PRIVACY AND SECURITY

DRAFT

Scenario 1. Patient Care Scenario A

Patient X presents to the emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89-year-old widow who appears very confused. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X's prior diagnosis and treatment during the inpatient stay.

Worksheet columns recorded for each business practice (BP): Business Practice Short Name; Business Practice Long Description; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution.

BP1 -- WV 001 S 1 -- Hospitals
Business practice: Our hospital staff (nurse, doctor) would first validate if there is PHI in the patient's records. If not, we would fax the minimum necessary for treatment without an authorization. If PHI is in the record, we would determine if the daughter was the medical power of attorney. If yes, we would validate her signature and then have her sign a release to send the protected info. If not, we would have a physician or nurse sign an authorization and send, after validating who we are speaking to at the other facility by a call back. We use a role-based access process in which Directors/Managers/IT Security & Privacy collaborate. We have a signed OHCA (Organized Healthcare Arrangement) with 2 other local facilities and share information for patient care purposes; however, we do not release one another's information to those outside of our OHCA. We do have audit capabilities on systems. Random audits are performed. We use Tessa locks on doors.
Classification: Barrier to interoperability
Domain: 3. Patient and provider identification; 4. Information transmission security or exchange protocols
Policy (short): Uses & Disclosures of Protected Health Information; Minimum Necessary
Policy (long): Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed, completed release. Reasonable steps will be taken to limit both routine and non-routine uses of, disclosures of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of PHI. Exceptions include:
  - Use or disclosure to, or requests by, a provider for treatment purposes
  - Use or disclosure to the subject of the information (patient)
  - Use or disclosure made under a specific (detailed PHI) valid authorization
  - Use or disclosure required for compliance with HIPAA electronic transaction standards
  - Use or disclosure required by other laws (such as victims of abuse, neglect, or domestic violence, and compliance with workers' compensation; see policies III.080, III.085, III.090, III.095)
  - Disclosure to DHHS
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney, and we do not agree that the minimum necessary standard applies in this situation. These should not be barriers to interoperability.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information. (Original: Federal Register 164.502, Uses and disclosures of protected health information: general rules; hospital policy.)
Relevant law (reference): HIPAA Security Technical Safeguards, 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5). (Original: 45 CFR 164.312.)

BP2 -- WV 002 S 1 -- Hospitals
Business practice: ER staff (nurse, doctor, or clerk) would call the hospital and advise that they were faxing a request for medical records. If necessary, the staff would obtain authorization from the POA or responsible party. Verbal confirmation by phone, followed by a faxed written request and authorization. There is security of exchange protocols for faxing information. No encryption.
Classification: Not a barrier to interoperability (for each domain listed)
Domain: 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper modification); 6. Information audits that record and monitor activity; 8. State law restrictions; 9. Information use and disclosure policy
Policy (short): Facsimile Machines and PHI P&P; HIPAA
Policy (long): Standard cover sheet with "Confidentiality Statement". Errors in transmission must be corrected immediately and reported to the Privacy Officer. If there is no POA or responsible party, the physician would order appointment of a surrogate.
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney. This should not be a barrier to interoperability.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information. (Original: HIPAA Privacy and State Law, Appointment of Health Care Decision Maker.)
Relevant law (reference): 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5)

BP3 -- WV 003 S 1 -- Clinicians
Business practice: A clinician verifies the ER calling and verifies any restrictions placed on medical records that would cause barriers. If none, send records. Tracking forms/initials on all things in the chart. Computer password.
Classification: Not a barrier to interoperability
Policy (short): HIPAA
Policy (long): Hospital/ER covered entity
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists for the verification and security procedures.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information.
Relevant law (reference): 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5)

BP4 -- WV 004 S 1 -- Correctional facilities
Business practice: In correctional facilities, there is no release of info without the patient's informed consent or medical power of attorney. It has to be verified by fax and phone, and signatures are compared by a case manager. We do not release info without a court order. If you are a prisoner and have a WC claim, you won't get paid. Corrections can only get the info through a court order. There is no electronic info in the prison system; it is all paper. WV has subcontracted this out to a company.
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Cause: We believe the verification and security procedures do represent barriers to interoperability; we do not believe that a signed authorization or court order is required to disclose PHI for treatment purposes, and these should not be viewed as barriers to interoperability.
Relevant law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information. Information on the HIPAA Security regulations was included, although the BP does not mention electronic PHI. However, we are aware that Corrections' status as a covered entity may vary.
Relevant law (reference): 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.512(k)(5); 164.514(h)(1); W. Va. Code 27-3-1(b)(5)

BP5 -- WV 005 S 1 -- Long term care facilities and nursing homes
Business practice: In long term care this process is very restrictive. We need authorization with everything involving Mental Health. The facilities verify this with fax and phone. Nothing is verified electronically.
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Relevant law (narrative): No legal barrier. We assume that State A is West Virginia. HIPAA allows release of such information for treatment purposes. West Virginia state law only precludes the release of mental health information, but does not place any special restrictions on the collection of such data. Unless the neighboring state's law restricts the release of such information to the emergency room, this should not present a problem.
Relevant law (reference): HIPAA Regulation 164.506; West Virginia Code §§ 27-3-2; 27-5-9(e).

RTI International Privacy and Security Contract No. 290-05-0015
Page 1 of 63
166337667.xls.ms_office

Scenario 2. Patient Care Scenario B

A specialty substance abuse treatment facility wants to refer client X to a primary care facility for a suspected medical problem. The client has a long history of using various drugs and alcohol relevant for medical diagnosis. The information is being sent to the primary care provider without the patient's authorization. The primary care provider refers the patient to a specialist and sends all of their information (without patient authorization), including the information received from the substance abuse treatment facility, to the specialist.

BP1 -- WV 001 S2 -- Hospitals
Business practice: In our hospital, if the patient is able to sign then we (clinician or clerk) would do that first. If the patient is unable to make decisions on their own, the durable power of attorney or surrogate can authorize.
Classification: Barrier to interoperability (one row); Not a barrier to interoperability (one row)
Domain: 9. Information use and disclosure policy; 3. Patient and provider identification
Policy (short): Uses & Disclosure of PHI
Policy (long): Release to Health Care Providers: PHI may be released to other health care providers without patient authorization to facilitate continued emergency patient care, only after phone verification that the requestor is a health care professional calling from a health care institution. Other requests from hospitals must be accompanied by a signed, completed release.
Relevant law (narrative): Confidentiality of Alcohol and Drug Abuse Patient Records requires patient consent for disclosure and redisclosure of substance abuse records.
Relevant law (reference): 42 CFR 2.32 and 2.33

BP2 -- WV 002 S2 -- Hospitals
Business practice: In our hospital, clinical information is not released without a signed authorization from the patient, or from the guardian if the patient is under the age of 12. State and Federal laws strictly outline procedures for sharing substance abuse patient information.
Classification: Not a barrier to interoperability (domains 6 and 7); Barrier to interoperability (domain 8)
Domain: 6. Information audits that record and monitor activity; 7. Administrative or physical security safeguards; 8. State law restrictions
Cause: Consent is the key to releasing substance abuse information to third parties, even to other providers. When a patient enters a state hospital, we try to get them to agree to a generalized consent to release information for treatment, payment and health care operations. As a general matter, substance abusers do not have personal representatives whose consent is required to release substance [incomplete in source]
Relevant law (narrative): State law requires DHHR to obtain consent for disclosure of mental health information for treatment. WV law also requires all providers to obtain patient consent for payment and operations.
Relevant law (reference): WV Code 27-5-9(e); Substance Abuse Regs., 42 CFR Part 2, Subpart B; HIPAA Regs., 45 CFR §§ 164.506(b); 503(g); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).
Solution: Maximize use of general consents for treatment, payment and health care operations for patients with substance abuse and/or mental illness entering healthcare facilities under HIPAA Reg. § 164.506(b).

BP3 -- WV 003 S2 -- State government
Business practice: State Mental Health Law prevents transfer of mental health records without the patient's authorization.
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy (short): State Mental Health Law
Policy (long): If the patient is unable to authorize release of information, the physician orders that a health care surrogate be appointed per state mental health law. Authorization must be obtained before release of information.
Cause: The identified business practice does identify barriers to interoperability.
Relevant law (narrative): One health care provider cannot disclose PHI of a patient to another health care provider for routine treatment purposes without a signed authorization when drug or alcohol abuse treatment is involved; an authorized disclosure may not be redisclosed; proper verification and security procedures must be followed.
Relevant law (reference): 45 C.F.R. 164.310; 164.312; 164.512(k)(5); 42 C.F.R. 2.1; 2.2; 2.32; 2.51; W. Va. Code 27-3-1(b)(5); WV Code 27-3-1
Solution: Repeal § 27-5-9(e). Amend § 27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent.

BP4 -- WV 004 S2 -- Correctional facilities
Business practice: In Corrections, if anything refers to substance abuse, we don't release that info, but if we are going to refer the inmate, we can send a referral letter, but we are limited to just the facts. Corrections keeps this info forever; they are paper based. The records are kept in a locked room for limited access and are accessed by a Med Records Clerk.
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls

BP5 -- WV 005 S2 -- Payers
Business practice: In Workers Comp., we refer patients to specialists but our staff only send them what they need to know to treat the patient. WC makes the referral and sends all the info on a CD. We have electronic capabilities and this can be reviewed on the internet. We provide an ID and password to the provider so they can access just what they need to on that patient.
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Relevant law (narrative): Possibly Federal Substance Abuse Regulations
Relevant law (reference): 42 CFR Part 2

Scenario 3. Patient Care Scenario C

At 5:30pm Dr. X, a psychiatrist, arrives at the skilled nursing facility to evaluate his patient, recently discharged from the hospital psych unit to the nursing home. At the time of the patient's transfer, the discharge summary and other pertinent records were electronically transmitted to the nursing home. Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system. Dr. X completes his visit and prepares to complete his documentation. Unable to access the long-term care facility's EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service. The assessment is transcribed and posted to a secure web portal. The next morning, from his home computer, Dr. X checks his email and receives notification that the assessment is available. Dr. X logs into the portal, reviews the assessment, and applies his electronic signature. Later that day, Dr. X's Office Manager downloads this assessment from the web portal, saves the document in the patient's record in his office and forwards the now encrypted document to the long-term care facility via e-mail. The long-term care facility notifies Dr. X's office that they are unable to open the encrypted document because they do not have the encryption key.
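The last step of the scenario fails for a reason that has nothing to do with the strength of the cipher: the office encrypted the assessment under a key that only the office holds, and the ciphertext reached the facility with no way to obtain that key. The Go program below is an added example for this page; it is not part of the original worksheet and not any stakeholder's practice. It reproduces the failing pattern (a document sealed under a sender-only key, which the recipient cannot open) beside envelope encryption, where a one-time AES-256-GCM content key is wrapped with RSA-OAEP to the recipient's public key so that everything needed to decrypt travels with the message and only the recipient's private key can unwrap it. The recipient key pair, the sample document text and the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the attachment a sender ships: the document under a one-time
// AES-256-GCM content key, plus that key wrapped with RSA-OAEP to the
// recipient's public key. Only the recipient's private key can unwrap it.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, content key)
	Nonce      []byte // 96-bit GCM nonce, fresh for each content key
	Ciphertext []byte // AES-GCM output with the 128-bit tag appended
}

// NewRecipientKey stands in for the facility's published key pair (assumed; generated in-process so the example runs offline).
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// gcmSeal encrypts doc under a 32-byte key with a fresh random nonce.
func gcmSeal(key, doc []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, doc, nil), nil
}

// gcmOpen decrypts and authenticates; a wrong key or a modified byte fails.
// Called with a key the recipient never received, it reproduces the scenario's failure.
func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// SealDocument encrypts the document and wraps the content key to the
// recipient, so the key travels with the ciphertext instead of staying with the sender.
func SealDocument(recipient *rsa.PublicKey, doc []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(contentKey, doc)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenDocument is the recipient side: unwrap the content key, then decrypt.
func OpenDocument(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	return gcmOpen(contentKey, env.Nonce, env.Ciphertext)
}

func main() {
	doc := []byte("Initial psychiatric assessment (constructed sample, not a real record)")
	facility, _ := NewRecipientKey()

	// The scenario: the office encrypts under a key only it holds and mails the ciphertext alone.
	senderKey := make([]byte, 32)
	rand.Read(senderKey)
	nonce, ct, _ := gcmSeal(senderKey, doc)
	_, err := gcmOpen(make([]byte, 32), nonce, ct) // the facility has no key, so it can only guess
	fmt.Println("local-key attachment:", err)

	// The fix: the wrapped content key rides along; the facility's private key opens it.
	env, _ := SealDocument(&facility.PublicKey, doc)
	plain, err := OpenDocument(facility, env)
	fmt.Printf("envelope: err=%v, recovered=%v\n", err, string(plain) == string(doc))
}
```

The design point is that the key-distribution step is part of the protocol, not an afterthought: the sender never needs to share its own key, a wrong recipient's private key fails at the unwrap, and any tampering with the ciphertext fails the GCM tag check. Publishing the recipient's public key (for instance through an S/MIME certificate) is the out-of-band step the scenario was missing.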

Scenario 3. Patient Care Scenario C

BP#

Business Practice Short Name

Business Practice Long Description

Scenario

Classification (Barrier v. Not a Barrier)

Domain

Policy: Short Description

BP1

WV 001 S3

In our hospital, all clinical staff are given log in and passwords to use applicable data systems. Passwords limit the users ability to read access only if they are not in a position to need to add, edit, or update information. Electronic user logs are maintained on the mainframe. Medical staff must use specific transcription resources to insure that security is maintained and acceptable document formatting is used. Individual-specific password and logins are used which limits access on a need to know basis. Staff are instructed not to share passwords and logins. All sensitive information is encrypted prior to exchange over an electronic communications network.

Scenario 3 Patient Care C

Barrier to interoperability Barrier to interoperability

1. User and entity authentication 2. Information authorization and access controls

BP1

WV 001 S3

BP1

WV 001 S3

Barrier to 3. Patient and interoperability provider identification 4. Information transmission security Barrier to or exchange interoperability protocols 7. Administrative or Barrier to physical security interoperability safeguards Barrier to interoperability 8. State law restrictions

BP1

WV 001 S3

BP1 BP1 BP1

WV 001 S3 WV 001 S3 WV 001 S3

Barrier to 9. Information use interoperability and disclosure policy

RTI International Privacy and Security Contract No. 290-05-0015

Page 7 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY

Scenario 3. Patient Care Scenario C

DRAFT

DRAFT

DRAFT

BP#

Policy: Long Description

Stakeholder Organization

Specify Other Stakeholder (if applicable)

Cause The classification of privacy and security domains 1, 2, 3, 4, and 7 as barriers to interoperability appear appropriate in this scenario due to the numerous issues related to EHR access. Classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third-party without patient/representative consent.

Relevant Law (Legal Driver) -- Narrative


Psychiatrist without electronic access privileges and rights requests review of patients EHR containing information from recent hospital stay. Use of psychiatrists picture identification badge met physical control requirements for access to health facility. The psychiatrists inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web the information security infrastructure, and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.

BP1

Hospitals

BP1

BP1

BP1

BP1 BP1 BP1

RTI International Privacy and Security Contract No. 290-05-0015

Page 8 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY

Scenario 3. Patient Care Scenario C

DRAFT DRAFT

BP#

Relevant Law (Legal Driver) -- Reference Code/Statute


HIPAA Security Regs 45 CFR 164.308(a) (1), 164.308(a) (3), 164.308(a) (4), 164.310(a) (1), 164.312(a) (1), 164.312(b), 164.312(d), 164.312(e) (1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127

Solution
A national federated identification management system to validate user identity to allow system access may be a potential solution.

BP1

BP1

BP1

BP1

BP1 BP1 BP1

RTI International Privacy and Security Contract No. 290-05-0015

Page 9 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Business Practice Short Name

Scenario 3. Patient Care Scenario C


Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description

BP#

BP2

WV 002 S3

Our hospital practice and policies are that physicians, or other practitioners who are not credentialed by our facility, do not have access to patient care areas, or to the system.

Scenario 3 Patient Care C

4. Information transmission security Barrier to or exchange interoperability protocols

Medical Staff By Laws Articles VI(Procedure for Appointment) and VII(Clinical Privileges)

BP3

WV 003 S3

Long term care facilities do not usually have locked psych units. However, assuming that the physician entered the skilled nursing facility and attempted to view the patient's EHR, expected policies and procedures should address authorizing privileges, access to medical records, inoperative computer systems and building access prior to physician's first visit. There should be a Business Associate Agreement with any "offshore transcription service" ensuring compliance with Privacy and Security Laws with authorization for monitoring for compliance. No PHI should be transmitted without 128 bit encryption capability with read only capability. Also, there should be a P&P for use of physician's electronic signature.

Scenario 3 Patient Care C

Barrier to interoperability Barrier to interoperability

BP3 BP3

WV 003 S3 WV 003 S3

1. User and entity authentication 2. Information authorization and access controls

Business Associate Agreements

BP3

WV 003 S3

BP3

WV 003 S3

Barrier to 3. Patient and interoperability provider identification 4. Information transmission security Barrier to or exchange interoperability 5. protocols Information protection (against Barrier to improper interoperability modification) Not a barrier to interoperability Barrier to interoperability Not a barrier to interoperability 6. Information audits that record and monitor activity 7. Administrative or physical security safeguards 8. State law restrictions

BP3

WV 003 S3

BP3 BP3

WV 003 S3 WV 003 S3

RTI International Privacy and Security Contract No. 290-05-0015

Page 10 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Stakeholder Organization

Scenario 3. Patient Care Scenario C


Specify Other Stakeholder (if applicable) Cause This business practice analysis only identifies privacy and security domain 4 as a barrier the exchange and encryption of the information supports this classification. Given the complexity of this scenario, the classification of privacy and security domains 1, 2, 3, and 7 would also appear appropriate due to the numerous issues related to EHR access. In addition, classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third-party without patient/representative consent. This stakeholders business practice highlights the issue of credentialing and the administrative controls inherently contained within these policies. In addition, this business practice points out the alternative of faxing, although physical and technical information Relevant Law (Legal Driver) -- Narrative
Psychiatrist without electronic access privileges and rights requests review of patients EHR containing information from recent hospital stay. Use of psychiatrists picture identification badge met physical control requirements for access to health facility. The psychiatrists inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web the information security infrastructure, and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery

BP#

Policy: Long Description

BP2 BP1

These describe the procedures for applying to the staff for membership and clinical privileges assigned with such.

Hospitals

HIPAA Security regs require person or entity authentication

BP3

Long term care facilities and nursing homes HIPAA Security regs make encryption addressable.

BP3 HIPAA Security Rule BP3 HIPAA Security Rule BP3 HIPAA Security Rule BP3

BP3 HIPAA Security regs make access control and validation procedures addressable and require workstation security. The HIPAA Security and Privacy Regs require Business Associate Agreements in certain situations for CEs.

BP3 BP3

RTI International Privacy and Security Contract No. 290-05-0015

Page 11 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Relevant Law (Legal Driver) -- Reference Code/Statute
HIPAA Security Regs 45 CFR 164.308(a) (1), 164.308(a) (3), 164.308(a) (4), 164.310(a) (1), 164.312(a) (1), 164.312(b), 164.312(d), 164.312(e) (1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127

Scenario 3. Patient Care Scenario C

BP#

Solution
A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may

Original:H IPAA 164.506 TPO State Law - 64-CSR12-14 Professio nal Standard s-Medcal Staff

BP2 BP1 HIPAA Security Regs, 45 CFR 164.312

BP3 HIPAA Security Regs, 45 CFR 164.312 BP3 BP3 HIPAA Security Rule, 45 CFR 164 Part C HIPAA Security Rule, 45 CFR 164 Part C BP3 HIPAA Security Rule, 45 CFR 164 Part C BP3

BP3 HIPAA Security Regs 45 CFR 163.310(a)(2)(iii); 164.310(c); 164.308(b)(1). HIPAA Privacy Regs, 45

BP3 BP3

RTI International Privacy and Security Contract No. 290-05-0015

Page 12 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Business Practice Short Name

Scenario 3. Patient Care Scenario C


Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description

BP#

BP3

WV 003 S3

Barrier to 9. Information use interoperability and disclosure policy

BP4

WV 004 S3

In our physician group, as long as no HIPAA laws were broken and a No Restriction form was signed this procedure is under the covered entity of patient care. Use Tracking form and initial all documents placed in the chart. User ID and password is needed.

Scenario 3 Patient Care C

Barrier to interoperability

2. Information authorization and access controls

HIPAA

BP5

WV 005 S3

LTC has business associate agreements in effect for different services with state businesses. The BA agreement is a 1 page document that spells out how you limit the area of exchange and limits sharing of information. Even temp employees must meet the credentialing process. LTC has contracts with physicians but have no badgeseveryone knows everyone here- its small.

Scenario 3 Patient Care C

4. Information transmission security Barrier to or exchange interoperability protocols

Corrections has a BA agreement for billing purposes but not for sharing of information. Correctional Medical Services (in all WV prisons) have access to health records. The reliability of the info exchange is in the hands of the sender- we rely on what they say- no verification process. Temps at corrections have limited access to Med Records- once he has left the place, he cant get access to info again. But they all get FBI background checks, photo ID, sign in and sign out. BP6 WV 006 S3

Scenario 3 Patient Care C

4. Information transmission security Barrier to or exchange interoperability protocols

RTI International Privacy and Security Contract No. 290-05-0015

Page 13 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Scenario 3. Patient Care Scenario C (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Policy: Long Description

Relevant Law (Legal Driver) -- Narrative: HIPAA Security Rule

BP3
Cause: The business practice analysis generally asserts that this is a barrier to interoperability if HIPAA laws are broken. In addition, the implication is that this business practice would be covered by the HIPAA construct of TPO. However, there is recognition within the business practice analysis that several issues arise from patient transfer, identity, password, and encryption failures that are described within the scenario. As such the classification by this stakeholder as a barrier based on the numerous violations of HIPAA regulations pursuant to
Original: HIPAA privacy and covered entity, regulation of rules of nursing facility, Case - Psych patient, Federal - overseas transmissions
Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. Access to electronic information controlled by HIPAA Security Rule Technical Safeguards.

BP4 BP1
Cause: EHR transfer, personal identity, password failure, failure to provide encryption code
Stakeholder Organization: Physician groups

BP5
Stakeholder Organization: Long term care facilities and nursing homes
Cause: The business practice analysis does not identify any of the privacy and security domains as a barrier. The classification by this stakeholder is unassigned. In fact, the likelihood of a correctional system inmate being placed in a nursing home is remote. In addition, the business practice long description emphasized the application and importance of business associate agreements and the correctional system's reliance on these agreements to ensure compliance. However, these agreements are not designed to obviate the need for proper administrative, technical, and physical controls for protected health information. Given this observation the barriers previously identified for this scenario would have to be considered as barriers in this scenario.
Relevant Law (Legal Driver) -- Narrative: Psychiatrist without electronic access privileges and rights requests review of patient's EHR containing information from recent hospital stay. Use of psychiatrist's picture identification badge met physical control requirements for access to health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. Psychiatrist receives report via Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of encryption key prevents delivery.

BP6
Stakeholder Organization: Correctional facilities



Scenario 3. Patient Care Scenario C (continued)
Columns: BP#, Relevant Law (Legal Driver) -- Reference Code/Statute, Solution

Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Rule, 45 CFR 164 Part C

BP3

BP4 BP1
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127. HIPAA Security Rule 45 CFR 164.312.
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely

BP5
Relevant Law (Legal Driver) -- Reference Code/Statute: 1. HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may provide a methodology for

BP6


Scenario 4. Patient Care Scenario D

Scenario: Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women's Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene because other family members have had breast cancer.

Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP1 WV 001 S4
Business Practice Long Description: Our clinic follows state law which does not allow the transmittal of HIV information without the consent of the patient. Also, this information is not supposed to be kept in the patient chart. This is problematic in paper records, because it causes providers to keep a secret registry. In electronic records, this is handled in some cases by a provider making a decision to make this information available to other providers. The interface of the electronic record should inform the patient of his/her rights under the law and allow the patient to designate which information would be available. In paper systems this is incredibly hard to enforce. In electronic systems, access can be granted to certain information, but users end up using common passwords because it is not always the provider who can get the information needed and take care of the patient.
Scenario: Scenario 4 Patient Care D
Classification: Barrier to interoperability
Domain: 1. User and entity authentication
Policy: Short Description: Confidential Information Policy
Policy: Long Description: Takes a global approach to medical information. Who has access to the information. Who makes the decision to release the information. Consent forms for releases. Special considerations for certain laws governing HIV, Mental Health etc.

BP1 WV 001 S4
Scenario: Scenario 4 Patient Care D
Classification: Not a barrier to interoperability
Domain: 2. Information authorization and access controls

BP1 WV 001 S4
Scenario: Scenario 4 Patient Care D
Classification: Not a barrier to interoperability
Domain: 8. State law restrictions

BP1 WV 001 S4
Scenario: Scenario 4 Patient Care D
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP2 WV 002 S4
Business Practice Long Description: Our hospital staff, may include physician, nurse, clerk, NP, PA, would release the minimum necessary information for treatment excluding the HIV information unless the pt provides authorization. If not emergent, we ask for signed authorization which includes HIV authorization.
Scenario: Scenario 4 Patient Care D
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy: Short Description: Confidentiality of PHI
Policy: Long Description: The presence of any behavioral medicine patient at our facility and any and all details of the treatment process of any patient shall be maintained as confidential. For the purposes of confidentiality, protected information, i.e. drug, ETOH, STD (HIV), and behavioral health, and specific releases are required.


Scenario 4. Patient Care Scenario D (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
Stakeholder Organization: Community clinics and health centers
Relevant Law (Legal Driver) -- Narrative: HIPAA Security Regs require person or entity authentication.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Security Regs, 45 CFR 164.312

BP1 BP1
Cause: Misinterpretation of state law.
Relevant Law (Legal Driver) -- Narrative: No consent is required for the disclosure of the PHI for treatment purposes. WV law specifically allows the disclosure of HIV PHI for treatment of the individual.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code 16-3C-2, 16-3C-3(a)(5), and 16-3C-4.

BP1
Cause: Misinterpretation of state law and HIPAA.
Relevant Law (Legal Driver) -- Narrative: Minimum necessary requirement does not apply to disclosures for treatment and there is no authorization requirement for disclosure of the PHI for treatment purposes in HIPAA or state law.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code 16-3C-2, 16-3C-3(a)(5), and 16-3C-4. HIPAA Privacy Regs 45 CFR 164.506 and 164.502(b).

BP2
Stakeholder Organization: Hospitals



Scenario 4. Patient Care Scenario D (continued)
Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP3 WV 003 S4
Business Practice Long Description: In the workers' compensation arena, by filing a claim and signing the injury report form a patient authorizes any physician to release to or orally discuss with the employer or authorized agent of the carrier any medical records pertaining to the occupational injury or illness for which he/she is claiming benefits and any prior injury to or disease to the portion of the body for which he/she is alleging a medical impairment. Only authorized carrier staff, employer staff, providers and the patient have access to the electronic record. We use a system with security parameters set based on individual job-related need for access. Password required. Claimant, employer and provider access limited to specific claim information only. Provider access can be further limited for specific period of time. Carrier employees required to sign security policy agreement. Employ transmission protection such as VPN and encryption for outside network access.
Scenario: Scenario 4 Patient Care D
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls



Scenario 4. Patient Care Scenario D (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP3
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: No legal requirements. WC provides privacy and security of information as a corporate decision.
Relevant Law (Legal Driver) -- Reference Code/Statute: None.


Scenario 5. Payment Scenario

Scenario: X Health Payer (third party, workers compensation, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.). The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider's workforce members and medical staff members and their office staff. X Health Payer is requesting access to the EHR by its case management staff to approve/authorize inpatient encounters.

Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description

BP1 WV 001 S 5
Business Practice Long Description: Our hospital security officer would allow the payer to have access to the EHR through a secure web portal. Only the requested records would be accessible and the minimum necessary information.
Scenario: Scenario 5 Payment
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Policy: Short Description: Information Security Policy & Remote Access

BP2 WV 002 S 5
Business Practice Long Description: Our company would limit access to specific pieces of information related to the payer's claim and would allow the needed transfer of health information for payment purposes. User authentication, legal agreement and hardware/software authentication would be required to validate that access is provided only to the intended user. Security parameters would further limit access to read only. Access would be provided only to personnel of payer needing information for job functions. Record linking methods required to match certain information such as patient name, date of birth, date of service, to allow payer access only to pertinent information. Transmission protection such as VPN, encryption and network security required for access to information. Data use agreement would be in place.
Scenario: Scenario 5 Payment
Classification: Barrier to interoperability
Domain: 8. State law restrictions


Scenario 5. Payment Scenario (continued)
Columns: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
Policy: Long Description: Access to information in the possession or the control of our facility must be provided based on the need to know and the minimum necessary to perform essential functions. Information must be disclosed only to people or entities who have a legitimate need. The privileges granted to all users must be periodically reviewed. Unless it has specifically been deemed public, all internal information must be protected from disclosure to third parties. Third parties may be given access to internal information only when a demonstrable need to know exists, when a Data Use Agreement or Business Associate Agreement has been signed, and when such an agreement has been expressly authorized by the relevant information Owner. If sensitive information is suspected of being lost or disclosed to unauthorized parties, the information Owner and the Compliance Officer must be notified immediately. All third parties are responsible for securing their private networks from our network. In no case shall network-to-network connectivity be allowed without appropriate security technology. Some type of security mechanisms shall exist between our network and any third party.
Stakeholder Organization: Hospitals
Relevant Law (Legal Driver) -- Narrative: Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule minimum necessary standard, the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR 164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule 45 CFR 164.312.

BP2
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule minimum necessary standard, the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR 164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule 45 CFR 164.312.



Scenario 5. Payment Scenario (continued)
Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description

BP3 WV 003 S 5
Business Practice Long Description: Our business office personnel would request access to the EHR. This would automate a process that is now manual. The system needs to let us request and receive the minimum necessary information for the situation. The provider would benefit by receiving an automated approval/authorization from us. The more providers connected to a common system/network, the more efficient the process is for us and the providers. The patient benefits from the faster approval/authorization of inpatient encounters, the provider has less or no staff time involved in fulfilling the request, and we have less burdensome processes in handling the approval/authorization. This eliminates the problem of lost, misrouted, or stolen records and reduces shipping and transportation costs.
Scenario: Scenario 5 Payment
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls



Scenario 5. Payment Scenario (continued)
Columns: BP#, Policy: Long Description, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP3
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: HIPAA minimum necessary requirements
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs, 45 CFR 514


Scenario 6. RHIO Scenario

Scenario: The RHIO in your region wants to access data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients.

Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP1 WV 001 S 6
Business Practice Long Description: For our association, as long as the patient data is aggregate or non-personally identifiable, there would be no problem sharing with the RHIO. Providers would be notified and given the opportunity to participate. If personal identifiers were required, there would be an IRB approval process and a patient informing process.
Scenario: Scenario 6 RHIO
Classification: Barrier to interoperability
Domain: 1. User and entity authentication

BP1 WV 001 S 6
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls

BP1 WV 001 S 6
Classification: Not a barrier to interoperability
Domain: 3. Patient and provider identification

BP1 WV 001 S 6
Classification: Not a barrier to interoperability
Domain: 5. Information protection (against improper modification)

BP1 WV 001 S 6
Classification: Not a barrier to interoperability
Domain: 6. Information audits that record and monitor activity

BP1 WV 001 S 6
Classification: Barrier to interoperability
Domain: 8. State law restrictions

BP1 WV 001 S 6
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy


Scenario 6. RHIO Scenario (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
Stakeholder Organization: Professional associations and societies
Relevant Law (Legal Driver) -- Narrative: HIPAA Security and Privacy Rules as a BA under contract
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 CFR 164, et seq.

BP1
Relevant Law (Legal Driver) -- Narrative: HIPAA Security and Privacy Rules as a BA under contract. IRB approval is not required under law for disclosure to a BA for TPO.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 CFR 164, et seq.; 21 CFR Parts 50 and 56.

BP1
Relevant Law (Legal Driver) -- Narrative: West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
Relevant Law (Legal Driver) -- Reference Code/Statute: West Virginia Code Section 16-29G-8.

BP1
Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. However, the RHIO would operate as a business associate.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR Part 164, Subpart E; 45 CFR 164.504(e).



Scenario 6. RHIO Scenario (continued)
Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP2 WV 002 S 6
Business Practice Long Description: QIOs can release this information with their CMS contracts, but if they have a research grant, they need to get IRB approval. They mostly give info out de-identified, if the contract permits.
Scenario: Scenario 6 RHIO
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP3 WV 003 S 6
Business Practice Long Description: Workers Comp has worked with a state agency to give this info out and also did work on a National Level, but wouldn't give out identifiers.
Scenario: Scenario 6 RHIO
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy



Scenario 6. RHIO Scenario (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP2
Stakeholder Organization: Quality improvement organizations
Relevant Law (Legal Driver) -- Narrative: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR Part 164, Subpart E. West Virginia Code Section 16-29G-8.

BP3
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: No legal requirements. WC provides privacy and security of information as a corporate decision.
Relevant Law (Legal Driver) -- Reference Code/Statute: None.


Scenario 7. Research Data Use Scenario

Scenario: A research project on children younger than age 13 is being conducted in a double blind study for a new drug for ADD/ADHD. The research project is being reviewed by the IRB that presides over research protocols at the major medical center where the research investigators are located. The data being collected are all electronic and all responses from the subjects are completed electronically in the same data base file. The principal investigator was asked by one of the investigators if they could use the raw data to track the patients over an additional six months or use the raw data collected for a white paper that is not part of the research protocol's final document for his post doctoral fellow program.

Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP1 WV 001 S7
Business Practice Long Description: Under home health law, the principal investigator would decline the request because the use of the data was not included in the original IRB. Home health law in WV is based on federal regulation and agencies must be compliant with the federal regulations. At times agencies participate in research activities and must remain compliant with the federal privacy requirements and also the requirements of the research entity with which they are involved. Therefore the utilization of data as outlined in the IRB would necessitate the information only to be used in the manner which was described.
Scenario: Scenario 7 Research Data Use
Classification: Barrier to interoperability
Domain: 8. State law restrictions

BP2 WV 002 S7
Business Practice Long Description: Additional tracking and use of data is not permitted unless a second study has been approved through the IRB.
Scenario: Scenario 7 Research Data Use
Policy: Short Description: HIPAA Research
Policy: Long Description: Authorization, among many other items, includes: * The name or identification of the persons or class of persons authorized to receive disclosures of PHI and to use the PHI for research-related purposes. * A description of each purpose for the use or disclosure.
Classification and Domain (one BP2 WV 002 S7 row per domain):
Not a barrier to interoperability: 1. User and entity authentication
Not a barrier to interoperability: 2. Information authorization and access controls
Not a barrier to interoperability: 3. Patient and provider identification
Not a barrier to interoperability: 4. Information transmission security or exchange protocols
Not a barrier to interoperability: 5. Information protection (against improper modification)
Not a barrier to interoperability: 6. Information audits that record and monitor activity
Not a barrier to interoperability: 7. Administrative or physical security safeguards
Not a barrier to interoperability: 8. State law restrictions


Scenario 7. Research Data Use Scenario (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

BP1
Stakeholder Organization: Homecare and hospice
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs 45 CFR 164.502(g)(1--5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56. WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP2 (one row per domain, as on the previous page)
Stakeholder Organization: Medical and public health schools that undertake research
Relevant Law (Legal Driver) -- Narrative: HIPAA - Privacy Rule; Other Federal Law - 45 CFR 46 Federal Human Subject Protection Rules



Scenario 7. Research Data Use Scenario (continued)
Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP2 WV 002 S7
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP3 WV 003 S7
Business Practice Long Description: In our medical school, IRB approval must be sought (by the Principal Investigator) for either scenario; however, the nature of the request and the investigator responsibilities differ: To extend data collection an additional six months for a purpose not covered by the previously approved IRB protocol, the investigator must submit a new protocol covering this new purpose to the IRB for consideration. Since the proposal will be prospective, subjects will need to give their consent (or assent for children under the age of 18) to collect data for this second purpose. The new protocol, like the earlier protocol, would probably require a full-board review because the target population is a protected population, i.e., children under 13 years of age. To analyze the raw data previously collected under an approved IRB protocol could make a new protocol eligible for expedited consideration depending on whether the raw data includes personal health information and sensitive information that if released could potentially cause harm. It is possible to request the IRB waive consenting for existing data on the grounds that it would be impractical or unfeasible.
Scenario: Scenario 7 Research Data Use
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls

BP4 WV 004 S7
Business Practice Long Description: In our agency, the protected health information in the research database would be covered by HIPAA, but HIPAA could be addressed with appropriate business associate relationships. The investigator would need to get approval of the additional research from his/her institutional review board. The original IRB would need to weigh whether granting access was permissible, and it would likely depend on the disclosures in the original informed consent. In the worst case, the new research would require new informed consent from the parents of all of the children.
Scenario: Scenario 7 Research Data Use
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy



Scenario 7. Research Data Use Scenario (continued)
Columns: BP#, Stakeholder Organization, Specify Other Stakeholder (if applicable), Cause, Relevant Law (Legal Driver) -- Narrative, Relevant Law (Legal Driver) -- Reference Code/Statute

Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy,
Relevant Law (Legal Driver) -- Reference Code/Statute: US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56.

BP2
Cause: Tight control of human subject research with fully informed consent is current public policy. Sharing PHI data (whether for adults or children) without specific consent is contrary to current public policy governing research protocols. ** Please see attached word document for a fuller analysis of this scenario.
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs 45 CFR 164.502(g)(1--5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56. WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP3
Stakeholder Organization: Medical and public health schools that undertake research

BP4
Stakeholder Organization: Public Health agencies
Relevant Law (Legal Driver) -- Narrative: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs 45 CFR 164.502(g)(1--5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56. WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).


Scenario 8. Scenario For Access By Law Enforcement

Scenario: An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer arrives in the ER in addition to the patient's parents. The police officer requests a copy of the blood alcohol test results and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests are made to the ER staff. The patient is covered under their parent's health and auto insurance policy.

Columns: BP#, Business Practice Short Name, Business Practice Long Description, Scenario, Classification (Barrier v. Not a Barrier), Domain, Policy: Short Description, Policy: Long Description

BP 1 WV 001 S 8
Business Practice Long Description: The expected result would be that since the child is an adult, the parents are not privy to his protected health information without his consent per HIPAA privacy regulations. The police officer can obtain a copy of the report without specific patient consent for determining proper charges. A person who operates a motor vehicle implicitly consents to testing to determine intoxication if there is just cause to believe the person is intoxicated. If a paper copy is provided to law enforcement, proper identification should be provided for user authentication. Fax submissions should contain confidentiality statement and information on protocols if received by unintended user. Electronic submissions should be encrypted. If the provider and law enforcement agency exchange information frequently, a data use agreement could be entered into.
Scenario: Scenario 8 Law Enforcement
Classification: Not a barrier to interoperability
Domain: 6. Information audits that record and monitor activity

BP 1 WV 001 S 8
Classification: Not a barrier to interoperability
Domain: 7. Administrative or physical security safeguards

BP 1 WV 001 S 8
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP2 WV 002 S 8
Business Practice Long Description: In our agency, HIPAA and state confidentiality provisions would most likely prevent the parents obtaining the information without the adult patient's consent. The police officer could obtain the results in conjunction with his or her investigation of the accident.
Scenario: Scenario 8 Law Enforcement
Classification: Barrier to interoperability
Domain: 8. State law restrictions

BP3 WV 003 S 8
Business Practice Long Description: In our hospital, law enforcement personnel are denied access to patients unless they have a court order. Software access is limited by password. Each password has restrictions as to information which may be accessed. Through the use of third party software, all information is encrypted when being sent over electronic communications network. Passwords have designated security clearances which define whether user has no access, view only access, or has an ability to add, delete or modify information. A master security log is maintained on line to determine user access and the processes completed. Staff are required to use the organization's network for all I.S. activity. The network includes up to date security measures which protect against unauthorized access, introduction of dangerous items such as worms, and attempts by users to enter unauthorized areas.
Classification: Barrier to interoperability
Domain: 1. User and entity authentication

RTI International Privacy and Security Contract No. 290-05-0015

Page 32 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY

Scenario 8. Scenario For Access By Law Enforcement

DRAFT
BP# Stakeholder Organization Specify Other Stakeholder (if applicable)

DRAFT
Cause

DRAFT
Relevant Law (Legal Driver) -- Narrative

DRAFT
Relevant Law (Legal Driver) -- Reference Code/Statute

BP 1

Payers

BP 1 We agree with the identified business Parents of an adult child cannot access PHI without an practice, but believe that a barrier to authorization signed by that adult child, while law enforcement interoperability exists when the disclosure is may gain such access as required by law. to the parents, or when the disclosure to law enforcement is not required by law. BP 1 Original: W. Va. Code 17C-5-4 & 17C-5-6 45 C.F.R. 164.502(a)(1)(i); 164.502(g)(3)(i); 164.508(a)(1); 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 16-29-1; 17C5-4; 17C-5-6

As a 19 year old child is an adult, parents cannot access their childs PHI, without authorization, under state law and HIPAA.

WV Code 16-29-1; Belcher v. CAMC , 188 W. Va. 105, 422 S.E.2d 827 (1992); HIPAA Privacy Regs 45 CFR 164.502(a)(1)(i), 164.502 (g)(3)(i), and 164.508(a)(1).

BP2

State government We agree that disclosure to law HIPAA Security Regs requiring Administrative and enforcement of the PHI in this Scenario Technical Safeguards would require patient authorization, unless the tests were undertaken at the direction of law enforcement, in which case disclosure is required by law in West Virginia; federal laws governing the confidentiality of alcohol and drug treatment records would not apply in this circumstance, and would not represent a barrier to interoperability. HIPAA Security Regs, 45 CFR 164.308, 164.312

BP3

Hospitals

RTI International Privacy and Security Contract No. 290-05-0015

Page 33 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Business Practice Short Name

Scenario 8. Scenario For Access By Law Enforcement


Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description Policy: Long Description

BP#

BP3 BP3

WV 003 S 8 WV 003 S 8

2. Information Barrier to authorization and access interoperability controls Not a barrier to 3. Patient and provider interoperability identification 4. Information Barrier to transmission security or interoperability exchange protocols 5. Information protection Barrier to (against improper interoperability modification) 6. Information audits that Barrier to record and monitor interoperability activity 7. Administrative or Barrier to physical security interoperability safeguards

BP3

WV 003 S 8

BP3

WV 003 S 8

BP3

WV 003 S 8

BP3

WV 003 S 8

BP3

WV 003 S 8

Barrier to interoperability 8. State law restrictions

BP3

WV 003 S 8

Barrier to 9. Information use and interoperability disclosure policy

BP4

WV 004 S 8

In correctional facilities, parents can not get at the info - it is a state law. If they are on parole, the parolees agree to monitoring while they are incarcerated- they dont have a choice.

Scenario 8 Law Enforcement

Barrier to interoperability 8. State law restrictions

RTI International Privacy and Security Contract No. 290-05-0015

Page 34 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY


Stakeholder Organization Specify Other Stakeholder (if applicable)

Scenario 8. Scenario For Access By Law Enforcement


Cause Relevant Law (Legal Driver) -- Narrative HIPAA Security Regs requiring Administrative and Technical Safeguards Relevant Law (Legal Driver) -- Reference Code/Statute HIPAA Security Regs, 45 CFR 164.308, 164.312

BP#

BP3 BP3 HIPAA Security Regs require Technical Safeguards BP3 HIPAA Security Regs require Technical Safeguards BP3 BP 1 BP3 HIPAA Security Regs require Administrative Safeguards BP3 Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law. BP3 Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law. BP3 Law enforcement desires access to blood alcohol test results of 19-year-old accident victim. Parents desire access to 19-year-old childs ER record and lab results. Should the hospital tests result in showing of HIV or STD, those applicable infectious disease confidentiality provisions would also serve as a barrier. Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law. WV Code 16-29-1; 64 CSR 12-7.2 (DHHR Hospital Licensure Rule); 42 U.S.C.A. 290dd-3 (Public Health Service Act); 42 CFR 2.11(Federal Mental Health Record Confidentiality Rule); 45 CFR 164.502 (g) and (j), 164.524 (HIPAA Privacy Regs). 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-5-4; 17C-5-6 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-54; 17C-5-6 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-54; 17C-5-6 HIPAA Security Regs, 45 CFR 164.308 HIPAA Security Regs, 45 CFR 164.312 HIPAA Security Regs, 45 CFR 164.312

HIPAA Security Regs require Technical Safeguards

HIPAA Security Regs, 45 CFR 164.312

BP4

Correctional facilities

RTI International Privacy and Security Contract No. 290-05-0015

Page 35 of 63

166337667.xls.ms_office

Scenario 9. Pharmacy Benefit Scenario A

Scenario: The Pharmacy Benefit Manager (PBM) has a mail order pharmacy and also has a closed formulary. The PBM receives a prescription from Patient X for the antipsychotic medication Geodon. The PBM's preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider's Outpatient Clinic.

BP1 (WV 001 S9)
Stakeholder Organization: State government
Business Practice Long Description: In state government, we have a network established that connects the PBMs with payers and physicians. Members choose to participate under agreements with PBMs and PHI is transmitted with patient consent. User authentication is an important component to ensure that it is the PBM contacting the physician and the physician replying to the PBM.
Domain / Classification: 8. State law restrictions -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: There is currently no WV law regulating PBMs. The Public Employees Insurance Agency (PEIA) does have statutory authority to manage the increase in prescription drug cost and execute prescription drug purchasing agreements on behalf of the state of West Virginia with PBMs and other private sector arrangements, provided that no private entity may be compelled to participate in the prescription drug purchasing pool, and PEIA may not enter into a contract with a private entity without Legislative approval. To the extent that the scenario anticipates that the communication occurs electronically, the electronic submission would violate West Virginia law and regs. First, the Board of Pharmacy regulation language indicates that a wet signature is required and that a digital signature (either a physical digitalized signature or a digital key signature) will not meet the requirement. Second, the regs have non-intermediary requirements.
Relevant Law (Legal Driver) -- Reference Code/Statute: W.Va. Code 5-16C-1, et seq.; W.Va. Code 30-5-1 et seq. and W.Va. C.S.R. 15-1-1, et seq.; W.Va. Code 60A-1-101, et seq.
Relevant Law (Legal Driver) -- Narrative (additional BP1 row): Original: HIPAA, State, and Federal law. Determining the status of pharmacy benefit managers (PBM) under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and whether PBMs are considered covered entities or business associates. Generally, PBMs do not meet the definition of a covered entity under
Relevant Law (Legal Driver) -- Reference Code/Statute (additional BP1 row): 1. HIPAA 45 C.F.R. 160.102; HIPAA 45 C.F.R. 164.502(e)(1); HIPAA 45 C.F.R. 164.506.
Possible Solutions: See report on e-Prescribing: http://www.tygart.com/Eprescriptions.asp

BP2 (WV 002 S9)
Stakeholder Organization: Community clinics and health centers
Business Practice Long Description: Business practice is the same as in the scenario.
Domain / Classification: 1. User and entity authentication -- Unassigned

BP3a (WV 003a S9)
Stakeholder Organization: Payers
Business Practice Long Description: As a workers' compensation insurer, we have a standard drug list and require the use of generics where available. If a script is received and is not on the list, authorization for the drug is withheld. The prescribing physician may be contacted to write the script for an approved alternative drug for authorization or to provide justification for the prescribed drug before authorization is provided. If the claimant takes the script to a participating pharmacy and it is not approved, the claimant or the pharmacist may contact the claims adjuster for clarification. If a generic is available and the doctor has not indicated the claimant cannot take the generic, it may be authorized. Otherwise, the prescribing doctor will have to provide a new script for a medication on the drug list or provide justification for the prescribed drug. Further, W. Va. Code provides that if a generic medication is available, it must be provided. If the claimant chooses to obtain the brand-name drug, he/she will be responsible for payment of the difference.
Domain / Classification: 8. State law restrictions -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: 1. Unique features of the West Virginia workers' compensation program governing and requiring the prescribing of generic drugs by a pharmacy for a workers' compensation claimant. The workers' compensation law requires a pharmacist who is filling a prescription for a workers' compensation claimant to dispense the generic brand of the drug, if one exists. If a generic does not exist then the pharmacist can dispense the name brand drug. Interoperability issues involve the failure of out-of-state providers and businesses that operate in West Virginia to understand the unique requirements of the West Virginia workers' compensation system.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: State Law - W. Va. Code 23-4-3(a)(3); Regulation - 85 C.S.R. 20 - Medical Management of Claims. W.Va. Code 23-4-3(a)(3) and W.Va. C.S.R. 85-20-1 et seq.

BP3b (WV 003b S9)
Business Practice Long Description: In Workers' Comp, the Point of Sale system is available only to those employees needing access to perform business functions and to participating providers. Password authentication is required. Security policies/confidentiality agreements are in place with employees regarding protection of information. End user agreements are in place with participating providers. Authentication is required for access to the system. Technology is in place to secure the system from unintended users. A vendor is used to implement secure transmission of data. The vendor provides software that allows protection from data modification.

BP3c (WV 003c S9)
Business Practice Long Description: Workers' compensation programs are exempt from HIPAA. State law and regulations provide limits on prescription medication and medication management issues. Out-of-state providers may be unaware of these laws and regulations or may try to apply the laws and fee schedules from their state. We sometimes have difficulty getting out-of-state providers to accept workers' compensation patients and the established fee schedule on a non-emergent basis because of these issues. To address this problem, we contract with provider agencies that specialize in providing state-wide providers. By agreeing to accept WV Workers' Compensation patients, these providers agree to accept our fees and to abide by our laws and regulations.
Relevant Law (Legal Driver) -- Narrative: Workers' Comp law requires generic prescribing where available.
Relevant Law (Legal Driver) -- Reference Code/Statute: W. Va. Code 23-1-1 et seq.

BP4 (WV 004 S9)
Stakeholder Organization: Clinicians
Business Practice Long Description: As a clinician, we deal with out-of-state PBMs daily who request an authorization form or provide OV notes over the phone and fax. If the patient does not meet the PBM formulary, the Dr. changes the medication to the preferred medication.
Domain / Classification: 7. Administrative or physical security safeguards -- Barrier to interoperability
Policy: Short Description: Prior authorization; office and HIPAA policy
Policy: Long Description: Covered entity due to the insurance of continued care for the patient.

BP5 (WV 005 S9)
Stakeholder Organization: Payers
Business Practice Long Description: As a payer, we have a preferred drug list. The claimant needs preauthorization for drugs not preauthorized, and if the claimant wants one that is not, they have to pay. If the generic is available, State Law says we can automatically give them the generic.
Domain / Classification: 8. State law restrictions -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: The legal analysis differs depending upon whether the Pharmacy Benefit Manager or the outpatient clinic is in West Virginia. HIPAA regulations allow the disclosure of protected health information for payment purposes. If the Pharmacy Benefit Manager is in West Virginia, there are no West Virginia Code provisions against seeking the collection of data. If the clinic is in West Virginia, it may not reveal mental health information beyond that which the Pharmacy Benefits Manager already knows because the clinic has already released the data to the payor. The clinic should also assure that Pharmacy Benefits Managers have a Business Associate Agreement with the insurers.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Regulation 164.506; West Virginia Code 27-3-1; 27-3-2; 27-5-9(e).

BP6 (WV 006 S9)
Stakeholder Organization: Payers
Business Practice Long Description: As a payer, we have a higher standard of security for behavioral health info and with administering these types of benefits. Care management personnel are specially trained and they have a higher level of permissions for this type of info. All this info is maintained in our database and reports can be generated.
Domain / Classification: 2. Information authorization and access controls -- Barrier to interoperability

Scenario 10. Pharmacy Benefit Scenario B

Scenario: A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the company's employees' prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if PBM1 could save the company money on their prescription drug benefit. Company A is self-insured and, as part of their current benefits package, they have the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims to them to complete the review.

General comment on the scenario
Cause: We generally agree that the identified business practice presents barriers to interoperability, including the use of multiple business associate agreements, the creation of summary health information (a type of de-identified PHI), and compliance with the minimum necessary standard.
Relevant Law (Legal Driver) -- Narrative: An employer who sponsors a self-insured group health plan may have only limited access to PHI, but may obtain summary health information (a type of de-identified PHI) to obtain premium bids or to modify or amend its group health plan.
Relevant Law (Legal Driver) -- Reference Code/Statute: 45 C.F.R. 164.502(b)(1); 164.504(e); 164.504(f).

BP1 (WV 001 S10)
Stakeholder Organization: Pharmacies
Business Practice Long Description: In our pharmacy, we recognize that HIPAA allows release of PHI for payment and treatment purposes, but the review of that information without patient consent by another PBM would probably fall outside of that allowance. If the information was aggregate and not patient identifiable, then the review could probably be conducted. It is very important that the PBMs not be able to modify the data showing a prescription that has been processed and filled.
Domain / Classification: 9. Information use and disclosure policy -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: The HIPAA privacy and security rules.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code 16-29-1(b); HIPAA Privacy Regs. 45 CFR 164.312(e)(2), 164.501, 164.502(a)(1)(i), 164.502(e), 164.504(a), 164.504(e), 164.504(f), 164.504(f)(1)(ii), 164.504(f)(2)(ii)(C), 164.504(f)(2)(iii), 164.504(f)(3)(iv), 164.508(a)(1), 164.514(e)(4), 164.514(d)(3).

BP2 (WV 002 S10)
Stakeholder Organization: Public Health agencies
Business Practice Long Description: From the perspective of our public health agency, using aggregate statistics would be all right, but if the scenario is as stated, Company A is already on very thin ice. Assuming that PBM2 and not Company A actually has the claims, then PBM2 could transmit the claims to PBM1 under HIPAA, provided it had a Business Associate agreement with the PBM. There might be state law barriers related to disclosure of drugs used in specific conditions, e.g. HIV/AIDS or psychiatric disorders.
Domain / Classification: 8. State law restrictions -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: Business associate agreements are required by the HIPAA privacy rule.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Regs. 45 CFR 164.502(e), 164.504(e).

BP3 (WV 003 S10)
Stakeholder Organization: Payers
Business Practice Long Description: As a payer, we have Business Associate agreements in place. This is a standard agreement unless the other company has another form; we may use both. We build policies on what HIPAA requires; we have an index of BA policies. All the data we send is encrypted. PHI has to be encrypted and the receiver has the user ID and password to decrypt. Internally, that is not necessary because of our firewalls.
Domain / Classification (Barrier v. Not a Barrier):
4. Information transmission security or exchange protocols -- Barrier to interoperability
9. Information use and disclosure policy -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative (domain 4): Secure transmission of electronic PHI must be consistent with the HIPAA Security rule.
Relevant Law (Legal Driver) -- Reference Code/Statute (domain 4): HIPAA Security Regs. 45 CFR 164.312.
Relevant Law (Legal Driver) -- Narrative (domain 9): Business associate agreements are required by the HIPAA privacy rule.
Relevant Law (Legal Driver) -- Reference Code/Statute (domain 9): HIPAA Privacy Regs. 45 CFR 164.502(e), 164.504(e).

BP4 (WV 004 S10)
Stakeholder Organization: Payers
Business Practice Long Description: As a payer, we have a consultant oversee pharmacy benefits and the consultant can see info on patients; we have a BA agreement with them. We also have a procedure audit and they are reviewed by HIPAA as part of due diligence. We contract with a company to provide PHI. Every employee has signed a confidentiality agreement.
Domain / Classification: 9. Information use and disclosure policy -- Barrier to interoperability

Scenario 11. Healthcare Operations and Marketing Scenario A

Scenario: ABC Health Care is an integrated health delivery system comprised of ten critical access hospitals and one large tertiary hospital, DEF Medical Center, which has served as the system's primary referral center. Recently, DEF Medical Center has expanded its rehab services and created a state-of-the-art, stand-alone rehab center. Six months into operation, ABC Health Care does not feel that the rehab center is being fully utilized and is questioning the lack of rehab referrals from the critical access hospitals. ABC Health Care has requested that its critical access hospitals submit monthly reports to the system six-sigma team to analyze patient encounters and trends for the following rehab diagnoses/procedures: Cerebrovascular Accident (CVA), Hip Fracture, Total Joint Replacement. Additionally, ABC Health Care is requesting that this same information, along with individual patient demographic information, be provided to the system Marketing Department. The Marketing Department plans to distribute to these individuals a brochure highlighting the new rehab center and the enhanced services available.

BP1 (WV 001 S 11)
Stakeholder Organization: Hospitals
Business Practice Long Description: Our hospital policy permits Marketing to use PHI for marketing purposes as permitted by HIPAA and other applicable Federal and West Virginia laws. With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her PHI can be made for marketing. Based on the scenario they are an IDS and it would be appropriate.
Domain / Classification: 1. User and entity authentication -- Barrier to interoperability
Policy: Short Description: Use of PHI for Marketing Purposes
Policy: Long Description: The IDS may not sell PHI to a business associate or any other third party for that party's own purposes. The IDS may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list. Exceptions to the definition of marketing fall into the following three categories: (1) A communication is not "marketing" if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; (2) A communication is not "marketing" if it is made for treatment of the individual; (3) A communication is not "marketing" if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
Relevant Law (Legal Driver) -- Narrative: 1. With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: Original: HIPAA - 164.501 Definition - Marketing. HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).
Solution: 1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP2 (WV 002 S 11)
Stakeholder Organization: Payers
Business Practice Long Description: As a payer, we would not supply PHI to anyone, especially in a marketing campaign, especially now with HIPAA.
Domain / Classification: 9. Information use and disclosure policy -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).
Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP3 (WV 003 S 11)
Stakeholder Organization: Long term care facilities and nursing homes
Business Practice Long Description: As a long term care facility, we would not supply PHI to anyone, especially in a marketing campaign, especially now with HIPAA.
Domain / Classification: 9. Information use and disclosure policy -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).
Solution: In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP4 (WV 004 S 11)
Stakeholder Organization: Quality improvement organizations
Business Practice Long Description: As a QIO, we would not supply PHI to anyone, especially in a marketing campaign, especially now with HIPAA. In a QIO, we would be in violation of HIPAA and our CMS contracts.
Domain / Classification: 9. Information use and disclosure policy -- Barrier to interoperability
Relevant Law (Legal Driver) -- Narrative: With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).

PRIVACY AND SECURITY

Scenario 12. Healthcare Operations and Marketing Scenario B

DRAFT
BP#

Scenario 12 Operations & Marketing B Business Practice Short Name

ABC hospital has approximately 3,600 births/year. The hospital Marketing Department is requesting PHI on all deliveries including mother's demographic information and birth outcome (to ensure that contact is made only with those deliveries that resulted in healthy live births). The Marketing Department has explained that they will use the PHI for the following purposes: 1. To provide information on the hospital's new pediatric wing/services; 2. To solicit registration for the hospital's parenting classes; 3. To request donations for construction of the proposed neonatal intensive care unit; 4. They will sell the data to a local diaper company. Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description

BP1

WV 001 S 12

Our hospital practice requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital. Therefore, our hospital would not sell the data to a local diaper company without patient authorization.

Scenario 12 Operatns & Mkting B

Barrier to interoperability

9. Information use and disclosure Use and Disclosure policy of PHI for Marketing

BP2

WV 002 S 12

Our hospital would not allow this practice. As a payer, we would have to sign a form with all involved persons to release any info- we do not sell any data. We used to be able to acquire lists, but now we would have to ask them to sign a form to release infoHIPAA has not been a Barrier to this because we can use permission forms. The info would be transferred electronically and encrypted.

Scenario 12 Operatns & Mkting B

Barrier to interoperability

9. Information use and disclosure Use of PHI for policy Marketing Purposes

BP3

WV 003 S12

Scenario 12 Operatns & Mkting B

Barrier to interoperability

9. Information use and disclosure policy

RTI International Privacy and Security Contract No. 290-05-0015

Page 47 of 63

166337667.xls.ms_office

PRIVACY AND SECURITY

Scenario 12. Healthcare Operations and Marketing Scenario B

DRAFT
BP# Policy: Long Description Stakeholder Organization Specify Other Stakeholder (if applicable)

DRAFT
Cause

DRAFT
Relevant Law (Legal Driver) -Narrative With limited exceptions, activities that fall within the HIPAA Privacy Rules definition of marketing require authorization from the patient/patients representative.

DRAFT
Relevant Law (Legal Driver) -- Reference Code/Statute HIPAA Privacy Rule 45 CFR 164.501 and164.508(a)(3).

BP1

Our hospital requires an authorization for release of PHI for marketing except for: 1. Face-to-face communication between our hospital and the patient; or 2. A promotional gift of nominal value provided by our hospital.

Hospitals

HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).

BP2

(1) Communication about a product or service that encourages recipients of the communication to purchase or use the product or service, or (2) an arrangement between our hospital and another third party, whereby our hospital discloses PHI to the third party in exchange for direct or indirect remuneration as the result of the other party or its affiliate making a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Our hospital may not sell PHI to a business associate or any other third party for that party's own purposes. Our hospital may not sell lists of patients or enrollees to third parties without obtaining authorization from each person on the list.

Hospitals

With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).

With limited exceptions, activities that fall within the HIPAA Privacy Rule's definition of marketing require authorization from the patient/patient's representative.

HIPAA Privacy Rule 45 CFR 164.501 and 164.508(a)(3).

BP3

Payers


Scenario 12. Healthcare Operations and Marketing Scenario B

BP# Solution

BP1

1. In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP2
In this scenario, limiting marketing to communications that specifically describe a health-related product or service provided by the covered entity itself should cause it to fall within the permitted communications exception of the HIPAA Privacy Rule's definition of marketing.

BP3


Scenario 13. Bioterrorism Event

BP# Business Practice Short Name Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description Policy: Long Description Stakeholder Organization Specify Other Stakeholder (if applicable)

Scenario 13 Bioterrorism Event

A provider sees a person who has anthrax, as determined through lab tests. The lab submits a report on this case to the local public health department. The public health department in the adjacent county has been contacted and has confirmed that it is also seeing anthrax cases, and therefore it could be a possible bioterrorism event. Further investigation confirms that this is a bioterrorism event, and the State declares an emergency. This then shifts responsibility to a designated state authority to oversee and coordinate a response, and involves alerting law enforcement, hospitals, hazmat teams, and other partners, as well as informing the regional media to alert the public to symptoms and to seek treatment if they feel affected. The State also notifies the Feds of the event, and some federal agencies may have direct involvement in the event. All parties may need to be notified of specific identifiable demographic and medical details of each case as they arise to identify the source of the anthrax, locate and prosecute the parties responsible for distributing the anthrax, and protect the public from further infection.

BP1

WV 001 S13

Our hospital privacy officer would disclose as required using the minimum necessary rule.

Scenario 13 Bioterrorism Event

Barrier to interoperability

9. Information use and disclosure policy

Guidelines Pertaining to Disclosures for Law Enforcement Purposes Without Written Authorization, Court Order, Subpoena or Other Process

Hospitals

BP2

WV 002 S13

Once our lab would submit a report to the local public health dept or to the State as per those regs. governing anthrax and other public health threats, then it would be in the hands of the State and Federal agencies. If all parties would need to obtain additional information from our lab, then that agency would notify our corporate compliance dept. via proper documentation or request.

Scenario 13 Bioterrorism Event

Barrier to interoperability

9. Information use and disclosure policy

Laboratories

BP3a

WV 003a S13

BP3b

WV 003b S13

Public health law is state-specific. I do not know the extent to which Federal anti-terrorism legislation has attempted to pre-empt state law, but I'm doubtful such pre-emption would be effective in a case like this that does not appear to involve interstate commerce. Therefore, I believe the state disease control laws would have primacy. Under state law, the health director is generally authorized to disclose information needed to control the spread of contagious disease. All information exchange originating under the direction of the state health director or his/her designate is probably permissible, even if it discloses PHI to the public. There may be limits on the health director's discretion, but I doubt they would be significant under the scenario described. The one important question is whether the public health director has authority to disclose PHI to law enforcement agencies. Customarily, public health agencies have not done so, because of the chilling effect it is believed to have on ongoing disease investigation. I don't know if current law in West Virginia mandates such disclosure, as it may; if it does not, then the disclosure would fall under the discretion of the public health director. Therefore the major barrier might be in the event individual institutions or health professionals were not aware of their duty to report information in a public health emergency, or if they obstructed transmission of sensitive data to the health agency out of a perceived risk of liability for disclosure. If they have read HIPAA, they won't have such fears.

Scenario 13 Bioterrorism Event

Barrier to interoperability

8. State law restrictions

Public Health agencies

Scenario 13 Bioterrorism Event

Barrier to interoperability

9. Information use and disclosure policy

BP4

WV 004 S13

As a federal health facility, we would not be allowed to give out any info under the Laws of Confidentiality. Although, in an act of terrorism, there are some exceptions. Your individual identity cannot be revealed and we could give them demographics and we could contact others about the situation. But if the person has a contagious disease and he knowingly infects others, he is then considered a criminal and he has no rights. We would: Send the info by an authorized courier in a sealed envelope or thru data secure telephone lines or thru scrambled, encrypted email.

Scenario 13 Bioterrorism Event

Barrier to interoperability

2. Information authorization and access controls

Federal health facilities


Scenario 13. Bioterrorism Event

BP# Cause Relevant Law (Legal Driver) -- Narrative Relevant Law (Legal Driver) -- Reference Code/Statute

BP1

HIPAA Privacy Regs require a CE to review the disclosure request to see if the public official represents that the information requested is the minimum necessary for the stated purpose

HIPAA Privacy Rule, 45 CFR 164.514(d)(3)(iii)(A); WV Code 15-5-1 et seq.; 64 CSR 7 (regs regarding reportable diseases)

BP2

No legal barrier to public health's disclosure to law enforcement. State Homeland Security provisions, the general and emergency powers of the Governor under the legislation, along with the State Director of Health's authority allow for these disclosures

W. Va. Code 15-5-1 et seq., 16-3-1 and 15-5-6; 64 CSR 7 (regs regarding reportable diseases)

BP3a

Stakeholder cites perception issues.

1. WV Code 15-5-1 et seq.

BP3b

HIPAA Security and Privacy Rules together require the CE to safeguard protected health information, electronic and hard copy

HIPAA Security Rule, 45 CFR Part 164, Subpart C and HIPAA Privacy Rule 164.530(c)

BP4


Scenario 14. Employee Health Information Scenario

BP# Business Practice Short Name Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description Policy: Long Description

Scenario 14 - Employee Health Info

An employee (of any company) presents in the local emergency department for treatment of a chronic condition that has exacerbated and which is not work-related. The employee's condition necessitates a four-day leave from work for illness. The employer requires a "return to work" document for any illness requiring more than 2 days' leave. The hospital ED has an EHR and their practice is to cut and paste patient information directly from the EHR and transmit the information electronically to the HR department.

BP1a

WV 001a S 14

As a payer, our business practice is to allow employees a certain number of paid time off (PTO) days. No detailed reason is needed for using those days. Short-term disability/long-term disability are also provided for certain medical issues and do require documentation to justify the disability. In this scenario, there are a couple of options. One, if the employer and hospital frequently exchange information, a confidentiality agreement or data use agreement needs to be entered into. The HR department could adjust its form to require only certain, non-specific medical information required only to justify the disability period. The hospital would then be responsible for providing the minimally necessary medical information as needed. It should be the hospital's policy to not provide more information than requested or needed per HIPAA privacy regulations, so the cut and paste practice may be a violation. The second option, one employed by the state of WV, would be for the return to work document to require only the disability period, the diagnosis and the treating doctor's signature.

Scenario 14 Employee Hlth Info

Barrier to interoperability

9. Information use and disclosure policy

BP1b

WV 001b S 14

WV 001c S 14

WV 001d S 14

No specific medical information would be needed. End user should be limited to HR department employees. No access should be provided outside that unit. Data use agreement/confidentiality agreement should be in place to prevent unnecessary dissemination of protected health information.

Not a barrier to interoperability

6. Information audits that record and monitor activity

Barrier to interoperability

4. Information transmission security or exchange protocols

Not a barrier to interoperability

9. Information use and disclosure policy

BP1c

Transmission protections would be implemented between the sender and end user such as encryption of information. End user should be provided read only access to information. One-way transmission (ED to HR department only) should be considered. Only HR department employees should have access to the transmitted information. Information should be limited by ED to that minimally necessary to fulfill HR's need. Once transmitted, information should be contained within employee's personnel file and not be subject to view by outside parties. Special precautions for psychiatric/HIV information - patient must authorize release of information.

BP1d

BP1e

WV 001e S 14

WV 001f S 14

BP1f

Not a barrier to interoperability

8. State law restrictions

BP2

WV 002 S 14

Our hospital would prepare a leave of absence note for the employer which would limit information to the name of the employee, date seen by medical facility/physician, estimated time to be away from work, and signature of physician or other appropriate medical personnel.

Scenario 14 Employee Hlth Info

Barrier to interoperability

1. User and entity authentication


Scenario 14. Employee Health Information Scenario

BP# Stakeholder Organization Specify Other Stakeholder (if applicable) Cause Relevant Law (Legal Driver) -- Narrative Relevant Law (Legal Driver) -- Reference Code/Statute

BP1a

Payers

The identified business practice involves multiple barriers to interoperability, but we disagree with the rationale employed; disclosure of PHI from existing health care records to the employer requires a signed authorization from the patient; once authorization is signed, disclosures made thereunder are not subject to the minimum necessary standard; once such information is lodged in employment files, it is no longer considered PHI; however, electronic transmission of the information to the employer must follow proper verification and security procedures.

A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a return to work document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.

45 C.F.R. 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP1b

HIPAA Security Technical Safeguards

BP1c

HIPAA Security Rule, 45 CFR 164.312

BP1d

BP1e

WV State law regarding HIV test results

BP1f

W. Va. Code 16-3C-2, 3, 4; W. Va. Code 27-3-1

BP2

Hospitals

We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.

A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a return to work document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.

45 C.F.R. 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103



Scenario 14. Employee Health Information Scenario

BP# Business Practice Short Name Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description Policy: Long Description

BP3

WV 003 S 14

As a correctional facility, our business practice/procedure is we have our own form to fill out for a return to work. Electronic transfer of emergency room data would not be accepted. The return to work form may eventually be able to be emailed and then completed for return. Additional ER info would not be necessary or desired. Password protected on secure lines. Limited access to the computer itself. Passwords must be changed on an irregular basis. Would need patient consent. The multiple information systems would need this patient consent prior to allowing access to the personal health information. Would need development of special programs for the encryption.

Scenario 14 Employee Hlth Info

Barrier to interoperability

2. Information authorization and access controls

return to work form

Employee off more than 3 days submits for FMLA under the Family and Medical Leave Act (FMLA) of 1993. At the end of leave, must submit a "return to work form" that has been completed by the physician - not by cut and paste in the ER.

BP4

WV 004 S 14

As a physician group, our office physician can release a RTW date to the employer but any medical information would need a release of records from the patient. The HIPAA and State Laws would override the ER Policy. We use tracking forms in each chart to show info that was copied/faxed, who sent it, and where it went and the date sent.

Scenario 14 Employee Hlth Info

BP4

WV 004 S 14

Barrier to interoperability

4. Information transmission security or exchange protocols

Covered entity

Not a barrier to interoperability

7. Administrative or physical security safeguards

Not a barrier to interoperability

Patient release must be signed to release records.

BP4

WV 004 S 14

8. State law restrictions

BP5

WV 005 S 14

As a payer, under the State System we had PEIA Coverage and they required the forms for being out for 3 days. Dr filled out the info and a RTW notice - all done paper - no electronic version of this. This can also be faxed and whoever is on the receiving end of the fax can view the info. In our payer organization, the employer cannot get at the info unless the employee signs an agreement. This is done on a paper basis. Our organization has an imaging process. This info is QUARANTINED, meaning only the appropriate person can get at the info. All have a secure storage place for records - we have an onsite storage place and to get entrance, you have to have special permissions - there is a keyless entry.

Scenario 14 Employee Hlth Info

Not a barrier to interoperability

8. State law restrictions

BP6

WV 006 S 14

Scenario 14 Employee Hlth Info

Barrier to interoperability

8. State law restrictions

Barrier to interoperability

9. Information use and disclosure policy

BP6

WV 006 S 14



Scenario 14. Employee Health Information Scenario

BP# Stakeholder Organization Specify Other Stakeholder (if applicable) Cause Relevant Law (Legal Driver) -- Narrative Relevant Law (Legal Driver) -- Reference Code/Statute

We agree with the identified business practice, and agree that it involves multiple barriers to interoperability, including patient authorization and use of proper security procedures.

A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a return to work document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.

Original: Other Federal Law - Family and Medical Leave Act 1993; Other - Company FMLA and Time & Attendance Policy

45 C.F.R. 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP3

Correctional facilities

BP1a

We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.

Original: HIPAA

A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a return to work document is not treatment, payment, or health care operations; if PHI is included

45 C.F.R. 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP4

Physician groups

BP4

BP4

BP5

Payers

We agree with the identified business practice, and believe that it constitutes a barrier to interoperability.

A health care provider may not disclose PHI to a third party without patient authorization unless for treatment, payment, or health care operations; a return to work document is not treatment, payment, or health care operations; if PHI is included in this document, patient authorization would be required; when disclosure is authorized, proper security procedures must be followed when transmitting PHI electronically.

45 C.F.R. 164.502(a)(1); 164.508(a)(1); 164.310; 164.312; 164.502(b)(2)(iii); 160.103

BP6

Payers

BP6


Scenario 15. Public Health Scenario A


BP# Business Practice Short Name Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description Policy: Long Description Stakeholder Organization Specify Other Stakeholder (if applicable)

Scenario 15 Public Health A

Active TB Patient has decided to move to a desert community that focuses on spiritual healing. The TB is classified MDR (multi-drug resistant). Patient purchases a bus ticket; the bus ride will take a total of nine hours with two rest stops. State A is made aware of Patient's intent two hours after the bus with Patient leaves. State A now needs to contact the bus company and State B with the relevant information. State A may need to contact every state along the route.

BP1a

WV 001a S15

Since TB is a publicly reported disease the home health agency nurse would report the information to the public health department and allow the public health department to take action. At the present time there are very few systems in which home health agencies share electronic personal health information and the system for public reporting electronically such as would be needed in this instance is not presently available. Would be necessary to assure integrity of the communication between only those entities who had necessity of receiving the data. In present home health electronic information systems only those personnel who have been trained can access patient data. In general there are few who can access the entire data base and changes/modifications can only be made by those with certain security/access abilities. While most agencies have internal policies that dictate the utilization of electronic data within the agency and most often that shared with a fiscal intermediary and the state data collection agency.

Scenario 15 Public Health A

Barrier to interoperability

BP1a

WV 001a S15

Scenario 15 Public Health A

Barrier to interoperability

2. Information authorization and access controls

5. Information protection (against improper modification)

All home health agencies have in place within their infection control policies and procedures for the reporting of publicly reported communicable diseases.

Homecare and hospice

BP1b

WV 001b S15

Very few, if any, of the home health agencies are presently sharing electronic health data with other health care entities. Most exchange of information between entities currently takes place by paper exchange or oral exchange. WV home health agencies comply with federal regulation as outlined in the HIPAA standards and the home health conditions of participation as set forth by CMS at the federal level. The WV Office of Health Facilities Licensure and Certification is responsible for the oversight of agency compliance.

Scenario 15 Public Health A

Barrier to interoperability

4. Information transmission security or exchange protocols

BP2

WV 002 S15

I would think that State A is made aware of the TB patient's location, and would need to locate both the bus company as well as other States along the route. Each State dept. of health would be involved in this process until the patient is located for additional follow-up.

Scenario 15 Public Health A

Not a barrier to interoperability

3. Patient and provider identification

Laboratories

BP3

WV 003 S15

This is a pure public health response, clearly authorized under law. Since the state already has a report of a case, there is no barrier to reporting the case in the first place. Since the patient has absconded, the state health director may use state quarantine law and ask the police to halt the bus before it leaves the state. Failing that, the health director will inform the Centers for Disease Control, which will inform the other states. The state health director's discretionary authority also allows him or her to notify adjacent states.

Scenario 15 Public Health A

Barrier to interoperability

8. State law restrictions

Public Health agencies

BP4

WV 004 S15

As a federal health facility, we would consider this to be a wanted person and someone that is violating others' rights. He would be considered a bio-hazard. We could send the info to the media and to other states and health care providers; for instance we could say that John Doe is a wanted criminal or is a suspect. He loses all of his rights under the Privacy Act. We would first check out to see if he was dangerous to others and/or to himself. We would contact the health authorities, and state police via phone.

Scenario 15 Public Health A

Barrier to interoperability

8. State law restrictions

Federal health facilities


Scenario 15. Public Health Scenario A

BP# Cause Relevant Law (Legal Driver) -- Narrative Relevant Law (Legal Driver) -- Reference Code/Statute

BP1a

HIPAA Security regs require that PHI be safeguarded by covered entities, if a covered entity were sharing information with the state in this scenario

HIPAA Security Regs, 45 CFR 164.302 et seq.

BP1b

BP2

Home state public health department of active TB patient moving via bus to another city may, upon its order or order of state court of record, disclose patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting public health department to enforce state or court order. The patient is an active TB carrier spreading and subject to public health department isolation, quarantine, etc.

WV Code 16-3D-3 to 9; 64 CSR 7-3.4, 12.1.a.4, and 19-17-19; HIPAA Privacy Regs 164.512(b).

BP3

BP4

Home state public health department of active TB patient, moving via bus to another city may, upon its order or order of state court of record, disclose patient's TB status to law enforcement and other state public health departments. Law enforcement access poses no barrier if assisting public health department to enforce state or court order. The patient is an active TB carrier spreading and subject to public health department isolation, quarantine, etc. LWG unable to find any federal law dealing with TB and believe issue is left to the States.

WV Code 16-3D-3 to 9; 64 CSR 7-3.4, 12.1.a.4, and 1917-19.


Scenario 16. Public Health Scenario B


BP# Business Practice Short Name Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description

Scenario 16 - Public Health B

A newborn's screening test comes up positive for a rare genetic disorder and the state lab test results are made available to the child's physicians and specialty care centers specializing in the disorder via an Interactive Voice Response system. The state lab also enters the information in its registry, and tracks the child over time through the child's physicians. The state public health department provides services for this rare genetic disorder and notifies the physician that the child is eligible for those programs. One of the services that the mother uses from the state is regularly purchasing special food products for persons with PKU.

BP1

WV 001 S16

Generally, the provider and the clinical staff will make several phone calls to find assistance and support for the parent or child. In all my years of practice, I have never witnessed this scenario in the clinical setting - the closest to this scenario is the reportable infectious disease process - which is pretty effective. Also, not all providers are aware of mandated requirements to report certain genetic or other disorders to the state - some labs are out of state, so do not know all the state reporting requirements either.

Scenario 16 Public Health B

Barrier to interoperability

8. State law restrictions

BP2

WV 002 S16

Office of Maternal Child and Family Health - WV Code 16-22-3 mandates that abnormal labs in newborn children be reported to the Bureau for Public Health. It also permits identification, follow-up treatment with physicians and other resources provided by BPH. Communication involving PII/PHI is conducted by phone and faxing.

Scenario 16 Public Health B

Not a barrier to interoperability

8. State law restrictions

BP3

WV 003 S16

It may be necessary to identify this child with special codes so as not to release the name of the child to outside entities, other than the physician and state health officials.

Scenario 16 Public Health B

Barrier to interoperability

8. State law restrictions


Scenario 16. Public Health Scenario B

BP# Policy: Long Description Stakeholder Organization Specify Other Stakeholder (if applicable) Cause Relevant Law (Legal Driver) -- Narrative Relevant Law (Legal Driver) -- Reference Code/Statute

BP1

Professional associations and societies

No legal driver. (WV mandates reporting in WV Code 16-22-1 et seq.; such disclosure is permitted under the HIPAA Privacy Rule.)

BP2

Public Health agencies

BP3

Laboratories

No legal requirement to identify patient with specific codes; direct identifiers are allowed.


Scenario 17. Public Health Scenario C

BP# Business Practice Short Name Business Practice Long Description Scenario Classification (Barrier v. Not a Barrier) Domain Policy: Short Description Policy: Long Description Stakeholder Organization Specify Other Stakeholder (if applicable)

Scenario 17 Public Health C

A homeless man arrives at a county shelter and is found to be a drug addict and in need of medical care. The person does have a primary provider, and is sent there for the medical care, and is referred to a hospital-affiliated drug treatment clinic for his addiction under a county program. The addiction center must report treatment information back to the county for program reimbursement, and back to the shelter to verify that the person is in treatment. Someone claiming to be a relation of the homeless man requests information from the homeless shelter on all the health services the man has received.

BP1

WV 001 S17

As a public health agency, we recognize that under 42 CFR Federal Law the patient must authorize release of medical records. Chapter 27 of state mental health law on the other hand requires that the spouse, or next of kin be notified of admission to our state psychiatric facilities. Exceptions to patient authorization require a court order.

Scenario 17 Public Health C

Barrier to interoperability

8. State law restrictions

Public Health agencies

BP2

WV 002 S17

Home health providers would not release this information to this individual. All home health providers are required by federal law to comply with HIPAA regulations. Compliance with the transfer of electronic information in HIPAA approved formats will in 2007 be required in order for agencies to receive reimbursement. Administrations are designing and implementing programs that meet these privacy standards. Also within the requirements for participation in the Medicare/Medicaid program agencies must meet patient privacy standards as outlined by the Centers for Medicare and Medicaid Services. Home health agencies are regulated by federal regulations which are monitored and enforced by the WV Office of Health Facilities Licensure and Certification. In this scenario also applicable would be WV state law concerning next of kin and Medical Power of Attorney, which would only be utilized if the patient were incapacitated and could not relate his own wishes and desires for the handling of this health care information.

Scenario 17 Public Health C

Barrier to interoperability

8. State law restrictions

All home health agencies have policies that dictate to whom private information can be released. These policies are compliant with federal regulations outlined in the HIPPA and home health conditions of participation.

Homecare and hospice

BP3
Business Practice Short Name: WV 003 S17
Business Practice Long Description: Our hospital employees may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
Scenario: Scenario 17 Public Health C
Domain: 9. Information use and disclosure policy
Classification: Barrier to interoperability
Policy: Short Description: Guidelines Pertaining to Disclosures Made Without Written Authorization But Pursuant To Court Orders, Subpoena, Search Warrant or Discovery Request
Policy: Long Description: Our facility may only disclose behavioral health records, drug and alcohol abuse treatment records and HIV and AIDS related testing and treatment records under certain circumstances that are set forth in state or federal statutes. These specially protected records shall never be disclosed without the express written authorization of the patient unless there is a specific court order requiring their disclosure.
Stakeholder Organization: Hospitals

BP4
Business Practice Short Name: WV 004 S17
Business Practice Long Description: As a federal health facility, we would not provide any info unless the vet says it is ok. The family member would have to leave their contact info with us, and the case manager would contact the vet and give it to them; it is then their choice. If another facility wants the info, the Privacy Act can release info if it is medically necessary. The vet would be able to release that to another facility; they have to sign the waiver and it has to be signed in front of our employee. The vet has to show proper ID. The release form is specific to the info that they want to release. Info is transmitted via letter, fax, or internet, and is encrypted. The only time PHI can be released without the pt's authorization is if it is a medical emergency; in other words, if the vet would die if someone didn't know the PHI. The Privacy Act protects us in that they can't come back and sue us for giving out info unless they said we can, and then it hinders the quick release of info if it is an emergency. It is so much easier to share info between our facilities because of our EHRS. We all follow the same criteria.
Scenario: Scenario 17 Public Health C
Domain: 2. Information authorization and access controls (Classification: Unassigned)
Domain: 9. Information use and disclosure policy (Classification: Barrier to interoperability)
Stakeholder Organization: Federal health facilities

RTI International Privacy and Security Contract No. 290-05-0015

Page 60 of 63

166337667.xls.ms_office


Scenario 17. Public Health Scenario C

Columns: BP#; Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

Original (applies to the scenario as a whole)
Relevant Law (Legal Driver) -- Narrative: Again, consent is the key to release of information. A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs, but is covered under WV Code §27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs and can refer the patient to a drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, which already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR §164.506; 522(a); WV Code §§27-3-1; 27-5-9(e)
Solution: Have all patients with substance abuse problems and/or mental illness sign general consents to release information for treatment, payment and healthcare operations under HIPAA Reg. 164.506(b) upon entering the facility; repeal WV Code §27-5-9(e). Amend §27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent.

BP1
Cause: Relative of drug addict individual in need of treatment cannot access the individual's PHI without authorization, under state law, HIPAA, and other federal laws.
Relevant Law (Legal Driver) -- Reference Code/Statute: WV Code 16-30-8, 27-1A-11, 27-3-1 and 2, 27-5-9, 27-7-1 thru 3, 16-29-1; HIPAA Privacy Regs 45 CFR 164.512 (a, b, e, and j), 164.506, 164.508, 164.510, 164.512(e), 164.514(a); 42 U.S.C.A. 290dd-3, 290ee-3; 42 CFR 2.1 et seq.

BP2

BP3
Relevant Law (Legal Driver) -- Narrative: A homeless shelter is not a covered entity under substance abuse regs or HIPAA regs, but is covered under WV Code §27-3-1. It may release substance abuse information to the primary care provider. Such provider is not covered by substance abuse regs and can refer the patient to a drug treatment clinic. The clinic is covered by the substance abuse regulations. The clinic cannot release information for reimbursement purposes absent consent. It can release such information to the shelter, which already knows he/she is an addict. The person claiming to be a relation cannot receive any substance abuse information absent patient consent. DHHR may not release any information outside DHHR without patient consent. The notification of next of kin only applies after involuntary commitment to a mental health facility. If the patient objects, the information cannot be released. The HIPAA Privacy Rule provides for uses and disclosures of protected health information that require an opportunity for the individual to agree or to object.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA - Notice of Privacy Practices; State Law - Chapter 27; Other Federal Law - 42 CFR Federal Law; Substance Abuse Regs 42 CFR, Part 2, Subpart D; HIPAA Regs 45 CFR 164.506; 522(a); WV Code 27-3-1; 27-5-9(e); HIPAA Privacy Rule 45 CFR 164.510(b).

BP4


Scenario 18. Health Oversight: legal compliance/government accountability

BP#

The Governor's office has expressed concern about compliance with immunization and lead screening requirements among low income children who do not receive consistent health care. The state agencies responsible for public health, child welfare and protective services, Medicaid services, and education are asked to share identifiable patient level health care data on an ongoing basis to determine if the children are getting the healthcare they need. Because of the complexity of the task, the Governor has asked each agency to provide these data to faculty at the state university medical campus who will design a system for integrating and analyzing the data.

Columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Domain; Classification (Barrier v. Not a Barrier); Policy: Short Description; Policy: Long Description

BP1 (one row per domain; all rows carry the same short name and long description)
Business Practice Short Name: WV 001 S 18
Business Practice Long Description: Our clinic would not participate in this project until patients had been informed and gave permission to share this information. We would, however, provide this information without personal identifiers or addresses for a study to determine where there may be problems.
Scenario: Scenario 18 Health Oversight
Domain: 1. User and entity authentication (Classification: Barrier to interoperability)
Domain: 2. Information authorization and access controls (Classification: Barrier to interoperability)
Domain: 3. Patient and provider identification (Classification: Not a barrier to interoperability)
Domain: 4. Information transmission security or exchange protocols (Classification: Barrier to interoperability)
Domain: 6. Information audits that record and monitor activity (Classification: Barrier to interoperability)
Domain: 7. Administrative or physical security safeguards (Classification: Barrier to interoperability)
Domain: 8. State law restrictions (Classification: Barrier to interoperability)
Domain: 9. Information use and disclosure policy (Classification: Barrier to interoperability)

BP2
Business Practice Short Name: WV 002 S 18
Business Practice Long Description: As a payer, our research staff would need to set this up as a designated research process. Medicaid would be able to disclose PHI but would have to de-identify the info. We are asked by HCA all the time to give them info; we have a BA with them.
Scenario: Scenario 18 Health Oversight
Domain: 9. Information use and disclosure policy
Classification: Barrier to interoperability


Scenario 18. Health Oversight: legal compliance/government accountability

Columns: BP#; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

BP1
Stakeholder Organization: Community clinics and health centers
Relevant Law (Legal Driver) -- Narrative: 1. HIPAA permits disclosure of protected health information for public health activities only to a public health authority that is authorized by law to collect or receive such information.
Relevant Law (Legal Driver) -- Reference Code/Statute: 1. HIPAA Privacy Rule 45 CFR 164.501 and 164.512(b)(1)
Solution: 1. Enactment of state law that authorizes a public health authority as defined in the HIPAA Privacy Rule to collect or receive protected health information for the defined purpose described in the scenario.

BP2
Stakeholder Organization: Payers
Relevant Law (Legal Driver) -- Narrative: HIPAA BAA and Research requirements. The HIPAA de-identification option is also an option without getting a BAA or IRB approval.
Relevant Law (Legal Driver) -- Reference Code/Statute: HIPAA Privacy Rule
