|
Comment Number |
Section |
Page |
Comments |
|
1 |
I. Background - Summary
and Purpose |
59922 |
It is important that even
purely paper records with individually identifiable health information should
be treated with some privacy requirements. In some cases, paper is the least
secure and the easiest to obtain. While electronic means may
make data more easily distributed, the privacy principles of individually
identifiable health information remain the same. Throughout the document,
it is discussed that paper that comes out of electronic usage could be
considered protected health information. How would a practitioner be able to
keep up with the “rules” for what practice to use for which piece of paper
that originated from where? At the least, there should be “recommended
practices” for purely paper which correspond appropriately to practices for
electronic or paper-from-electronic usage. How far is paper from
electronic practices taken? What are the responsibilities of the mailing or
courier services used by covered entities? How far are companies responsible
for keeping paper and its route safe? Is this feasible? |
|
2 |
II. Provisions of the
Proposed Rule - A. Applicability |
59929 |
See comment 1 above. |
|
3 |
II. Provisions of the
Proposed Rule - B. Definitions 4. Health care
clearinghouse |
59930 |
Request revision of
statement “For purposes of this rule, we would consider billing services,
repricing companies, community health management information systems or
community health information system, “value added” networks, switches, intermediaries and similar
organizations to be health care clearinghouses for purposes of this part only
if they actually perform the same functions as a health care clearinghouse.”
(addition of intermediaries - although
they do fit under some of the other terms) |
|
4 |
II. Provisions of the
Proposed Rule - B. Definitions 19. Individually
identifiable health information |
59936 |
Comment to list of
data elements listed. Some data elements can identify an individual - such as
SSN. Some data elements can be used to derive an individual - such as medical
record number, health plan beneficiary number, certificate/license number, et
cetera, provided one has access to the specific database. However, some of these
data elements by themselves cannot identify a specific individual unless used
in conjunction with another data element. It is not an accurate
statement to say “All of the following data elements have been removed or
otherwise concealed”. It would not be compromising individual privacy to have
a file with only date of birth as the only individual data, if the
research/reporting only needed to pull trends/patterns based on 10 year olds,
for example. A date of birth and a ZIP code in a remote area could identify
an individual. However, a date of birth and a ZIP code in an urban area would
not. In the remote area, it might be prudent to limit the ZIP code to 2 or 3
digits to broaden the area. It would be more accurate to group the data
elements by which ones could actually identify an individual, and then
describe combinations of data elements which could describe an individual and
place some conditions on this, rather than list the elements as a group and
say none of these fields can be used. |
|
5 |
II. Provisions of the
Proposed Rule - B. Definitions 19. Individually
identifiable health information - “best way in which to inform covered
entities of appropriate and useful information on methods that they can use
to determine whether information is de-identified.” |
59936 |
Information could be given
to the Standards Developing Organizations and national organizations to
disseminate to membership as a possible route. |
|
6 |
II. Provisions of the
Proposed Rule - C. Introduction to General Rules |
59939 |
Comment on additional
protection for sensitive information. If individually identifiable
information is protected, then sensitive information should fall under this
same restriction. Sensitive information may be useful for research or trends
as long as individual information
is not present. Different rules or procedures for sensitive information could
lead to confusion and misinformation. |
|
7 |
II. Provisions of the
Proposed Rule - C. Introduction to General Rules 4. Creation of
De-identified Information |
59947 |
See comment 4 above. |
|
8 |
II. Provisions of the
Proposed Rule - C. Introduction to General Rules 5. Business partners |
59947 |
Agree that health
care clearinghouses should be treated as business partners and covered
entities. Also agree to not apply several requirements that would be applied
to covered plans and providers. |
|
9 |
II. Provisions of the
Proposed Rule - C. Introduction to General Rules 5. Business partners
- ii. Scope of the contractual agreement |
59947 |
Comment on “At termination
of the contract, require the business partner to return or destroy all
protected health information….” In some businesses, this might be
acceptable. However, in the case of a
clearinghouse, daily pharmacy transactions may be kept on logs for historical
or research purposes for customers. These logs may be kept for years on tape
backup. It would be very costly and impractical for a clearinghouse to
retrieve years of data saved for these purposes and purge just specific
business partner claims off logs that contain all transactions. Business partners who
retain paper copies of electronic information would be required to segregate
this information in case of purge needs. This may be very impractical. We believe this may be an
attempt to discuss individual
identifiable databases where the business partner may be an originator of
individual information and not other situations. |
|
10 |
II. Provisions of the
Proposed Rule - C. Introduction to General Rules 5. Business partners
- c. Accountability |
59950 |
Comment on automatic
termination. Agree with “require the covered entity to take reasonable steps
to end the breach and mitigate its effects”. Businesses should have the
ability to right any problems, especially as this rule takes effect and
changes will occur as well. |
|
11 |
II. Provisions of the
Proposed Rule - F. Introduction to rights of individuals |
59976 |
Comment on requiring
clearinghouses to comply with all of the provisions of the individual rights
section. The assumptions are correct that the vast majority of the
clearinghouse functions falls within the scope of treatment, payment, and
health care operations. Clearinghouses do not, as a rule, have relationships
with patients and this would cause significant burden on the patients.
Clearinghouses can be covered under definitions stated as a business partner. |
|
12 |
II. Provisions of the
Proposed Rule - F. Introduction to rights of individuals - Access for inspection
or copying - Right of access to information maintained by business partners |
59981 |
Comment on
clearinghouses. As a norm, clearinghouses do not create the data. “As
technology improves it is likely that clearinghouses will find ways to take
advantage of databases of protected health information...” We object to
the term “find ways to take advantage”. Clearinghouses and other parties will make use of new technologies as it fits
their business needs. “This technology would allow more cost effective access
to clearinghouse records on individuals and therefore access for inspection
and copying could be appropriate and reasonable.” This is a leap into the
future. This is assuming something about the technology and assuming a
business practice that may or may not happen. It still may be very difficult
and/or time-consuming to perform research on an individual. A clearinghouse
or other entity may not choose to perform this role. |
|
13 |
III. Small Business
Assistance |
60003 |
“Only those covered
entities who disclose health information to marketers, …” should be changed to
“Only those covered entities who disclose individually identifiable health
information to marketers, reporters, … for purposes unrelated to treatment,
payment, and health care operations are required to get the written consent
of the patient in accordance with this rule”. |
|
14 |
Appendix to Subpart E
of Part 164 - Authorization Form |
60065 |
Does the form need
something to designate the patient or responsible party has seen the form and
refused to sign? |