMs and other private sector arrangements, provided that "no private entity may be compelled to participate in the prescription drug purchasing pool," and PEIA "may not enter into a contract with a private entity" without Legislative approval. To the extent that the scenario anticipates that the communication occurs electronically, the electronic submission would violate West Virginia law and regs. First, the Board of Pharmacy regulation language indicates that a "wet" signature is required and that a digital signature (either physical digitalized signature or digital key signature) will not meet the requirement. Second, the regs have "non intermediary" requirements.
  Relevant Law -- Reference Code/Statute: W.Va. Code § 5-16C-1, et seq.; W.Va. Code § 30-5-1 et seq. and W.Va. C.S.R. § 15-1-1, et seq.; W.Va. Code § 60A-1-101, et seq.
  Possible Solutions: See report on e-Prescribing: http://www.tygart.com/Eprescriptions.asp

BP2 (WV 002 S9)
  Business Practice Long Description: Business practice is same as in the scenario.
  Scenario: Scenario 9 - Pharmacy Benefit A
  Classification: Unassigned
  Domain: 1. User and entity authentication
  Stakeholder Organization: Community clinics and health centers

BP3a (WV 003a S9)
  Business Practice Long Description: As a workers' compensation insurer, we have a standard drug list and require the use of generics where available. If a script is received and is not on the list, authorization for the drug is withheld. The prescribing physician may be contacted to write the script for an approved alternative drug for authorization or to provide justification for the prescribed drug before authorization is provided. If the claimant takes the script to a participating pharmacy and it is not approved, the claimant or the pharmacist may contact the claims adjuster for clarification. If a generic is available and the doctor has not indicated the claimant cannot take the generic, it may be authorized. Otherwise, the prescribing doctor will have to provide a new script for a medication on the drug list or provide justification for the prescribed drug. Further, W. Va. Code provides that if a generic medication is available, it must be provided. If the claimant chooses to obtain the brand-name drug, he/she will be responsible for payment for the difference.
  Scenario: Scenario 9 - Pharmacy Benefit A
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Payers
  Relevant Law -- Narrative: 1. Unique features of West Virginia workers' compensation program governing and requiring the prescribing of generic drugs by pharmacy for a workers' compensation claimant. The workers' compensation law requires a pharmacist who is filling a prescription for a workers' compensation claimant to dispense the generic brand of the drug, if one exists. If a generic does not exist then the pharmacist can dispense the name brand drug. Interoperability issues involve the failure of out of state providers and businesses that operate in West Virginia to understand the unique requirements of the West Virginia workers' compensation system.
  Relevant Law -- Reference Code/Statute: Original: State Law - W. Va. Code §23-4-3(a)(3); Regulation - 85 C.S.R. 20 - Medical Management of Claims. W.Va. Code § 23-4-3(a)(3) and W.Va. C.S.R. § 85-20-1 et seq.

BP3b (WV 003b S9)
  Business Practice Long Description: In Workers Comp, the Point of Sale system is available only to those employees needing access to perform business functions and participating providers. Password authentication is required. Security policies/confidentiality agreements in place with employees regarding protection of information. End user agreements in place with participating providers. Authentication required for access to system. Technology in place to secure system from unintended users. Vendor used to implement secure transmission of data. Vendor provides software that allows protection from data modification.

Scenario 9. Pharmacy Benefit Scenario A (continued)

BP3c (WV 003c S9)
  Business Practice Long Description: Workers' compensation programs are exempt from HIPAA. State law and regulations provide limits on prescription medication and medication management issues. Out of state providers may be unaware of these laws and regulations or may try to apply the laws and fee schedules from their state. We sometimes have difficulty getting out of state providers to accept workers' compensation patients and the established fee schedule on a non-emergent basis because of these issues. To address this problem, we contract with provider agencies that specialize in providing state-wide providers. By agreeing to accept WV Workers' Compensation patients, these providers agree to accept our fees and to abide by our laws and regulations.

BP1
  (no entry)

BP4 (WV 004 S9)
  Business Practice Long Description: As a clinician, we deal with out of state PBMs daily who request an authorization form or provide OV notes over the phone and fax. If the patient does not meet the PBM formulary the Dr. changes the medication to preferred medication.
  Scenario: Scenario 9 - Pharmacy Benefit A
  Classification: Barrier to interoperability
  Domain: 7. Administrative or physical security safeguards
  Policy: Short Description: Prior authorization, Office and HIPAA policy
  Policy: Long Description: Covered entity due to the insurance of continued care for the patient.
  Stakeholder Organization: Clinicians
  Relevant Law -- Narrative: Original: HIPAA, State, and Federal law. Determining the status of pharmacy benefit managers ("PBM") under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and whether PBMs are considered "covered entities" or "business associates." Generally, PBMs do not meet the definition of a "covered entity" under
  Relevant Law -- Reference Code/Statute: 1. HIPAA 45 C.F.R. § 160.102; HIPAA 45 C.F.R. § 164.502(e)(1); HIPAA 45 C.F.R. § 164.506.

BP5 (WV 005 S9)
  Business Practice Long Description: As a payer, we have a preferred drug list. The claimant needs preauthorization for drugs not preauthorized and if claimant wants one that is not, they have to pay. If the generic is available, State Law says we can automatically give them the generic.
  Scenario: Scenario 9 - Pharmacy Benefit A
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Payers
  Relevant Law -- Narrative: Workers Comp law requires generic prescribing where available.
  Relevant Law -- Reference Code/Statute: W. Va. Code § 23-1-1 et seq.

BP6 (WV 006 S9)
  Business Practice Long Description: As a payer, we have a higher standard of security for behavioral health info and with administering these types of benefits. Care management personnel are specially trained and they have a higher level of permissions for this type of info. All this info is maintained in our database and reports can be generated.
  Scenario: Scenario 9 - Pharmacy Benefit A
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Stakeholder Organization: Payers
  Relevant Law -- Narrative: The legal analysis differs depending upon whether the Pharmacy Benefit Manager or the outpatient clinic is in West Virginia. HIPAA regulations allow the disclosure of protected health information for payment purposes. If the Pharmacy Benefit Manager is in West Virginia, there are no West Virginia Code provisions against seeking the collection of data. If the clinic is in West Virginia, it may not reveal mental health information beyond that which the Pharmacy Benefits Manager already knows because the clinic has already released the data to the payor. The clinic should also assure that Pharmacy Benefits Managers have a Business Associate Agreement with the insurers.
  Relevant Law -- Reference Code/Statute: HIPAA Regulation §164.506; West Virginia Code § 27-3-1; 27-3-2; 27-5-9(e)

PRIVACY AND SECURITY -- Scenario 10. Pharmacy Benefit Scenario B (DRAFT)

Scenario 10 - Pharmacy Benefit B: A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the company's employees' prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if PBM1 could save the company money on their prescription drug benefit. Company A is self-insured and as part of their current benefits package, they have the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims to them to complete the review.

Columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute. Empty cells are omitted.

BP1 (WV 001 S10)
  Business Practice Long Description: In our pharmacy, we recognize that HIPAA allows release of PHI for payment and treatment purposes but the review of that information without patient consent by another PBM would probably fall outside of that allowance. If the information was aggregate and not patient identifiable, then the review could probably be conducted. Very important the PBMs not be able to modify the data showing a prescription that has been processed and filled.
  Scenario: Scenario 10 - Pharmacy Benefit B
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Pharmacies
  Cause: We generally agree that the identified business practice presents barriers to interoperability, including the use of multiple business associate agreements, the creation of summary health information (a type of de-identified PHI), and compliance with the minimum necessary standard.
  Relevant Law -- Narrative: Employer who sponsors a self-insured group health plan may have only limited access to PHI, but may obtain summary health information (a type of de-identified PHI) to obtain premium bids or to modify or amend its group health plan.
  Relevant Law -- Reference Code/Statute: 45 C.F.R. §§ 164.502(b)(1); 164.504(e); 164.504(f)

BP2 (WV 002 S10)
  Business Practice Long Description: From the perspective of our public health agency, using aggregate statistics would be all right, but if the scenario is as stated, Company A is already on very thin ice. Assuming that PBM2 and not Company A actually has the claims, then PBM2 could transmit the claims to PBM1 under HIPAA, provided it had a Business Associate agreement with PBM. There might be state law barriers related to disclosure of drugs used in specific conditions, e.g. HIV/AIDS or psychiatric disorders.
  Scenario: Scenario 10 - Pharmacy Benefit B
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Public Health agencies
  Relevant Law -- Narrative: The HIPAA privacy and security rules.
  Relevant Law -- Reference Code/Statute: WV Code § 16-29-1(b); HIPAA Privacy Regs. – 45 CFR §§ 164.312(e)(2), 164.501, 164.502(a)(1)(i), 164.502(e), 164.504(a), 164.504(e), 164.504(f), 164.504(f)(1)(ii), 164.504(f)(2)(ii)(C), 164.504(f)(2)(iii), 164.504(f)(3)(iv), 164.508(a)(1), 164.514(e)(4), 164.514(d)(3)

BP3 (WV 003 S10)
  Business Practice Long Description: As a payer, we have Business Associate agreements in place. This is a standard agreement unless the other company has another form; we may use both. We build policies on what HIPAA requires; we have an index of BA policies. All the data we send is encrypted. PHI has to be encrypted and the receiver has the user ID and password to un-encrypt. Internally, that is not necessary because of our firewalls.
  Scenario: Scenario 10 - Pharmacy Benefit B
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Payers
  Relevant Law -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
  Relevant Law -- Reference Code/Statute: HIPAA Privacy Regs. – 45 CFR §§ 164.502(e), 164.504(e)

BP3 (WV 003 S10), second classification of the same business practice
  Scenario: Scenario 10 - Pharmacy Benefit B
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols
  Stakeholder Organization: Payers
  Relevant Law -- Narrative: Secure transmission of electronic PHI must be consistent with the HIPAA Security rule.
  Relevant Law -- Reference Code/Statute: HIPAA Security Regs. – 45 CFR § 164.312

BP4 (WV 004 S10)
  Business Practice Long Description: As a payer, we have a consultant oversee pharmacy benefits and the consultant can see info on pts; we have a BA agreement with them. We also have a procedure audit and they are reviewed by HIPAA as part of due diligence. We contract with a company to provide PHI. Every employee has signed a confidentiality agreement.
  Scenario: Scenario 10 - Pharmacy Benefit B
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Payers
  Relevant Law -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
  Relevant Law -- Reference Code/Statute: HIPAA Privacy Regs. – 45 CFR §§ 164.502(e), 164.504(e)

RTI International
Privacy and Security Contract No. 290-05-0015                                                                                     Page 41 of 61                                                                                       061539f6-54e2-4c12-8e94-39a09b41810b.xls
PRIVACY AND SECURITY                            Scenario 11. Healthcare Operations and Marketing Scenario A
DRAFT

Scenario 11 - Operations and Marketing A

ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and one large tertiary hospital, DEF Medical Center, which has served as the system's primary referral center. Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art, stand-alone rehab center. Six months into operation, ABC Health Care does not feel that the rehab center is being fully utilized and is questioning the lack of rehab referrals from the critical access hospitals. ABC Health Care has requested that its critical access hospitals submit monthly reports to the system six-sigma team to analyze patient encounters and trends for the following rehab diagnoses/procedures: Cerebrovascular Accident (CVA), Hip Fracture, Total Joint Replacement. Additionally, ABC Health Care is requesting that this same information, along with individual patient demographic information, be provided to the system Marketing Department. The Marketing Department plans to distribute to these individuals a brochure highlighting the new rehab center and the enhanced services available.

BP1
  Business Practice Short Name: WV 001 S 11
  Business Practice Long Description: Our hospital policy permits Marketing to use PHI for marketing purposes as permitted by HIPAA and other applicable Federal and West Virginia laws. With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her PHI can be made for marketing. Based on the scenario they are IDS and would be appropriate.
  Scenario: Scenario 11 - Operations & Marketing A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 1. User and entity authentication
  Policy: Short Description: Use of PHI for Marketing Purposes
  Policy: Long Description: IDS may not sell PHI to a business associate or any other third party for that party's own purposes. IDS may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. Exceptions to the definition of marketing fall into the following three categories: (1) A communication is not "marketing" if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; (2) A communication is not "marketing" if it is made for treatment of the individual; (3) A communication is not "marketing" if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
  Stakeholder Organization: Hospitals
  Relevant Law (Legal Driver) -- Narrative: 1. With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - §164.501 - Definition - Marketing; HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
  Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP2
  Business Practice Short Name: WV 002 S 11
  Business Practice Long Description: As a payer, we would not supply PHI to anyone, esp. in a marketing campaign, esp. now with HIPAA.
  Scenario: Scenario 11 - Operations & Marketing A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP3
  Business Practice Short Name: WV 003 S 11
  Business Practice Long Description: As a long term care facility, we would not supply PHI to anyone, esp. in a marketing campaign, esp. now with HIPAA.
  Scenario: Scenario 11 - Operations & Marketing A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Long term care facilities and nursing homes
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP4
  Business Practice Short Name: WV 004 S 11
  Business Practice Long Description: As a QIO, we would not supply PHI to anyone, esp. in a marketing campaign, esp. now with HIPAA. In a QIO, we would be in violation of HIPAA and our CMS contracts.
  Scenario: Scenario 11 - Operations & Marketing A
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Quality improvement organizations
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

PRIVACY AND SECURITY                            Scenario 12. Healthcare Operations and Marketing Scenario B
DRAFT

Scenario 12 - Operations & Marketing B

ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requesting PHI on all deliveries including mother's demographic information and birth outcome (to ensure that contact is made only with those deliveries that resulted in healthy live births). The Marketing Department has explained that they will use the PHI for the following purposes: 1. To provide information on the hospital's new pediatric wing/services; 2. To solicit registration for the hospital's parenting classes; 3. To request donations for construction of the proposed neonatal intensive care unit; 4. They will sell the data to a local diaper company.

BP1
  Business Practice Short Name: WV 001 S 12
  Business Practice Long Description: Our hospital practice requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital. Therefore, our hospital would not sell the data to a local diaper company without patient authorization.
  Scenario: Scenario 12 - Operations & Marketing B
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Use and Disclosure of PHI for Marketing
  Policy: Long Description: Our hospital requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital.
  Stakeholder Organization: Hospitals
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP2
  Business Practice Short Name: WV 002 S 12
  Business Practice Long Description: Our hospital would not allow this practice.
  Scenario: Scenario 12 - Operations & Marketing B
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Use of PHI for Marketing Purposes
  Policy: Long Description: (1) Communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or (2) An arrangement between our hospital and another third party, whereby our hospital discloses PHI to the third party in exchange for direct or indirect remuneration as the result of the other party or its affiliate making a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Our hospital may not sell PHI to a business associate or any other third party for that party's own purposes. Our hospital may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.
  Stakeholder Organization: Hospitals
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
  Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP3
  Business Practice Short Name: WV 003 S12
  Business Practice Long Description: As a payer, we would have to sign a form with all involved persons to release any info; we do not sell any data. We used to be able to acquire lists, but now we would have to ask them to sign a form to release info; HIPAA has not been a barrier to this because we can use permission forms. The info would be transferred electronically and encrypted.
  Scenario: Scenario 12 - Operations & Marketing B
  Classification (Barrier v. Not a Barrier): Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

PRIVACY AND SECURITY                                                                                                       Scenario 13. Bioterrorism Event
                                A provider sees a person who has anthrax, as determined through lab tests. The lab submits a report on this case to the
                                     local public health department. The public health department in the adjacent county has been contacted and has
                               confirmed that it is also seeing anthrax cases, and therefore it could be a possible bioterrorism event. Further investigation
                                    confirms that this is a bioterrorism event, and the State declares an emergency. This then shifts responsibility to a
                               designated state authority to oversee and coordinate a response, and involves alerting law enforcement, hospitals, hazmat
                                  teams, and other partners, as well informing the regional media to alert public to symptoms and seek treatment if feel
                                 affected. The State also notifies the Feds of the event, and some federal agencies may have direct involvement in the
                 Scenario 13 -   event. All parties may need to be notified of specific identifiable demographic and medical details of each case as they
                 Bioterrorism    arise to identify the source of the anthrax, locate and prosecute the parties responsible for distributing the anthrax, and
 DRAFT           Event                                                     protect the public from further infection.

                   Business                                                                                                Classification
                                                                                                                                                                     Policy: Short                                                                      Specify Other
       BP#         Practice                       Business Practice Long Description                         Scenario      (Barrier v. Not        Domain                                   Policy: Long Description   Stakeholder Organization
                                                                                                                                                                      Description                                                                  Stakeholder (if applicable)
                  Short Name                                                                                                 a Barrier)
                                                                                                                                                                Guidelines Pertaining to
                                                                                                                                                                Disclosures for Law
                                                                                                                                                                Enforcement Purposes
                                                                                                            Scenario 13                                         Without Written
                                                                                                                  -                            9. Information Authorization, Court
                                Our hospital privacy officer would disclose as required using the           Bioterrorism      Barrier to           use and      Order, Subpoena or
BP1              WV 001 S13     minimum necessary rule.                                                        Event       interoperability   disclosure policy Other Process                                                 Hospitals



                                Once our lab would submit a report to the local public health dept or to
                                the State as per those regs. governing anthrax and other public health
                                threats, then it would be in the hands of the State and Federal
                                agencies. If all parties would need to obtain additional information from   Scenario 13
                                our lab, then that agency would notify our corporate compliance dept.             -                            9. Information
                                via proper documentation or request.                                        Bioterrorism      Barrier to           use and
BP2              WV 002 S13                                                                                    Event       interoperability   disclosure policy                                                             Laboratories



                             Public health law is state-specific. I do not know the extent to which
                             Federal anti-terrorism legislation has attempted to pre-empt state law,
                             but I’m doubtful such pre-emption would be effective in a case like this
                             that does not appear to involve interstate commerce. Therefore, I
believe the state disease control laws would have primacy. Under state law, the health director is generally authorized to disclose information needed to control the spread of contagious disease. All information exchange originating under the direction of the state health director or his/her designate is probably permissible, even if it discloses PHI to the public. There may be limits on the health director’s discretion, but I doubt they would be significant under the scenario described. The one important question is whether the public health director has authority to disclose PHI to law enforcement agencies. Customarily, public health agencies have not done so, because of the chilling effect it is believed to have on ongoing disease investigation.
BP3a | WV 003a S13 | Scenario 13 - Bioterrorism Event | Barrier to interoperability | Domain: 8. State law restrictions | Stakeholder organization: Public Health agencies

BP3b | WV 003b S13 | Scenario 13 - Bioterrorism Event | Barrier to interoperability | Domain: 9. Information use and disclosure policy
Business practice (continued): I don’t know if current law in West Virginia mandates such disclosure, as it may; if it does not, then the disclosure would fall under the discretion of the public health director. Therefore the major barrier might be in the event individual institutions or health professionals were not aware of their duty to report information in a public health emergency, or if they obstructed transmission of sensitive data to the health agency out of a perceived risk of liability for disclosure. If they have read HIPAA, they won’t have such fears.




BP4 | WV 004 S13 | Scenario 13 - Bioterrorism Event | Barrier to interoperability | Domain: 2. Information authorization and access controls | Stakeholder organization: Federal health facilities
Business practice: As a federal health facility, we would not be allowed to give out any info under the Laws of Confidentiality. Although, in an act of terrorism, there are some exceptions. Your individual identity cannot be revealed and we could give them demographics and we could contact others about the situation. But if the person has a contagious disease and he knowingly infects others, he is then considered a criminal and he has no rights. We would: send the info by an authorized courier in a sealed envelope, or through data-secure telephone lines, or through scrambled, encrypted email.




RTI International
Privacy and Security Contract No. 290-05-0015                                                                                                   Page 48 of 61                                                                                       061539f6-54e2-4c12-8e94-39a09b41810b.xls
PRIVACY AND SECURITY                                                                                               Scenario 13. Bioterrorism Event




BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
Relevant law (narrative): HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose.
Reference: HIPAA Privacy Rule, 45 CFR § 164.514(d)(3)(iii)(A); WV Code § 15-5-1 et seq.; 64 CSR § 7 (regs regarding reportable diseases)



BP2
Relevant law (narrative): HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose.
Reference: HIPAA Privacy Rule, 45 CFR § 164.514(d)(3)(iii)(A); WV Code § 15-5-1 et seq.; 64 CSR § 7 (regs regarding reportable diseases)


BP3a
Relevant law (narrative): No legal barrier to public health’s disclosure to law enforcement. State Homeland Security provisions, the general and emergency powers of the Governor under the legislation, along with the State Director of Health’s authority, allow for these disclosures.
Reference: W. Va. Code §§ 15-5-1 et seq., 16-3-1 and 15-5-6; 64 CSR § 7 (regs regarding reportable diseases)
BP3b
Relevant law (narrative): Stakeholder cites perception issues.
Reference: 1. WV Code § 15-5-1 et seq.


BP4
Relevant law (narrative): HIPAA Security and Privacy Rules together require the CE to safeguard protected health information, electronic and hard copy.
Reference: HIPAA Security Rule, 45 CFR Part 164, Subpart C, and HIPAA Privacy Rule § 164.530(c)




PRIVACY AND SECURITY                                   Scenario 14. Employee Health Information Scenario

Scenario 14 - Employee Health Info: An employee (of any company) presents in the local emergency department for treatment of an exacerbation of a chronic condition that is not work-related. The employee's condition necessitates a four-day leave from work for illness. The employer requires a "return to work" document for any illness requiring more than 2 days leave. The hospital ED has an EHR and their practice is to cut and paste patient information directly from the EHR and transmit the information electronically to the HR department.

BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description


BP1a | WV 001a S14 | Scenario 14 - Employee Health Info | Barrier to interoperability | Domain: 9. Information use and disclosure policy
Business practice: As a payer, our business practice is to allow employees a certain number of paid time off (PTO) days. No detailed reason is needed for using those days. Short-term disability/long-term disability are also provided for certain medical issues and do require documentation to justify the disability. In this scenario, there are a couple of options. One, if the employer and hospital frequently exchange information, a confidentiality agreement or data use agreement needs to be entered into. The HR department could adjust its form to require only certain, non-specific medical information required only to justify the disability period. The hospital would then be responsible for providing the minimally necessary medical information as needed. It should be the hospital's policy to not provide more information than requested or needed per HIPAA privacy regulations, so the cut and paste practice may be a violation. The second option, one employed by the state of WV, would be for the return to work document to require only the disability period, the diagnosis and the treating doctor's signature.

BP1b | WV 001b S14 | Not a barrier to interoperability | Domain: 6. Information audits that record and monitor activity
Business practice: No specific medical information would be needed. End user should be limited to HR department employees. No access should be provided outside that unit. Data use agreement/confidentiality agreement should be in place to prevent unnecessary dissemination of protected health information.
BP1c | WV 001c S14 | Barrier to interoperability | Domain: 4. Information transmission security or exchange protocols
Business practice: Transmission protections would be implemented between the sender and end user, such as encryption of information.


BP1d | WV 001d S14 | Not a barrier to interoperability | Domain: 9. Information use and disclosure policy
Business practice: End user should be provided read only access to information. One-way transmission (ED to HR department only) should be considered.
BP1e | WV 001e S14
Business practice: Only HR department employees should have access to the transmitted information. Information should be limited by ED to that minimally necessary to fulfill HR's need. Once transmitted, information should be contained within employee's personnel file and not be subject to view by outside parties.


BP1f | WV 001f S14 | Not a barrier to interoperability | Domain: 8. State law restrictions
Business practice: Special precautions for psychiatric/HIV information - patient must authorize release of information.




BP2 | WV 002 S14 | Scenario 14 - Employee Health Info | Barrier to interoperability | Domain: 1. User and entity authentication
Business practice: Our hospital would prepare a leave of absence note for the employer which would limit information to the name of the employee, date seen by medical facility/physician, estimated time to be away from work, and signature of physician or other appropriate medical personnel.
Scenario 14, cause and legal driver:
BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute
BP1a | Stakeholder organization: Payers
Cause: The identified business practice involves multiple barriers to interoperability, but we disagree with the rationale employed; disclosure of PHI from existing health care records to the employer requires a signed authorization from the patient; once authorization is signed, disclosures made thereunder are not subject to the minimum necessary standard; once such information is lodged in employment files, it is no longer considered PHI; however, electronic transmission of the information to the employer must follow proper verification and security procedures.
Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a “return to work” document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103




BP1b
BP1c
Relevant law (narrative): HIPAA Security Technical Safeguards
Reference: HIPAA Security Rule, 45 CFR § 164.312



BP1d




BP1e
BP1f
Relevant law (narrative): WV State law regarding HIV test results
Reference: W. Va. Code §§ 16-3C-2, 3, 4; W. Va. Code § 27-3-1



BP2 | Stakeholder organization: Hospitals
Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a “return to work” document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103
Scenario 14 (continued):
BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description




BP3 | WV 003 S14 | Scenario 14 - Employee Health Info | Barrier to interoperability | Domain: 2. Information authorization and access controls
Business practice: As a correctional facility, our business practice/procedure is we have our own form to fill out for a return to work. Electronic transfer of emergency room data would not be accepted. The return to work form may eventually be able to be emailed and then completed for return. Additional ER info would not be necessary or desired. Password protected on secure lines. Limited access to the computer itself. Passwords must be changed on an irregular basis. Would need patient consent. The multiple information systems would need this patient consent prior to allowing access to the personal health information. Would need development of special programs for the encryption.
Policy (short): return to work form
Policy (long): Employee off more than 3 days submits for FMLA under the Family and Medical Leave Act (FMLA) of 1993. At the end of leave must submit a "return to work form" that has been completed by the physician - not by cut and paste in the ER.


BP4 | WV 004 S14 | Scenario 14 - Employee Health Info | Barrier to interoperability | Domain: 4. Information transmission security or exchange protocols
Business practice: As a physician group, our office physician can release an RTW date to the employer but any medical information would need a release of records from the patient. The HIPAA and State Laws would override the ER Policy. We use tracking forms in each chart to show info that was copied/faxed, who sent it, where it went and the date sent.
Policy (short): Covered entity
Policy (long): Patient release must be signed to release records.
BP4 | WV 004 S14 | Not a barrier to interoperability | Domain: 7. Administrative or physical security safeguards
BP4 | WV 004 S14 | Not a barrier to interoperability | Domain: 8. State law restrictions
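The hospital's leave-of-absence note in BP2 (name, date seen, estimated time away, physician signature) and the physician group's chart tracking form in BP4 (what was copied or faxed, who sent it, where, when) describe two mechanisms: a field allow-list and a disclosure log. The following is an added example, not code from the RTI assessment or from any stakeholder quoted in it, showing both in Python next to the cut-and-paste practice the scenario describes. The encounter field names, the sample record, the Authorization class and the recipient strings are assumptions made for illustration; the gating of a diagnosis on a signed authorization models what the stakeholders state in BP1a and BP1f, not a legal conclusion.

```python
"""Minimum-necessary release of a return-to-work (RTW) note from an ED record.

Added example for this page; it is not code from the RTI assessment or from
any stakeholder quoted in it. The encounter field names, the sample record,
the Authorization class and the recipient strings are assumptions made for
illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample ED encounter. Not real patient data; field names assumed.
SAMPLE_ENCOUNTER = {
    "patient_name": "J. Example",
    "date_seen": "2007-03-12",
    "diagnosis": "chronic condition, exacerbation (hypothetical)",
    "clinical_notes": "Treated in ED; follow up with primary care.",
    "medications": ["drug A", "drug B"],
    "estimated_days_off": 4,
    "attending": "A. Physician, MD",
    "sensitive_categories": set(),  # e.g. {"psychiatric", "hiv"}
}

# The four items the hospital in BP2 says its leave-of-absence note carries.
RTW_FIELDS = ("patient_name", "date_seen", "estimated_days_off", "attending")

# Categories that BP1f says need the patient's specific authorization.
SPECIAL_AUTHORIZATION = {"psychiatric", "hiv"}


@dataclass(frozen=True)
class Authorization:
    """Assumed shape of a signed patient authorization for release to an employer."""
    patient_name: str
    recipient: str
    signed_on: str
    covers_special_categories: bool = False


class DisclosureError(Exception):
    """A requested disclosure is outside the rules modelled here."""


def cut_and_paste(encounter: dict) -> dict:
    """The practice in the scenario: the whole EHR record goes to HR."""
    return dict(encounter)


def fields_beyond_rtw(document: dict) -> set:
    """Keys in an outgoing document that exceed the RTW allow-list."""
    return set(document) - set(RTW_FIELDS)


def diagnosis_release_allowed(encounter: dict, recipient: str,
                              authorization: Optional[Authorization]) -> bool:
    """A diagnosis (the WV state form in BP1a asks for one) may be added only
    with a signed authorization naming this patient and this recipient; a
    psychiatric/HIV flag additionally needs an authorization covering it."""
    if authorization is None:
        return False
    if (authorization.patient_name != encounter["patient_name"]
            or authorization.recipient != recipient):
        return False
    if encounter["sensitive_categories"] & SPECIAL_AUTHORIZATION:
        return authorization.covers_special_categories
    return True


def build_rtw_document(encounter: dict, recipient: str,
                       include_diagnosis: bool = False,
                       authorization: Optional[Authorization] = None) -> dict:
    """Allow-list projection: only RTW_FIELDS leave the EHR, whatever else the
    record holds. Anything not listed is dropped rather than redacted."""
    document = {key: encounter[key] for key in RTW_FIELDS}
    if include_diagnosis:
        if not diagnosis_release_allowed(encounter, recipient, authorization):
            raise DisclosureError(
                "diagnosis requires a signed patient authorization for this recipient")
        document["diagnosis"] = encounter["diagnosis"]
    return document


def record_disclosure(document: dict, sent_by: str, sent_to: str, method: str,
                      when: Optional[datetime] = None) -> dict:
    """Tracking entry in the spirit of the physician group's chart tracking
    form in BP4: what went out, who sent it, where, by what channel, and when."""
    when = when or datetime.now(timezone.utc)
    return {
        "fields_disclosed": sorted(document),
        "sent_by": sent_by,
        "sent_to": sent_to,
        "method": method,
        "sent_at": when.isoformat(),
    }


if __name__ == "__main__":
    pasted = cut_and_paste(SAMPLE_ENCOUNTER)
    print("cut-and-paste sends extra fields:", sorted(fields_beyond_rtw(pasted)))
    note = build_rtw_document(SAMPLE_ENCOUNTER, recipient="Employer HR")
    print("RTW note:", note)
    print("tracking entry:", record_disclosure(note, "ED clerk", "Employer HR", "fax"))
```

The projection is an allow-list rather than a redaction list on purpose: a new field added to the EHR record (a lab result, a free-text note) never reaches the employer unless someone adds it to RTW_FIELDS, whereas a redaction list silently leaks anything it was not updated to strip. The tracking entry records the field names that went out, not their values, so the log itself does not become a second copy of the PHI.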


BP5 | WV 005 S14 | Scenario 14 - Employee Health Info | Not a barrier to interoperability | Domain: 8. State law restrictions
Business practice: As a payer, under the State System we had PEIA Coverage and they required the forms for being out for 3 days. Dr filled out the info and an RTW notice; all done on paper, no electronic version of this. This can also be faxed, and whoever is on the receiving end of the fax can view the info.



BP6 | WV 006 S14 | Scenario 14 - Employee Health Info | Barrier to interoperability | Domain: 8. State law restrictions
Business practice: In our payer organization, the employer cannot get at the info unless the employee signs an agreement. This is done on a paper basis. Our organization has an imaging process. This info is QUARANTINED, meaning only the appropriate person can get at the info. All have a secure storage place for records; we have an onsite storage place and to get entrance, you have to have special permissions; there is a keyless entry.
BP6 | WV 006 S14 | Barrier to interoperability | Domain: 9. Information use and disclosure policy




Scenario 14 (continued), cause and legal driver:
BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute



BP3 | Stakeholder organization: Correctional facilities
Cause: We agree with the identified business practice, and agree that it involves multiple barriers to interoperability, including patient authorization and use of proper security procedures.
Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a “return to work” document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
Reference: Original: Other Federal Law - Family and Medical Leave Act 1993; Other - Company FMLA and Time & Attendance Policy. 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP4 | Stakeholder organization: Physician groups
Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
Relevant law (narrative): Original: HIPAA. A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a “return to work” document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP4



BP4




BP5 | Stakeholder organization: Payers

BP6 | Stakeholder organization: Payers
Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a “return to work” document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103


BP6




PRIVACY AND SECURITY                                   Scenario 15. Public Health Scenario A

Scenario 15 - Public Health A: Active TB Patient has decided to move to a desert community that focuses on spiritual healing. The TB is classified MDR (multi-drug resistant). Patient purchases a bus ticket; the bus ride will take a total of nine hours with two rest stops. State A is made aware of Patient's intent two hours after the bus with Patient leaves. State now needs to contact the bus company and State B with the relevant information. State A may need to contact every state along the route.

BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable)


                            Since TB is a publicly reported disease the home health agency nurse would
                            report the information to the public health department and allow the public health
                            department to take action. At the present time there are very few systems in
                            which home health agencies share electronic personal health information and
                            the system for public reporting electronically such as would be needed in this
                            instance is not presently available. Would be necessary to assure integrity of the
                            communication between only those entities who had necessity of receiving the
                            data. In present home health electronic information systems only those
                            personnel who have been trained can access patient data. In general there are                                                                                        All home health agencies
                            few who can access the entire data base and changes/modifications can only be                                                                                        have in place within their
                            made by those with certain security/access abilities. While most agencies have                                                     2. Information                    infection control policies and
                            internal policies that dictate the utilization of electronic data within the agency and                                            authorization                     procedures for the reporting
                            most often that shared with a fiscal intermediary and the state data collection             Scenario 15 -        Barrier to         and access                       of publicly reported
BP1a            WV 001a S15 agency.                                                                                     Public Health A   interoperability         controls
                                                                                                                                                               5. Information                    communicable diseases.            Homecare and hospice
                                                                                                                                                                 protection
                                                                                                                                                                   (against
                                                                                                                        Scenario 15 -        Barrier to           improper
BP1a            WV 001a S15                                                                                             Public Health A   interoperability      modification)



                            Very few, if any of the home health agencies are presently sharing electronic
                            health data with other health care entities. Most exchange of information between
                            entities currently takes place by paper exhange or oral exchange. WV home                                                          4. Information
                            health agencies comply with federal regulation as outlined in the HIPPA                                                            transmission
                            standards and the home health conditions of participation as set forth by CMS at                                                     security or
                            the federal level. The WV Office of Health Facilities Licensure and Certification           Scenario 15 -        Barrier to          exchange
BP1b            WV 001b S15 are responsible for the oversite of agency compliance.                                      Public Health A   interoperability        protocols




                                I would think that State A is made aware of the TB patient's location, and would
                                need to locate both the bus company as well as other State along the route.                                                    3. Patient and
                                Each State dept. of health would be involved in this process until the patient is       Scenario 15 -   Not a barrier to          provider
BP2             WV 002 S15      located for additional follow-up.                                                       Public Health A interoperability        identification                                                          Laboratories




                                This is a pure public health response, clearly authorized under law. Since the
                                state already has a report of a case, there is no barrier to reporting the case in
                                the first place. Since the patient has absconded, the state health director may
                                use state quarantine law and ask the police to halt the bus before it leaves the
                                state. Failing that, the health director will inform the Centers for Disease Control,
                                which will inform the other states. The state health director’s discretionary           Scenario 15 -        Barrier to         8. State law
BP3             WV 003 S15      authority also allows him or her to notify adjacent states.                             Public Health A   interoperability       restrictions                                                      Public Health agencies




                                As a federal health facility, we would consider this to be a wanted person and
                                someone that is violating others rights. He would be considered a bio-hazard.
                                We could send the info to the media and to other states and health care
                                providers for instance we could say that John Doe is a wanted criminal or is a
                                suspect. He loses all of his rights under the Privacy Act. We would first check out
                                to see if he was dangerous to others and/or to himself. We would contact the            Scenario 15 -        Barrier to         8. State law
BP4             WV 004 S15      health authorities, and state police via phone.                                         Public Health A   interoperability       restrictions                                                      Federal health facilities




Scenario 15. Public Health Scenario A - Cause and Relevant Law

Columns: BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1a (both domain rows) and BP1b
  Cause: (blank in source)
  Narrative: HIPAA Security regs require that PHI be safeguarded by covered entities, if a covered entity were sharing information with the state in this scenario.
  Reference: HIPAA Security Regs, 45 CFR § 164.302 et seq.

BP2
  Cause, Narrative, Reference: (blank in source)

BP3
  Cause: (blank in source)
  Narrative: Home state public health department of active TB patient moving via bus to another city may, upon its order or order of state court of record, disclose patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting public health department to enforce state or court order. The patient is an active TB carrier spreading and subject to public health department isolation, quarantine, etc.
  Reference: WV Code § 16-3D-3 to 9; 64 CSR §§ 7-3.4, 12.1.a.4, and 19-17-19; HIPAA Privacy Regs § 164.512(b).

BP4
  Cause: (blank in source)
  Narrative: Home state public health department of active TB patient, moving via bus to another city may, upon its order or order of state court of record, disclose patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting public health department to enforce state or court order. The patient is an active TB carrier spreading and subject to public health department isolation, quarantine, etc. LWG unable to find any federal law dealing with TB and believe issue is left to the States.
  Reference: WV Code § 16-3D-3 to 9; 64 CSR §§ 7-3.4, 12.1.a.4, and 19-17-19.

PRIVACY AND SECURITY                                    Scenario 16. Public Health Scenario B

Scenario 16 - Public Health B: A newborn’s screening test comes up positive for a rare genetic disorder and the state lab test results are made available to the child’s physicians and specialty care centers specializing in the disorder via an Interactive Voice Response system. The state lab also enters the information in its registry, and tracks the child over time through the child’s physicians. The state public health department provides services for this rare genetic disorder and notifies the physician that the child is eligible for those programs. One of the services that the mother uses from the state is regularly purchasing special food products for persons with PKU.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description

BP1  WV 001 S16
  Business Practice Long Description: Generally, the provider and the clinical staff will make several phone calls to find assistance and support for the parent or child. In all my years of practice, I have never witnessed this scenario in the clinical setting - the closest to this scenario is the reportable infectious disease process - which is pretty effective. Also, not all providers are aware of mandated requirements to report certain genetic or other disorders to the state - some labs are out of state, so do not know all the state reporting requirements either.
  Scenario: Scenario 16 - Public Health B
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions

BP2  WV 002 S16
  Business Practice Long Description: Office of Maternal Child and Family Health - WV Code 16-22-3 mandates that abnormal labs in newborn children be reported to the Bureau for Public Health. It also permits identification, follow-up treatment with physicians and other resources provided by BPH. Communication involving PII/PHI is conducted by phone and faxing.
  Scenario: Scenario 16 - Public Health B
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP3  WV 003 S16
  Business Practice Long Description: It may be necessary to identify this child with special codes so as not to release the name of the child to outside entities, other than the physician and state health officials.
  Scenario: Scenario 16 - Public Health B
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions

Scenario 16. Public Health Scenario B - Stakeholders, Cause and Relevant Law

Columns: BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
  Stakeholder Organization: Professional associations and societies
  Narrative: No legal driver. (WV mandates reporting in WV Code § 16-22-1 et seq.; such disclosure is permitted under the HIPAA Privacy Rule.)

BP2
  Stakeholder Organization: Public Health agencies

BP3
  Stakeholder Organization: Laboratories
  Narrative: No legal requirement to identify patient with specific codes; direct identifiers are allowed.

PRIVACY AND SECURITY                                    Scenario 17. Public Health Scenario C

Scenario 17 - Public Health C: A homeless man arrives at a county shelter and is found to be a drug addict and in need of medical care. The person does have a primary provider, and is sent there for the medical care, and is referred to a hospital-affiliated drug treatment clinic for his addiction under a county program. The addiction center must report treatment information back to the county for program reimbursement, and back to the shelter to verify that the person is in treatment. Someone claiming to be a relation of the homeless man requests information from the homeless shelter on all the health services the man has received.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable)

BP1  WV 001 S17
  Business Practice Long Description: As a public health agency, we recognize that under 42 CFR Federal Law the patient must authorize release of medical records. Chapter 27 of state mental health law on the other hand requires that the spouse, or next of kin be notified of admission to our state psychiatric facilities. Exceptions to patient authorization require a court order.
  Scenario: Scenario 17 - Public Health C
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
  Stakeholder Organization: Public Health agencies

BP2  WV 002 S17
  Business Practice Long Description: Home health providers would not release this information to this individual. All home health providers are required by federal law to comply with HIPAA regulations. Compliance with the transfer of electronic information in HIPAA approved formats will in 2007 be required in order for agencies to receive reimbursement. Administrations are designing and implementing programs that meet these privacy standards. Also within the requirements for participation in the Medicare/Medicaid program agencies must meet patient privacy standards as outlined by the Centers for Medicare and Medicaid Services. Home health agencies are regulated by federal regulations which are monitored and enforced by the WV Office of Health Facilities Licensure and Certification. In this scenario also applicable would be WV state law concerning next of kin and Medical Power of Attorney which would only be utilized if the patient were incapacitated and could not relate his own wishes and desires for the handling of this health care information.
  Scenario: Scenario 17 - Public Health C
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
  Policy: Long Description: All home health agencies have policies that dictate to whom private information can be released. These policies are compliant with federal regulations outlined in the HIPAA and home health conditions of participation.
  Stakeholder Organization: Homecare and hospice

BP3  WV 003 S17
  Business Practice Long Description: Our hospital employees may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
  Scenario: Scenario 17 - Public Health C
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy: Short Description: Guidelines Pertaining to Disclosures Made Without Written Authorization But Pursuant To A Court Order, Subpoena, Search Warrant or Discovery Request
  Policy: Long Description: Our facility may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
  Stakeholder Organization: Hospitals

BP4  WV 004 S17
  Business Practice Long Description: As a federal health facility, we would not provide any info unless the vet says it is ok. The family member would have to leave their contact info with us, and the case manager would contact the Vet and give it to them - it is then their choice. If another facility wants the info, the Privacy Act can release info if it is medically necessary. The Vet would be able to release that to another facility - they have to sign the waiver and it has to be signed in front of our employee. The Vet has to show proper ID. The release form is specific to the info that they want to release. Info is transmitted via letter, fax, or internet - and is encrypted. The only time PHI can be released without the pt's authorization is if it is a medical emergency - in other words, if the vet would die if someone didn’t know the PHI. The Privacy Act protects us in that they can't come back and sue us for giving out info unless they said we can, and then it hinders the quick release of info if it is an emergency. It is so much easier to share info between our facilities because of our EHRS. We all follow the same criteria.
  Scenario: Scenario 17 - Public Health C
  Classification and Domain (the practice is entered once per domain): 2. Information authorization and access controls - Unassigned; 9. Information use and disclosure - Barrier to interoperability
  Stakeholder Organization: Federal health facilities

PRIVACY AND SECURITY    Scenario 17. Public Health Scenario C

Columns: BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution

BP1
  Relevant Law (Legal Driver) -- Narrative: Again, consent is the key to release of information. A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs., but is covered under WV Code §27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs. and can refer patient to drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, who already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent.
  Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR §164.506; 522(a); WV Code §§ 27-3-1; 27-5-9(e)
  Solution: Have all patients with substance abuse problems and/or mental illness sign general consents to release information for treatment, payment and healthcare operation under HIPAA Reg. 164.506(b) upon entering the facility; repeal WV Code §27-5-9(e). Amend §27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent.

BP2
  Relevant Law (Legal Driver) -- Narrative: Relative of drug addict individual in need of treatment cannot access individuals’ PHI, without authorization, under state law, HIPAA, and other federal laws,
  Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code §§ 16-30-8, 27-1A-11, 27-3-1 and 2, 27-5-9, 27-7-1 thru 3, 16-29-1; HIPAA Privacy Regs – 45 CFR §§ 164.512 (a,b,e, and j), 164.506, 164.508, 164.510, 164.512(e), 164.514(a); 42 U.S.C.A. §§ 290dd-3, 290ee-3; 42 CFR §§ 2.1 et. seq.

BP3
  Relevant Law (Legal Driver) -- Narrative: A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs., but is covered under WV Code §27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs. and can refer patient to drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, who already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent. The notification of next of kin only applies after involuntary commitment to a mental health facility. If the patient objects, the information cannot be released.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR §164.506; 522(a); WV Code § 27-3-1; 27-5-9(e)

BP4
  Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule provides for uses and disclosures of protected health information that require an opportunity for the individual to agree or to object.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §164.510 (b).

RTI International
PRIVACY AND SECURITY    Scenario 18. Health Oversight: legal compliance/government accountability

Scenario 18 - Health Oversight: The Governor's office has expressed concern about compliance with immunization and lead screening requirements among low income children who do not receive consistent health care. The state agencies responsible for public health, child welfare and protective services, Medicaid services, and education are asked to share identifiable patient level health care data on an ongoing basis to determine if the children are getting the healthcare they need. Because of the complexity of the task, the Governor has asked each agency to provide these data to faculty at the state university medical campus who will design a system for integrating and analyzing the data.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP1
  Business Practice Short Name: WV 001 S 18
  Business Practice Long Description: Our clinic would not participate in this project until patients had been informed and gave permission to share this information. We would, however, provide this information without personal identifiers or addresses for a study to determine where there may be problems.
  Scenario: Scenario 18 - Health Oversight
  Classification, by Domain:
    1. User and entity authentication: Barrier to interoperability
    2. Information authorization and access controls: Barrier to interoperability
    3. Patient and provider identification: Not a barrier to interoperability
    4. Information transmission security or exchange protocols: Barrier to interoperability
    6. Information audits that record and monitor activity: Barrier to interoperability
    7. Administrative or physical security safeguards: Barrier to interoperability
    8. State law restrictions: Barrier to interoperability
    9. Information use and disclosure policy: Barrier to interoperability

BP2
  Business Practice Short Name: WV 002 S 18
  Business Practice Long Description: As a payer, our research staff would need to set this up as a designated research process. Medicaid would be able to disclose PHI but would have to deidentify the info. We are asked by HCA all the time to give them info - we have a BA with them.
  Scenario: Scenario 18 - Health Oversight
  Classification, by Domain:
    9. Information use and disclosure policy: Barrier to interoperability

PRIVACY AND SECURITY    Scenario 18. Health Oversight: legal compliance/government accountability

Columns: BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution

BP1
  Stakeholder Organization: Community clinics and health centers
  Relevant Law (Legal Driver) -- Narrative: 1. HIPAA permits disclosure of protected health information for public health activities only to a public health authority that is authorized by law to collect or receive such information.
  Relevant Law (Legal Driver) -- Reference Code/Statute: 1. HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.512(b)(1)
  Solution: Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.

BP2
  Stakeholder Organization: Payers
  Relevant Law (Legal Driver) -- Narrative: HIPAA BAA and Research requirements. HIPAA de-identification option is also an option without getting a BAA or IRB approval.
  Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule
  Solution: 1. Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.
