Re: Be Careful - You May Be Violating HIPAA
Title: Re: Be Careful - You May Be Violating HIPAA
Creator: AOPA
Date: 4/30/2003
Text:
Paul,
We're pleased to provide the following guidelines for listserv postings.
General Guidance on Posting Messages to a Listserv:
As of April 14, 2003, the compliance date for the HIPAA Privacy rule,
e-mails posted to this listserv must not violate HIPAA regulations.
The Privacy rule does not permit disclosure of a patient's protected
health information (PHI) for purposes other than treatment, payment or
health care operations without the patient's authorization. PHI does
not have to directly identify an individual. If the information
contained in an e-mail is specific enough that one can infer the
identity of the individual, it is considered PHI and subject to HIPAA
regulations.
While you are allowed to exchange PHI with another health care provider
for the purposes of treatment, you cannot be sure that all subscribers
to this listserv are health care providers. Further, the new HIPAA
Security rule also contains specific guidelines about ensuring the
security of PHI that is transmitted through e-mail.
Does this mean you can't use the listserv to ask important questions
about treatment or seek advice from other practitioners? Not at all.
There are a number of ways to handle treatment questions through the
listserv that do not violate the HIPAA Privacy or Security rules.
The American Orthotic & Prosthetic Association (AOPA) recommends that
you ask general questions that do not refer to specific patients. For
example, "What kind of orthotic device should I use for diabetic
patients with...?" If you must refer to a specific patient in your
email, then HIPAA requires that you have the patient's written
authorization. You should note this fact in your emails: "My patient
has authorized me to ask the following question...."
This interpretation of the HIPAA guidelines for posting messages to a
listserv was developed by experts at the American Orthotic & Prosthetic
Association (AOPA) which operates thanks to the financial support of
over 1550 dues paying member companies. AOPA has been delivering
successful, cost-effective business products and solutions for over 85
years.
AOPA Knows the Business of O&P. Join today at www.aopanet.org!
-----Original Message-----
From: Paul E. Prusakowski [mailto:<Email Address Redacted>]
Sent: Monday, April 28, 2003 10:06 AM
To: <Email Address Redacted>
Subject: Re: [OANDP-L] Be Careful - You May Be Violating HIPAA
Dear Virginia,
Maybe you could demonstrate AOPA's concern for the advancement of the
profession and industry by sharing this knowledge with all the
subscribers of the oandp-l listserver within a few postings. This would
be very helpful to everyone, and also very much appreciated by me as
moderator. This would be a great benefit to all those trying to perform
the best patient care that they can, and also save someone else the
trouble of interpreting your response to them and posting it publicly to
the entire listserv. I think it would also be a great marketing
opportunity for you to demonstrate AOPA's incredible knowledge of the
HIPAA topic to the entire O&P community by sharing this one piece with
the online professional community as a freebie.
Maybe other members of the listserv who are also AOPA members would like
to comment to you privately to encourage this sharing of information
which would be of incredible value to the profession and most
importantly to the patients we serve. In the spirit of the oandp-l
listserv, sharing of information for the benefit of elevating patient
care and the advancement of the profession is a win-win for everyone. I
hope that you are willing to take advantage of this opportunity to help
ensure that practitioners are properly educated on how to properly
discuss patient care issues without putting themselves at risk for any
sort of HIPAA violation.
Sincerely,
Paul E. Prusakowski, CPO
Moderator
-----Original Message-----
From: Orthotics and Prosthetics List [mailto:<Email Address Redacted>] On
Behalf Of AOPA
Sent: Friday, April 25, 2003 2:53 PM
To: <Email Address Redacted>
Subject: Re: Be Careful - You May Be Violating HIPAA
Some of you have expressed concern that the example in our HIPAA e-mail
was far-fetched and only a marketing ploy. Below, please see our reply
to one such posting and the reasons why certain messages on this
listserv could cause HIPAA compliance problems. If you are still
concerned, please do not hesitate to contact us directly. -- AOPA
Mr. Foster:
You stated, "...you can discuss all the PHI you want, except the parts
that are readily identifiable to a particular person (e.g. SSN, names,
address, phone# etc.)."
Your statement is not accurate. Protected health information (PHI) does
not have to directly identify an individual. If the information is
specific enough that you can infer the identity of the individual, it is
considered PHI and subject to HIPAA regulations.
In the case that we used, "Patient is a 2 year old child with a disorder
that causes her limbs to be 3 times the size of a normal child...," the
information is specific enough that a person familiar with the facility
or practitioner can easily identify the patient.
The Privacy rule (section 164.506(c)) states that a HIPAA covered entity
may use or disclose PHI for its own treatment, payment, or health care
operations, or for the treatment activities of any health care provider.
Asking a question on a very public listserv that is accessed by non
health care providers is not going to fit within either of those
permissible disclosures. This is akin to standing in a public hallway
in a hospital and shouting out to a crowd that you want to know how to
treat your 2 year old patient that has a disorder that causes her limbs
to be 3 times the size of a normal child.
Also, the HIPAA Security rule is going to require that you keep email
communications containing PHI secure. A listserv is not a secure forum
in which to discuss PHI.
It is part of AOPA's mission to provide education concerning HIPAA
regulations. While you are not at risk for violating HIPAA as an
individual employee, by your actions the facility that employs you could
face civil and monetary penalties for violating HIPAA regulations. This
is something AOPA is striving to prevent.
There are ways to ask a question on the listserv about treating a
specific condition that do not violate the HIPAA Privacy or Security
rules. We are pleased to have your facility as an AOPA member and are
happy to discuss these methods with you. You might also consider
attending the AOPA HIPAA Seminar on May 2.
Sincerely,
Virginia Torsch
Manager, Regulatory Affairs
AOPA
--------------------------------------------------------------
American Orthotic & Prosthetic Association T 571.431.0876
330 John Carlyle St, Ste 200 F 571.431.0899
Alexandria, VA 22314 www.aopanet.org
AOPA Knows the Business of O&P. Become a member today!
Citation
AOPA, “Re: Be Careful - You May Be Violating HIPAA,” Digital Resource Foundation for Orthotics and Prosthetics, accessed November 2, 2024, https://library.drfop.org/items/show/221096.