RemedySpot.com

Re: BA/HIPAA/communicating


Guest guest

The notion of a communication carrier being “only a conduit” might have worked in days of old. With digital transmission we never know what gets stored along the way. Various high-profile cases leave me with the impression that data forensics experts can resurrect almost anything. This leaves two options: (1) Annoy patients with passwords and usernames or (2) Disclose you offer secure office visits (in your office) and all else is offered as a convenience via non-secure services. If you haven’t had mail taken from your mail box you might assume snail mail is secure. IMHO

From: [mailto: ] On Behalf Of
Sent: Thursday, April 26, 2012 11:55 AM
To:
Subject: BA/HIPAA/communicating

This would imply (below) that faxing through the net etc. is fine:

Other Situations in Which a Business Associate Contract Is NOT Required. With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.

And this (below) says email with patients is fine (even though you think Google saves everything). That would be part of the disclosure to patients?

Where I am left then is, and I do not use appointment services, it does sound dicey to use AQ unless they can say they are just a conduit, though the disclosure might help.

Where I am left, as always always always, is that I cannot communicate with other docs. Can Doximity allow me to form a team of docs who can text/email each other / upload CCR documents? Doximity is HIPAA compliant, but they do not have a tool, do they, to cloud compute common patient data? CCR documents currently have meds/allergies/labs; sharing that would be a start if Joe Schmoe on Saturday sees my patient in the ER...

http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html

-- MD ph fax


Guest guest

Doximity says you are not a verified user. So how did I get verified? So sent you a fax.

Sangeetha

Thanks, I would like to know more. I can check Updox. Doximity seems odd. Most of what they do is lightweight stuff like provide listings of docs. The meat of what they do is BAA/HIPAA-secure TEXTING to iPhones/Android and iPads. Well, that is just not so universal. It is not clear to me that they can offer a tool most docs would use or CAN use to share patient info. AND when I talked to them they wanted to verify me (fine) but said to send them a photo from a verified medical site, and mentioned Mayo Clinic, and to send them a copy of my medical ID.

Obviously I have neither. Have they no independent docs? Or could use an NPI? I thought Sangeetha or Grace used them. Article in JAMA yesterday about the barriers to docs communicating...

Jean

 

I'm sure Doximity can. Updox also can. From the Updox support site:

The Invite Process
Last Updated: Apr 24, 2012 12:24PM EDT

This article is about the process used to invite other providers, specialists, or businesses to use Updox for free secure messaging between Updox users.

About Free Secure Messaging using Updox

Any Updox user can invite others to use Updox for free secure messaging.

The invite process is free for all involved parties.

After completing the process the invited user can send secure messages through Updox to other Updox users (free or paying customers).

To begin the invite process

Click the Refer and Share button at the top of the Updox workspace/Inbox.

Click Send Invitation.

Type in the name of the person you are inviting, their email address or fax number, and a personal message if wanted.

We will send an email or fax to the contact you have entered.

Your name, practice name, and practice phone number will be automatically included in the invitation email/fax.

When the recipient receives your invitation they will click the link in the email or visit the URL in the fax and can download a file. The file will open a login screen for Updox.

If the recipient does not have an Updox account they should use the bottom option on the login page titled “New to Updox?” That will take the recipient through a process to collect basic demographic information about them and their practice or business. This information is collected to allow us to create an Updox account for the invited party.

If the recipient does not have a business or medical practice they should enter their own personal information for the practice/business info (Name, Address, Phone).

After completing the page with that information Updox will open to the Workspace/Inbox.

To complete the invite process the invited party must click the Refer and Share button at the top of the workspace/Inbox and click “Accept Invitation” and enter the Invite code from the email/fax.

Following the completion of that process the invited party can send to or receive messages from the practice that invited them.


Guest guest

Hi, it is called DocBook MD. I have no idea how it works. I just know that the ACCMA is pushing it among members and local hospitals. The idea is to get everyone on staff onto it. I would tell you more if I could, but maybe you can google it.

Pratt

 


Guest guest

I am probably all confused by now, but see this? This thread began because of appointment making with some practice that apparently stored PHI on the cloud without patients knowing or consent or BA agreement, and it sounds like that practice did not know that they did it, if you ask me. They are accused of having no policies etc., no training. I bet that was the problem.

Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?

Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise. For example:

A laboratory may fax, or communicate over the phone, a patient’s medical test results to a physician.

A physician may mail or fax a copy of a patient’s medical record to a specialist who intends to treat the patient.

