Physician Confidentiality and Security Agreement
PRIVACY AND SECURITY Scenario 1. Patient Care Scenario A (DRAFT)

Scenario 1 - Patient Care A: Patient X presents to the emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89 year old widow who appears very confused. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X's prior diagnosis and treatment during the inpatient stay.
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable)
BP1 WV 001 S 1
Business Practice Long Description: Our hospital staff (nurse, doctor) would first validate if there is PHI in the pt's records. If not, we would fax minimum necessary for treatment without an authorization. If PHI is in the record, we would determine if the daughter was the medical power of attorney. If yes, we would validate her signature and then have her sign a release to send the protected info. If not, we would have a physician or nurse sign authorization and send, after validating who we are speaking to at the other facility by a call back. We use a role-based access process in which Directors/Managers/IT Security & Privacy collaborate. We have a signed OHCA (Organized Healthcare Arrangement) with 2 other local facilities and share information for patient care purposes, however we do not release one another's information to those outside of our OHCA. We do have audit capabilities on systems. Random audits are performed. We use Tessa locks on doors.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domains: 3. Patient and provider identification; 4. Information transmission security or exchange protocols
Policy: Short Description: Uses & Disclosures of Protected Health Information & Disclosure of PHI Minimum Necessary
Policy: Long Description: Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed completed release. Reasonable steps will be taken to limit both routine and non-routine uses of, disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of PHI. Exceptions include: use or disclosure to or requests by provider for treatment purposes; use or disclosure to the subject of the information (patient); use or disclosure made under specific (detailed PHI) valid authorization; use or disclosure required for compliance with HIPAA electronic transaction standards; use or disclosure required by other laws (such as victims of abuse, neglect, or domestic violence, and compliance with workers' compensation; see policies III.080, III.085, III.090, III.095); disclosure to DHHS.
Stakeholder Organization: Hospitals
BP2 WV 002 S 1
Business Practice Long Description: ER staff (nurse, doctor, or clerk) would call hospital and advise that they were faxing a request for medical records. If necessary, the staff would obtain authorization from POA of responsible party. Verbal confirmation by phone followed by faxed written request and authorization. There is security of exchange protocols for faxing information. No encryption.
Scenario: Scenario 1 - Patient Care A
Classification: Not a barrier to interoperability
Domains: 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper modification); 6. Information audits that record and monitor activity; 8. State law restrictions; 9. Information use and disclosure policy
Policy: Short Description: Facsimile Machines and PHI P&P
Policy: Long Description: Standard cover sheet with "Confidentiality Statement". Errors in transmission must be corrected immediately and reported to Privacy Officer. If there is no POA or responsible party the physician would order appointment of a surrogate.
Stakeholder Organization: Hospitals
BP3 WV 003 S 1
Business Practice Long Description: A clinician verifies the ER calling and verifies any restrictions placed on medical records that would cause barriers. If none, send records. Tracking forms/initials on all things in chart. Computer password.
Scenario: Scenario 1 - Patient Care A
Classification: Not a barrier to interoperability
Domain: 5. Information protection (against improper modification)
Policy: Short Description: HIPAA
Policy: Long Description: Hospital/ER covered entity HIPAA
Stakeholder Organization: Clinicians
BP4 WV 004 S 1
Business Practice Long Description: In correctional facilities, there is no release of info without the pt's informed consent or medical power of attorney. It has to be verified by fax and phone and signatures are compared by case manager. We do not release info without a court order. If you are a prisoner and have a WC claim, you won't get paid. Corrections can only get the info through a court order. There is no electronic info in the prison system; all paper. WV has subcontracted this out to a company.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Correctional facilities
BP5 WV 005 S 1
Business Practice Long Description: In long term care this process is very restrictive. We need authorization with everything involving Mental Health. The facilities verify this with fax and phone. Nothing is verified electronically.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Long term care facilities and nursing homes
RTI International
Privacy and Security Contract No. 290-05-0015 Page 1 of 61 5bba3f4e-4c9d-4956-97e2-93e268f6d514.xls
Scenario 1. Patient Care Scenario A (continued)
Columns: BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute
BP1 WV 001 S 1
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney, and we do not agree that the minimum necessary standard applies in this situation. These should not be barriers to interoperability.
Relevant Law (Legal Driver) -- Narrative: Original: Federal Register §164.502 Uses and disclosures of protected health information: general rules; hospital policy. One health care provider can disclose PHI of patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)
Second domain row (4. Information transmission security or exchange protocols): HIPAA Security Technical Safeguards 45 CFR § 164.312
BP2 WV 002 S 1
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney. This should not be a barrier to interoperability.
Relevant Law (Legal Driver) -- Narrative: Original: HIPAA - Privacy and State Law - Appointment of Health Care Decision Maker. One health care provider can disclose PHI of patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)
BP3 WV 003 S 1
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists for the verification and security procedures.
Relevant Law (Legal Driver) -- Narrative: One health care provider can disclose PHI of patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)
BP4 WV 004 S 1
Cause: We believe the verification and security procedures do represent barriers to interoperability; we do not believe that a signed authorization or court order is required to disclose PHI for treatment purposes, and should not be viewed as barriers to interoperability.
Relevant Law (Legal Driver) -- Narrative: One health care provider can disclose PHI of patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information. Information on HIPAA Security regs was included, although BP does not mention electronic PHI. However, we are aware that Corrections' status as a covered entity may vary.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.512(k)(5); 164.514(h)(1); W. Va. Code § 27-3-1(b)(5)
BP5 WV 005 S 1
Relevant Law (Legal Driver) -- Narrative: No legal barrier. We assume that State A is West Virginia. HIPAA allows release of such information for treatment purposes. West Virginia State Law only precludes the "release" of mental health information, but does not place any special restrictions on the collection of such data. Unless the neighboring state law restricts the release of such information to the emergency room, this should not present a problem.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Regulation § 164.506; West Virginia Code §§ 27-3-2; 27-5-9(e).
PRIVACY AND SECURITY Scenario 2. Patient Care Scenario B (DRAFT)

Scenario 2 - Patient Care B: A specialty substance abuse treatment facility wants to refer client X to a primary care facility for a suspected medical problem. The client has a long history of using various drugs and alcohol relevant for medical diagnosis. The information is being sent to the primary care provider without the patient's authorization. The primary care provider refers the patient to a specialist and sends all of their information (without patient authorization) including the information received from the substance abuse treatment facility to the specialist.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization
BP1 WV 001 S2
Business Practice Long Description: In our hospital, if the patient is able to sign then we (clinician or clerk) would do that first. If patient is unable to make decisions on their own the durable power of attorney or surrogate can authorize.
Scenario: Scenario 2 - Patient Care B
Classification by Domain: 9. Information use and disclosure policy (Barrier to interoperability); 3. Patient and provider identification (Not a barrier to interoperability)
Policy: Short Description: Uses & Disclosure of PHI
Policy: Long Description: Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed completed release.
Stakeholder Organization: Hospitals
BP2 WV 002 S2
Business Practice Long Description: In our hospital, clinical information is not released without a signed authorization from the patient or guardian if patient is under the age of 12. State and Federal laws strictly outline procedures for sharing substance abuse patient information.
Scenario: Scenario 2 - Patient Care B
Classification by Domain: 6. Information audits that record and monitor activity (Not a barrier to interoperability); 7. Administrative or physical security safeguards (Not a barrier to interoperability); 8. State law restrictions (Barrier to interoperability)
Stakeholder Organization: Hospitals
BP3 WV 003 S2
Business Practice Long Description: State Mental Health Law prevents transfer of mental health records without the patient's authorization.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy: Short Description: State Mental Health Law
Policy: Long Description: If patient is unable to authorize release of information, the physician orders that a health care surrogate be appointed per state mental health law. Authorization must be obtained before release of information.
Stakeholder Organization: State government
BP4 WV 004 S2
Business Practice Long Description: In Corrections, if anything refers to substance abuse, we don't release that info, but if we are going to refer the inmate, we can send a referral letter but we are limited to just the facts. Corrections keeps this info forever; they are paper based. They are kept in a locked room for limited access and are accessed by a Med Records Clerk.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Stakeholder Organization: Correctional facilities
Scenario 2. Patient Care Scenario B (continued)
Columns: BP# | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
BP1 WV 001 S2
Relevant Law (Legal Driver) -- Narrative: Confidentiality of Alcohol and Drug Abuse Patient Records require patient consent for disclosure and redisclosure of substance abuse records.
Relevant Law (Legal Driver) -- Reference Code/Statute: 42 CFR §§ 2.32 and 2.33
BP2 WV 002 S2
Relevant Law (Legal Driver) -- Narrative: Consent is the key to releasing substance abuse information to third parties, even to other providers. When a patient enters a state hospital, we try to get them to agree to a generalized consent to release information treatment, payment and health care operations. As a general matter, substance abusers do not have personal representatives whose consent is required to release substance
Relevant Law (Legal Driver) -- Reference Code/Statute: Substance Abuse Regs. 42 CFR, Part 2, Subpart B; HIPAA Regs. 45 CFR §§ 164.506(b); 503(g); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).
Solution: Maximize use of general consents for treatment, payment and health care operations for patients with substance abuse and/or mental illness entering healthcare facilities under HIPAA Reg § 164.506(b).
BP3 WV 003 S2
Relevant Law (Legal Driver) -- Narrative: State law requires DHHR to obtain consent for disclosure of mental health information for treatment. WV law also requires all providers to obtain patient consent for payment and operations.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 27-5-9(e); WV Code § 27-3-1
Solution: Repeal Section § 27-5-9(e). Amend § 27-3-1 to allow release of mental health information to treatment, payment and healthcare operations without patient consent.
BP4 WV 004 S2
Cause: The identified business practice does identify barriers to interoperability.
Relevant Law (Legal Driver) -- Narrative: One health care provider cannot disclose PHI of patient to another health care provider for routine treatment purposes without a signed authorization when drug or alcohol abuse treatment is involved; an authorized disclosure may not be re-disclosed; proper verification and security procedures must be followed.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.310; 164.312; 164.512(k)(5); 42 C.F.R. §§ 2.1; 2.2; 2.32; 2.51; W. Va. Code § 27-3-1(b)(5)
BP5 WV 005 S2
Business Practice Long Description: In Workers Comp., we refer pts to specialists but our staff only send them what they need to know to treat the pt. WC makes the referral and sends all the info on a CD. We have electronic capabilities and this can be reviewed on the internet. We provide an ID and password to the provider so they can access just what they need to on that pt.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: Possibly Federal Substance Abuse Regulations 42 CFR Part 2
PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (DRAFT)

Scenario 3 - Patient Care C: At 5:30pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient, recently discharged from the hospital psych unit to the nursing home. At the time of the patient's transfer, the discharge summary and other pertinent records were electronically transmitted to the nursing home. Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system. Dr. X completes his visit and prepares to complete his documentation. Unable to access the long-term care facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service.

