HIPAA Medical Consent Form


7/27/2019 HIPAA Medical Consent Form (page 1 of 63)

PRIVACY AND SECURITY Scenario 1. Patient Care Scenario A

Scenario 1 - Patient Care A

Patient X presents to the emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89-year-old widow who appears very confused. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X's prior diagnosis and treatment during the inpatient stay.

Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

BP1 (Short Name: WV 001 S 1)
Business Practice Long Description: Our hospital staff (nurse, doctor) would first validate if there is PHI in the pt's records. If not, we would fax minimum necessary for treatment without an authorization. If PHI is in the record, we would determine if the daughter was the medical power of attorney. If yes, we would validate her signature and then have her sign a release to send the protected info. If not, we would have a physician or nurse sign authorization and send, after validating who we are speaking to at the other facility by a call back. We use a role-based access process in which Directors/Managers/IT Security/& Privacy collaborate. We have a signed OHCA (Organized Healthcare Arrangement) with 2 other local facilities and share information for patient care purposes; however, we do not release one another's information to those outside of our OHCA. We do have audit capabilities on systems. Random audits are performed. We use Tessa locks on doors.
Scenario: Scenario 1 - Patient Care A
Rows by domain (each classified Barrier to interoperability):
  3. Patient and provider identification
  4. Information transmission security or exchange protocols
Policy: Short Description: Uses & Disclosures of Protected Health Information & Disclosure of PHI Minimum Necessary
Policy: Long Description (right edge cut off in the scan): Release to H... / without patie... / phone verific... / care instituti... / completed re... / uses of, disc... / necessary to... / Exceptions i... / Use or disclo... / specific (det... / HIPAA elect... / victims of ab... / compensatio...

BP2 (Short Name: WV 002 S 1)
Business Practice Long Description: ER staff (nurse, doctor, or clerk) would call the hospital and advise that they were faxing a request for medical records. If necessary, the staff would obtain authorization from the POA of the responsible party. Verbal confirmation by phone followed by faxed written request and authorization. There is security of exchange protocols for faxing information. No encryption.
Scenario: Scenario 1 - Patient Care A
Rows by domain (each classified Not a barrier to interoperability):
  2. Information authorization and access controls
  3. Patient and provider identification
  ... transmission security or exchange (domain number cut off in the scan)
  ... protection (against improper ... (domain number and remainder cut off in the scan)
Policy: Short Description: Facsimile Machines and PHI P&P
Policy: Long Description (right edge cut off in the scan): Standard co... / corrected im... / party the phy...

PRIVACY AND SECURITY Scenario 1. Patient Care Scenario A (continued, page 2 of 63)

Continuation columns for the Scenario 1 rows (BP1, BP1, BP2, BP2, BP2, BP2): Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute

BP1 rows
Relevant Law -- Narrative: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney, and we do not agree that the minimum necessary standard applies in this situation. These should not be barriers to interoperability.
Original: Federal Register 164.502 Uses and disclosures of protected health information: general rules; hospital policy.
One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information.
Relevant Law -- Reference Code/Statute: 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5). HIPAA Security Technical Safeguards 45 CFR 164.312.

BP2 rows
Relevant Law -- Narrative: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney. This should not be a barrier to interoperability.
One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when the PHI contains mental health information.
Original: HIPAA - Privacy and State Law - Appointment of Health Care Decision Maker
Relevant Law -- Reference Code/Statute: 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5)

PRIVACY AND SECURITY Scenario 2. Patient Care Scenario B (page 4 of 63; page 3 of the scan is blank)

Continuation columns for the Scenario 2 rows (BP1, BP1, BP2, BP2, BP2, BP3): Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

Stakeholder Organization: Hospitals
Relevant Law -- Narrative: Confidentiality of Alcohol and Drug Abuse Patient Records requires patient consent for disclosure and redisclosure of substance abuse records.
Relevant Law -- Reference Code/Statute: 42 CFR 2.32 and 2.33

Stakeholder Organization: Hospitals
Relevant Law -- Narrative: Consent is the key to releasing substance abuse information to third parties, even to other providers. When a patient enters a state hospital, we try to get them to agree to a generalized consent to release information for treatment, payment and health care operations. As a general matter, substance abusers do not have personal [text cut off in the scan]
Relevant Law -- Reference Code/Statute: Substance Abuse Regs. 42 CFR Part 2, Subpart B; HIPAA Regs. 45 CFR §164.506(b); 503(g); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).
Solution: Maximize use of general consents for treatment, payment and health care operations for patients with substance abuse and/or mental illness entering healthcare facilities under HIPAA Reg §164.506(b).

Stakeholder Organization: State government
Relevant Law -- Narrative: State law requires DHHR to obtain consent for disclosure of mental health information for treatment. WV law also requires all providers to obtain patient consent for payment and operations.
Relevant Law -- Reference Code/Statute: WV Code 27-5-9(e)
Solution: Repeal Section §27-5-9(e). Amend §27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent. WV Code 27-3-1

Stakeholder Organization: Correctional
Cause: The identified business practice does identify barriers to interoperability.
Relevant Law -- Narrative: One health care provider cannot disclose PHI of a patient to another health care provider for routine treatment purposes without a signed authorization when drug or alcohol abuse treatment is involved; an authorized disclosure may not be re-disclosed; proper verification and security procedures must be followed.
Relevant Law -- Reference Code/Statute: 45 C.F.R. 164.310; 164.312; 164.512(k)(5); 42 C.F.R. 2.1; 2.2; 2.32; 2.51; W. Va. Code 27-3-1(b)(5)

PRIVACY AND SECURITY Scenario 2. Patient Care Scenario B (page 5 of 63)

Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

BP5 (Short Name: WV 005 S2)
Business Practice Long Description: In Workers Comp., we refer pts to specialists but our staff only send them what they need to know to treat the pt. WC makes the referral and sends all the info on a CD. We have electronic capabilities and this can be reviewed on the internet. We provide an ID and password to the provider so they can access just what they need to on that pt.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls

PRIVACY AND SECURITY Scenario 2. Patient Care Scenario B (continued, page 6 of 63)

Continuation columns for row BP5: Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

BP5
Stakeholder Organization: Payers
Relevant Law -- Reference Code/Statute: Possibly Federal Substance Abuse Regulations 42 CFR Part 2

PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (page 7 of 63)

Scenario 3 - Patient Care C

[beginning of the scenario text cut off in the scan] ...psych unit to the nursing home. At the time of the patient's transfer, the discharge summary and other pertinent records were electronically transmitted to the nursing home. Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system. Dr. X completes his visit and prepares to complete his documentation. Unable to access the long-term care facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service.

The assessment is transcribed and posted to a secure web portal. The next morning, from his home computer, Dr. X checks his e-mail and receives notification that the assessment is available. Dr. X logs into the portal, reviews the assessment, and applies his electronic signature. Later that day, Dr. X's Office Manager downloads this assessment from the web portal, saves the document in the patient's record in his office and forwards the now encrypted document to the long-term care facility via e-mail. The long-term care facility notifies Dr. X's office that they are unable to open the encrypted document because they do not have the encryption key.

Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description)

BP1 (Short Name: WV 001 S3)
Business Practice Long Description: In our hospital, all clinical staff are given logins and passwords to use applicable data systems. Passwords limit the user's ability to read access only if they are not in a position to need to add, edit, or update information. Electronic user logs are maintained on the mainframe. Medical staff must use specific transcription resources to insure that security is maintained and acceptable document formatting is used. Individual-specific passwords and logins are used, which limits access on a need-to-know basis. Staff are instructed not to share passwords and logins. All sensitive information is encrypted prior to exchange over an electronic communications network.
Scenario: Scenario 3 - Patient Care C
Rows by domain (each classified Barrier to interoperability):
  1. User and entity authentication
  2. Information authorization and access controls
  3. Patient and provider identification
  4. Information transmission security or exchange protocols
  7. Administrative or physical security safeguards
  8. State law restrictions
  9. Information use and disclosure policy

RTI International
Privacy and Security Contract No. 290-05-0015 Page 7 of 63 166337667.xls.ms_office

PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (continued, pages 8 and 9 of 63)

Continuation columns for the seven BP1 rows: Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

BP1 rows
Stakeholder Organization: Hospitals
Cause: The classification of privacy and security domains 1, 2, 3, 4, and 7 as barriers to interoperability appears appropriate in this scenario due to the numerous issues related to EHR access. Classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent.
Relevant Law -- Narrative: Psychiatrist without electronic access privileges and rights requests review of the patient's EHR containing information from a recent hospital stay. Use of the psychiatrist's picture identification badge met physical control requirements for access to the health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. The psychiatrist receives the report via the Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of the encryption key prevents delivery.
Relevant Law -- Reference Code/Statute: HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.

PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (page 10 of 63)

Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description)

BP2 (Short Name: WV 002 S3)
Business Practice Long Description: Our hospital practice and policies are that physicians, or other practitioners who are not credentialed by our facility, do not have access to patient care areas, or to the system.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
Policy: Short Description: Medical Staff By-Laws, Articles VI (Procedure for Appointment) and VII (Clinical Privileges)

BP3 (Short Name: WV 003 S3)
Business Practice Long Description: Long term care facilities do not usually have locked psych units. However, assuming that the physician entered the skilled nursing facility and attempted to view the patient's EHR, expected policies and procedures should address authorizing privileges, access to medical records, inoperative computer systems and building access prior to the physician's first visit. There should be a Business Associate Agreement with any "offshore transcription service" ensuring compliance with Privacy and Security Laws, with authorization for monitoring for compliance. No PHI should be transmitted without 128-bit encryption capability with read-only capability. Also, there should be a P&P for use of the physician's electronic signature.
Scenario: Scenario 3 - Patient Care C
Rows by domain (classification per row):
  1. User and entity authentication: Barrier to interoperability
  2. Information authorization and access controls: Barrier to interoperability
  3. Patient and provider identification: Barrier to interoperability
  ... transmission security or exchange protocols (domain number cut off in the scan): Barrier to interoperability
  ... protection (against improper modification) (domain number cut off in the scan): Barrier to interoperability
  6. Information audits that record and monitor activity: Not a barrier to interoperability
  7. Administrative or physical security safeguards: Barrier to interoperability
  8. State law restrictions: Not a barrier to interoperability
Policy: Short Description: Business Associate Agreements

PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (continued, pages 11 and 12 of 63)

Continuation columns for row BP2 and the eight BP3 rows: Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

BP2 row
Policy: Long Description: These describe the procedures for applying to the staff for membership and clinical privileges assigned with such.
Stakeholder Organization: Hospitals
Cause: This business practice analysis only identifies privacy and security domain 4 as a barrier; the exchange and encryption of the information supports this classification. Given the complexity of this scenario, the classification of privacy and security domains 1, 2, 3, and 7 would also appear appropriate due to the numerous issues related to EHR access. In addition, classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent. This stakeholder's business practice highlights the issue of credentialing and the administrative controls inherently contained within these policies. In addition, this business practice points out the alternative of faxing, although physical and technical information [text cut off in the scan]
Relevant Law -- Narrative: same text as for the BP1 rows (Psychiatrist without electronic access privileges and rights requests review of the patient's EHR ... although lack of the encryption key prevents delivery).

BP3 rows
Stakeholder Organization: Long term care facilities and nursing homes
Relevant Law -- Narrative (one entry per row, in the order shown):
  HIPAA Security regs require person or entity authentication.
  HIPAA Security regs make encryption addressable.
  HIPAA Security Rule
  HIPAA Security Rule
  HIPAA Security Rule
  HIPAA Security regs make access control and validation procedures addressable and require workstation security.
  The HIPAA Security and Privacy Regs require Business [text cut off in the scan]

Relevant Law -- Reference Code/Statute and Solution entries for rows BP2 and BP3 (in the order shown on page 12):
  HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
  Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing [text cut off in the scan]
  HIPAA - 164.506 TPO; State Law - 64-CSR-12-14; Professional Standards - Medical Staff
  HIPAA Security Regs, 45 CFR 164.312 (two rows)
  HIPAA Security Rule, 45 CFR 164 Part C (three rows)
  HIPAA Security Regs 45 CFR 163.310(a)(2)(iii); 164.310(c); 164.308(b)(1).

PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (page 13 of 63)

Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description)

BP3 (Short Name: WV 003 S3), additional row
Domain: 9. Information use and disclosure policy
Classification: Barrier to interoperability

BP4 (Short Name: WV 004 S3)
Business Practice Long Description: In our physician group, as long as no HIPAA laws were broken and a No Restriction form was signed, this procedure is under the covered entity of patient care. Use Tracking form and initial all documents placed in the chart. User ID and password are needed.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Policy: Short Description: HIPAA

BP5 (Short Name: WV 005 S3)
Business Practice Long Description: LTC has business associate agreements in effect for different services with state businesses. The BA agreement is a 1-page document that spells out how you limit the area of exchange and limits sharing of information. Even temp employees must meet the credentialing process. LTC has contracts with physicians but has no badges; everyone knows everyone here; it's small.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols

BP6 (Short Name: WV 006 S3)
Business Practice Long Description: Corrections has a BA agreement for billing purposes but not for sharing of information. Correctional Medical Services (in all WV prisons) have access to health records. The reliability of the info exchange is in the hands of the sender; we rely on what they say; no verification process. Temps at corrections have limited access to Med Records; once he has left the place, he can't get access to info again. But they all get FBI background checks, photo ID, sign in and sign out.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols

PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C (continued, pages 14 and 15 of 63)

Continuation columns for rows BP3, BP4, BP5 and BP6: Policy: Long Description; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute; Solution

BP3 row
Policy: Long Description: HIPAA Security Rule
Relevant Law -- Reference Code/Statute: HIPAA Security Rule, 45 CFR 164 Part C

BP4 row
Policy: Long Description: EHR Transfer, personal identity, password failure, failure to provide encryption code
Stakeholder Organization: Physician groups
Cause: The business practice analysis generally asserts that this is a barrier to interoperability if HIPAA laws are broken. In addition, the implication is that this business practice would be covered by the HIPAA construct of TPO. However, there is recognition within the business practice analysis that several issues arise from patient transfer, identity, password, and encryption failures that are described within the scenario. As such the classification by this stakeholder as a barrier based on [text cut off in the scan]
Relevant Law -- Narrative: Original: HIPAA privacy and covered entity, regulation of rules of nursing facility, Case - Psych patient, Federal - overseas transmissions.
Psychiatrist without electronic access privileges and rights requests review of the patient's EHR containing information from a recent hospital stay. Use of the psychiatrist's picture identification badge met physical control requirements for access to the health facility. The psychiatrist's inability to access EHR systems [text cut off in the scan]
Relevant Law -- Reference Code/Statute: HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14,
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.

BP5 row
Stakeholder Organization: Long term care facilities and nursing homes
Relevant Law -- Narrative: Access to electronic information controlled by HIPAA Security Rule Technical Safeguards.
Relevant Law -- Reference Code/Statute: HIPAA Security Rule 45 CFR 164.312.

BP6 row
Stakeholder Organization: Correctional facilities
Cause: The business practice analysis does not identify any of the privacy and security domains as a barrier. The classification by this stakeholder is unassigned. In fact, the likelihood of a correctional system inmate being placed in a nursing home is remote. In addition, the business practice long description emphasized the application and importance of business associate agreements and the correctional system's reliance on these agreements to ensure compliance. However, these agreements are not designed to obviate the need for proper administrative, technical, and physical controls for protected health information. Given this observation, the barriers previously identified for this scenario would have to be considered as barriers in this scenario.
Relevant Law -- Narrative: Psychiatrist without electronic access privileges and rights requests review of the patient's EHR containing information from a recent hospital stay. Use of the psychiatrist's picture identification badge met physical control requirements for access to the health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. The psychiatrist receives the report via the Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted email to the medical facility, although lack of the encryption key prevents delivery.
Relevant Law -- Reference Code/Statute: 1. HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may provide a methodology for [text cut off in the scan]

PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D (page 16 of 63)

Scenario 4 - Patient Care D

Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women's Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene because other family members have had breast cancer.

Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

BP1 (Short Name: WV 001 S4)
Business Practice Long Description: Our clinic follows state law, which does not allow the transmittal of HIV information without the consent of the patient. Also, this information is not supposed to be kept in the patient chart. This is problematic in paper records, because it causes providers to keep a secret registry. In electronic records, this is handled in some cases by a provider making a decision to make this information available to other providers. The interface of the electronic record should inform the patient of his/her rights under the law and allow the patient to designate which information would be available. In paper systems this is incredibly hard to enforce. In electronic systems, access can be granted to certain information, but users end up using common passwords because it is not always the provider who can get the information needed and take care of the patient.
Scenario: Scenario 4 - Patient Care D
Rows by domain (classification per row):
  1. User and entity authentication: Barrier to interoperability
  2. Information authorization and access controls: Not a barrier to interoperability
  8. State law restrictions: Not a barrier to interoperability
  9. Information use and disclosure policy: Barrier to interoperability
Policy: Short Description: Confidential Information Policy
Policy: Long Description: Takes a global approach to medical information. Who has access to the information. Who makes the decision to release the information. Consent forms for releases. Special considerations for certain laws governing HIV, Mental Health, etc.

BP2 (Short Name: WV 002 S4)
Business Practice Long Description: Our hospital staff, which may include physician, nurse, clerk, NP, PA, would release the minimum necessary information for treatment excluding the HIV information unless the pt provides authorization. If not emergent, we ask for signed authorization which includes HIV authorization.
Scenario: Scenario 4 - Patient Care D
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy: Short Description: Confidentiality of PHI
Policy: Long Description: The presence of any behavioral medicine patient at our facility and any and all details of the treatment process of any patient shall be maintained as confidential. For the purposes of confidentiality, protected information i.e. [text continues beyond this page]

    drug, ETOH, STD (HIV), and behavioral

    health, and specific releases are

    required.

    PRIVACY AND SECURITY Scenario 4 Patient Care Scenario D

  • 7/27/2019 Hippa Medical Consent Form

    17/63

    PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D

    DRAFT

    BP#

    BP1

    BP1

    BP1

    BP1

    BP2

    DRAFT DRAFT DRAFT

    Stakeholder

    Organization

    Specify Other

    Stakeholder (if

    applicable)

    Cause Relevant Law (Legal Driver) -- NarrativeRelevant Law (Legal Driver) --

    Reference Code/Statute

    Community clinics

    and health centers

    HIPAA Security Regs require person or

    entity authentication.

    HIPAA Security Regs, 45 CFR

    164.312

    Misinterpretation of state law. No

    consent is required for the disclosure of

    the PHI for treatment purposes. WV law

    specifically allows the disclosure of HIV

    PHI for treatment of the individual.

    WV Code 16-3C-2, 16-3C-3(a)(5),

    and 16-3C-4.

    Hospitals

    Misinterpretation of state law and HIPAA.Minimum necessary requirement does

    not apply to disclosures for treatment and

    there is no authorization requirement for

    disclosure of the PHI for treatment

    purposes in HIPAA or state law.

    WV Code 16-3C-2, 16-3C-3(a)(5),and 16-3C-4. HIPAA Privacy Regs 45

    CFR 164.506 and 164.502(b).

BP3 (WV 003 S4)
  Business practice: In the workers' compensation arena, by filing a claim and signing the injury report form a patient authorizes any physician to release to or orally discuss with the employer or authorized agent of the carrier any medical records pertaining to the occupational injury or illness for which he/she is claiming benefits and any prior injury to or disease of the portion of the body for which he/she is alleging a medical impairment. Only authorized carrier staff, employer staff, providers and the patient have access to the electronic record. We use a system with security parameters set based on individual job-related need for access. Password required. Claimant, employer and provider access is limited to specific claim information only. Provider access can be further limited for a specific period of time. Carrier employees are required to sign a security policy agreement. We employ transmission protection such as VPN and encryption for outside network access.
  Scenario: Scenario 4 - Patient Care D
  Classification by domain:
    2. Information authorization and access controls: Barrier to interoperability
  Stakeholder organization: Payers
  Relevant law (legal driver): No legal requirements. WC provides privacy and security of information as a corporate decision. Reference: None.

PRIVACY AND SECURITY Scenario 5. Payment Scenario

DRAFT

Scenario 5 - Payment

X Health Payer (third party, workers compensation, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.). The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider's workforce members and medical staff members and their office staff. X Health Payer is requesting access to the EHR by its case management staff to approve/authorize inpatient encounters.

BP1 (WV 001 S 5)
  Business practice: Our hospital security officer would allow the payer to have access to the EHR through a secure web portal. Only the requested records would be accessible, and only the minimum necessary information.
  Scenario: Scenario 5 - Payment
  Classification by domain:
    2. Information authorization and access controls: Barrier to interoperability
  Policy (short): Information Security Policy & Remote Access
  Policy (long): Access to information in the possession or the control of our facility must be provided based on the need to know and the minimum necessary to perform essential functions. Information must be disclosed only to people or entities who have a legitimate need. The privileges granted to all users must be periodically reviewed. Unless it has specifically been deemed public, all internal information must be protected from disclosure to third parties. Third parties may be given access to internal information only when a demonstrable need to know exists, when a Data Use Agreement or Business Associate Agreement has been signed, and when such an agreement has been expressly authorized by the relevant information Owner. If sensitive information is suspected of being lost or disclosed to unauthorized parties, the information Owner and the Compliance Officer must be notified immediately. All third parties are responsible for securing their private networks from our network. In no case shall network-to-network connectivity be allowed without appropriate security technology. Some type of security mechanism shall exist between our network and any third party.
  Stakeholder organization: Hospitals
  Relevant law (legal driver): Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule minimum necessary standard and the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements. Reference: HIPAA Privacy Rule 45 CFR 164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule 45 CFR 164.312.

BP2 (WV 002 S 5)
  Business practice: Our company would limit access to specific pieces of information related to the payer's claim and would allow the needed transfer of health information for payment purposes. User authentication, legal agreement and hardware/software authentication would be required to validate that access is provided only to the intended user. Security parameters would further limit access to read only. Access would be provided only to personnel of the payer needing information for job functions. Record linking methods are required to match certain information, such as patient name, date of birth, and date of service, to allow payer access only to pertinent information. Transmission protection such as VPN, encryption and network security is required for access to information. A data use agreement would be in place.
  Scenario: Scenario 5 - Payment
  Classification by domain:
    8. State law restrictions: Barrier to interoperability
  Stakeholder organization: Payers
  Relevant law (legal driver): Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule minimum necessary standard and the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements. Reference: HIPAA Privacy Rule 45 CFR 164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule 45 CFR 164.312.

BP3 (WV 003 S 5)
  Business practice: Our business office personnel would request access to the EHR. This would automate a process that is now manual. The system needs to let us request and receive the minimum necessary information for the situation. The provider would benefit by receiving an automated approval/authorization from us. The more providers connected to a common system/network, the more efficient the process is for us and the providers. The patient benefits from the faster approval/authorization of inpatient encounters, the provider has less or no staff time involved in fulfilling the request, and we have less burdensome processes in handling the approval/authorization. This eliminates the problem of lost, misrouted, or stolen records and reduces shipping and transportation costs.
  Scenario: Scenario 5 - Payment
  Classification by domain:
    2. Information authorization and access controls: Barrier to interoperability
  Stakeholder organization: Payers
  Relevant law (legal driver): HIPAA minimum necessary requirements. Reference: HIPAA Privacy Regs, 45 CFR 164.514.
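The controls the Scenario 5 respondents describe (payer access scoped to a claim by record linking on patient name, date of birth and date of service; read-only access; only the minimum necessary fields; a data use agreement; everything logged) and the Scenario 4 practice of withholding HIV and behavioral-health information unless the patient has signed a specific release can be expressed as one enforcement point. The following is an added example for this editing pass, not code from the RTI/HISPC assessment or from any West Virginia respondent. The field names, the role name `payer_case_manager`, the `PAYMENT_FIELDS` set, the `ClaimAuthorization`/`User`/`PayerPortal` types and all sample records are assumptions made for the illustration.

```python
"""Claim-scoped, minimum-necessary release for a payer portal (added example;
not code from the RTI/HISPC assessment or any respondent. Field names, roles,
the minimum-necessary field set and all sample data are assumptions)."""
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Fields treated as the minimum necessary for an inpatient authorization
# review (assumed policy; a covered entity makes its own determination).
PAYMENT_FIELDS = frozenset({"patient_name", "date_of_birth", "date_of_service",
                            "encounter_type", "admitting_diagnosis", "procedure_codes"})


@dataclass(frozen=True)
class ClaimAuthorization:
    """A claim the payer may review, plus categories the patient released."""
    claim_id: str
    patient_name: str
    date_of_birth: date
    date_of_service: date
    special_release: frozenset = frozenset()   # e.g. {"HIV"} after a signed release


@dataclass(frozen=True)
class User:
    user_id: str
    role: str            # only "payer_case_manager" may use the portal
    claims: frozenset    # claim_ids assigned to this user


class AccessDenied(Exception):
    pass


class PayerPortal:
    def __init__(self, records, claims):
        self.records = records                        # record_id -> dict
        self.claims = {c.claim_id: c for c in claims}
        self.audit_log = []                           # the "master security log"

    def _audit(self, user, action, record_id, outcome, detail):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user.user_id, "action": action, "record": record_id,
                               "outcome": outcome, "detail": detail})

    def _linked_claim(self, user, record):
        """Record linking: name, DOB and date of service must all match a claim."""
        key = (record["patient_name"], record["date_of_birth"], record["date_of_service"])
        for claim_id in user.claims:
            claim = self.claims.get(claim_id)
            if claim and (claim.patient_name, claim.date_of_birth, claim.date_of_service) == key:
                return claim
        return None

    def read(self, user, record_id):
        """Return (released_fields, withheld_categories); every decision is logged."""
        record = self.records.get(record_id)
        claim = None
        if record is not None and user.role == "payer_case_manager":
            claim = self._linked_claim(user, record)
        if claim is None:
            self._audit(user, "read", record_id, "denied", "no record linked to an authorized claim")
            raise AccessDenied(record_id)
        released = {k: v for k, v in record.items() if k in PAYMENT_FIELDS}
        withheld = []
        # Specially protected categories ride only on a specific release,
        # never on the general payment permission.
        for category, content in record.get("special_categories", {}).items():
            if category in claim.special_release:
                released[category.lower() + "_information"] = content
            else:
                withheld.append(category)
        self._audit(user, "read", record_id, "allowed",
                    "claim=%s withheld=%s" % (claim.claim_id, sorted(withheld)))
        return released, sorted(withheld)

    def write(self, user, record_id, changes):
        """Payer access is read-only: every write attempt is refused and logged."""
        self._audit(user, "write", record_id, "denied", "payer access is read-only")
        raise AccessDenied(record_id)


def build_demo(special_release=frozenset()):
    """Constructed sample data: fictitious patients, one claim, one case manager."""
    common = {"date_of_service": date(2006, 5, 1), "encounter_type": "inpatient"}
    records = {
        "ENC-1001": dict(common, patient_name="Patient X", date_of_birth=date(1962, 4, 9),
                         admitting_diagnosis="chest pain", procedure_codes=["99223"],
                         ssn="000-00-0000",          # never part of the minimum necessary
                         special_categories={"HIV": "HIV positive, on antiretrovirals",
                                             "BEHAVIORAL_HEALTH": "PHQ-9 score 14"}),
        "ENC-1002": dict(common, patient_name="Patient Y", date_of_birth=date(1970, 1, 1),
                         admitting_diagnosis="pneumonia", procedure_codes=["99222"],
                         special_categories={}),
    }
    claims = [ClaimAuthorization("CLM-7", "Patient X", date(1962, 4, 9), date(2006, 5, 1),
                                 frozenset(special_release))]
    return PayerPortal(records, claims), User("cm01", "payer_case_manager", frozenset({"CLM-7"}))
```

Calling `build_demo()` and then `portal.read(cm, "ENC-1001")` returns only the payment fields (the SSN is dropped) with `["BEHAVIORAL_HEALTH", "HIV"]` reported as withheld; `ENC-1002` is refused because it does not link to the case manager's claim; any `write` is refused; and `build_demo(special_release={"HIV"})` releases the HIV category while still withholding behavioral health. The point of the structure is that the three decisions the respondents keep separate (is this user entitled to this record, which fields are minimum necessary, which categories need a specific release) are made in one place and each outcome lands in the audit log, so a random audit of the kind the Scenario 1 respondent describes has something to read.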

PRIVACY AND SECURITY Scenario 6. RHIO Scenario

DRAFT

Scenario 6 - RHIO

The RHIO in your region wants to access data from all participating organizations (and their patients) to monitor the incidence and management of diabetic patients. The RHIO also intends to monitor participating providers to rank them for the provision of preventive services to their diabetic patients.

BP1 (WV 001 S 6)
  Business practice: For our association, as long as the patient data is aggregate or non-personally identifiable, there would be no problem sharing with the RHIO. Providers would be notified and given the opportunity to participate. If personal identifiers were required, there would be an IRB approval process and a patient informing process.
  Scenario: Scenario 6 - RHIO
  Classification by domain:
    1. User and entity authentication: Barrier to interoperability
    2. Information authorization and access controls: Barrier to interoperability
    3. Patient and provider identification: Not a barrier to interoperability
    5. Information protection (against improper modification): Not a barrier to interoperability
    6. Information audits that record and monitor activity: Not a barrier to interoperability
    8. State law restrictions: Barrier to interoperability
    9. Information use and disclosure policy: Barrier to interoperability
  Stakeholder organization: Professional associations and societies
  Relevant law (legal driver): HIPAA Security and Privacy Rules as a BA under contract. Reference: 45 CFR 164, et seq.
  Relevant law (legal driver): HIPAA Security and Privacy Rules as a BA under contract. IRB approval is not required under law for disclosure to a BA for TPO. Reference: 45 CFR 164, et seq.; 21 CFR Parts 50 and 56.
  Relevant law (legal driver): West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA. Reference: West Virginia Code Section 16-29G-8.
  Relevant law (legal driver): The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. However, the RHIO would operate as a business associate. Reference: HIPAA Privacy Rule 45 CFR Part 164, Subpart E; 45 CFR 164.504(e).

BP2 (WV 002 S 6)
  Business practice: QIOs can release this information with their CMS contracts, but if they have a research grant, they need to get IRB approval. They mostly give info out de-identified, if the contract permits.
  Scenario: Scenario 6 - RHIO
  Classification by domain:
    9. Information use and disclosure policy: Barrier to interoperability
  Stakeholder organization: Quality improvement organizations
  Relevant law (legal driver): The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA. Reference: HIPAA Privacy Rule 45 CFR Part 164, Subpart E. West Virginia Code Section 16-29G-8.

BP3 (WV 003 S 6)
  Business practice: Workers Comp has worked with a state agency to give this info out and also did work on a national level, but wouldn't give out identifiers.
  Scenario: Scenario 6 - RHIO
  Classification by domain:
    9. Information use and disclosure policy: Barrier to interoperability
  Stakeholder organization: Payers
  Relevant law (legal driver): No legal requirements. WC provides privacy and security of information as a corporate decision. Reference: None.

PRIVACY AND SECURITY Scenario 7. Research Data Use Scenario

DRAFT

Scenario 7 - Research Data Use

A research project on children younger than age 13 is being conducted in a double blind study for a new drug for ADD/ADHD. The research project is being reviewed by the IRB that presides over research protocols at the major medical center where the research investigators are located. The data being collected are all electronic and all responses from the subjects are completed electronically in the same database file. The principal investigator was asked by one of the investigators if they could use the raw data to track the patients over an additional six months or use the raw data collected for a white paper that is not part of the research protocol's final document for his post-doctoral fellow program.

BP1 (WV 001 S7)
  Business practice: Under home health law, the principal investigator would decline the request because the use of the data was not included in the original IRB. Home health law in WV is based on federal regulation and agencies must be compliant with the federal regulations. At times agencies participate in research activities and must remain compliant with the federal privacy requirements and also the requirements of the research entity with which they are involved. Therefore the utilization of data as outlined in the IRB would necessitate the information only to be used in the manner which was described.
  Scenario: Scenario 7 - Research Data Use
  Classification by domain:
    8. State law restrictions: Barrier to interoperability
  Stakeholder organization: Homecare and hospice
  Relevant law (legal driver): Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent. Reference: HIPAA Privacy Regs 45 CFR 164.502(g)(1-5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101-46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50-50.56. WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP2 (WV 002 S7)
  Business practice: Additional tracking and use of data is not permitted unless a second study has been approved through the IRB.
  Scenario: Scenario 7 - Research Data Use
  Classification by domain:
    1. User and entity authentication: Not a barrier to interoperability
    2. Information authorization and access controls: Not a barrier to interoperability
    3. Patient and provider identification: Not a barrier to interoperability
    4. Information transmission security or exchange protocols: Not a barrier to interoperability
    5. Information protection (against improper modification): Not a barrier to interoperability
    6. Information audits that record and monitor activity: Not a barrier to interoperability
    7. Administrative or physical security safeguards: Not a barrier to interoperability
    8. State law restrictions: Not a barrier to interoperability
    9. Information use and disclosure policy: Barrier to interoperability
  Policy (long): HIPAA Research Authorization, among many other items, includes: * The name or identification of the persons or class of persons authorized to receive disclosures of PHI and to use the PHI for research-related purposes. * A description of each purpose for the use or disclosure.
  Stakeholder organization: Medical and public health schools that undertake research
  Relevant law (legal driver): HIPAA - Privacy Rule; Other Federal Law - 45 CFR 46 Federal Human Subject Protection Rules.
  Relevant law (legal driver): Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, Reference: US DHHS Regs. governing human subject research: 45 CFR 46.101-46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50-50.56.

BP3 (WV 003 S7)
  Business practice: In our medical school, IRB approval must be sought (by the Principal Investigator) for either scenario; however, the nature of the request and the investigator responsibilities differ. To extend data collection an additional six months for a purpose not covered by the previously approved IRB protocol, the investigator must submit a new protocol covering this new purpose to the IRB for consideration. Since the proposal will be prospective, subjects will need to give their consent (or assent for children under the age of 18) to collect data for this second purpose. The new protocol, like the earlier protocol, would probably require a full-board review because the target population is a protected population, i.e., children under 13 years of age. To analyze the raw data previously collected under an approved IRB protocol could make a new protocol eligible for expedited consideration, depending on whether the raw data includes personal health information and sensitive information that if released could potentially cause harm. It is possible to request that the IRB waive consenting for existing data on the grounds that it would be impractical or unfeasible.
  Scenario: Scenario 7 - Research Data Use
  Classification by domain:
    2. Information authorization and access controls: Barrier to interoperability
  Stakeholder organization: Medical and public health schools that undertake research
  Cause: Tight control of human subject research with fully informed consent is current public policy. Sharing PHI data (whether for adults or children) without specific consent is contrary to current public policy governing research protocols. ** Please see attached word document for a fuller analysis of this scenario.
  Relevant law (legal driver): Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent. Reference: HIPAA Privacy Regs 45 CFR 164.502(g)(1-5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101-46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50-50.56. WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP4 (WV 004 S7)
  Business practice: In our agency, the protected health information in the research database would be covered by HIPAA, but HIPAA could be addressed with appropriate business associate relationships. The investigator would need to get approval of the additional research from his/her institutional review board. The original IRB would need to weigh whether granting access was permissible, and it would likely depend on the disclosures in the original informed consent. In the worst case, the new research would require new informed consent from the parents of all of the children.
  Scenario: Scenario 7 - Research Data Use
  Classification by domain:
    9. Information use and disclosure policy: Barrier to interoperability
  Stakeholder organization: Public Health agencies
  Relevant law (legal driver): Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent. Reference: HIPAA Privacy Regs 45 CFR 164.502(g)(1-5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101-46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50-50.56. WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

    PRIVACY AND SECURITY Scenario 8. Scenario For Access By Law Enforcement

    Scenario 8 - Law Enforcement: An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer arrives in the ER in addition to the patient's parents. The police officer requests a copy of the blood alcohol test results and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests are made to the ER staff. The patient is covered under their parents' health and auto insurance policy.

    Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

    BP#: BP 1; Business Practice Short Name: WV 001 S 8
    Business Practice Long Description: The expected result would be that since the child is an adult, the parents are not privy to his protected health information without his consent per HIPAA privacy regulations. The police officer can obtain a copy of the report without specific patient consent for determining proper charges. A person who operates a motor vehicle implicitly consents to testing to determine intoxication if there is just cause to believe the person is intoxicated. If a paper copy is provided to law enforcement, proper identification should be provided for user authentication. Fax submissions should contain a confidentiality statement and information on protocols if received by an unintended user. Electronic submissions should be encrypted. If the provider and law enforcement agency exchange information frequently, a data use agreement could be entered into.
    Scenario: Scenario 8 - Law Enforcement
    Classification: Not a barrier to interoperability
    Domain: 6. Information audits that record and monitor activity

    BP#: BP 1; Business Practice Short Name: WV 001 S 8
    Classification: Not a barrier to interoperability
    Domain: 7. Administrative or physical security safeguards

    BP#: BP 1; Business Practice Short Name: WV 001 S 8
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy

    BP#: BP2; Business Practice Short Name: WV 002 S 8
    Business Practice Long Description: In our agency, HIPAA and state confidentiality provisions would most likely prevent the parents obtaining the information without the adult patient's consent. The police officer could obtain the results in conjunction with his or her investigation of the accident.
    Scenario: Scenario 8 - Law Enforcement
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Business Practice Long Description: In our hospital, law enforcement personnel are denied access to patients unless they have a court order. Software access is limited by password. Each password has restrictions as to information which may be accessed. Through the use of third party software, all information is encrypted when being sent over the electronic communications network. Passwords have designated security clearances which define whether a user has no access, view only access, or has an ability to add, delete or modify information. A master security log is maintained on line to determine user access and the processes completed. Staff are required to use the organization's network for all I.S. activity. The network includes up to date security measures which protect against unauthorized access, introduction of dangerous items such as worms, and attempts by users to enter unauthorized areas.
    Classification: Barrier to interoperability
    Domain: 1. User and entity authentication

    RTI International Privacy and Security Contract No. 290-05-0015 Page 32 of 63 166337667.xls.ms_office

    Stakeholder and legal driver table for Scenario 8 (columns: BP#; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute)

    BP# (rows in order): BP 1; BP 1; BP 1; BP2; BP3

    Stakeholder Organization: Payers
    We agree with the identified business practice, but believe that a barrier to interoperability exists when the disclosure is to the parents, or when the disclosure to law enforcement is not required by law.
    Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access as required by law.
    Reference Code/Statute: Original: W. Va. Code 17C-5-4 & 17C-5-6; 45 C.F.R. 164.502(a)(1)(i); 164.502(g)(3)(i); 164.508(a)(1); 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 16-29-1; 17C-5-4; 17C-5-6

    Stakeholder Organization: State government
    As a 19 year old child is an adult, parents cannot access their child's PHI, without authorization, under state law and HIPAA.
    Reference Code/Statute: WV Code 16-29-1; Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992); HIPAA Privacy Regs 45 CFR 164.502(a)(1)(i), 164.502 (g)(3)(i), and 164.508(a)(1).

    Stakeholder Organization: Hospitals
    We agree that disclosure to law enforcement of the PHI in this Scenario would require patient authorization, unless the tests were undertaken at the direction of law enforcement, in which case disclosure is required by law in West Virginia; federal laws governing the confidentiality of alcohol and drug treatment records would not apply in this circumstance, and would not represent a barrier to interoperability.

    HIPAA Security Regs requiring Administrative and Technical Safeguards
    Reference Code/Statute: HIPAA Security Regs, 45 CFR 164.308, 164.312


    Business practice table for Scenario 8, continued (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 2. Information authorization and access controls

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Not a barrier to interoperability
    Domain: 3. Patient and provider identification

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 4. Information transmission security or exchange protocols

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 5. Information protection (against improper modification)

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 6. Information audits that record and monitor activity

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 7. Administrative or physical security safeguards

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

    BP#: BP3; Business Practice Short Name: WV 003 S 8
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy

    BP#: BP4; Business Practice Short Name: WV 004 S 8
    Business Practice Long Description: In correctional facilities, parents cannot get at the info - it is a state law. If they are on parole, the parolees agree to monitoring while they are incarcerated - they don't have a choice.
    Scenario: Scenario 8 - Law Enforcement
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions


    Stakeholder and legal driver table for Scenario 8, continued (columns: BP#; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute)

    BP# (rows in order): BP3; BP3; BP3; BP3; BP3; BP3; BP3; BP3; BP4

    HIPAA Security Regs requiring Administrative and Technical Safeguards
    Reference Code/Statute: HIPAA Security Regs, 45 CFR 164.308, 164.312

    HIPAA Security Regs require Technical Safeguards (three rows)
    Reference Code/Statute: HIPAA Security Regs, 45 CFR 164.312

    HIPAA Security Regs require Administrative Safeguards
    Reference Code/Statute: HIPAA Security Regs, 45 CFR 164.308

    Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law. (two rows)
    Reference Code/Statute: 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-5-4; 17C-5-6

    Stakeholder Organization: Correctional facilities
    Law enforcement desires access to blood alcohol test results of 19-year-old accident victim. Parents desire access to 19-year-old child's ER record and lab results. Should the hospital tests result in showing of HIV or STD, those applicable infectious disease confidentiality provisions would also serve as a barrier. Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law.
    Reference Code/Statute: WV Code 16-29-1; 64 CSR 12-7.2 (DHHR Hospital Licensure Rule); 42 U.S.C.A. 290dd-3 (Public Health Service Act); 42 CFR 2.11 (Federal Mental Health Record Confidentiality Rule); 45 CFR 164.502 (g) and (j), 164.524 (HIPAA Privacy Regs). 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-5-4; 17C-5-6


    PRIVACY AND SECURITY Scenario 9. Pharmacy Benefit Scenario A

    Scenario 9 - Pharmacy Benefit A: The Pharmacy Benefit Manager (PBM) has a mail order pharmacy and also has a closed formulary. The PBM receives a prescription from Patient X for the antipsychotic medication Geodon. The PBM's preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider's Outpatient Clinic.

    Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

    BP#: BP1; Business Practice Short Name: WV 001 S9
    Business Practice Long Description: In state government, we have a network established that connects the PBMs with payers and physicians. Members choose to participate under agreements with PBMs and PHI is transmitted with patient consent. User authentication is an important component to ensure that it is the PBM contacting the physician and the physician replying to the PBM.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

    BP#: BP2; Business Practice Short Name: WV 002 S9
    Business Practice Long Description: Business practice is the same as in the scenario.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Unassigned
    Domain: 1. User and entity authentication

    BP#: BP3a; Business Practice Short Name: WV 003a S9
    Business Practice Long Description: As a workers' compensation insurer, we have a standard drug list and require the use of generics where available. If a script is received and is not on the list, authorization for the drug is withheld. The prescribing physician may be contacted to write the script for an approved alternative drug for authorization or to provide justification for the prescribed drug before authorization is provided. If the claimant takes the script to a participating pharmacy and it is not approved, the claimant or the pharmacist may contact the claims adjuster for clarification. If a generic is available and the doctor has not indicated the claimant cannot take the generic, it may be authorized. Otherwise, the prescribing doctor will have to provide a new script for a medication on the drug list or provide justification for the prescribed drug. Further, W. Va. Code provides that if a generic medication is available, it must be provided. If the claimant chooses to obtain the brand-name drug, he/she will be responsible for payment for the difference.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

    BP#: BP3b; Business Practice Short Name: WV 003b S9
    Business Practice Long Description: In Workers Comp, the Point of Sale system is available only to those employees needing access to perform business functions and participating providers. Password authentication is required. Security policies/confidentiality agreements in place with employees regarding protection of information. End user agreements in place with participating providers. Authentication required for access to system. Technology in place to secure system from unintended users. Vendor used to implement secure transmission of data. Vendor provides software that allows protection from data modification.

    Stakeholder and legal driver table for Scenario 9 (columns: BP#; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute)

    BP# (rows in order): BP1; BP2; BP3a; BP3b

    Stakeholder Organization: State government
    There is currently no WV law regulating PBMs. Public Employees Insurance Agency (PEIA) does have statutory authority to manage the increase in prescription drug cost and execute prescription drug purchasing agreements on behalf of the state of West Virginia with PBMs and other private sector arrangements, provided that no private entity may be compelled to participate in the prescription drug purchasing pool, and PEIA may not enter into a contract with a private entity without Legislative approval. To the extent that the scenario anticipates that the communication occurs electronically, the electronic submission would violate West Virginia law and regs. First, the Board of Pharmacy regulation language indicates that a wet signature is required and that a digital signature (either physical digitalized signature or digital key signature) will not meet the requirement. Second, the regs have non-intermediary requirements.
    Reference Code/Statute: W.Va. Code 5-16C-1, et seq.; W.Va. Code 30-5-1 et seq. and W.Va. C.S.R. 15-1-1, et seq.; W.Va. Code 60A-1-101, et seq;

    Specify Other Stakeholder: clinics and health centers

    Stakeholder Organization: Payers
    1. Unique features of West Virginia workers compensation program governing and requiring the prescribing of generic drugs by pharmacy for a workers compensation claimant. The workers compensation law requires a pharmacist who is filling a prescription for a workers compensation claimant to dispense the generic brand of the drug, if one exists. If a generic does not exist then the pharmacist can dispense the name brand drug. Interoperability issues involve the failure of out of state providers and businesses that operate in West Virginia to understand the unique requirements of the West Virginia workers compensation system.
    Reference Code/Statute: Original: State Law - W. Va. Code 23-4-3(a)(3); Regulation - 85 C.S.R. 20 - Medical Management of Claims; W.Va. Code 23-4-3(a)(3) and W.Va. C.S.R. 85-20-1 et seq.


    Possible Solutions for Scenario 9 (rows BP1; BP2; BP3a; BP3b): See report on e-Prescribing: http://www.tygart.com/Eprescriptions.asp


    Business practice table for Scenario 9, continued (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

    BP#: BP3c; Business Practice Short Name: WV 003c S9
    Business Practice Long Description: Workers' compensation programs are exempt from HIPAA. State law and regulations provide limits on prescription medication and medication management issues. Out of state providers may be unaware of these laws and regulations or may try to apply the laws and fee schedules from their state. We sometimes have difficulty getting out of state providers to accept workers' compensation patients and the established fee schedule on a non-emergent basis because of these issues. To address this problem, we contract with provider agencies that specialize in providing state-wide providers. By agreeing to accept WV Workers' Compensation patients, these providers agree to accept our fees and to abide by our laws and regulations.

    BP#: BP4; Business Practice Short Name: WV 004 S9
    Business Practice Long Description: As a clinician, we deal with out of state PBMs daily who request an authorization form or provide OV notes over the phone and fax. If the patient does not meet the PBM formulary the Dr. changes the medication to a preferred medication.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 7. Administrative or physical security safeguards
    Policy: Short Description: Prior authorization, Office and HIPAA policy
    Policy: Long Description: Covered entity due to the insurance of continued care for the patient.

    BP#: BP5; Business Practice Short Name: WV 005 S9
    Business Practice Long Description: As a payer, we have a preferred drug list. The claimant needs preauthorization for drugs not preauthorized and if the claimant wants one that is not, they have to pay. If the generic is available, State Law says we can automatically give them the generic.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

    BP#: BP6; Business Practice Short Name: WV 006 S9
    Business Practice Long Description: As a payer, we have a higher standard of security for behavioral health info and with administering these types of benefits. Care management personnel are specially trained and they have a higher level of permissions for this type of info. All this info is maintained in our database and reports can be generated.
    Scenario: Scenario 9 - Pharmacy Benefit A
    Classification: Barrier to interoperability
    Domain: 2. Information authorization and access controls


    Stakeholder and legal driver table for Scenario 9, continued (columns: BP#; Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause; Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute)

    BP# (rows in order): BP3c; BP4; BP5; BP6

    Stakeholder Organization: Clinicians
    Original: HIPAA, State, and Federal law
    Determining the status of pharmacy benefit managers (PBM) under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and whether PBMs are considered covered entities or business
    Reference Code/Statute: 1. HIPAA 45 C.F.R. 160.102; HIPAA 45 C.F.R. 164.502(e)(1); HIPAA 45 C.F.R. 164.506.

    Stakeholder Organization: Payers
    Workers Comp law requires generic prescribing where available
    Reference Code/Statute: W. Va. Code 23-1-1 et seq.

    Stakeholder Organization: Payers
    The legal analysis differs depending upon whether the Pharmacy Benefit Manager or the outpatient clinic is in West Virginia. HIPAA regulations allow the disclosure of protected health information for payment purposes. If the Pharmacy Benefit Manager is in West Virginia, there are no West Virginia Code provisions against seeking the collection of data. If the clinic is in West Virginia, it may not reveal mental health information beyond that which the Pharmacy Benefits Manager already knows because the clinic has already released the data to the payor. The clinic should also assure that Pharmacy Benefits Managers have a Business Associate Agreement with the insurers.
    Reference Code/Statute: HIPAA Regulation 164.506; West Virginia Code 27-3-1; 27-3-2; 27-5-9(e)


    Possible Solutions for Scenario 9, continued (rows BP3c; BP4; BP5; BP6): (blank)


    PRIVACY AND SECURITY Scenario 10. Pharmacy Benefit Scenario B

    Scenario 10 - Pharmacy Benefit B: A Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the company's employees' prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if PBM1 could save the company money on their prescription drug benefit. Company A is self-insured and, as part of their current benefits package, they have the prescription drug claims submitted through their current PBM (PBM2). PBM1 has requested that Company A send their electronic claims to them to complete the review.

    Business practice table (columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description)

    BP#: BP1; Business Practice Short Name: WV 001 S10
    Business Practice Long Description: In our pharmacy, we recognize that HIPAA allows release of PHI for payment and treatment purposes but the review of that information without patient consent by another PBM would probably fall outside of that allowance. If the information was aggregate and not patient identifiable, then the review could probably be conducted. It is very important that the PBMs not be able to modify the data showing a prescription that has been processed and filled.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy

    BP#: BP2; Business Practice Short Name: WV 002 S10
    Business Practice Long Description: From the perspective of our public health agency, using aggregate statistics would be all right, but if the scenario is as stated, Company A is already on very thin ice. Assuming that PBM2 and not Company A actually has the claims, then PBM2 could transmit the claims to PBM1 under HIPAA, provided it had a Business Associate agreement with PBM. There might be state law barriers related to disclosure of drugs used in specific conditions, e.g. HIV/AIDS or psychiatric disorders.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 8. State law restrictions

    BP#: BP3; Business Practice Short Name: WV 003 S10
    Business Practice Long Description: As a payer, we have Business Associate agreements in place. This is a standard agreement unless the other company has another form - we may use both. We build policies on what HIPAA requires - we have an index of BA policies. All the data we send is encrypted. PHI has to be encrypted and the receiver has the user ID and password to un-encrypt. Internally, that is not necessary because of our firewalls.
    Scenario: Scenario 10 - Pharmacy Benefit B
    Classification: Barrier to interoperability
    Domain: 9. Information use and disclosure policy