A hospital may fax a patient’s health care instructions to a nursing home to which the patient is to be transferred.

A doctor may discuss a patient’s condition over the phone with an emergency room physician who is providing the patient with emergency care.

A doctor may orally discuss a patient’s treatment regimen with a nurse who will be involved in the patient’s care.

A physician may consult with another physician by e-mail about a patient’s condition.

A hospital may share an organ donor’s medical information with another hospital treating the organ recipient.

The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.

Thanks, got it. Am exploring a bunch of things. No one seems to talk or think about this stuff 'cept IMPS. Thanks.

 


Guest guest

When the government doesn’t have the answer they toss in a requirement like “reasonable.” Sadly, this kicks the can to the courts. An attorney asks, “Do you know where your data is stored and what safeguards exist?” Well, that’s the essence of a Business Associates Agreement. An aggressive plaintiff attorney wouldn’t let a little BAA get in his way and would likely hammer on our lack of attention to oversight of our service providers. As the attorney would explain, signing a contract means nothing if a party to the contract has a history of misbehavior or if you had not exercised due diligence in vetting them. Guess that’s why we buy insurance.

Personally I’m still wondering what’s not to like about a data security disclosure/policy that reads: “We provide private secure communication during office visits. All other communications including our web site, phone, internet, text messaging, fax, United States mail and commercial parcel services are provided as a convenience and are considered non secure communication to be used at your discretion.” I see this as the best balance between what we can do and what patients prefer in an environment of changing technology that defies clear answers.

For the rich, famous and paranoid, suggest they visit a doc that practices IT.

Neighbors, MD
Huntsville, Alabama
Solo using FlexMedical EMR/Billing since 2/2009
Attested MU in 2011


Guest guest

I agree with using a disclosure that clearly states the impossibility of assuring complete privacy, and this version is a good start. What concerns me is the part that all of these types of communication are considered "non-secure communications", which suggests that you should never initiate use of those without the patient's permission. The part about "to be used at your discretion" extends the same concern... given this, I would think that you would need specific permission to use any of those communications you listed... if the patient did not 'opt-in' to the US mail, then I shouldn't send a result by mail. Or, would they need to approve use of fax for referral letters to other providers? If you state up front that it is not secure and is to be used at their discretion, I think that requires you to seek their permission.

I plan to continue to use Appointment Quest for now. I am adding a checkbox** to each of my appointment choices that the patient will check to indicate they have read my privacy policy, understand it, and agree to the use of AQ with its inherent risks. I'll add something more specific in my privacy policy about AQ's security measures. I will likely also disable the appointment notification to me by email**. That makes me feel I'm being responsible without being paranoid and demonstrates that I DID consider privacy when the HIPAA police come knocking.

Carla Gibson FNP

**For AQ users:

AQ does not allow customization of what fields are sent by email in your notification, which is unfortunate. I may try contacting them to see if that is a feature they might provide. My bet is that they might consider it for the more expensive options! The patient's notification email does not list concerning information in my opinion. My notification includes info from my custom fields and thus could be worrisome. The only time I will be bothered by not having notification is for those holes in the day when someone scoots in by scheduling 30 minutes before the appointment. But these tend to surprise me anyway, since I might be doing faxes rather than email when I get that "catch up" time. I do think it might be worth a group effort in asking AQ to allow customization (assuming others agree that this might be helpful).

RE: the checkbox... I am trying to do this under the SetUp->Custom forms function. The problem is that they offer a checkbox option but for some reason that option cannot be "required"; every other option can be required, just not the checkbox. Odd. I may have to use a radio button with two YES choices...


does not have an Updox account they should use the bottom option on the login page titled “New to Updox?â€That will take the recipient through a process to collect basic demographic information about them and their practice or business. This information is collected to allow us to create an Updox account for the invited party.If the recipient does not have a business or medical practice they should enter their own personal information for the practice/business info (Name, Address, Phone)After completing the page with that information Updox will open to the Workspace/InboxTo complete the invite process the invited party must click the Refer

and Share button at the top of the workspace/Inbox and click “Accept Invitation†and enter the Invite code from the email/fax.Following the completion of that process the invited party can send to or receive messages from the practice that invited them. To: < > Sent: Thursday, April 26, 2012