The assessment is transcribed and posted to a secure web portal. The next morning, from his home computer, Dr. X checks his e-mail and receives notification that the assessment is available. Dr. X logs into the portal, reviews the assessment, and applies his electronic signature. Later that day, Dr. X's Office Manager downloads this assessment from the web portal, saves the document in the patient's record in his office and forwards the now encrypted document to the long-term care facility via e-mail. The long-term care facility notifies Dr. X's office that they are unable to open the encrypted document because they do not have the encryption key.

Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description
BP1 WV 001 S3
Business Practice Long Description: In our hospital, all clinical staff are given logins and passwords to use applicable data systems. Passwords limit the user's ability to read access only if they are not in a position to need to add, edit, or update information. Electronic user logs are maintained on the mainframe. Medical staff must use specific transcription resources to ensure that security is maintained and acceptable document formatting is used. Individual-specific passwords and logins are used which limits access on a need to know basis. Staff are instructed not to share passwords and logins. All sensitive information is encrypted prior to exchange over an electronic communications network.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domains: 1. User and entity authentication; 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 7. Administrative or physical security safeguards; 8. State law restrictions; 9. Information use and disclosure policy
Scenario 3. Patient Care Scenario C (continued)
Columns: BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative
BP1 WV 001 S3
Cause: The classification of privacy and security domains 1, 2, 3, 4, and 7 as barriers to interoperability appears appropriate in this scenario due to the numerous issues related to EHR access. Classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent.
Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.
Stakeholder Organization: Hospitals
Scenario 3. Patient Care Scenario C (continued)
Columns: BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
BP1 WV 001 S3
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.
BP2 WV 002 S3
Business Practice Long Description: Our hospital practice and policies are that physicians, or other practitioners who are not credentialed by our facility, do not have access to patient care areas, or to the system.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
Policy: Short Description: Medical Staff By Laws Articles VI (Procedure for Appointment) and VII (Clinical Privileges)
BP3 WV 003 S3
Business Practice Long Description: Long term care facilities do not usually have locked psych units. However, assuming that the physician entered the skilled nursing facility and attempted to view the patient's EHR, expected policies and procedures should address authorizing privileges, access to medical records, inoperative computer systems and building access prior to physician's first visit. There should be a Business Associate Agreement with any "offshore transcription service" ensuring compliance with Privacy and Security Laws with authorization for monitoring for compliance. No PHI should be transmitted without 128 bit encryption capability with read only capability. Also, there should be a P&P for use of physician's electronic signature.
Scenario: Scenario 3 - Patient Care C
Classification by Domain: 1. User and entity authentication (Barrier to interoperability); 2. Information authorization and access controls (Barrier); 3. Patient and provider identification (Barrier); 4. Information transmission security or exchange protocols (Barrier); 5. Information protection (against improper modification) (Barrier); 6. Information audits that record and monitor activity (Not a barrier); 7. Administrative or physical security safeguards (Barrier); 8. State law restrictions (Not a barrier)
Policy: Short Description: Business Associate Agreements
Scenario 3. Patient Care Scenario C (continued)
Columns: BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative
BP2 WV 002 S3
Policy: Long Description: These describe the procedures for applying to the staff for membership and clinical privileges assigned with such.
Stakeholder Organization: Hospitals
Cause: This business practice analysis only identifies privacy and security domain 4 as a barrier; the exchange and encryption of the information supports this classification. Given the complexity of this scenario, the classification of privacy and security domains 1, 2, 3, and 7 would also appear appropriate due to the numerous issues related to EHR access. In addition, classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent. This stakeholder's business practice highlights the issue of credentialing and the administrative controls inherently contained within these policies. In addition, this business practice points out the alternative of faxing, although physical and technical information
Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.
BP3 WV 003 S3
Stakeholder Organization: Long term care facilities and nursing homes
Relevant Law (Legal Driver) -- Narrative (one entry per domain row, in the order given): HIPAA Security regs require person or entity authentication. | HIPAA Security regs make encryption addressable. | HIPAA Security Rule | HIPAA Security Rule | HIPAA Security Rule | HIPAA Security regs make access control and validation procedures addressable and require workstation security. | The HIPAA Security and Privacy Regs require Business Associate Agreements in certain situations for CE's.
Scenario 3. Patient Care Scenario C (continued)
Columns: BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
BP2 WV 002 S3
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - 164.506 TPO; State Law - 64-CSR-12-14 Professional Standards - Medical Staff. HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may
BP3 WV 003 S3
Relevant Law (Legal Driver) -- Reference Code/Statute (one entry per domain row, in the order given): HIPAA Security Regs, 45 CFR § 164.312 | HIPAA Security Regs, 45 CFR § 164.312 | HIPAA Security Rule, 45 CFR § 164 Part C | HIPAA Security Rule, 45 CFR § 164 Part C | HIPAA Security Rule, 45 CFR § 164 Part C | HIPAA Security Regs 45 CFR §§163.310(a)(2)(iii); 164.310(c); 164.308(b)(1). | HIPAA Privacy Regs, 45
BP3 WV 003 S3 (continued)
Classification by Domain: 9. Information use and disclosure policy (Barrier to interoperability)
BP4 WV 004 S3
Business Practice Long Description: In our physician group, as long as no HIPAA laws were broken and a No Restriction form was signed this procedure is under the covered entity of patient care. Use Tracking form and initial all documents placed in the chart. User ID and password is needed.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Policy: Short Description: HIPAA
BP5 WV 005 S3
Business Practice Long Description: LTC has business associate agreements in effect for different services with state businesses. The BA agreement is a 1 page document that spells out how you limit the area of exchange and limits sharing of information. Even temp employees must meet the credentialing process. LTC has contracts with physicians but have no badges; everyone knows everyone here, it's small.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
BP6 WV 006 S3
Business Practice Long Description: Corrections has a BA agreement for billing purposes but not for sharing of information. Correctional Medical Services (in all WV prisons) have access to health records. The reliability of the info exchange is in the hands of the sender; we rely on what they say, no verification process. Temps at corrections have limited access to Med Records; once he has left the place, he can't get access to info again. But they all get FBI background checks, photo ID, sign in and sign out.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
Scenario 3. Patient Care Scenario C (continued)
Columns: BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative
BP3 WV 003 S3 (continued)
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Rule
BP4 WV 004 S3
Policy: Long Description: EHR transfer, personal identity, password failure, failure to provide encryption code
Stakeholder Organization: Physician groups
Cause: The business practice analysis generally asserts that this is a barrier to interoperability if HIPAA laws are broken. In addition, the implication is that this business practice would be covered by the HIPAA construct of TPO. However, there is recognition within the business practice analysis that several issues arise from patient transfer, identity, password, and encryption failures that are described within the scenario. As such the classification by this stakeholder as a barrier based on the numerous violations of HIPAA regulations pursuant to
Relevant Law (Legal Driver) -- Narrative: Original: HIPAA privacy and covered entity, regulation of rules of nursing facility, Case - Psych - patient, Federal - overseas transmissions. Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service.
Access to electronic information controlled by HIPAA Security
Rule Technical Safeguards.
Long term care
facilities and
BP5 nursing homes
The business practice analysis does not identify any of the Psychiatrist without electronic access privileges and rights
privacy and security domains as a barrier. The classification by requests review of patient’s EHR containing information from
this stakeholder is unassigned. In fact, the likelihood of a recent hospital stay. Use of psychiatrist’s picture identification
correctional system inmate being placed in a nursing home is badge met physical control requirements for access to health
facility. The psychiatrist’s inability to access EHR systems
remote. In addition, the business practice long description
prompts him to use an outsourced offshore transcription service.
emphasized the application and importance of business This scenario bypasses administrative and technical controls
associates agreements and the correctional systems reliance required to limit access, encrypt and audit access to patient
on these agreements to ensure compliance. However, these EHR’s. Psychiatrist receives report via Web the information
agreements are not designed to obviate the need for proper security infrastructure, and management practices of the
administrative, technical, and physical controls for protected transcription service are unclear. The psychiatrist sends these
health information. Given this observation the barriers results by encrypted email to the medical facility, although lack of
previously identified for this scenario would have to be encryption key prevents delivery
considered as barriers in this scenario.
Correctional
BP6 facilities
PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (continued)
Columns on this page: BP#, Relevant Law (Legal Driver) -- Reference Code/Statute, Solution

BP3
  Reference Code/Statute: HIPAA Security Rule, 45 CFR § 164 Part C

BP4
  Reference Code/Statute: HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely

BP1
  Reference Code/Statute: HIPAA Security Rule – 45 CFR §164.312.

BP5

BP6
  Reference Code/Statute: 1. HIPAA Security Regs – 45 CFR §§ 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code § 27-3-1, WV Code § 27-3-2, WV Code § 27-5-9, WV Code § 64-12-14, US Code § H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may provide a methodology for
PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D

Scenario 4 - Patient Care D: Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women's Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene because other family members have had breast cancer.

Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description, Stakeholder Organization

BP1 WV 001 S4 | Stakeholder Organization: Community clinics and health centers | Scenario 4 - Patient Care D
  Business Practice Long Description: Our clinic follows state law which does not allow the transmittal of HIV information without the consent of the patient. Also, this information is not supposed to be kept in the patient chart. This is problematic in paper records - because it causes providers to keep a secret registry. In electronic records, this is handled in some cases by a provider making a decision to make this information available to other providers. The interface of the electronic record should inform the patient of his/her rights under the law and allow the patient to designate which information would be available. In paper systems this is incredibly hard to enforce. In electronic systems, access can be granted to certain information - but users end up using common passwords because it is not always the provider who can get the information needed and take care of the patient.
  Classification / Domain:
    Barrier to interoperability / 1. User and entity authentication
    Not a barrier to interoperability / 2. Information authorization and access controls
    Not a barrier to interoperability / 8. State law restrictions
    Barrier to interoperability / 9. Information use and disclosure policy
  Policy: Short Description: Confidential Information Policy
  Policy: Long Description: Takes a global approach to medical information. Who has access to the information. Who makes the decision to release the information. Consent forms for releases. Special considerations for certain laws governing HIV, Mental Health etc.

