Privacy Officer's Roundtable

search criteria = ALL
Privacy Officer's Roundtable sorted by thread
 
  enterprise wide access to behavioral insurance provider infoJul 20, 2012 5:20 PMMarian Hughlett
  RE:enterprise wide access to behavioral insurance provider infoJul 21, 2012 8:32 AMFrank Ruelas
  RE:enterprise wide access to behavioral insurance provider infoJul 21, 2012 10:50 AMFrank Ruelas
 

1.
enterprise wide access to behavioral insurance provider info
From: Marian Hughlett
To: Privacy Officer's Roundtable
Posted: Jul 20, 2012 5:20 PM
Subject: enterprise wide access to behavioral insurance provider info
Message:
In an electronic registration system for a single multi-specialty practice group, is it typical for behavioral health insurance provider information to be visible to system users across all specialty units?

For example, Mrs. A is a patient of the cardiology group, the OB-GYN group, and also receives substance abuse counseling from the psychiatry group.  The proposed patient registration system stores insurance and demographic information for all patients at the "enterprise-wide" level (not the same as the medical record system) where anyone responsible for verifying insurance, scheduling appointments, etc., can have access to the insurance info of ALL practice group patients. 

In this scenario, the OBGYN registration desk might see that Mrs. A has an insurance carrier known to cover substance abuse programs in addition to her health insurance provider which covers her annual OB-GYN exam.

Could this pose a problem not just under HIPAA (minimum necessary) but for state laws which may protect "information" used to identify substance abuse treatment programs?

If so, I would appreciate any confirmations and if not, I would like to better understand any points of education that might be shared.

Thanks!


-------------------------------------------
MarianHughlettCHC, CHRC
-------------------------------------------
Be the first person to recommend this.


2.
RE:enterprise wide access to behavioral insurance provider info
From: Frank Ruelas
To: Privacy Officer's Roundtable
Posted: Jul 21, 2012 8:32 AM
Subject: RE:enterprise wide access to behavioral insurance provider info
Message:
Marian,

In the registration systems that I have seen for multi specialty clinics, which are a fair number from different vendors, my recollection is that insurance information, as you described, resides in a module which is a subset of the information that many or all users are able to access.  Some systems do restrict this due to role based access rules, but generally, it is available to all.

Keep in mind that these systems, which are used by the workforce which have been trained to adhere to the covered entity's policies and procedures are also expected to safeguard this information.  So if this patient, Mrs. A had listed in her insurance information data that she had:
Insurance #1 - General Health Insurance
Insurance #2 - General Mental Health Insurance
Insurance #3 - Specialty Cancer Health Insurance
...to know that Mrs. A has a specific type of insurance does not necessarily equate to the registration desk knowing whether or not Mrs. A has received services under these policies.

Now if the OB/GYN desk saw that Mrs. A had in my supplement to your example, mental health insurance coverage AND THEN went into the mental health module or screens of the clinic's medical record keeping system to see what types of services may have been covered by this insurance...now we have a problem.

The good thing is that more and more clinic based systems would limit the OB/GYN desk to those modules and data related to OB/GYN care and therefore, even if there was an attempt, Mrs. A mental health related care would not be accessible by OB/GYN.  BUT...this is not always the case and sometimes there are overrides that staff can use when they are moving from one health care service category to another.



-------------------------------------------
Frank Ruelas
Principal
HIPAA College
Casa Grande,AZ
-------------------------------------------






Show Original Message
Be the first person to recommend this.


3.
RE:enterprise wide access to behavioral insurance provider info
From: Frank Ruelas
To: Privacy Officer's Roundtable
Posted: Jul 21, 2012 10:50 AM
Subject: RE:enterprise wide access to behavioral insurance provider info
Message:
Marian,

I almost forgot to mention that you also likely have a very good option for auditing and monitoring related to workforce use of the medical recordkeeping system.

It is also my experience that these systems generate what are essentially activity logs which show the different screens or sections that a user accesses.

This would be another way you can support an effective compliance program with respect to HIPAA by monitoring through a review of these activity logs whether folks are accessing areas which their roles who indicate may not be consistent with the duties they perform.

Too often I see that auditing and monitoring are weak links in the chain of Compliance and I am always looking to point folks in directions that can help this be a stronger facet of their compliance efforts.

-------------------------------------------
Frank Ruelas
Principal
HIPAA College
Casa Grande,AZ
-------------------------------------------






Show Original Message
Be the first person to recommend this.