10:54 AMSubject: BA/hippaa/ communcating this would imply- below -that faxing through the net etc is fineOther Situations in Which a Business Associate Contract Is NOT Required. With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents. And this-below- says email with patients is fine( even though you think google saves everything) that would be part of the disclosure to

patients? where I am left then ,is, and I do not use appointment services, it does sound dicey to use AQ unless they can say they are just a conduit --though the disclosure might help . where I am left as always always alwyas is that I cannot communicate with other docs Can doximity allow me to form a team of docs who can text/email each other?/upload ccr documents?Doximity is hippa complaint but they do no thave a tool do they to cloud compute common pateitn data Ccr documents currently have meds/allergies/labs sharing that would be a start if JOe SChmoe on Saturday seesmy patietn inthe er...http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html-- Jean

Antonucci MD ph fax -- MD ph fax -- MD ph fax -- MD ph fax


Guest guest

About disclosure of intent to use non secure communications, simply make this part of every new patient packet. In other words, every patient is opted in by default if they want to be in your practice. Anyone that has a concern can make an appointment. Why cater to 1% and annoy 99%? After all, it’s your policy not theirs.


Guest guest

I find the description of why the appt. is being scheduled by email very helpful, especially on short notice appointments (do I need to get out a suture tray?, etc.)

I hate to scare AQ (and us) into being helpful to our patients. I like the idea of just incorporating it into the privacy policies at the beginning.

Sharon

 

About disclosure of intent to use non secure communications, simply make this part of every new patient packet.

In other words, every patient is opted in by default if they want to be in your practice. Anyone that has a concern can make an appointment.

Why cater to 1% and annoy 99%? After all, it’s your policy not theirs.

  

From: [mailto: ] On Behalf Of Carla Gibson

Sent: Saturday, April 28, 2012 1:34 PM

To:

Subject: Re: BA/hippaa/ communcating

I agree that using a disclosure that clearly states the impossibility of assuring complete privacy, and this version is a good start. What concerns me is the part that all of these types of communication are considered "non-secure communications" which suggests that you should never initiate use of those without the patient's permission. The part about "to be used at your discretion" extends the same concern...given this, I would think that you would need specific permission to use any of those communications you listed... if the patient did not 'opt-in' to the US mail, then I shouldn't send a result by mail. Or, would they need to approve use of fax for referral letters to other providers? If you state up front that it is not secure and is to be used at their discretion, I think that requires you to seek their permission.

 I plan to continue to use Appointment Quest for now. I am adding a checkbox** to each of my appointment choices that the patient will check to indicate they have read my privacy policy, understand it, and agree to the use of AQ with its inherent risks. I'll add something more specific in my privacy policy about AQ's security measures.  I will likely also disable the appointment notification to me by email**.  That makes me feel I'm being responsible without being paranoid and demonstrates that I DID consider privacy when the HIPAA police come knocking.

 Carla Gibson FNP

 **For AQ users:

AQ does not allow customization of what fields are sent by email in your notification, which is unfortunate. I may try contacting them to see if that is a feature they might provide. My bet is that they might consider it for the more expensive options! The patient's notification email does not list concerning information in my opinion. My notification includes info from my custom fields and thus, could be worrisome. The only time I will be bothered by not having notification are for those holes in the day when someone scoots in by scheduling 30 minutes before the appointment. But, these tend to surprise me anyway since I might be doing faxes rather than email when I get that "catch up" time. I do think it might be worth a group effort in asking AQ to allow customization (assuming others agree that this might be helpful).

RE: the checkbox... I am trying to do this under the SetUp->Custom forms function. The problem is that they offer a checkbox option but for some reason, that option cannot be "required" - every other option can be required, just not the checkbox. Odd. I may have to use a radio button with two YES choices...

 

To:

Sent: Saturday, April 28, 2012 9:56 AM

Subject: RE: BA/hippaa/ communcating

  

When the government doesn’t have the answer they toss in a requirement like “reasonable.” Sadly, this kicks the can to the courts. An attorney asks “Do you know where your data is stored and what safeguards exist?” Well, that’s the essence of a Business Associates Agreement. An aggressive plaintiff attorney wouldn’t let a little BAA get in his way and would likely hammer on our lack of attention to oversight of our service providers. As the attorney would explain, signing a contract means nothing if a party to the contract has a history of misbehavior or if you had not exercised due diligence in vetting them. Guess that’s why we buy insurance.

Personally I’m still wondering what’s not to like about a data security disclosure/policy that reads: “We provide private secure communication during office visits. All other communications including our web site, phone, internet, text messaging, fax, United States mail and commercial parcel services are provided as a convenience and are considered non secure communication to be used at your discretion.”

 I see this as the best balance between what we can do and what patients prefer in an environment of changing technology that defies clear answers.