BP2 WV 002 S4 | Stakeholder Organization: Hospitals | Scenario 4 - Patient Care D
  Business Practice Long Description: Our hospital staff, which may include physician, nurse, clerk, NP, PA, would release the minimum necessary information for treatment excluding the HIV information unless the pt provides authorization. If not emergent, we ask for signed authorization which includes HIV authorization.
  Classification / Domain: Barrier to interoperability / 9. Information use and disclosure policy
  Policy: Short Description: Confidentiality of PHI
  Policy: Long Description: The presence of any behavioral medicine patient at our facility and any and all details of the treatment process of any patient shall be maintained as confidential. For the purposes of confidentiality, protected information, i.e. drug, ETOH, STD (HIV), and behavioral health, and specific releases are required.
PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D (continued)
Columns on this page: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1 (first domain row)
  Cause: HIPAA Security Regs require person or entity authentication.
  Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP1 (last domain row)
  Cause: Misinterpretation of state law. No consent is required for the disclosure of the PHI for treatment purposes. WV law specifically allows the disclosure of HIV PHI for treatment of the individual.
  Reference Code/Statute: WV Code §§ 16-3C-2, 16-3C-3(a)(5), and 16-3C-4.

BP2
  Cause: Misinterpretation of state law and HIPAA. Minimum necessary requirement does not apply to disclosures for treatment and there is no authorization requirement for disclosure of the PHI for treatment purposes in HIPAA or state law.
  Reference Code/Statute: WV Code §§ 16-3C-2, 16-3C-3(a)(5), and 16-3C-4. HIPAA Privacy Regs 45 CFR §§ 164.506 and 164.502(b).
PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D (continued)
Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description, Stakeholder Organization

BP3 WV 003 S4 | Stakeholder Organization: Payers | Scenario 4 - Patient Care D
  Business Practice Long Description: In the workers' compensation arena, by filing a claim and signing the injury report form a patient authorizes any physician to release to or orally discuss with the employer or authorized agent of the carrier any medical records pertaining to the occupational injury or illness for which he/she is claiming benefits and any prior injury to or disease to the portion of the body for which he/she is alleging a medical impairment. Only authorized carrier staff, employer staff, providers and the patient have access to the electronic record. We use a system with security parameters set based on individual job-related need for access. Password required. Claimant, employer and provider access limited to specific claim information only. Provider access can be further limited for a specific period of time. Carrier employees required to sign security policy agreement. Employ transmission protection such as VPN and encryption for outside network access.
  Classification / Domain: Barrier to interoperability / 2. Information authorization and access controls
PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D (continued)
Columns on this page: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP3
  Cause: No legal requirements. WC provides privacy and security of information as a corporate decision.
  Reference Code/Statute: None.
PRIVACY AND SECURITY Scenario 5. Payment Scenario

Scenario 5 - Payment: X Health Payer (third party, workers compensation, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.). The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider's workforce members and medical staff members and their office staff. X Health Payer is requesting access to the EHR by its case management staff to approve/authorize inpatient encounters.

Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description

BP1 WV 001 S 5 | Scenario 5 - Payment
  Business Practice Long Description: Our hospital security officer would allow the payer to have access to the EHR through a secure web portal. Only the requested records would be accessible and the minimum necessary information.
  Classification / Domain: Barrier to interoperability / 2. Information authorization and access controls
  Policy: Short Description: Information Security Policy & Remote Access

BP2 WV 002 S 5 | Scenario 5 - Payment
  Business Practice Long Description: Our company would limit access to specific pieces of information related to the payer's claim and would allow the needed transfer of health information for payment purposes. User authentication, legal agreement and hardware/software authentication would be required to validate that access is provided only to the intended user. Security parameters would further limit access to read only. Access would be provided only to personnel of payer needing information for job functions. Record linking methods required to match certain information such as patient name, date of birth, date of service, to allow payer access only to pertinent information. Transmission protection such as VPN, encryption and network security required for access to information. Data use agreement would be in place.
  Classification / Domain: Barrier to interoperability / 8. State law restrictions
PRIVACY AND SECURITY Scenario 5. Payment Scenario (continued)
Columns on this page: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Reference Code/Statute, Relevant Law (Legal Driver) -- Narrative

BP1 | Stakeholder Organization: Hospitals
  Policy: Long Description: Access to information in the possession or the control of our facility must be provided based on the need to know and the minimum necessary to perform essential functions. Information must be disclosed only to people or entities who have a legitimate need. The privileges granted to all users must be periodically reviewed. Unless it has specifically been deemed public, all internal information must be protected from disclosure to third parties. Third parties may be given access to internal information only when a demonstrable need to know exists, when a Data Use Agreement or Business Associate Agreement has been signed, and when such an agreement has been expressly authorized by the relevant information Owner. If sensitive information is suspected of being lost or disclosed to unauthorized parties, the information Owner and the Compliance Officer must be notified immediately. All third parties are responsible for securing their private networks from our network. In no case shall network-to-network connectivity be allowed without appropriate security technology. Some type of security mechanism shall exist between our network and any third party.
  Cause: Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule "minimum necessary" standard and the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements.
  Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule – 45 CFR §164.312.

BP2 | Stakeholder Organization: Payers
  Cause: Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule "minimum necessary" standard and the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements.
  Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule – 45 CFR §164.312.
PRIVACY AND SECURITY Scenario 5. Payment Scenario (continued)
Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain

BP3 WV 003 S 5 | Scenario 5 - Payment
  Business Practice Long Description: Our business office personnel would request access to the EHR. This would automate a process that is now manual. The system needs to let us request and receive the minimum necessary information for the situation. The provider would benefit by receiving an automated approval/authorization from us. The more providers connected to a common system/network, the more efficient the process is for us and the providers. The patient benefits from the faster approval/authorization of inpatient encounters, the provider has less or no staff time involved in fulfilling the request, and we have less burdensome processes in handling the approval/authorization. This eliminates the problem of lost, misrouted, or stolen records and reduces shipping and transportation costs.
  Classification / Domain: Barrier to interoperability / 2. Information authorization and access controls
PRIVACY AND SECURITY Scenario 5. Payment Scenario (continued)
Columns on this page: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Reference Code/Statute, Relevant Law (Legal Driver) -- Narrative

BP3 | Stakeholder Organization: Payers
  Cause: HIPAA minimum necessary requirements
  Reference Code/Statute: HIPAA Privacy Regs, 45 CFR § 514
PRIVACY AND SECURITY Scenario 6. RHIO Scenario

Scenario 6 - RHIOs: The RHIO in your region wants to access data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients.

Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Long Description

BP1 WV 001 S 6 | Scenario 6 - RHIO
  Business Practice Long Description: For our association, as long as the patient data is aggregate or non-personally identifiable, there would be no problem sharing with the RHIO. Providers would be notified and given the opportunity to participate. If personal identifiers were required, there would be an IRB approval process and a patient informing process.
  Classification / Domain:
    Barrier to interoperability / 1. User and entity authentication
    Barrier to interoperability / 2. Information authorization and access controls
    Not a barrier to interoperability / 3. Patient and provider identification
    Not a barrier to interoperability / 5. Information protection (against improper modification)
    Not a barrier to interoperability / 6. Information audits that record and monitor activity
    Barrier to interoperability / 8. State law restrictions
    Barrier to interoperability / 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 6. RHIO Scenario (continued)
Columns on this page: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1 | Stakeholder Organization: Professional associations and societies
  Domain row 1 (User and entity authentication)
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security and Privacy Rules as a BA under contract
    Reference Code/Statute: 45 CFR §§164, et seq.
  Domain row 2 (Information authorization and access controls)
    Relevant Law (Legal Driver) -- Narrative: HIPAA Security and Privacy Rules as a BA under contract. IRB approval is not required under law for disclosure to a BA for TPO.
    Reference Code/Statute: 45 CFR §§164, et seq.; 21 CFR Parts 50 and 56.
  Domain row 8 (State law restrictions)
    Relevant Law (Legal Driver) -- Narrative: West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
    Reference Code/Statute: West Virginia Code Section 16-29G-8.
  Domain row 9 (Information use and disclosure policy)
    Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. However, the RHIO would operate as a business associate.
    Reference Code/Statute: HIPAA Privacy Rule – 45 CFR Part 164, Subpart E; 45 CFR § 164.504(e).
PRIVACY AND SECURITY Scenario 6. RHIO Scenario (continued)
Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Long Description

BP2 WV 002 S 6 | Scenario 6 - RHIO
  Business Practice Long Description: QIOs can release this information with their CMS contracts, but if they have a research grant, they need to get IRB approval. They mostly give info out deidentified, if the contract permits.
  Classification / Domain: Barrier to interoperability / 9. Information use and disclosure policy

BP3 WV 003 S 6 | Scenario 6 - RHIO
  Business Practice Long Description: Workers Comp has worked with a state agency to give this info out and also did work on a National Level - but wouldn't give out identifiers.
  Classification / Domain: Barrier to interoperability / 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 6. RHIO Scenario (continued)
Columns on this page: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP2 | Stakeholder Organization: Quality improvement organizations
  Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
  Reference Code/Statute: HIPAA Privacy Rule – 45 CFR Part 164, Subpart E. West Virginia Code Section 16-29G-8.

BP3 | Stakeholder Organization: Payers
  Cause: No legal requirements. WC provides privacy and security of information as a corporate decision.
  Reference Code/Statute: None.
PRIVACY AND SECURITY Scenario 7. Research Data Use Scenario

Scenario 7 - Research Data Use: A research project on children younger than age 13 is being conducted in a double blind study for a new drug for ADD/ADHD. The research project is being reviewed by the IRB that presides over research protocols at the major medical center where the research investigators are located. The data being collected are all electronic and all responses from the subjects are completed electronically in the same database file. The principal investigator was asked by one of the investigators if they could use the raw data to track the patients over an additional six months or use the raw data collected for a white paper that is not part of the research protocol's final document for his postdoctoral fellow program.

Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description, Stakeholder Organization

BP1 WV 001 S7 | Stakeholder Organization: Homecare and hospice | Scenario 7 - Research Data Use
  Business Practice Long Description: Under home health law, the principal investigator would decline the request because the use of the data was not included in the original IRB. Home health law in WV is based on federal regulation and agencies must be compliant with the federal regulations. At times agencies participate in research activities and must remain compliant with the federal privacy requirements and also the requirements of the research entity with which they are involved. Therefore the utilization of data as outlined in the IRB would necessitate the information only to be used in the manner which was described.
  Classification / Domain: Barrier to interoperability / 8. State law restrictions

BP2 WV 002 S7 | Stakeholder Organization: Medical and public health schools that undertake research | Scenario 7 - Research Data Use
  Business Practice Long Description: Additional tracking and use of data is not permitted unless a second study has been approved through the IRB.
  Classification / Domain:
    Not a barrier to interoperability / 1. User and entity authentication
    Not a barrier to interoperability / 2. Information authorization and access controls
    Not a barrier to interoperability / 3. Patient and provider identification
    Not a barrier to interoperability / 4. Information transmission security or exchange protocols
    Not a barrier to interoperability / 5. Information protection (against improper modification)
    Not a barrier to interoperability / 6. Information audits that record and monitor activity
    Not a barrier to interoperability / 7. Administrative or physical security safeguards
    Not a barrier to interoperability / 8. State law restrictions
  Policy: Short Description: HIPAA Research
  Policy: Long Description: Authorization, among many other items, includes: * The name or identification of the persons or class of persons authorized to receive disclosures of PHI and to use the PHI for research-related purposes. * A description of each purpose for the use or disclosure.
PRIVACY AND SECURITY Scenario 7. Research Data Use Scenario (continued)
Columns on this page: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
  Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
  Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502(g)(1-5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992);

BP2
  Reference Code/Statute: HIPAA - Privacy Rule; Other Federal Law - 45 CFR 46 Federal Human Subject Protection Rules
PRIVACY AND SECURITY Scenario 7. Research Data Use Scenario (continued)
Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description, Stakeholder Organization

BP2 WV 002 S7 (continued)
  Classification / Domain: Barrier to interoperability / 9. Information use and disclosure policy

BP3 WV 003 S7 | Stakeholder Organization: Medical and public health schools that undertake research | Scenario 7 - Research Data Use
  Business Practice Long Description: In our medical school, IRB approval must be sought (by the Principal Investigator) for either scenario; however, the nature of the request and the investigator responsibilities differ: To extend data collection an additional six months for a purpose not covered by the previously approved IRB protocol, the investigator must submit a new protocol covering this new purpose to the IRB for consideration. Since the proposal will be prospective, subjects will need to give their consent (or assent for children under the age of 18) to collect data for this second purpose. The new protocol, like the earlier protocol, would probably require a full-board review because the target population is a protected population, i.e., children under 13 years of age. To analyze the raw data previously collected under an approved IRB protocol could make a new protocol eligible for expedited consideration depending on whether the raw data includes personal health information and sensitive information that if released could potentially cause harm. It is possible to request the IRB waive "consenting" for existing data on the grounds that it would be impractical or unfeasible.
  Classification / Domain: Barrier to interoperability / 2. Information authorization and access controls

BP4 WV 004 S7 | Stakeholder Organization: Public Health agencies | Scenario 7 - Research Data Use
  Business Practice Long Description: In our agency, the protected health information in the research database would be covered by HIPAA, but HIPAA could be addressed with appropriate business associate relationships. The investigator would need to get approval of the additional research from his/her institutional review board. The original IRB would need to weigh whether granting access was permissible, and it would likely depend on the disclosures in the original informed consent. In the worst case, the new research would require new informed consent from the parents of all of the children.
  Classification / Domain: Barrier to interoperability / 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 7. Research Data Use Scenario (continued)
Columns on this page: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP2
  Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy,
  Reference Code/Statute: US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56.

BP3
  Cause: Tight control of human subject research with fully informed consent is current public policy. Sharing PHI data (whether for adults or children) without specific consent is contrary to current public policy governing research protocols. ** Please see attached word document for a fuller analysis of this scenario.
  Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
  Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502(g)(1-5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992);

BP4
  Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
  Reference Code/Statute: HIPAA Privacy Regs – 45 CFR §§ 164.502(g)(1-5), and §164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR §46.101-§46.124; US FDA Regs. governing human subject drug research: 21 CFR § 50.50-50.56. WV Code § 16-29-1; WV Code § 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992);
PRIVACY AND SECURITY Scenario 8. Scenario For Access By Law Enforcement

Scenario 8 - Law Enforcement: An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer arrives in the ER in addition to the patient's parents. The police officer requests a copy of the blood alcohol test results and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests are made to the ER staff. The patient is covered under their parent's health and auto insurance policy.

Columns on this page: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Long Description, Stakeholder Organization

BP 1 WV 001 S 8 | Stakeholder Organization: Payers | Scenario 8 - Law Enforcement
  Business Practice Long Description: The expected result would be that since the child is an adult, the parents are not privy to his protected health information without his consent per HIPAA privacy regulations. The police officer can obtain a copy of the report without specific patient consent for determining proper charges. A person who operates a motor vehicle implicitly consents to testing to determine intoxication if there is just cause to believe the person is intoxicated. If a paper copy is provided to law enforcement, proper identification should be provided for user authentication. Fax submissions should contain a confidentiality statement and information on protocols if received by an unintended user. Electronic submissions should be encrypted. If the provider and law enforcement agency exchange information frequently, a data use agreement could be entered into.
  Classification / Domain:
    Not a barrier to interoperability / 6. Information audits that record and monitor activity
    Not a barrier to interoperability / 7. Administrative or physical security safeguards
    Barrier to interoperability / 9. Information use and disclosure policy

BP2 WV 002 S 8 | Stakeholder Organization: State government | Scenario 8 - Law Enforcement
  Business Practice Long Description: In our agency, HIPAA and state confidentiality provisions would most likely prevent the parents obtaining the information without the adult patient's consent. The police officer could obtain the results in conjunction with his or her investigation of the accident.
  Classification / Domain: Barrier to interoperability / 8. State law restrictions
In our hospital, law enforcement personnel are denied access to patients
unless they have a court order. Software access is limited by password.
Each password has restrictions as to information which may be accessed.
Through the use of third party software, all information is encrypted when
being sent over electronic communications network. Passwords have
designated security clearances which define whether user has no access,
view only access, or has an ability to add, delete or modify information. A
master security log is maintained on line to determine user access and the
processes completed. Staff are required to use the organizations network
for all I.S. activity. The network includes up to date security measures
which protects against unauthorized access, introduction of dangerous Barrier to 1. User and entity
BP3 WV 003 S 8 items such as worms, and attempts by users to enter unauthorized areas. interoperability authentication Hospitals
PRIVACY AND SECURITY Scenario 8. Scenario For Access By Law Enforcement (continued)

Relevant Law (Legal Driver) (columns: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute)

BP 1: no entry.

BP 1: no entry.

BP 1
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists when the disclosure is to the parents, or when the disclosure to law enforcement is not required by law.
Relevant Law (Legal Driver) -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access as required by law.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: W. Va. Code §§17C-5-4 & 17C-5-6; 45 C.F.R. §§ 164.502(a)(1)(i); 164.502(g)(3)(i); 164.508(a)(1); 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 16-29-1; 17C-5-4; 17C-5-6

BP2
Relevant Law (Legal Driver) -- Narrative: As a 19 year old “child” is an adult, parents cannot access their child’s PHI, without authorization, under state law and HIPAA.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1; Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992); HIPAA Privacy Regs – 45 CFR §§ 164.502(a)(1)(i), 164.502 (g)(3)(i), and 164.508(a)(1).

BP3
Cause: We agree that disclosure to law enforcement of the PHI in this Scenario would require patient authorization, unless the tests were undertaken at the direction of law enforcement, in which case disclosure is required by law in West Virginia; federal laws governing the confidentiality of alcohol and drug treatment records would not apply in this circumstance, and would not represent a barrier to interoperability.
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs requiring Administrative and Technical Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR §§ 164.308, 164.312
PRIVACY AND SECURITY Scenario 8. Scenario For Access By Law Enforcement (continued)

Business Classification (continued)

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 2. Information authorization and access controls

BP3 (WV 003 S 8): Not a barrier to interoperability; Domain: 3. Patient and provider identification

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 4. Information transmission security or exchange protocols

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 5. Information protection (against improper modification)

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 6. Information audits that record and monitor activity

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 7. Administrative or physical security safeguards

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 8. State law restrictions

BP3 (WV 003 S 8): Barrier to interoperability; Domain: 9. Information use and disclosure policy

BP4 (WV 004 S 8)
Business Practice Long Description: In correctional facilities, parents can not get at the info - it is a state law. If they are on parole, the parolees agree to monitoring while they are incarcerated- they don’t have a choice.
Scenario: Scenario 8 - Law Enforcement
Classification: Barrier to interoperability
Domain: 8. State law restrictions
Stakeholder Organization: Correctional facilities
PRIVACY AND SECURITY Scenario 8. Scenario For Access By Law Enforcement (continued)

Relevant Law (Legal Driver) (continued; columns: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute)

BP3
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs requiring Administrative and Technical Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR §§ 164.308, 164.312

BP3: no entry.

BP3
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Technical Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP3
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Technical Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP 1: no entry.

BP3
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Technical Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.312

BP3
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require Administrative Safeguards
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR § 164.308

BP3
Relevant Law (Legal Driver) -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6

BP3
Relevant Law (Legal Driver) -- Narrative: Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6

BP4
Relevant Law (Legal Driver) -- Narrative: Law enforcement desires access to blood alcohol test results of 19-year-old accident victim. Parents desire access to 19-year-old child’s ER record and lab results. Should the hospital tests result in showing of HIV or STD, those applicable infectious disease confidentiality provisions would also serve as a barrier. Parents of an adult “child” cannot access PHI without an authorization signed by that adult “child,” while law enforcement may gain such access when required by law.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1; 64 CSR 12-7.2 (DHHR Hospital Licensure Rule); 42 U.S.C.A. 290dd-3 (Public Health Service Act); 42 CFR 2.11 (Federal Mental Health Record Confidentiality Rule); 45 CFR §§ 164.502 (g) and (j), 164.524 (HIPAA Privacy Regs). 45 C.F.R. §§ 164.512(a); 164.512(f)(1)(i); 42 C.F.R. § 2.12(e); W. Va. Code §§ 17C-5-4; 17C-5-6
PRIVACY AND SECURITY Scenario 9. Pharmacy Benefit Scenario A

Scenario 9 - Pharmacy Benefit A (DRAFT): The Pharmacy Benefit Manager (PBM) has a mail order pharmacy and also has a closed formulary. The PBM receives a prescription from Patient X for the antipsychotic medication Geodon. The PBM’s preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider’s Outpatient Clinic.

