7/27/2019 Hippa Medical Consent Form
1/63
PRIVACY AND SECURITY Scenario 1. Patient Care Scenario A
DRAFT
Scenario 1 - Patient Care A
Patient X presents to the emergency room of General Hospital in State A. She has been in a serious car accident. The patient is an 89-year-old widow who appears very confused. Her adult daughter informed the ER staff that her mother has recently undergone treatment at a hospital in a neighboring state and has a prescription for an antipsychotic drug. The emergency room physician determines there is a need to obtain information about Patient X's prior diagnosis and treatment during the inpatient stay.
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description
BP1 WV 001 S 1
Business Practice: Our hospital staff (nurse, doctor) would first validate if there is PHI in the patient's records. If not, we would fax the minimum necessary for treatment without an authorization. If PHI is in the record, we would determine if the daughter was the medical power of attorney. If yes, we would validate her signature and then have her sign a release to send the protected info. If not, we would have a physician or nurse sign authorization and send, after validating who we are speaking to at the other facility by a call back. We use a role-based access process in which Directors/Managers/IT Security & Privacy collaborate. We have a signed OHCA (Organized Healthcare Arrangement) with 2 other local facilities and share information for patient care purposes; however, we do not release one another's information to those outside of our OHCA. We do have audit capabilities on systems. Random audits are performed. We use Tessa locks on doors.
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 3. Patient and provider identification
Policy (short): Uses & Disclosures of Protected Health Information & Disclosure of PHI Minimum Necessary
Policy (long): Release to H... without patie... phone verific... care instituti... completed re... uses of, disc... necessary to... Exceptions i... Use or disclo... specific (det... HIPAA elect... victims of ab... compensatio... (column cut off at the right margin in the source)
BP1 WV 001 S 1 (business practice as described above)
Scenario: Scenario 1 - Patient Care A
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
BP2 WV 002 S 1
Business Practice: ER staff (nurse, doctor, or clerk) would call the hospital and advise that they were faxing a request for medical records. If necessary, the staff would obtain authorization from the POA of the responsible party. Verbal confirmation by phone followed by faxed written request and authorization. There is security of exchange protocols for faxing information. No encryption.
Scenario: Scenario 1 - Patient Care A
Classification: Not a barrier to interoperability
Domains: 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper modification)
Policy (short): Facsimile Machines and PHI P&P
Policy (long): Standard co... corrected im... party the phy... (column cut off at the right margin in the source)
Columns (continued): BP# | Cause / Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute
Rows: BP1, BP1, BP2, BP2, BP2, BP2
BP1 (both rows)
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney, and we do not agree that the minimum necessary standard applies in this situation. These should not be barriers to interoperability.
Relevant Law (narrative): Original: 'Federal Register 164.502 Uses and disclosures of protected health information: general rules; hospital policy.' One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information.
Reference Code/Statute: 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5); HIPAA Security Technical Safeguards 45 CFR 164.312
BP2 (all rows)
Cause: While we agree that the identified verification and security procedures represent barriers to interoperability, we do not agree that a signed authorization is required from either the patient or the medical power of attorney. This should not be a barrier to interoperability.
Relevant Law (narrative): One health care provider can disclose PHI of a patient to another health care provider for treatment purposes as long as proper verification and security procedures are followed, even when PHI contains mental health information. Original: HIPAA - Privacy and State Law - Appointment of Health Care Decision Maker.
Reference Code/Statute: 45 C.F.R. 164.310; 164.312; 164.502(a)(1)(ii); 164.502(b)(2)(i); 164.506(c)(2); 164.514(h)(1); W. Va. Code 27-3-1(b)(5)
PRIVACY AND SECURITY Scenario 2. Patient Care Scenario B
Columns (continued): BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause / Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
Rows: BP1, BP1, BP2, BP2, BP2, BP3
Stakeholder: Hospitals
Cause / Relevant Law (narrative): Confidentiality of Alcohol and Drug Abuse Patient Records requires patient consent for disclosure and redisclosure of substance abuse records.
Reference Code/Statute: 42 CFR 2.32 and 2.33
Stakeholder: Hospitals
Cause / Relevant Law (narrative): Consent is the key to releasing substance abuse information to third parties, even to other providers. When a patient enters a state hospital, we try to get them to agree to a generalized consent to release information for treatment, payment and health care operations. As a general matter, substance abusers do not have personal (text cut off in the source)
Reference Code/Statute: Substance Abuse Regs. 42 CFR, Part 2, Subpart B; HIPAA Regs. 45 CFR § 164.506(b); 503(g); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).
Solution: Maximize use of general consents for treatment, payment and health care operations for patients with substance abuse and/or mental illness entering healthcare facilities under HIPAA Reg § 164.506(b).
Stakeholder: State government
Cause / Relevant Law (narrative): State law requires DHHR to obtain consent for disclosure of mental health information for treatment. WV law also requires all providers to obtain patient consent for payment and operations.
Reference Code/Statute: WV Code 27-5-9(e)
Solution: Repeal Section § 27-5-9(e). Amend § 27-3-1 to allow release of mental health information for treatment, payment and healthcare operations without patient consent. WV Code 27-3-1
Stakeholder: Correctional
Cause: The identified business practice does identify barriers to interoperability.
Relevant Law (narrative): One health care provider cannot disclose PHI of a patient to another health care provider for routine treatment purposes without a signed authorization when drug or alcohol abuse treatment is involved; an authorized disclosure may not be re-disclosed; proper verification and security procedures must be followed.
Reference Code/Statute: 45 C.F.R. 164.310; 164.312; 164.512(k)(5); 42 C.F.R. 2.1; 2.2; 2.32; 2.51; W. Va. Code 27-3-1(b)(5)
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description
BP5 WV 005 S2
Business Practice: In Workers' Comp., we refer patients to specialists but our staff only send them what they need to know to treat the patient. WC makes the referral and sends all the info on a CD. We have electronic capabilities and this can be reviewed on the internet. We provide an ID and password to the provider so they can access just what they need to on that patient.
Scenario: Scenario 2 - Patient Care B
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Columns (continued): BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause / Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
Rows: BP5
Stakeholder: Payers
Reference Code/Statute: Possibly Federal Substance Abuse Regulations 42 CFR Part 2
PRIVACY AND SECURITY Scenario 3. Patient Care Scenario C
Scenario 3 - Patient Care C
(beginning of the scenario text is missing in the source) ... psych unit to the nursing home. At the time of the patient's transfer, the discharge summary and other pertinent records were electronically transmitted to the nursing home. Upon entering the facility Dr. X seeks assistance in locating his patient, gaining entrance to the locked psych unit and accessing her electronic health record to review her discharge summary, I&O, MAR and progress notes. Dr. X was able to enter the unit by showing a picture identification badge, but was not able to access the EHR. As it is Dr. X's first visit, he has no login or password to use their system. Dr. X completes his visit and prepares to complete his documentation. Unable to access the long-term care facility EHR, Dr. X dictates his initial assessment via telephone to his outsourced, offshore transcription service.
The assessment is transcribed and posted to a secure web portal. The next morning, from his home computer, Dr. X checks his e-mail and receives notification that the assessment is available. Dr. X logs into the portal, reviews the assessment, and applies his electronic signature. Later that day, Dr. X's Office Manager downloads this assessment from the web portal, saves the document in the patient's record in his office and forwards the now encrypted document to the long-term care facility via e-mail. The long-term care facility notifies Dr. X's office that they are unable to open the encrypted document because they do not have the encryption key.
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description
BP1 WV 001 S3
Business Practice: In our hospital, all clinical staff are given logins and passwords to use applicable data systems. Passwords limit the user's ability to read access only if they are not in a position to need to add, edit, or update information. Electronic user logs are maintained on the mainframe. Medical staff must use specific transcription resources to ensure that security is maintained and acceptable document formatting is used. Individual-specific passwords and logins are used, which limits access on a need-to-know basis. Staff are instructed not to share passwords and logins. All sensitive information is encrypted prior to exchange over an electronic communications network.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domains: 1. User and entity authentication; 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 7. Administrative or physical security safeguards; 8. State law restrictions; 9. Information use and disclosure policy
RTI International, Privacy and Security Contract No. 290-05-0015, Page 7 of 63 (166337667.xls.ms_office)
Columns (continued): BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause / Relevant Law (Legal Driver) -- Narrative
Rows: BP1 (7 rows, one per domain above)
Stakeholder: Hospitals
Cause: The classification of privacy and security domains 1, 2, 3, 4, and 7 as barriers to interoperability appears appropriate in this scenario due to the numerous issues related to EHR access. Classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent.
Relevant Law (narrative): Psychiatrist without electronic access privileges and rights requests review of the patient's EHR containing information from a recent hospital stay. Use of the psychiatrist's picture identification badge met physical control requirements for access to the health facility. The psychiatrist's inability to access EHR systems prompts him to use an outsourced offshore transcription service. This scenario bypasses the administrative and technical controls required to limit access, encrypt and audit access to patient EHRs. The psychiatrist receives the report via the Web; the information security infrastructure and management practices of the transcription service are unclear. The psychiatrist sends these results by encrypted e-mail to the medical facility, although the facility's lack of the encryption key prevents the document from being opened.
Columns (continued): BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
Rows: BP1 (7 rows)
Reference Code/Statute: HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description
BP2 WV 002 S3
Business Practice: Our hospital practice and policies are that physicians, or other practitioners who are not credentialed by our facility, do not have access to patient care areas, or to the system.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
Policy (short): Medical Staff By-Laws Articles VI (Procedure for Appointment) and VII (Clinical Privileges)
BP3 WV 003 S3
Business Practice: Long-term care facilities do not usually have locked psych units. However, assuming that the physician entered the skilled nursing facility and attempted to view the patient's EHR, expected policies and procedures should address authorizing privileges, access to medical records, inoperative computer systems and building access prior to the physician's first visit. There should be a Business Associate Agreement with any "offshore transcription service" ensuring compliance with Privacy and Security Laws, with authorization for monitoring for compliance. No PHI should be transmitted without 128-bit encryption capability with read-only capability. Also, there should be a P&P for use of the physician's electronic signature.
Scenario: Scenario 3 - Patient Care C
Classification and Domains: Barrier to interoperability for 1. User and entity authentication; 2. Information authorization and access controls; 3. Patient and provider identification; 4. Information transmission security or exchange protocols; 5. Information protection (against improper modification); 7. Administrative or physical security safeguards. Not a barrier to interoperability for 6. Information audits that record and monitor activity; 8. State law restrictions.
Policy (short): Business Associate Agreements
Columns (continued): BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause / Relevant Law (Legal Driver) -- Narrative
Rows: BP2, BP3 (8 rows, one per domain above)
BP2
Policy (long): These describe the procedures for applying to the staff for membership and the clinical privileges assigned with such.
Stakeholder: Hospitals
Cause: This business practice analysis only identifies privacy and security domain 4 as a barrier; the exchange and encryption of the information supports this classification. Given the complexity of this scenario, the classification of privacy and security domains 1, 2, 3, and 7 would also appear appropriate due to the numerous issues related to EHR access. In addition, classifying P&S domains 8 & 9 as barriers to interoperability also seems reasonable and appropriate given the disclosure to a third party without patient/representative consent. This stakeholder's business practice highlights the issue of credentialing and the administrative controls inherently contained within these policies. In addition, this business practice points out the alternative of faxing, although physical and technical information (text cut off in the source)
Relevant Law (narrative): Same narrative as for BP1 above (psychiatrist without electronic access privileges and rights requests review of the patient's EHR; the offshore transcription service bypasses administrative and technical controls; lack of the encryption key prevents the encrypted e-mail from being opened).
BP3
Stakeholder: Long term care facilities and nursing homes
Relevant Law (narrative), one entry per domain row in source order: HIPAA Security regs require person or entity authentication. / HIPAA Security regs make encryption addressable. / HIPAA Security Rule. / HIPAA Security Rule. / HIPAA Security Rule. / HIPAA Security regs make access control and validation procedures addressable and require workstation security. / The HIPAA Security and Privacy Regs require Business (text cut off in the source)
Columns (continued): BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
Rows: BP2, BP3 (8 rows)
BP2
Reference Code/Statute: HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing (text cut off in the source)
Reference Code/Statute: HIPAA - 164.506 TPO; State Law - 64-CSR-12-14; Professional Standards - Medical Staff
BP3
Reference Code/Statute, one entry per domain row in source order: HIPAA Security Regs, 45 CFR 164.312 / HIPAA Security Regs, 45 CFR 164.312 / HIPAA Security Rule, 45 CFR 164 Part C / HIPAA Security Rule, 45 CFR 164 Part C / HIPAA Security Rule, 45 CFR 164 Part C / HIPAA Security Regs 45 CFR 164.310(a)(2)(iii); 164.310(c); 164.308(b)(1).
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description
BP3 WV 003 S3 (business practice as described above)
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
BP4 WV 004 S3
Business Practice: In our physician group, as long as no HIPAA laws were broken and a No Restriction form was signed, this procedure is under the covered entity of patient care. Use Tracking form and initial all documents placed in the chart. User ID and password is needed.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Policy (short): HIPAA
BP5 WV 005 S3
Business Practice: LTC has business associate agreements in effect for different services with state businesses. The BA agreement is a 1-page document that spells out how you limit the area of exchange and limits sharing of information. Even temp employees must meet the credentialing process. LTC has contracts with physicians but has no badges; everyone knows everyone here, it's small.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
BP6 WV 006 S3
Business Practice: Corrections has a BA agreement for billing purposes but not for sharing of information. Correctional Medical Services (in all WV prisons) have access to health records. The reliability of the info exchange is in the hands of the sender; we rely on what they say, with no verification process. Temps at corrections have limited access to Med Records; once he has left the place, he can't get access to info again. But they all get FBI background checks, photo ID, sign in and sign out.
Scenario: Scenario 3 - Patient Care C
Classification: Barrier to interoperability
Domain: 4. Information transmission security or exchange protocols
Columns (continued): BP# | Policy: Long Description | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause / Relevant Law (Legal Driver) -- Narrative
Rows: BP3, BP4, BP5, BP6
BP3
Relevant Law (narrative): HIPAA Security Rule
BP4
Policy (long): EHR transfer, personal identity, password failure, failure to provide encryption code
Stakeholder: Physician groups
Cause: The business practice analysis generally asserts that this is a barrier to interoperability if HIPAA laws are broken. In addition, the implication is that this business practice would be covered by the HIPAA construct of TPO. However, there is recognition within the business practice analysis that several issues arise from the patient transfer, identity, password, and encryption failures that are described within the scenario. As such the classification by this stakeholder as a barrier based on (text cut off in the source)
Relevant Law (narrative): Original: HIPAA privacy and covered entity, regulation of rules of nursing facility, Case - Psych patient, Federal - overseas transmissions. Psychiatrist without electronic access privileges and rights requests review of the patient's EHR containing information from a recent hospital stay. Use of the psychiatrist's picture identification badge met physical control requirements for access to the health facility. The psychiatrist's inability to access EHR systems (text cut off in the source)
BP5
Stakeholder: Long term care facilities and nursing homes
Relevant Law (narrative): Access to electronic information controlled by HIPAA Security Rule Technical Safeguards.
BP6
Stakeholder: Correctional facilities
Cause: The business practice analysis does not identify any of the privacy and security domains as a barrier. The classification by this stakeholder is unassigned. In fact, the likelihood of a correctional system inmate being placed in a nursing home is remote. In addition, the business practice long description emphasized the application and importance of business associate agreements and the correctional system's reliance on these agreements to ensure compliance. However, these agreements are not designed to obviate the need for proper administrative, technical, and physical controls for protected health information. Given this observation, the barriers previously identified for this scenario would have to be considered as barriers in this scenario.
Relevant Law (narrative): Same narrative as for BP1 above (psychiatrist without electronic access privileges and rights requests review of the patient's EHR; the offshore transcription service bypasses administrative and technical controls; lack of the encryption key prevents the encrypted e-mail from being opened).
Columns (continued): BP# | Relevant Law (Legal Driver) -- Reference Code/Statute | Solution
Rows: BP3, BP4, BP5, BP6
BP3
Reference Code/Statute: HIPAA Security Rule, 45 CFR 164 Part C
BP4
Reference Code/Statute: HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution.
BP5
Reference Code/Statute: HIPAA Security Rule 45 CFR 164.312.
BP6
Reference Code/Statute: 1. HIPAA Security Regs 45 CFR 164.308(a)(1), 164.308(a)(3), 164.308(a)(4), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(d), 164.312(e)(1), 164.506, 164.508, 164.512(a), 164.512(e). WV Code 27-3-1, WV Code 27-3-2, WV Code 27-5-9, WV Code 64-12-14, US Code H.R. 4127
Solution: A national federated identification management system to validate user identity to allow system access may be a potential solution. In addition, closely linking this type of solution with health facility credentialing practices may provide a methodology for (text cut off in the source)
PRIVACY AND SECURITY Scenario 4. Patient Care Scenario D
Scenario 4 - Patient Care D
Patient X is HIV positive and is having a complete physical and an outpatient mammogram done in the Women's Imaging Center of General Hospital in State A. She had her last physical and mammogram in an outpatient clinic in a neighboring state. Her physician in State A is requesting a copy of her records and the radiologist at General Hospital would like to review the digital images of the mammogram performed at the outpatient clinic in State B for comparison purposes. She also is having a test for the BrCa gene because other family members have had breast cancer.
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description
BP1 WV 001 S4
Business Practice: Our clinic follows state law, which does not allow the transmittal of HIV information without the consent of the patient. Also, this information is not supposed to be kept in the patient chart. This is problematic in paper records because it causes providers to keep a secret registry. In electronic records, this is handled in some cases by a provider making a decision to make this information available to other providers. The interface of the electronic record should inform the patient of his/her rights under the law and allow the patient to designate which information would be available. In paper systems this is incredibly hard to enforce. In electronic systems, access can be granted to certain information, but users end up using common passwords because it is not always the provider who can get the information needed and take care of the patient.
Scenario: Scenario 4 - Patient Care D
Classification and Domains: Barrier to interoperability for 1. User and entity authentication; 9. Information use and disclosure policy. Not a barrier to interoperability for 2. Information authorization and access controls; 8. State law restrictions.
Policy (short): Confidential Information Policy
Policy (long): Takes a global approach to medical information. Who has access to the information. Who makes the decision to release the information. Consent forms for releases. Special considerations for certain laws governing HIV, Mental Health, etc.
BP2 WV 002 S4
Business Practice: Our hospital staff, which may include physician, nurse, clerk, NP, PA, would release the minimum necessary information for treatment excluding the HIV information unless the patient provides authorization. If not emergent, we ask for signed authorization which includes HIV authorization.
Scenario: Scenario 4 - Patient Care D
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
Policy (short): Confidentiality of PHI
Policy (long): The presence of any behavioral medicine patient at our facility and any and all details of the treatment process of any patient shall be maintained as confidential. For the purposes of confidentiality, protected information, i.e. drug, ETOH, STD (HIV), and behavioral health, and specific releases are required.
Columns (continued): BP# | Stakeholder Organization | Specify Other Stakeholder (if applicable) | Cause / Relevant Law (Legal Driver) -- Narrative | Relevant Law (Legal Driver) -- Reference Code/Statute
Rows: BP1, BP1, BP1, BP1, BP2
BP1
Stakeholder: Community clinics and health centers
Cause / Relevant Law (narrative): HIPAA Security Regs require person or entity authentication.
Reference Code/Statute: HIPAA Security Regs, 45 CFR 164.312
Cause / Relevant Law (narrative): Misinterpretation of state law. No consent is required for the disclosure of the PHI for treatment purposes. WV law specifically allows the disclosure of HIV PHI for treatment of the individual.
Reference Code/Statute: WV Code 16-3C-2, 16-3C-3(a)(5), and 16-3C-4.
BP2
Stakeholder: Hospitals
Cause / Relevant Law (narrative): Misinterpretation of state law and HIPAA. The minimum necessary requirement does not apply to disclosures for treatment and there is no authorization requirement for disclosure of the PHI for treatment purposes in HIPAA or state law.
Reference Code/Statute: WV Code 16-3C-2, 16-3C-3(a)(5), and 16-3C-4. HIPAA Privacy Regs 45 CFR 164.506 and 164.502(b).
Columns: BP# | Business Practice Short Name | Business Practice Long Description | Scenario | Classification (Barrier v. Not a Barrier) | Domain | Policy: Short Description | Policy: Long Description
BP3 WV 003 S4
Business Practice: In the workers' compensation arena, by filing a claim and signing the injury report form a patient authorizes any physician to release to or orally discuss with the employer or authorized agent of the carrier any medical records pertaining to the occupational injury or illness for which he/she is claiming benefits and any prior injury to or disease of the portion of the body for which he/she is alleging a medical impairment. Only authorized carrier staff, employer staff, providers and the patient have access to the electronic record. We use a system with security parameters set based on individual job-related need for access. Password required. Claimant, employer and provider access is limited to specific claim information only. Provider access can be further limited for a specific period of time. Carrier employees are required to sign a security policy agreement. We employ transmission protection such as VPN and encryption for outside network access.
Scenario: Scenario 4 - Patient Care D
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
BP3 WV 003 S4 (stakeholder and legal driver)
Stakeholder: Payers
Legal driver: No legal requirements. WC (workers' compensation) provides privacy and security of information as a corporate decision.
Reference: None.
PRIVACY AND SECURITY Scenario 5. Payment Scenario

Scenario 5 - Payment
X Health Payer (third party, workers compensation, disability insurance, employee assistance programs) provides health insurance coverage to many subscribers in the region the healthcare provider serves. As part of the insurance coverage, it is necessary for the health plan case managers to approve/authorize all inpatient encounters. This requires access to the patient health information (e.g., emergency department records, clinic notes, etc.). The health care provider has recently implemented an electronic health record (EHR) system. All patient information is now maintained in the EHR and is accessible to users who have been granted access through an approval process. Access to the EHR has been restricted to the healthcare provider's workforce members and medical staff members and their office staff. X Health Payer is requesting access to the EHR by its case management staff to approve/authorize inpatient encounters.
BP1 WV 001 S 5
Business practice: Our hospital security officer would allow the payer to have access to the EHR through a secure web portal. Only the requested records would be accessible and the minimum necessary information.
Scenario: Scenario 5 - Payment
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
Policy (short): Information Security Policy & Remote Access
BP2 WV 002 S 5
Business practice: Our company would limit access to specific pieces of information related to the payer's claim and would allow the needed transfer of health information for payment purposes. User authentication, legal agreement and hardware/software authentication would be required to validate that access is provided only to the intended user. Security parameters would further limit access to read only. Access would be provided only to personnel of the payer needing information for job functions. Record linking methods required to match certain information such as patient name, date of birth, date of service, to allow payer access only to pertinent information. Transmission protection such as VPN, encryption and network security required for access to information. Data use agreement would be in place.
Scenario: Scenario 5 - Payment
Classification: Barrier to interoperability
Domain: 8. State law restrictions
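The claim-scoped, read-only, minimum-necessary payer access that BP2 above describes (record linking on patient name, date of birth and date of service; read-only access limited to the payer's own claim; an audit trail of every decision) is shown below as an added Python example. It is not part of the original assessment and not any respondent's system: the roles, the claim and encounter structures, the list of fields a case manager needs, and the sample patients and claims are all assumptions constructed for the example.

```python
"""Claim-scoped, read-only, minimum-necessary access check for payer users.

Constructed example: the roles, field list, data structures and sample data
below are assumptions, not any organization's actual EHR schema or policy.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Claim:
    claim_id: str
    payer_id: str
    patient_name: str
    patient_dob: str       # ISO date, as submitted by the payer
    date_of_service: str   # ISO date of the inpatient encounter


@dataclass(frozen=True)
class Encounter:
    encounter_id: str
    patient_name: str
    patient_dob: str
    date_of_service: str
    record: dict           # full EHR record, including fields a payer never needs


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str              # assumed role name, e.g. "payer_case_manager"


# Fields a case manager needs to approve/authorize an inpatient stay (assumed).
MINIMUM_NECESSARY_FIELDS = {"admit_date", "discharge_date", "diagnosis_codes",
                            "procedure_codes", "attending"}

# Every decision, allowed or denied, is appended here (stands in for the audit log).
AUDIT_LOG: list = []


def _norm(s: str) -> str:
    """Normalize whitespace and case so 'Jane  DOE' links to 'Jane Doe'."""
    return " ".join(s.split()).casefold()


def link_record(claim: Claim, encounters: list) -> Optional[Encounter]:
    """Record linking on name + DOB + date of service; an ambiguous match is a miss."""
    hits = [e for e in encounters
            if _norm(e.patient_name) == _norm(claim.patient_name)
            and e.patient_dob == claim.patient_dob
            and e.date_of_service == claim.date_of_service]
    return hits[0] if len(hits) == 1 else None


def payer_access(user: User, action: str, claim_id: str,
                 claims: dict, encounters: list) -> dict:
    """Decide a payer request; return allowed/reason/data and always audit it."""
    def decide(allowed: bool, reason: str, data: Optional[dict] = None) -> dict:
        AUDIT_LOG.append({"user": user.user_id, "org": user.org_id,
                          "action": action, "claim": claim_id,
                          "allowed": allowed, "reason": reason})
        return {"allowed": allowed, "reason": reason, "data": data}

    if user.role != "payer_case_manager":
        return decide(False, "role not permitted")
    if action != "read":
        return decide(False, "payer access is read-only")
    claim = claims.get(claim_id)
    if claim is None or claim.payer_id != user.org_id:
        # Same answer whether the claim is missing or belongs to another payer.
        return decide(False, "no such claim for this payer")
    enc = link_record(claim, encounters)
    if enc is None:
        return decide(False, "no unique matching encounter")
    # Minimum necessary: project the record down to the payment-relevant fields.
    projected = {k: v for k, v in enc.record.items() if k in MINIMUM_NECESSARY_FIELDS}
    return decide(True, "claim-scoped read", projected)


# Constructed sample data (fictitious patients and claims).
ENCOUNTERS = [
    Encounter("E1", "Jane Doe", "1934-02-01", "2006-05-10",
              {"admit_date": "2006-05-10", "discharge_date": "2006-05-14",
               "diagnosis_codes": ["S72.0"], "procedure_codes": ["PROC-1"],
               "attending": "Dr. A", "ssn": "000-00-0000",
               "psych_notes": "not needed for payment", "hiv_status": "n/a"}),
    Encounter("E2", "John Roe", "1970-09-09", "2006-05-10",
              {"admit_date": "2006-05-10", "diagnosis_codes": ["I21.9"]}),
]
CLAIMS = {
    "C100": Claim("C100", "PAYER-X", "Jane Doe", "1934-02-01", "2006-05-10"),
    "C200": Claim("C200", "PAYER-Y", "John Roe", "1970-09-09", "2006-05-10"),
}

if __name__ == "__main__":
    cm = User("cm1", "PAYER-X", "payer_case_manager")
    print(payer_access(cm, "read", "C100", CLAIMS, ENCOUNTERS))
    print(payer_access(cm, "read", "C200", CLAIMS, ENCOUNTERS))
    print(payer_access(cm, "write", "C100", CLAIMS, ENCOUNTERS))
```

Two design points worth noting: the denial for a claim that belongs to another payer is indistinguishable from the denial for a claim that does not exist, so a payer cannot enumerate other payers' claims; and an ambiguous link (two encounters with the same name, DOB and date of service) is refused rather than guessed, because releasing the wrong patient's record is the failure the record-linking requirement exists to prevent.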
BP1 WV 001 S 5 (policy, stakeholder and legal driver)
Policy (long):
Access to information in the possession or the control of our facility must be provided based on the need to know and the minimum necessary to perform essential functions. Information must be disclosed only to people or entities who have a legitimate need. The privileges granted to all users must be periodically reviewed. Unless it has specifically been deemed public, all internal information must be protected from disclosure to third parties. Third parties may be given access to internal information only when a demonstrable need to know exists, when a Data Use Agreement or Business Associate Agreement has been signed, and when such an agreement has been expressly authorized by the relevant information Owner. If sensitive information is suspected of being lost or disclosed to unauthorized parties, the information Owner and the Compliance Officer must be notified immediately. All third parties are responsible for securing their private networks from our network. In no case shall network-to-network connectivity be allowed without appropriate security technology. Some type of security mechanism shall exist between our network and any third party.
Stakeholder: Hospitals
Legal driver: Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule minimum necessary standard, the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements.
Reference: HIPAA Privacy Rule 45 CFR 164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule 45 CFR 164.312.
BP2 WV 002 S 5 (stakeholder and legal driver)
Stakeholder: Payers
Legal driver: Use and disclosure of protected health information for payment-related purposes is subject to the HIPAA Privacy Rule minimum necessary standard, the HIPAA Security Rule Technical Safeguards, and may be subject to business associate contract requirements.
Reference: HIPAA Privacy Rule 45 CFR 164.502(b)(1); 160.103; 164.502(e)(1); 164.504(e)(1) and (e)(2). HIPAA Security Rule 45 CFR 164.312.
BP3 WV 003 S 5
Business practice: Our business office personnel would request access to the EHR. This would automate a process that is now manual. The system needs to let us request and receive the minimum necessary information for the situation. The provider would benefit by receiving an automated approval/authorization from us. The more providers connected to a common system/network, the more efficient the process is for us and the providers. The patient benefits from the faster approval/authorization of inpatient encounters, the provider has less or no staff time involved in fulfilling the request, and we have less burdensome processes in handling the approval/authorization. This eliminates the problem of lost, misrouted, or stolen records and reduces shipping and transportation costs.
Scenario: Scenario 5 - Payment
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
BP3 WV 003 S 5 (stakeholder and legal driver)
Stakeholder: Payers
Legal driver: HIPAA minimum necessary requirements
Reference: HIPAA Privacy Regs, 45 CFR 164.514
PRIVACY AND SECURITY Scenario 6. RHIO Scenario

Scenario 6 - RHIO
The RHIO in your region wants to access data from all participating organizations (and their patients) to
monitor the incidence and management of diabetic patients. The RHIO also intends to monitor
participating providers to rank them for the provision of preventive services to their diabetic patients.
BP1 WV 001 S 6
Business practice: For our association, as long as the patient data is aggregate or non-personally identifiable, there would be no problem sharing with the RHIO. Providers would be notified and given the opportunity to participate. If personal identifiers were required, there would be an IRB approval process and a patient informing process.
Scenario: Scenario 6 - RHIO
Classification by domain:
1. User and entity authentication: Barrier to interoperability
2. Information authorization and access controls: Barrier to interoperability
3. Patient and provider identification: Not a barrier to interoperability
5. Information protection (against improper modification): Not a barrier to interoperability
6. Information audits that record and monitor activity: Not a barrier to interoperability
8. State law restrictions: Barrier to interoperability
9. Information use and disclosure policy: Barrier to interoperability
BP1 WV 001 S 6 (stakeholder and legal driver)
Stakeholder: Professional associations and societies
Legal driver: HIPAA Security and Privacy Rules as a BA under contract.
Reference: 45 CFR 164, et seq.
Legal driver: HIPAA Security and Privacy Rules as a BA under contract. IRB approval is not required under law for disclosure to a BA for TPO.
Reference: 45 CFR 164, et seq.; 21 CFR Parts 50 and 56.
Legal driver: West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
Reference: West Virginia Code Section 16-29G-8.
Legal driver: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. However, the RHIO would operate as a business associate.
Reference: HIPAA Privacy Rule 45 CFR Part 164, Subpart E; 45 CFR 164.504(e).
BP2 WV 002 S 6
Business practice: QIOs can release this information with their CMS contracts, but if they have a research grant, they need to get IRB approval. They mostly give info out de-identified, if the contract permits.
Scenario: Scenario 6 - RHIO
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy

BP3 WV 003 S 6
Business practice: Workers Comp has worked with a state agency to give this info out and also did work on a national level, but wouldn't give out identifiers.
Scenario: Scenario 6 - RHIO
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
BP2 WV 002 S 6 (stakeholder and legal driver)
Stakeholder: Quality improvement organizations
Legal driver: The HIPAA Privacy Rule does not specifically address the concept of Regional Health Information Organizations and how protected health information can be used or disclosed in connection with such organizations absent patient authorization. West Virginia law requires that, with respect to the West Virginia Health Information Network, the West Virginia Health Care Authority ensure that protected health information is disclosed only in accordance with the patient's authorization or best interest to those having a need to know, in compliance with state confidentiality laws and HIPAA.
Reference: HIPAA Privacy Rule 45 CFR Part 164, Subpart E. West Virginia Code Section 16-29G-8.

BP3 WV 003 S 6 (stakeholder and legal driver)
Stakeholder: Payers
Legal driver: No legal requirements. WC (workers' compensation) provides privacy and security of information as a corporate decision.
Reference: None.
PRIVACY AND SECURITY Scenario 7. Research Data Use Scenario

Scenario 7 - Research Data Use
A research project on children younger than age 13 is being conducted in a double-blind study for a new drug for ADD/ADHD. The research project is being reviewed by the IRB that presides over research protocols at the major medical center where the research investigators are located. The data being collected are all electronic and all responses from the subjects are completed electronically in the same database file. The principal investigator was asked by one of the investigators if they could use the raw data to track the patients over an additional six months or use the raw data collected for a white paper that is not part of the research protocol's final document for his postdoctoral fellow program.
BP1 WV 001 S7
Business practice: Under home health law, the principal investigator would decline the request because the use of the data was not included in the original IRB. Home health law in WV is based on federal regulation and agencies must be compliant with the federal regulations. At times agencies participate in research activities and must remain compliant with the federal privacy requirements and also the requirements of the research entity with which they are involved. Therefore the utilization of data as outlined in the IRB would necessitate the information only to be used in the manner which was described.
Scenario: Scenario 7 - Research Data Use
Classification: Barrier to interoperability
Domain: 8. State law restrictions
BP2 WV 002 S7
Business practice: Additional tracking and use of data is not permitted unless a second study has been approved through the IRB.
Scenario: Scenario 7 - Research Data Use
Policy (short): HIPAA Research Authorization, among many other items, includes: *The name or identification of the persons or class of persons authorized to receive disclosures of PHI and to use the PHI for research-related purposes. *A description of each purpose for the use or disclosure.
Classification by domain:
1. User and entity authentication: Not a barrier to interoperability
2. Information authorization and access controls: Not a barrier to interoperability
3. Patient and provider identification: Not a barrier to interoperability
4. Information transmission security or exchange protocols: Not a barrier to interoperability
5. Information protection (against improper modification): Not a barrier to interoperability
6. Information audits that record and monitor activity: Not a barrier to interoperability
7. Administrative or physical security safeguards: Not a barrier to interoperability
8. State law restrictions: Not a barrier to interoperability
BP1 WV 001 S7 (stakeholder and legal driver)
Stakeholder: Homecare and hospice
Legal driver: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Reference: HIPAA Privacy Regs 45 CFR 164.502(g)(1--5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56; WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP2 WV 002 S7 (stakeholder and legal driver)
Stakeholder: Medical and public health schools that undertake research
Legal driver: HIPAA - Privacy Rule; Other Federal Law - 45 CFR 46, Federal Human Subject Protection Rules
BP2 WV 002 S7 (continued)
9. Information use and disclosure policy: Barrier to interoperability
BP3 WV 003 S7
Business practice: In our medical school, IRB approval must be sought (by the Principal Investigator) for either scenario; however, the nature of the request and the investigator responsibilities differ: To extend data collection an additional six months for a purpose not covered by the previously approved IRB protocol, the investigator must submit a new protocol covering this new purpose to the IRB for consideration. Since the proposal will be prospective, subjects will need to give their consent (or assent for children under the age of 18) to collect data for this second purpose. The new protocol, like the earlier protocol, would probably require a full-board review because the target population is a protected population, i.e., children under 13 years of age. Analyzing the raw data previously collected under an approved IRB protocol could make a new protocol eligible for expedited consideration, depending on whether the raw data includes personal health information and sensitive information that if released could potentially cause harm. It is possible to request that the IRB waive consent for existing data on the grounds that it would be impractical or unfeasible.
Scenario: Scenario 7 - Research Data Use
Classification: Barrier to interoperability
Domain: 2. Information authorization and access controls
BP4 WV 004 S7
Business practice: In our agency, the protected health information in the research database would be covered by HIPAA, but HIPAA could be addressed with appropriate business associate relationships. The investigator would need to get approval of the additional research from his/her institutional review board. The original IRB would need to weigh whether granting access was permissible, and it would likely depend on the disclosures in the original informed consent. In the worst case, the new research would require new informed consent from the parents of all of the children.
Scenario: Scenario 7 - Research Data Use
Classification: Barrier to interoperability
Domain: 9. Information use and disclosure policy
BP2 WV 002 S7 (legal driver)
Legal driver: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy.
Reference: US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56.

BP3 WV 003 S7 (stakeholder and legal driver)
Stakeholder: Medical and public health schools that undertake research
Cause: Tight control of human subject research with fully informed consent is current public policy. Sharing PHI data (whether for adults or children) without specific consent is contrary to current public policy governing research protocols. ** Please see attached Word document for a fuller analysis of this scenario.
Legal driver: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Reference: HIPAA Privacy Regs 45 CFR 164.502(g)(1--5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56; WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).

BP4 WV 004 S7 (stakeholder and legal driver)
Stakeholder: Public Health agencies
Legal driver: Human subject research pursuant to any federal funding is controlled by federal law and regulation, institutional policy, institutional review boards and state law overlays to protect participants' safety and privacy. Human subject research federal regulation does not pre-empt state law but adds additional federal requirements. HIPAA privacy law applies irrespective of the source of funding for research. In this scenario, we presume the research is pursuant to an approved FDA study. We also have the added legal driver of children for whom some authorized adult must give consent.
Reference: HIPAA Privacy Regs 45 CFR 164.502(g)(1--5), and 164.508 and .512; US DHHS Regs. governing human subject research: 45 CFR 46.101--46.124; US FDA Regs. governing human subject drug research: 21 CFR 50.50--50.56; WV Code 16-29-1; WV Code 16-30-3(b); Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992).
PRIVACY AND SECURITY Scenario 8. Scenario For Access By Law Enforcement

Scenario 8 - Law Enforcement
An injured nineteen (19) year old college student is brought to the ER following an automobile accident. It is standard to run blood alcohol and drug screens. The police officer arrives in the ER in addition to the patient's parents. The police officer requests a copy of the blood alcohol test results and the parents want to review the ER record and lab results to see if their child tested positive for drugs. These requests are made to the ER staff. The patient is covered under their parents' health and auto insurance policy.
BP 1 WV 001 S 8
Business practice: The expected result would be that since the child is an adult, the parents are not privy to his protected health information without his consent per HIPAA privacy regulations. The police officer can obtain a copy of the report without specific patient consent for determining proper charges. A person who operates a motor vehicle implicitly consents to testing to determine intoxication if there is just cause to believe the person is intoxicated. If a paper copy is provided to law enforcement, proper identification should be provided for user authentication. Fax submissions should contain a confidentiality statement and information on protocols if received by an unintended user. Electronic submissions should be encrypted. If the provider and law enforcement agency exchange information frequently, a data use agreement could be entered into.
Scenario: Scenario 8 - Law Enforcement
Classification by domain:
6. Information audits that record and monitor activity: Not a barrier to interoperability
7. Administrative or physical security safeguards: Not a barrier to interoperability
9. Information use and disclosure policy: Barrier to interoperability
BP2 WV 002 S 8
Business practice: In our agency, HIPAA and state confidentiality provisions would most likely prevent the parents obtaining the information without the adult patient's consent. The police officer could obtain the results in conjunction with his or her investigation of the accident.
Scenario: Scenario 8 - Law Enforcement
Classification: Barrier to interoperability
Domain: 8. State law restrictions
BP3 WV 003 S 8
Business practice: In our hospital, law enforcement personnel are denied access to patients unless they have a court order. Software access is limited by password. Each password has restrictions as to information which may be accessed. Through the use of third party software, all information is encrypted when being sent over the electronic communications network. Passwords have designated security clearances which define whether the user has no access, view only access, or the ability to add, delete or modify information. A master security log is maintained on line to determine user access and the processes completed. Staff are required to use the organization's network for all I.S. activity. The network includes up to date security measures which protect against unauthorized access, introduction of dangerous items such as worms, and attempts by users to enter unauthorized areas.
Scenario: Scenario 8 - Law Enforcement
Classification by domain:
1. User and entity authentication: Barrier to interoperability
BP 1 WV 001 S 8 (stakeholder and legal driver)
Stakeholder: Payers
Cause: We agree with the identified business practice, but believe that a barrier to interoperability exists when the disclosure is to the parents, or when the disclosure to law enforcement is not required by law.
Legal driver: Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access as required by law.
Reference: Original: W. Va. Code 17C-5-4 & 17C-5-6. 45 C.F.R. 164.502(a)(1)(i); 164.502(g)(3)(i); 164.508(a)(1); 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 16-29-1; 17C-5-4; 17C-5-6.

BP2 WV 002 S 8 (stakeholder and legal driver)
Stakeholder: State government
Legal driver: As a 19 year old child is an adult, parents cannot access their child's PHI, without authorization, under state law and HIPAA.
Reference: WV Code 16-29-1; Belcher v. CAMC, 188 W. Va. 105, 422 S.E.2d 827 (1992); HIPAA Privacy Regs 45 CFR 164.502(a)(1)(i), 164.502(g)(3)(i), and 164.508(a)(1).

BP3 WV 003 S 8 (stakeholder and legal driver)
Stakeholder: Hospitals
Cause: We agree that disclosure to law enforcement of the PHI in this Scenario would require patient authorization, unless the tests were undertaken at the direction of law enforcement, in which case disclosure is required by law in West Virginia; federal laws governing the confidentiality of alcohol and drug treatment records would not apply in this circumstance, and would not represent a barrier to interoperability.
Legal driver: HIPAA Security Regs requiring Administrative and Technical Safeguards
Reference: HIPAA Security Regs, 45 CFR 164.308, 164.312
BP3 WV 003 S 8 (continued)
Classification by domain:
2. Information authorization and access controls: Barrier to interoperability
3. Patient and provider identification: Not a barrier to interoperability
4. Information transmission security or exchange protocols: Barrier to interoperability
5. Information protection (against improper modification): Barrier to interoperability
6. Information audits that record and monitor activity: Barrier to interoperability
7. Administrative or physical security safeguards: Barrier to interoperability
8. State law restrictions: Barrier to interoperability
9. Information use and disclosure policy: Barrier to interoperability
BP4 WV 004 S 8
Business practice: In correctional facilities, parents cannot get at the info; it is a state law. If they are on parole, the parolees agree to monitoring while they are incarcerated; they don't have a choice.
Scenario: Scenario 8 - Law Enforcement
Classification: Barrier to interoperability
Domain: 8. State law restrictions
BP3 WV 003 S 8 (legal drivers for the domain rows above)
Legal driver: HIPAA Security Regs requiring Administrative and Technical Safeguards. Reference: HIPAA Security Regs, 45 CFR 164.308, 164.312
Legal driver: HIPAA Security Regs require Technical Safeguards. Reference: HIPAA Security Regs, 45 CFR 164.312 (three rows)
Legal driver: HIPAA Security Regs require Administrative Safeguards. Reference: HIPAA Security Regs, 45 CFR 164.308
Legal driver: Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law. Reference: 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-5-4; 17C-5-6 (two rows)

BP4 WV 004 S 8 (stakeholder and legal driver)
Stakeholder: Correctional facilities
Legal driver: Law enforcement desires access to blood alcohol test results of the 19-year-old accident victim. Parents desire access to the 19-year-old child's ER record and lab results. Should the hospital tests result in a showing of HIV or STD, those applicable infectious disease confidentiality provisions would also serve as a barrier. Parents of an adult child cannot access PHI without an authorization signed by that adult child, while law enforcement may gain such access when required by law.
Reference: WV Code 16-29-1; 64 CSR 12-7.2 (DHHR Hospital Licensure Rule); 42 U.S.C.A. 290dd-3 (Public Health Service Act); 42 CFR 2.11 (Confidentiality of Alcohol and Drug Abuse Patient Records); 45 CFR 164.502(g) and (j), 164.524 (HIPAA Privacy Regs); 45 C.F.R. 164.512(a); 164.512(f)(1)(i); 42 C.F.R. 2.12(e); W. Va. Code 17C-5-4; 17C-5-6
PRIVACY AND SECURITY Scenario 9. Pharmacy Benefit Scenario A

Scenario 9 - Pharmacy Benefit A
The Pharmacy Benefit Manager (PBM) has a mail order pharmacy and also has a closed formulary. The PBM receives a prescription from Patient X for the antipsychotic medication Geodon. The PBM's preferred alternatives for antipsychotics are Risperidone (Risperdal), Quetiapine (Seroquel), and Aripiprazole (Abilify). Since Geodon is not on the preferred alternatives list, the PBM sends a request to the prescribing physician to complete a prior authorization in order to fill and pay for the Geodon prescription. The PBM is in a different state than the provider's Outpatient Clinic.
BP1 (WV 001 S9)
Business practice: In state government, we have a network established that connects the PBMs with payers and physicians. Members choose to participate under agreements with PBMs, and PHI is transmitted with patient consent. User authentication is an important component to ensure that it is the PBM contacting the physician and the physician replying to the PBM.
Scenario: Scenario 9 - Pharmacy Benefit A. Classification: Barrier to interoperability. Domain: 8. State law restrictions.
BP2 (WV 002 S9)
Business practice: Business practice is the same as in the scenario.
Scenario: Scenario 9 - Pharmacy Benefit A. Classification: Unassigned. Domain: 1. User and entity authentication.
BP3a (WV 003a S9)
Business practice: As a workers' compensation insurer, we have a standard drug list and require the use of generics where available. If a script is received and is not on the list, authorization for the drug is withheld. The prescribing physician may be contacted to write the script for an approved alternative drug for authorization, or to provide justification for the prescribed drug before authorization is provided. If the claimant takes the script to a participating pharmacy and it is not approved, the claimant or the pharmacist may contact the claims adjuster for clarification. If a generic is available and the doctor has not indicated the claimant cannot take the generic, it may be authorized. Otherwise, the prescribing doctor will have to provide a new script for a medication on the drug list or provide justification for the prescribed drug. Further, W. Va. Code provides that if a generic medication is available, it must be provided. If the claimant chooses to obtain the brand-name drug, he/she will be responsible for payment of the difference.
Scenario: Scenario 9 - Pharmacy Benefit A. Classification: Barrier to interoperability. Domain: 8. State law restrictions.
BP3b (WV 003b S9)
Business practice: In Workers' Comp, the Point of Sale system is available only to those employees needing access to perform business functions and to participating providers. Password authentication is required. Security policies/confidentiality agreements are in place with employees regarding protection of information. End user agreements are in place with participating providers. Authentication is required for access to the system. Technology is in place to secure the system from unintended users. A vendor is used to implement secure transmission of data. The vendor provides software that allows protection from data modification.
BP# (BP1, BP2, BP3a, BP3b)
Columns: Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause / Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute
BP1: Stakeholder: State government
Narrative: There is currently no WV law regulating PBMs. The Public Employees Insurance Agency (PEIA) does have statutory authority to manage the increase in prescription drug cost and to execute prescription drug purchasing agreements on behalf of the state of West Virginia with PBMs and other private sector arrangements, provided that no private entity may be compelled to participate in the prescription drug purchasing pool, and PEIA may not enter into a contract with a private entity without Legislative approval. To the extent that the scenario anticipates that the communication occurs electronically, the electronic submission would violate West Virginia law and regulations. First, the Board of Pharmacy regulation language indicates that a wet signature is required and that a digital signature (either a physical digitalized signature or a digital key signature) will not meet the requirement. Second, the regulations have non-intermediary requirements.
References: W.Va. Code 5-16C-1, et seq.; W.Va. Code 30-5-1 et seq. and W.Va. C.S.R. 15-1-1, et seq.; W.Va. Code 60A-1-101, et seq.
BP2: Stakeholder: Clinics and health centers
BP3a, BP3b: Stakeholder: Payers
Narrative: 1. Unique features of the West Virginia workers' compensation program governing and requiring the prescribing of generic drugs by pharmacy for a workers' compensation claimant. The workers' compensation law requires a pharmacist who is filling a prescription for a workers' compensation claimant to dispense the generic brand of the drug, if one exists. If a generic does not exist, then the pharmacist can dispense the name-brand drug. Interoperability issues involve the failure of out-of-state providers and businesses that operate in West Virginia to understand the unique requirements of the West Virginia workers' compensation system.
References: Original: State Law - W. Va. Code 23-4-3(a)(3); Regulation - 85 C.S.R. 20 - Medical Management of Claims; W.Va. Code 23-4-3(a)(3) and W.Va. C.S.R. 85-20-1 et seq.
Possible Solutions (BP1, BP2, BP3a, BP3b):
See report on e-Prescribing: http://www.tygart.com/Eprescriptions.asp
BP3c (WV 003c S9)
Business practice: Workers' compensation programs are exempt from HIPAA. State law and regulations provide limits on prescription medication and medication management issues. Out-of-state providers may be unaware of these laws and regulations or may try to apply the laws and fee schedules from their state. We sometimes have difficulty getting out-of-state providers to accept workers' compensation patients and the established fee schedule on a non-emergent basis because of these issues. To address this problem, we contract with provider agencies that specialize in providing state-wide providers. By agreeing to accept WV Workers' Compensation patients, these providers agree to accept our fees and to abide by our laws and regulations.
BP4 (WV 004 S9)
Business practice: As a clinician, we deal with out-of-state PBMs daily who request an authorization form or provide OV notes over the phone and fax. If the patient does not meet the PBM formulary, the Dr. changes the medication to the preferred medication.
Scenario: Scenario 9 - Pharmacy Benefit A. Classification: Barrier to interoperability. Domain: 7. Administrative or physical security safeguards. Policy (short description): Prior authorization, Office and HIPAA policy. Policy (long description): Covered entity due to the insurance of continued care for the patient.
BP5 (WV 005 S9)
Business practice: As a payer, we have a preferred drug list. The claimant needs preauthorization for drugs not preauthorized, and if the claimant wants one that is not, they have to pay. If the generic is available, State Law says we can automatically give them the generic.
Scenario: Scenario 9 - Pharmacy Benefit A. Classification: Barrier to interoperability. Domain: 8. State law restrictions.
BP6 (WV 006 S9)
Business practice: As a payer, we have a higher standard of security for behavioral health info and with administering these types of benefits. Care management personnel are specially trained and they have a higher level of permissions for this type of info. All this info is maintained in our database and reports can be generated.
Scenario: Scenario 9 - Pharmacy Benefit A. Classification: Barrier to interoperability. Domain: 2. Information authorization and access controls.
BP# (BP3c, BP4, BP5, BP6)
Columns: Stakeholder Organization; Specify Other Stakeholder (if applicable); Cause / Relevant Law (Legal Driver) -- Narrative; Relevant Law (Legal Driver) -- Reference Code/Statute
BP4: Stakeholder: Clinicians
Narrative: Original: HIPAA, State, and Federal law. Determining the status of pharmacy benefit managers (PBM) under the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and whether PBMs are considered covered entities or business
References: 1. HIPAA 45 C.F.R. 160.102; HIPAA 45 C.F.R. 164.502(e)(1); HIPAA 45 C.F.R. 164.506.
BP5: Stakeholder: Payers
Narrative: Workers' Comp law requires generic prescribing where available.
References: W. Va. Code 23-1-1 et seq.
BP6: Stakeholder: Payers
Narrative: The legal analysis differs depending upon whether the Pharmacy Benefit Manager or the outpatient clinic is in West Virginia. HIPAA regulations allow the disclosure of protected health information for payment purposes. If the Pharmacy Benefit Manager is in West Virginia, there are no West Virginia Code provisions against seeking the collection of data. If the clinic is in West Virginia, it may not reveal mental health information beyond that which the Pharmacy Benefits Manager already knows, because the clinic has already released the data to the payor. The clinic should also assure that Pharmacy Benefits Managers have a Business Associate Agreement with the insurers.
References: HIPAA Regulation 164.506; West Virginia Code 27-3-1; 27-3-2; 27-5-9(e)
Possible Solutions (BP3c, BP4, BP5, BP6): none listed.
PRIVACY AND SECURITY Scenario 10. Pharmacy Benefit Scenario B
Scenario 10 - Pharmacy Benefit B
Pharmacy Benefit Manager 1 (PBM1) has an agreement with Company A to review the company's employees' prescription drug use and the associated costs of the drugs prescribed. The objective would be to see if PBM1 could save the company money on its prescription drug benefit. Company A is self-insured and, as part of its current benefits package, has the prescription drug claims submitted through its current PBM (PBM2). PBM1 has requested that Company A send its electronic claims to PBM1 to complete the review.
Columns: BP#; Business Practice Short Name; Business Practice Long Description; Scenario; Classification (Barrier v. Not a Barrier); Domain; Policy: Short Description; Policy: Long Description
BP1 (WV 001 S10)
Business practice: In our pharmacy, we recognize that HIPAA allows release of PHI for payment and treatment purposes, but the review of that information without patient consent by another PBM would probably fall outside of that allowance. If the information were aggregate and not patient identifiable, then the review could probably be conducted. It is very important that the PBMs not be able to modify the data showing a prescription that has been processed and filled.
Scenario: Scenario 10 - Pharmacy Benefit B. Classification: Barrier to interoperability. Domain: 9. Information use and disclosure policy.
BP2 (WV 002 S10)
Business practice: From the perspective of our public health agency, using aggregate statistics would be all right, but if the scenario is as stated, Company A is already on very thin ice. Assuming that PBM2 and not Company A actually has the claims, then PBM2 could transmit the claims to PBM1 under HIPAA, provided it had a Business Associate agreement with PBM. There might be state law barriers related to disclosure of drugs used in specific conditions, e.g. HIV/AIDS or psychiatric disorders.
Scenario: Scenario 10 - Pharmacy Benefit B. Classification: Barrier to interoperability. Domain: 8. State law restrictions.
BP3 (WV 003 S10)
Business practice: As a payer, we have Business Associate agreements in place. This is a standard agreement unless the other company has another form; we may use both. We build policies on what HIPAA requires; we have an index of BA policies. All the data we send is encrypted. PHI has to be encrypted and the receiver has the user ID and password to un-encrypt. Internally, that is not necessary because of our firewalls.
Scenario: Scenario 10 - Pharmacy Benefit B. Classification: Barrier to interoperability. Domain: 9. Information use and disclosure policy.