 For the rich, famous and paranoid suggest they visit a doc that practices IT. 

  Neighbors, MD

Huntsville, Alabama

 Solo using FlexMedical EMR/Billing since 2/2009

Attested MU in 2011

 From: [mailto: ] On Behalf Of

Sent: Saturday, April 28, 2012 8:55 AM

To:

Subject: Re: BA/hippaa/ communcating

  

I am probably all confused by now- but see this? This thread began because of appointment making with some practice that apparently stored PHI on the cloud without patients knowing or consent or BA agreement.- and it sounds like that practice did not know that they did it if you ask me. they are accused of having no policies etc no training I bet that was the problem

 Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?

Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.

For example:

A laboratory may fax, or communicate over the phone, a patient’s medical test results to a physician.

A physician may mail or fax a copy of a patient’s medical record to a specialist who intends to treat the patient.

A hospital may fax a patient’s health care instructions to a nursing home to which the patient is to be transferred.

A doctor may discuss a patient’s condition over the phone with an emergency room physician who is providing the patient with emergency care.

A doctor may orally discuss a patient’s treatment regimen with a nurse who will be involved in the patient’s care.

A physician may consult with another physician by e-mail about a patient’s condition.

A hospital may share an organ donor’s medical information with another hospital treating the organ recipient.

The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.

thanks got it Am exploring a bunch of things No one seems to talk or think about this stuff 'cept IMPS thanks

 

  Doximity says you are not a verified user. So how did I get verified? so sent you a fax.

Sangeetha 

  thanks I would like to know more

I can check Updox Doximity seems odd Most of what they do is light weight stuff like provide listings of docs The meat of what they do is BAA/HIPAA secure TEXTING to iPhones/Android and iPads. Well that is just not so universal. It is not clear to me that they can offer a tool most docs would use or CAN use to share patient info AND when I talked to them they wanted to verify me--fine- but said to send them a photo from a verified medical site and mentioned Mayo Clinic, and to send them a copy of my medical ID

Obviously I have neither Have they no independent docs? Or could use an NPI? I thought Sangeetha or Grace used them.. Article in JAMA yesterday about the barriers to docs communicating... Jean

 

  I'm sure Doximity can.  Updox also can.. from Updox support site:

The Invite Process

Last Updated: Apr 24, 2012 12:24PM EDT

This article is about the process used to invite other providers, specialists, or businesses to use Updox for free secure messaging between Updox users.

About Free Secure Messaging using Updox

Any Updox user can invite others to use Updox for free secure messaging.

The invite process is free for all involved parties.

After completing the process the invited user can send secure messages through Updox to other Updox users (free or paying customers).

To begin the invite process

Click the Refer and Share button at the top of the Updox workspace/Inbox.

Click Send Invitation

Type in the name of the person you are inviting, their email address or fax number, and a personal message if wanted.

We will send an email or fax to the contact you have entered.

Your name, practice name, and practice phone number will be automatically included in the invitation email/fax.

When the recipient receives your invitation they will click the link in the email or visit the url in the fax and can download a file. The file will open a login screen for Updox.

If the recipient does not have an Updox account they should use the bottom option on the login page titled “New to Updox?”

That will take the recipient through a process to collect basic demographic information about them and their practice or business. This information is collected to allow us to create an Updox account for the invited party.

If the recipient does not have a business or medical practice they should enter their own personal information for the practice/business info (Name, Address, Phone)

After completing the page with that information Updox will open to the Workspace/Inbox

To complete the invite process the invited party must click the Refer and Share button at the top of the workspace/Inbox and click “Accept Invitation” and enter the Invite code from the email/fax.

Following the completion of that process the invited party can send to or receive messages from the practice that invited them.

 

To: < >

Sent: Thursday, April 26, 2012 10:54 AM

Subject: BA/hippaa/ communcating

  this would imply- below -that faxing through the net etc is fine

Other Situations in Which a Business Associate Contract Is NOT Required. 

 With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.

And this-below- says email with patients is fine (even though you think Google saves everything) that would be part of the disclosure to patients?

where I am left then, is, and I do not use appointment services, it does sound dicey to use AQ unless they can say they are just a conduit --though the disclosure might help. where I am left as always always always is that I cannot communicate with other docs

Can Doximity allow me to form a team of docs who can text/email each other?/upload CCR documents? Doximity is HIPAA compliant but they do not have a tool do they to cloud compute common patient data CCR documents currently have meds/allergies/labs sharing that would be a start if Joe Schmoe on Saturday sees my patient in the ER...

http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html

 