Business Classification (columns: BP#, Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description)

BP1 (WV 001 S9)
Business Practice Long Description: In state government, we have a network established that connects the PBMs with payers and physicians. Members choose to participate under agreements with PBMs and PHI is transmitted with patient consent. User authentication is an important component to ensure that it is the PBM contacting the physician and the physician replying to the PBM.
Scenario: Scenario 9 - Pharmacy Benefit A
Classification: Barrier to interoperability
Domain: 8. State law restrictions

BP2 (WV 002 S9)
Business Practice Long Description: Business practice is same as in the scenario.
Scenario: Scenario 9 - Pharmacy Benefit A
Classification: Unassigned
Domain: 1. User and entity authentication

BP3a (WV 003a S9)
Business Practice Long Description: As a workers' compensation insurer, we have a standard drug list and require the use of generics where available. If a script is received and is not on the list, authorization for the drug is withheld. The prescribing physician may be contacted to write the script for an approved alternative drug for authorization or to provide justification for the prescribed drug before authorization is provided. If the claimant takes the script to a participating pharmacy and it is not approved, the claimant or the pharmacist may contact the claims adjuster for clarification. If a generic is available and the doctor has not indicated the claimant cannot take the generic, it may be authorized. Otherwise, the prescribing doctor will have to provide a new script for a medication on the drug list or provide justification for the prescribed drug. Further, W. Va. Code provides that if a generic medication is available, it must be provided. If the claimant chooses to obtain the brand-name drug, he/she will be responsible for payment for the difference.
Scenario: Scenario 9 - Pharmacy Benefit A
Classification: Barrier to interoperability
Domain: 8. State law restrictions

BP3b (WV 003b S9)
Business Practice Long Description: In Workers Comp, the Point of Sale system is available only to those employees needing access to perform business functions and participating providers. Password authentication is required. Security policies/confidentiality agreements are in place with employees regarding protection of information. End user agreements are in place with participating providers. Authentication is required for access to the system. Technology is in place to secure the system from unintended users. A vendor is used to implement secure transmission of data. The vendor provides software that allows protection from data modification.
PRIVACY AND SECURITY Scenario 9. Pharmacy Benefit Scenario A (continued)

Relevant Law (Legal Driver) (columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute, Possible Solutions)

BP1
Stakeholder Organization: State government
Relevant Law (Legal Driver) -- Narrative: There is currently no WV law regulating PBMs. Public Employees Insurance Agency (“PEIA”) does have statutory authority to manage the increase in prescription drug cost and execute prescription drug purchasing agreements on behalf of the state of West Virginia with PBMs and other private sector arrangements, provided that “no private entity may be compelled to participate in the prescription drug purchasing pool,” and PEIA “may not enter into a contract with a private entity” without Legislative approval. To the extent that the scenario anticipates that the communication occurs electronically, the electronic submission would violate West Virginia law and regs. First, the Board of Pharmacy regulation language indicates that a “wet” signature is required and that a digital signature (either physical digitalized signature or digital key signature) will not meet the requirement. Second, the regs have “non intermediary” requirements.
Relevant Law (Legal Driver) -- Reference Code/Statute: W.Va. Code § 5-16C-1, et seq.; W.Va. Code § 30-5-1 et seq. and W.Va. C.S.R. § 15-1-1, et seq.; W.Va. Code § 60A-1-101, et seq;
See report on e-Prescribing: http://www.tygart.com/Eprescriptions.asp

BP2
Stakeholder Organization: Community clinics and health centers

BP3a
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: 1. Unique features of West Virginia workers’ compensation program governing and requiring the prescribing of generic drugs by pharmacy for a workers’ compensation claimant. The workers’ compensation law requires a pharmacist who is filling a prescription for a workers’ compensation claimant to dispense the generic brand of the drug, if one exists. If a generic does not exist then the pharmacist can dispense the name brand drug. Interoperability issues involve the failure of out of state providers and businesses that operate in West Virginia to understand the unique requirements of the West Virginia workers’ compensation system.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: State Law - W. Va. Code §23-4-3(a)(3); Regulation - 85 C.S.R. 20 - Medical Management of Claims; W.Va. Code § 23-4-3(a)(3) and W.Va. C.S.R. § 85-20-1 et seq.

BP3b: no entry.
PRIVACY AND SECURITY Scenario 9. Pharmacy Benefit Scenario A (continued)

Business Classification (continued)

BP3c (WV 003c S9)
Business Practice Long Description: Workers' compensation programs are exempt from HIPAA. State law and regulations provide limits on prescription medication and medication management issues. Out of state providers may be unaware of these laws and regulations or may try to apply the laws and fee schedules from their state. We sometimes have difficulty getting out of state providers to accept workers' compensation patients and the established fee schedule on a non-emergent basis because of these issues. To address this problem, we contract with provider agencies that specialize in providing state-wide providers. By agreeing to accept WV Workers' Compensation patients, these providers agree to accept our fees and to abide by our laws and regulations.

BP4 (WV 004 S9)
Business Practice Long Description: As a clinician, we deal with out of state PBM's daily who request an authorization form or provide OV notes over the phone and fax. If the patient does not meet the PBM formulary the Dr. changes the medication to the preferred medication.
Scenario: Scenario 9 - Pharmacy Benefit A
Classification: Barrier to interoperability
Domain: 7. Administrative or physical security safeguards
Policy: Short Description: Prior authorization, Office and HIPAA policy
Policy: Long Description: Covered entity due to the insurance of continued care for the patient.

BP5 (WV 005 S9)
Business Practice Long Description: As a payer, we have a preferred drug list. The claimant needs preauthorization for drugs not preauthorized and if the claimant wants one that is not, they have to pay. If the generic is available, State Law says we can automatically give them the generic.
Scenario: Scenario 9 - Pharmacy Benefit A
Classification: Barrier to interoperability
Domain: 8. State law restrictions

BP6 (WV 006 S9)
Business Practice Long Description: As a payer, we have a higher standard of security for behavioral health info and with administering these types of benefits. Care management personnel are specially trained and they have a higher level of permissions for this type of info. All this info is maintained in our database and reports can be generated.
Scenario: Scenario 9 - Pharmacy Benefit A
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
PRIVACY AND SECURITY Scenario 9. Pharmacy Benefit Scenario A (continued)

Relevant Law (Legal Driver) (continued; columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute, Possible Solutions)

BP3c: no entry.

BP1: no entry.

BP4
Stakeholder Organization: Clinicians
Relevant Law (Legal Driver) -- Narrative: Original: HIPAA, State, and Federal law. Determining the status of pharmacy benefit managers (“PBM”) under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and whether PBMs are considered “covered entities” or “business associates.” Generally, PBMs do not meet the definition of a “covered entity” under
Relevant Law (Legal Driver) -- Reference Code/Statute: 1. HIPAA 45 C.F.R. § 160.102; HIPAA 45 C.F.R. § 164.502(e)(1); HIPAA 45 C.F.R. § 164.506.

BP5
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: Workers Comp law requires generic prescribing where available
Relevant Law (Legal Driver) -- Reference Code/Statute: W. Va. Code § 23-1-1 et seq.

BP6
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: The legal analysis differs depending upon whether the Pharmacy Benefit Manager or the outpatient clinic is in West Virginia. HIPAA regulations allow the disclosure of protected health information for payment purposes. If the Pharmacy Benefit Manager is in West Virginia, there are no West Virginia Code provisions against seeking the collection of data. If the clinic is in West Virginia, it may not reveal mental health information beyond that which the Pharmacy Benefits Manager already knows because the clinic has already released the data to the payor. The clinic should also assure that Pharmacy Benefits Managers have a Business Associate Agreement with the insurers.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Regulation §164.506; West Virginia Code § 27-3-1; 27-3-2; 27-5-9(e)
PRIVACY AND SECURITY Scenario 10. Pharmacy Benefit Scenario B

Scenario 10 - Pharmacy Benefit B (DRAFT): A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the companies' employees’ prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if the PBM1 could save the company money on their prescription drug benefit. Company A is self-insured and as part of their current benefits package, they have the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims to them to complete the review.

Business Classification (columns: BP#, Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description, Stakeholder Organization)

BP1 (WV 001 S10)
Business Practice Long Description: In our pharmacy, we recognize that HIPAA allows release of PHI for payment and treatment purposes but the review of that information without patient consent by another PBM would probably fall outside of that allowance. If the information was aggregate and not patient identifiable, then the review could probably be conducted. Very important the PBMs not be able to modify the data showing a prescription that has been processed and filled.
Scenario: Scenario 10 - Pharmacy Benefit B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Pharmacies

BP2 (WV 002 S10)
Business Practice Long Description: From the perspective of our public health agency, using aggregate statistics would be all right, but if the scenario is as stated, Company A is already on very thin ice. Assuming that PBM2 and not Company A actually has the claims, then PBM2 could transmit the claims to PBM1 under HIPAA, provided it had a Business Associate agreement with PBM. There might be state law barriers related to disclosure of drugs used in specific conditions, e.g. HIV/AIDS or psychiatric disorders.
Scenario: Scenario 10 - Pharmacy Benefit B
Classification: Barrier to interoperability
Domain: 8. State law restrictions
Stakeholder Organization: Public Health agencies

BP3 (WV 003 S10)
Business Practice Long Description: As a payer, we have Business Associate agreements in place. This is a standard agreement unless the other company has another form- we may use both. We build policies on what HIPAA requires- we have an index of BA policies. All the data we send is encrypted. PHI has to be encrypted and the receiver has the user ID and password to un-encrypt. Internally, that is not necessary because of our firewalls.
Scenario: Scenario 10 - Pharmacy Benefit B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Payers

BP3 (WV 003 S10): Scenario 10 - Pharmacy Benefit B; Barrier to interoperability; Domain: 4. Information transmission security or exchange protocols; Stakeholder Organization: Payers

BP4 (WV 004 S10)
Business Practice Long Description: As a payer, we have a consultant oversee pharmacy benefits and the consultant can see info on pts- we have a BA agreement with them. We also have a procedure audit and they are reviewed by HIPAA as part of due diligence. We contract with a company to provide PHI. Every employee has signed a confidentiality agreement.
Scenario: Scenario 10 - Pharmacy Benefit B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Stakeholder Organization: Payers
PRIVACY AND SECURITY Scenario 10. Pharmacy Benefit Scenario B (continued)

Relevant Law (Legal Driver) (columns: BP#, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute)

BP1
Cause: We generally agree that the identified business practice presents barriers to interoperability, including the use of multiple business associate agreements, the creation of summary health information (a type of de-identified PHI), and compliance with the minimum necessary standard.
Relevant Law (Legal Driver) -- Narrative: Employer who sponsors a self-insured group health plan may have only limited access to PHI, but may obtain summary health information (a type of de-identified PHI) to obtain premium bids or to modify or amend its group health plan.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. §§ 164.502(b)(1); 164.504(e); 164.504(f)

BP2
Relevant Law (Legal Driver) -- Narrative: The HIPAA privacy and security rules.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code § 16-29-1(b); HIPAA Privacy Regs. – 45 CFR §§ 164.312(e)(2), 164.501, 164.502(a)(1)(i), 164.502(e), 164.504(a), 164.504(e), 164.504(f), 164.504(f)(1)(ii), 164.504(f)(2)(ii)(C), 164.504(f)(2)(iii), 164.504(f)(3)(iv), 164.508(a)(1), 164.514(e)(4), 164.514(d)(3)

BP3
Relevant Law (Legal Driver) -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs. – 45 CFR §§ 164.502(e), 164.504(e)

BP3
Relevant Law (Legal Driver) -- Narrative: Secure transmission of electronic PHI must be consistent with the HIPAA Security rule.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs. – 45 CFR § 164.312

BP4
Relevant Law (Legal Driver) -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs. – 45 CFR §§ 164.502(e), 164.504(e)
PRIVACY AND SECURITY Scenario 11. Healthcare Operations and Marketing Scenario A

Scenario 11 - Operations and Marketing A (DRAFT): ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and one large tertiary hospital, DEF Medical Center, which has served as the system's primary referral center. Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art, stand-alone rehab center. Six months into operation, ABC Health Care does not feel that the rehab center is being fully utilized and is questioning the lack of rehab referrals from the critical access hospitals. ABC Health Care has requested that its critical access hospitals submit monthly reports to the system six-sigma team to analyze patient encounters and trends for the following rehab diagnoses/procedures: Cerebrovascular Accident (CVA), Hip Fracture, Total Joint Replacement. Additionally, ABC Health Care is requesting that this same information, along with individual patient demographic information, be provided to the system Marketing Department. The Marketing Department plans to distribute to these individuals a brochure highlighting the new rehab center and the enhanced services available.

Business Classification (columns: BP#, Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description)

BP1 (WV 001 S 11)
Business Practice Long Description: Our hospital policy permits Marketing to use PHI for marketing purposes as permitted by HIPAA and other applicable Federal and West Virginia laws. With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her PHI can be made for marketing. Based on the scenario they are IDS and would be appropriate.
Scenario: Scenario 11 - Operatns & Mkting A
Classification: Barrier to interoperability
Domain: 1. User and entity authentication
Policy: Short Description: Use of PHI for Marketing Purposes

BP2 (WV 002 S 11)
Business Practice Long Description: As a payer, we would not supply PHI to anyone, esp in a marketing campaign, esp now with HIPAA.
Scenario: Scenario 11 - Operatns & Mkting A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP3 (WV 003 S 11)
Business Practice Long Description: As a long term care facility, we would not supply PHI to anyone, esp in a marketing campaign, esp now with HIPAA.
Scenario: Scenario 11 - Operatns & Mkting A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP4 (WV 004 S 11)
Business Practice Long Description: As a QIO, we would not supply PHI to anyone, esp in a marketing campaign, esp now with HIPAA. In a QIO, we would be in violation of HIPAA and our CMS contracts.
Scenario: Scenario 11 - Operatns & Mkting A
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 11. Healthcare Operations and Marketing Scenario A (continued)

Relevant Law (Legal Driver) (columns: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute)

BP1
Policy: Long Description: IDS may not sell PHI to a business associate or any other third party for that party's own purposes. IDS may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. Exceptions to the definition of marketing fall into the following three categories: (1) A communication is not "marketing" if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; (2) A communication is not "marketing" if it is made for treatment of the individual; (3) A communication is not "marketing" if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
Stakeholder Organization: Hospitals
Relevant Law (Legal Driver) -- Narrative: 1. With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - §164.501 - Definition - Marketing; HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP2
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP3
Stakeholder Organization: Long term care facilities and nursing homes
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP4
Stakeholder Organization: Quality improvement organizations
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
PRIVACY AND SECURITY Scenario 11. Healthcare Operations and Marketing Scenario A (continued)

Solution (columns: BP#, Solution)

BP1
Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule’s definition of marketing.

BP2: no entry.

BP3
Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule’s definition of marketing.

BP4
Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule’s definition of marketing.
PRIVACY AND SECURITY Scenario 12. Healthcare Operations and Marketing Scenario B

Scenario 12 - Operations & Marketing B (DRAFT): ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requesting PHI on all deliveries including mother's demographic information and birth outcome (to ensure that contact is made only with those deliveries that resulted in healthy live births). The Marketing Department has explained that they will use the PHI for the following purposes: 1. To provide information on the hospital's new pediatric wing/services; 2. To solicit registration for the hospital's parenting classes; 3. To request donations for construction of the proposed neonatal intensive care unit; 4. They will sell the data to a local diaper company.

Business Classification (columns: BP#, Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description)

BP1 (WV 001 S 12)
Business Practice Long Description: Our hospital practice requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital. Therefore, our hospital would not sell the data to a local diaper company without patient authorization.
Scenario: Scenario 12 - Operatns & Mkting B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy: Short Description: Use and Disclosure of PHI for Marketing

BP2 (WV 002 S 12)
Business Practice Long Description: Our hospital would not allow this practice.
Scenario: Scenario 12 - Operatns & Mkting B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy: Short Description: Use of PHI for Marketing Purposes

BP3 (WV 003 S12)
Business Practice Long Description: As a payer, we would have to sign a form with all involved persons to release any info- we do not sell any data. We used to be able to acquire lists, but now we would have to ask them to sign a form to release info- HIPAA has not been a Barrier to this because we can use permission forms. The info would be transferred electronically and encrypted.
Scenario: Scenario 12 - Operatns & Mkting B
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 12. Healthcare Operations and Marketing Scenario B (continued)

Relevant Law (Legal Driver) (columns: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute)

BP1
Policy: Long Description: Our hospital requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital.
Stakeholder Organization: Hospitals
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP2
Policy: Long Description: (1) Communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or (2) An arrangement between our hospital and another third party, whereby our hospital discloses PHI to the third party in exchange for direct or indirect remuneration as the result of the other party or its affiliate making a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Our hospital may not sell PHI to a business associate or any other third party for that party's own purposes. Our hospital may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.
Stakeholder Organization: Hospitals
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule’s definition of marketing.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).

BP3
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule’s definition of marketing require authorization from the patient/patient’s representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.508(a)(3).
PRIVACY AND SECURITY Scenario 12. Healthcare Operations and Marketing Scenario B
Columns: BP# | Solution

BP1
  Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP2
  Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP3
  Solution: (no entry)
PRIVACY AND SECURITY Scenario 13. Bioterrorism Event

Scenario 13 - Bioterrorism Event: A provider sees a person who has anthrax, as determined through lab tests. The lab submits a report on this case to the local public health department. The public health department in the adjacent county has been contacted and has confirmed that it is also seeing anthrax cases, and therefore it could be a possible bioterrorism event. Further investigation confirms that this is a bioterrorism event, and the State declares an emergency. This then shifts responsibility to a designated state authority to oversee and coordinate a response, and involves alerting law enforcement, hospitals, hazmat teams, and other partners, as well as informing the regional media so the public is alerted to symptoms and seeks treatment if they feel affected. The State also notifies the Feds of the event, and some federal agencies may have direct involvement in the event. All parties may need to be notified of specific identifiable demographic and medical details of each case as they arise to identify the source of the anthrax, locate and prosecute the parties responsible for distributing the anthrax, and protect the public from further infection.

Columns: BP# | Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable)

BP1 (WV 001 S13) - Hospitals
  Business practice: Our hospital privacy officer would disclose as required using the minimum necessary rule.
  Scenario: Scenario 13 - Bioterrorism Event
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy
  Policy (short): Guidelines Pertaining to Disclosures for Law Enforcement Purposes Without Written Authorization, Court Order, Subpoena or Other Process

BP2 (WV 002 S13) - Laboratories
  Business practice: Once our lab would submit a report to the local public health dept or to the State as per those regs. governing anthrax and other public health threats, then it would be in the hands of the State and Federal agencies. If all parties would need to obtain additional information from our lab, then that agency would notify our corporate compliance dept. via proper documentation or request.
  Scenario: Scenario 13 - Bioterrorism Event
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP3a (WV 003a S13) - Public Health agencies
  Business practice: Public health law is state-specific. I do not know the extent to which Federal anti-terrorism legislation has attempted to pre-empt state law, but I'm doubtful such pre-emption would be effective in a case like this that does not appear to involve interstate commerce. Therefore, I believe the state disease control laws would have primacy. Under state law, the health director is generally authorized to disclose information needed to control the spread of contagious disease. All information exchange originating under the direction of the state health director or his/her designate is probably permissible, even if it discloses PHI to the public. There may be limits on the health director's discretion, but I doubt they would be significant under the scenario described. The one important question is whether the public health director has authority to disclose PHI to law enforcement agencies. Customarily, public health agencies have not done so, because of the chilling effect it is believed to have on ongoing disease investigation.
  Scenario: Scenario 13 - Bioterrorism Event
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions

BP3b (WV 003b S13)
  Business practice: I don't know if current law in West Virginia mandates such disclosure, as it may; if it does not, then the disclosure would fall under the discretion of the public health director. Therefore the major barrier might be in the event individual institutions or health professionals were not aware of their duty to report information in a public health emergency, or if they obstructed transmission of sensitive data to the health agency out of a perceived risk of liability for disclosure. If they have read HIPAA, they won't have such fears.
  Scenario: Scenario 13 - Bioterrorism Event
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP4 (WV 004 S13) - Federal health facilities
  Business practice: As a federal health facility, we would not be allowed to give out any info under the Laws of Confidentiality. Although, in an act of terrorism, there are some exceptions. Your individual identity cannot be revealed, and we could give them demographics and we could contact others about the situation. But if the person has a contagious disease and he knowingly infects others, he is then considered a criminal and he has no rights. We would: send the info by an authorized courier in a sealed envelope, or through data secure telephone lines, or through scrambled, encrypted email.
  Scenario: Scenario 13 - Bioterrorism Event
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
PRIVACY AND SECURITY Scenario 13. Bioterrorism Event
Columns: BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
  Relevant law (narrative): HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose.
  Reference: HIPAA Privacy Rule, 45 CFR § 164.514(d)(3)(iii)(A); WV Code § 15-5-1 et seq.; 64 CSR § 7 (regs regarding reportable diseases)

BP2
  Relevant law (narrative): HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose.
  Reference: HIPAA Privacy Rule, 45 CFR § 164.514(d)(3)(iii)(A); WV Code § 15-5-1 et seq.; 64 CSR § 7 (regs regarding reportable diseases)

BP3a
  Relevant law (narrative): No legal barrier to public health's disclosure to law enforcement. State Homeland Security provisions, the general and emergency powers of the Governor under the legislation, along with the State Director of Health's authority, allow for these disclosures.
  Reference: W. Va. Code §§ 15-5-1 et seq., 16-3-1 and 15-5-6; 64 CSR § 7 (regs regarding reportable diseases)

BP3b
  Cause: Stakeholder cites perception issues.
  Reference: 1. WV Code § 15-5-1 et seq.

BP4
  Relevant law (narrative): HIPAA Security and Privacy Rules together require the CE to safeguard protected health information, electronic and hard copy.
  Reference: HIPAA Security Rule, 45 CFR Part 164, Subpart C and HIPAA Privacy Rule § 164.530(c)
PRIVACY AND SECURITY Scenario 14. Employee Health Information Scenario

Scenario 14 - Employee Health Info: An employee (of any company) presents in the local emergency department for treatment of a non-work-related chronic condition that has exacerbated. The employee's condition necessitates a four-day leave from work for illness. The employer requires a "return to work" document for any illness requiring more than 2 days' leave. The hospital ED has an EHR, and their practice is to cut and paste patient information directly from the EHR and transmit the information electronically to the HR department.

Columns: BP# | Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP1a (WV 001a S 14)
  Business practice: As a payer, our business practice is to allow employees a certain number of paid time off (PTO) days. No detailed reason is needed for using those days. Short-term disability/long-term disability are also provided for certain medical issues and do require documentation to justify the disability. In this scenario, there are a couple of options. One, if the employer and hospital frequently exchange information, a confidentiality agreement or data use agreement needs to be entered into. The HR department could adjust its form to require only certain, non-specific medical information required only to justify the disability period. The hospital would then be responsible for providing the minimally necessary medical information as needed. It should be the hospital's policy to not provide more information than requested or needed per HIPAA privacy regulations, so the cut and paste practice may be a violation. The second option, one employed by the state of WV, would be for the return to work document to require only the disability period, the diagnosis and the treating doctor's signature.
  Scenario: Scenario 14 - Employee Hlth Info
  Classification: Barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP1b (WV 001b S 14)
  Business practice: No specific medical information would be needed. End user should be limited to HR department employees. No access should be provided outside that unit. Data use agreement/confidentiality agreement should be in place to prevent unnecessary dissemination of protected health information.
  Classification: Not a barrier to interoperability
  Domain: 6. Information audits that record and monitor activity

BP1c (WV 001c S 14)
  Business practice: Transmission protections would be implemented between the sender and end user, such as encryption of information.
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols

BP1d (WV 001d S 14)
  Business practice: End user should be provided read-only access to information. One-way transmission (ED to HR department only) should be considered.
  Classification: Not a barrier to interoperability
  Domain: 9. Information use and disclosure policy

BP1e (WV 001e S 14)
  Business practice: Only HR department employees should have access to the transmitted information. Information should be limited by ED to that minimally necessary to fulfill HR's need. Once transmitted, information should be contained within the employee's personnel file and not be subject to view by outside parties.

BP1f (WV 001f S 14)
  Business practice: Special precautions for psychiatric/HIV information - patient must authorize release of information.
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP2 (WV 002 S 14)
  Business practice: Our hospital would prepare a leave of absence note for the employer which would limit information to the name of the employee, date seen by medical facility/physician, estimated time to be away from work, and signature of physician or other appropriate medical personnel.
  Scenario: Scenario 14 - Employee Hlth Info
  Classification: Barrier to interoperability
  Domain: 1. User and entity authentication
PRIVACY AND SECURITY Scenario 14. Employee Health Information Scenario
Columns: BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1a - Payers
  Cause: The identified business practice involves multiple barriers to interoperability, but we disagree with the rationale employed; disclosure of PHI from existing health care records to the employer requires a signed authorization from the patient; once authorization is signed, disclosures made thereunder are not subject to the minimum necessary standard; once such information is lodged in employment files, it is no longer considered PHI; however, electronic transmission of the information to the employer must follow proper verification and security procedures.
  Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
  Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP1b
  (no entry)

BP1c
  Relevant law (narrative): HIPAA Security Technical Safeguards
  Reference: HIPAA Security Rule, 45 CFR § 164.312

BP1d
  (no entry)

BP1e
  (no entry)

BP1f
  Relevant law (narrative): WV State law regarding HIV test results
  Reference: W. Va. Code §§ 16-3C-2, 3, 4; W. Va. Code § 27-3-1

BP2 - Hospitals
  Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
  Relevant law (narrative): same as BP1a above.
  Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103
PRIVACY AND SECURITY Scenario 14. Employee Health Information Scenario
Columns: BP# | Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description

BP3 (WV 003 S 14)
  Business practice: As a correctional facility, our business practice/procedure is that we have our own form to fill out for a return to work. Electronic transfer of emergency room data would not be accepted. The return to work form may eventually be able to be emailed and then completed for return. Additional ER info would not be necessary or desired. Password protected on secure lines. Limited access to the computer itself. Passwords must be changed on an irregular basis. Would need patient consent. The multiple information systems would need this patient consent prior to allowing access to the personal health information. Would need development of special programs for the encryption.
  Scenario: Scenario 14 - Employee Hlth Info
  Classification: Barrier to interoperability
  Domain: 2. Information authorization and access controls
  Policy (short): return to work form
  Policy (long): Employee off more than 3 days submits for FMLA under the Family and Medical Leave Act (FMLA) of 1993. At the end of leave must submit a "return to work form" that has been completed by the physician - not by cut and paste in the ER.

BP4 (WV 004 S 14)
  Business practice: As a physician group, our office physician can release a RTW date to the employer, but any medical information would need a release of records from the patient. The HIPAA and State Laws would override the ER Policy. We use tracking forms in each chart to show info that was copied/faxed, who sent it, and where it went and the date sent.
  Scenario: Scenario 14 - Employee Hlth Info
  Classification / Domain (three rows):
    Barrier to interoperability - 4. Information transmission security or exchange protocols
    Not a barrier to interoperability - 7. Administrative or physical security safeguards
    Not a barrier to interoperability - 8. State law restrictions
  Policy (short): Covered entity
  Policy (long): Patient release must be signed to release records.

BP5 (WV 005 S 14)
  Business practice: As a payer, under the State System we had PEIA Coverage and they required the forms for being out for 3 days. Dr filled out the info and a RTW notice - all done on paper - no electronic version of this. This can also be faxed, and whoever is on the receiving end of the fax can view the info.
  Scenario: Scenario 14 - Employee Hlth Info
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP6 (WV 006 S 14)
  Business practice: In our payer organization, the employer cannot get at the info unless the employee signs an agreement. This is done on a paper basis. Our organization has an imaging process. This info is QUARANTINED - meaning only the appropriate person can get at the info. All have a secure storage place for records - we have an onsite storage place and to get entrance, you have to have special permissions - there is a keyless entry.
  Scenario: Scenario 14 - Employee Hlth Info
  Classification / Domain (two rows):
    Barrier to interoperability - 8. State law restrictions
    Barrier to interoperability - 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 14. Employee Health Information Scenario
Columns: BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP3 - Correctional facilities
  Cause: We agree with the identified business practice, and agree that it involves multiple barriers to interoperability, including patient authorization and use of proper security procedures.
  Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.
  Reference: Original: Other Federal Law - Family and Medical Leave Act 1993; Other - Company FMLA and Time & Attendance Policy. 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP4 - Physician groups
  Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
  Relevant law (narrative): A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a "return to work" document is not treatment, payment, or health care operations; if PHI is included
  Reference: Original: HIPAA. 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP5 - Payers
  (no entry)

BP6 - Payers
  Cause: We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.
  Relevant law (narrative): same as BP3 above.
  Reference: 45 C.F.R. §§ 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103
PRIVACY AND SECURITY Scenario 15. Public Health Scenario A

Scenario 15 - Public Health A: An active TB patient has decided to move to a desert community that focuses on spiritual healing. The TB is classified MDR (multi-drug resistant). The patient purchases a bus ticket; the bus ride will take a total of nine hours with two rest stops. State A is made aware of the patient's intent two hours after the bus with the patient leaves. The State now needs to contact the bus company and State B with the relevant information. State A may need to contact every state along the route.

Columns: BP# | Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable)

BP1a (WV 001a S15) - Homecare and hospice
  Business practice: Since TB is a publicly reported disease, the home health agency nurse would report the information to the public health department and allow the public health department to take action. At the present time there are very few systems in which home health agencies share electronic personal health information, and the system for public reporting electronically such as would be needed in this instance is not presently available. It would be necessary to assure integrity of the communication between only those entities who had necessity of receiving the data. In present home health electronic information systems only those personnel who have been trained can access patient data. In general there are few who can access the entire database, and changes/modifications can only be made by those with certain security/access abilities. Most agencies have internal policies that dictate the utilization of electronic data within the agency and most often that shared with a fiscal intermediary and the state data collection agency.
  Scenario: Scenario 15 - Public Health A
  Classification / Domain (two rows):
    Barrier to interoperability - 2. Information authorization and access controls
    Barrier to interoperability - 5. Information protection (against improper modification)
  Policy (long): All home health agencies have in place within their infection control policies and procedures for the reporting of publicly reported communicable diseases.

BP1b (WV 001b S15)
  Business practice: Very few, if any, of the home health agencies are presently sharing electronic health data with other health care entities. Most exchange of information between entities currently takes place by paper exchange or oral exchange. WV home health agencies comply with federal regulation as outlined in the HIPAA standards and the home health conditions of participation as set forth by CMS at the federal level. The WV Office of Health Facilities Licensure and Certification is responsible for the oversight of agency compliance.
  Scenario: Scenario 15 - Public Health A
  Classification: Barrier to interoperability
  Domain: 4. Information transmission security or exchange protocols

BP2 (WV 002 S15) - Laboratories
  Business practice: I would think that State A is made aware of the TB patient's location, and would need to locate both the bus company as well as other States along the route. Each State dept. of health would be involved in this process until the patient is located for additional follow-up.
  Scenario: Scenario 15 - Public Health A
  Classification: Not a barrier to interoperability
  Domain: 3. Patient and provider identification

BP3 (WV 003 S15) - Public Health agencies
  Business practice: This is a pure public health response, clearly authorized under law. Since the state already has a report of a case, there is no barrier to reporting the case in the first place. Since the patient has absconded, the state health director may use state quarantine law and ask the police to halt the bus before it leaves the state. Failing that, the health director will inform the Centers for Disease Control, which will inform the other states. The state health director's discretionary authority also allows him or her to notify adjacent states.
  Scenario: Scenario 15 - Public Health A
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions

BP4 (WV 004 S15) - Federal health facilities
  Business practice: As a federal health facility, we would consider this to be a wanted person and someone that is violating others' rights. He would be considered a bio-hazard. We could send the info to the media and to other states and health care providers; for instance, we could say that John Doe is a wanted criminal or is a suspect. He loses all of his rights under the Privacy Act. We would first check out to see if he was dangerous to others and/or to himself. We would contact the health authorities, and state police via phone.
  Scenario: Scenario 15 - Public Health A
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
PRIVACY AND SECURITY Scenario 15. Public Health Scenario A
Columns: BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1a (two rows)
  Relevant law (narrative): HIPAA Security regs require that PHI be safeguarded by covered entities, if a covered entity were sharing information with the state in this scenario.
  Reference: HIPAA Security Regs, 45 CFR § 164.302 et seq.

BP1b
  Relevant law (narrative): HIPAA Security regs require that PHI be safeguarded by covered entities, if a covered entity were sharing information with the state in this scenario.
  Reference: HIPAA Security Regs, 45 CFR § 164.302 et seq.

BP2
  (no entry)

BP3
  Relevant law (narrative): The home state public health department of an active TB patient moving via bus to another city may, upon its order or the order of a state court of record, disclose the patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting the public health department to enforce a state or court order. The patient is an active TB carrier who is spreading the disease and is subject to public health department isolation, quarantine, etc.
  Reference: WV Code § 16-3D-3 to 9; 64 CSR §§ 7-3.4, 12.1.a.4, and 19-17-19; HIPAA Privacy Regs § 164.512(b).

BP4
  Relevant law (narrative): The home state public health department of an active TB patient moving via bus to another city may, upon its order or the order of a state court of record, disclose the patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting the public health department to enforce a state or court order. The patient is an active TB carrier who is spreading the disease and is subject to public health department isolation, quarantine, etc. LWG unable to find any federal law dealing with TB and believe the issue is left to the States.
  Reference: WV Code § 16-3D-3 to 9; 64 CSR §§ 7-3.4, 12.1.a.4, and 19-17-19.
PRIVACY AND SECURITY Scenario 16. Public Health Scenario B

Scenario 16 - Public Health B: A newborn's screening test comes up positive for a rare genetic disorder and the state lab test results are made available to the child's physicians and specialty care centers specializing in the disorder via an Interactive Voice Response system. The state lab also enters the information in its registry, and tracks the child over time through the child's physicians. The state public health department provides services for this rare genetic disorder and notifies the physician that the child is eligible for those programs. One of the services that the mother uses from the state is regularly purchasing special food products for persons with PKU.

Columns: BP# | Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain

BP1 (WV 001 S16)
  Business practice: Generally, the provider and the clinical staff will make several phone calls to find assistance and support for the parent or child. In all my years of practice, I have never witnessed this scenario in the clinical setting - the closest to this scenario is the reportable infectious disease process - which is pretty effective. Also, not all providers are aware of mandated requirements to report certain genetic or other disorders to the state - some labs are out of state, so they do not know all the state reporting requirements either.
  Scenario: Scenario 16 - Public Health B
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions

BP2 (WV 002 S16)
  Business practice: Office of Maternal Child and Family Health - WV Code 16-22-3 mandates that abnormal labs in newborn children be reported to the Bureau for Public Health. It also permits identification, follow-up treatment with physicians and other resources provided by BPH. Communication involving PII/PHI is conducted by phone and faxing.
  Scenario: Scenario 16 - Public Health B
  Classification: Not a barrier to interoperability
  Domain: 8. State law restrictions

BP3 (WV 003 S16)
  Business practice: It may be necessary to identify this child with special codes so as not to release the name of the child to outside entities, other than the physician and state health officials.
  Scenario: Scenario 16 - Public Health B
  Classification: Barrier to interoperability
  Domain: 8. State law restrictions
PRIVACY AND SECURITY Scenario 16. Public Health Scenario B
Columns: BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute

BP1 - Professional associations and societies
  Relevant law (narrative): No legal driver. (WV mandates reporting in WV Code § 16-22-1 et seq., which disclosure is permitted under the HIPAA Privacy Rule.)

BP2 - Public Health agencies
  (no entry)

BP3 - Laboratories
  Relevant law (narrative): No legal requirement to identify the patient with specific codes; direct identifiers are allowed.
PRIVACY AND SECURITY Scenario 17. Public Health Scenario C
A homeless man arrives at a county shelter and is found to be a drug addict and in need of medical care. The person does have a
primary provider, and is sent there for the medical care, and is referred to a hospital-affiliated drug treatment clinic for his addiction
Scenario 17 - under a county program. The addiction center must report treatment information back to the county for program reimbursement, and
Public Health back to the shelter to verify that the person is in treatment. Someone claiming to be a relation of the homeless man requests
DRAFT
C information from the homeless shelter on all the health services the man has received.
Business Classification Specify Other
Policy: Short Stakeholder
BP# Practice Business Practice Long Description Scenario (Barrier v. Not Domain Policy: Long Description Stakeholder (if
Description Organization
Short Name a Barrier) applicable)
As a public health agency, we recognize that under 42CFR Federal Law the patient
must authorize release of medical records. Chapter 27 of state mental health law on
the other hand requires that the spouse, or next of kin be notified of admission to
our state psychiatric facilities. Exceptions to patient authorization require a court Scenario 17 - Barrier to 8. State law Public Health
BP1 WV 001 S17 order. Public Health C interoperability restrictions agencies
BP2 | WV 002 S17 | Scenario 17 - Public Health C | Barrier to interoperability | Domain: 8. State law restrictions | Stakeholder: Homecare and hospice
Business practice: Home health providers would not release this information to this individual. All home health providers are required by federal law to comply with HIPAA regulations. Compliance with the transfer of electronic information in HIPAA-approved formats will in 2007 be required in order for agencies to receive reimbursement. Administrations are designing and implementing programs that meet these privacy standards. Also, within the requirements for participation in the Medicare/Medicaid program, agencies must meet patient privacy standards as outlined by the Centers for Medicare and Medicaid Services. Home health agencies are regulated by federal regulations, which are monitored and enforced by the WV Office of Health Facilities Licensure and Certification. In this scenario, also applicable would be WV state law concerning next of kin and Medical Power of Attorney, which would only be utilized if the patient were incapacitated and could not relate his own wishes and desires for the handling of this health care information.
Policy (long description): All home health agencies have policies that dictate to whom private information can be released. These policies are compliant with federal regulations outlined in HIPAA and the home health conditions of participation.
BP3 | WV 003 S17 | Scenario 17 - Public Health C | Barrier to interoperability | Domain: 9. Information use and disclosure policy | Stakeholder: Hospitals
Business practice: Our hospital employees may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
Policy (short description): Guidelines Pertaining to Disclosures Made Without Written Authorization But Pursuant To A Court Order, Subpoena, Search Warrant or Discovery Request
Policy (long description): Our facility may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
BP4 | WV 004 S17 | Scenario 17 - Public Health C | Unassigned | Domain: 2. Information authorization and access controls | Stakeholder: Federal health facilities
Business practice: As a federal health facility, we would not provide any info unless the Vet says it is ok. The family member would have to leave their contact info with us, and the case manager would contact the Vet and give it to them; it is then their choice. If another facility wants the info, the Privacy Act can release info if it is medically necessary. The Vet would be able to release that to another facility; they have to sign the waiver and it has to be signed in front of our employee. The Vet has to show proper ID. The release form is specific to the info that they want to release. Info is transmitted via letter, fax, or internet, and is encrypted. The only time PHI can be released without the patient's authorization is if it is a medical emergency; in other words, if the Vet would die if someone didn't know the PHI. The Privacy Act protects us in that they can't come back and sue us for giving out info unless they said we can, and then it hinders the quick release of info if it is an emergency. It is so much easier to share info between our facilities because of our EHRS. We all follow the same criteria.
BP4 | WV 004 S17 | Scenario 17 - Public Health C | Barrier to interoperability | Domain: 9. Information use and disclosure policy
PRIVACY AND SECURITY Scenario 17. Public Health Scenario C (DRAFT) - Legal Drivers
Columns: BP# | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
BP1
Cause / Legal driver narrative: Again, consent is the key to release of information. A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs, but is covered under WV Code §27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs and can refer patient to drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, who already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent.
Reference code/statute: Original: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR §164.506; 522(a); WV Code §§27-3-1; 27-5-9(e)
Solution: Have all patients with substance abuse problems and/or mental illness sign general consents to release information for treatment, payment and healthcare operation under HIPAA Reg. 164.506(b) upon entering the facility; repeal WV §27-5-9(e). Amend §27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent.
BP2
Cause / Legal driver narrative: Relative of drug addict individual in need of treatment cannot access individual's PHI, without authorization, under state law, HIPAA, and other federal laws.
Reference code/statute: WV Code §§ 16-30-8, 27-1A-11, 27-3-1 and 2, 27-5-9, 27-7-1 thru 3, 16-29-1; HIPAA Privacy Regs – 45 CFR §§ 164.512(a, b, e, and j), 164.506, 164.508, 164.510, 164.512(e), 164.514(a); 42 U.S.C.A. §§ 290dd-3, 290ee-3; 42 CFR §§ 2.1 et seq.
BP3
Cause / Legal driver narrative: A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs, but is covered under WV Code §27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs and can refer patient to drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, who already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent. The notification of next of kin only applies after involuntary commitment to a mental health facility. If the patient objects, the information cannot be released.
Reference code/statute: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR §164.506; 522(a); WV Code § 27-3-1; 27-5-9(e)
BP4
Cause / Legal driver narrative: The HIPAA Privacy Rule provides for uses and disclosures of protected health information that require an opportunity for the individual to agree or to object.
Reference code/statute: HIPAA Privacy Rule – 45 CFR §164.510(b).
BP4
PRIVACY AND SECURITY Scenario 18. Health Oversight: legal compliance/government accountability (DRAFT)
Scenario 18 - Health Oversight: The Governor's office has expressed concern about compliance with immunization and lead screening requirements among low income children who do not receive consistent health care. The state agencies responsible for public health, child welfare and protective services, Medicaid services, and education are asked to share identifiable patient level health care data on an ongoing basis to determine if the children are getting the healthcare they need. Because of the complexity of the task, the Governor has asked each agency to provide these data to faculty at the state university medical campus who will design a system for integrating and analyzing the data.
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description
BP1 | WV 001 S18 | Scenario 18 - Health Oversight
Business practice: Our clinic would not participate in this project until patients had been informed and gave permission to share this information. We would, however, provide this information without personal identifiers or addresses for a study to determine where there may be problems.
Domains and classification:
1. User and entity authentication - Barrier to interoperability
2. Information authorization and access controls - Barrier to interoperability
3. Patient and provider identification - Not a barrier to interoperability
4. Information transmission security or exchange protocols - Barrier to interoperability
6. Information audits that record and monitor activity - Barrier to interoperability
7. Administrative or physical security safeguards - Barrier to interoperability
8. State law restrictions - Barrier to interoperability
9. Information use and disclosure policy - Barrier to interoperability
BP2 | WV 002 S18 | Scenario 18 - Health Oversight | Barrier to interoperability | Domain: 9. Information use and disclosure policy
Business practice: As a payer, our research staff would need to set this up as a designated research process. Medicaid would be able to disclose PHI but would have to de-identify the info. We are asked by HCA all the time to give them info; we have a BA with them.
PRIVACY AND SECURITY Scenario 18. Health Oversight: legal compliance/government accountability (DRAFT) - Legal Drivers
Columns: BP# | Stakeholder | Specify Other Stakeholder Organization (if applicable) | Cause | Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
BP1 | Stakeholder: Community clinics and health centers
Legal driver narrative: 1. HIPAA permits disclosure of protected health information for public health activities only to a public health authority that is authorized by law to collect or receive such information.
Reference code/statute: 1. HIPAA Privacy Rule – 45 CFR §§ 164.501 and 164.512(b)(1)
Solution: Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.
BP2 | Stakeholder: Payers
Legal driver narrative: HIPAA BAA and Research requirements. HIPAA de-identification option is also an option without getting a BAA or IRB approval.
Reference code/statute: HIPAA Privacy Rule
Solution: 1. Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.