Podiatry Management Online
09/12/2019    Ray Posa, MBA

Who's Responsible When a Lab Has a Data Breach?

I just read Michael Brody’s article in the
September issue of Podiatry Management. As a
leader in the podiatry world, podiatrists look to
Podiatry Management as the ‘source’ for all
things podiatry, and they rely on the information
provided. I have to point out several factual
errors and outright wrong advice that Michael
Brody has provided to the readers in his recent
article.

First, in the first column, Michael states that
“Both LabCorp and Quest are ‘covered entities’ in
that they do not have a direct relationship with
patients.” This is exactly the opposite of the
situation. The patients do have a direct
relationship with these labs. The labs have their
own NPI numbers, and they bill the patient and/or
the patient’s insurance company directly; that
is what makes them ‘covered entities’.

Next, in the third column, Michael states: “Since
they are directly subject to the HIPAA rules and
regulations, you are not responsible for the
security of the data that they received.” That is
correct; the physicians are not responsible for
any breaches that occur at these covered entities’
facilities. Then he goes on to imply that the
mishandling of patient data is the physician’s
responsibility. That is not correct. Whether the
physician sent the patient directly to the lab or
just sent a specimen to the lab on the patient’s
behalf, the physician bears no responsibility for
any breach that occurs at the lab.

Finally, Michael discusses the requirement to keep
a log of every electronic disclosure of patient
information and states that patients are entitled
to an accounting of those disclosures. This
statement is also inaccurate. HIPAA privacy only
requires the keeping of a log of disclosures of
patient information for ‘non-exempt’ reasons.

The term ‘Treatment, Payment and Operations
(TPO)’ is the biggest exemption. When patient
information is shared covered entity to covered
entity, it is exempt and does not have to be
logged, whether it is on paper or electronic. This
is clearly stated in any Notice of Privacy
Practices (NPP). The logs must only be kept when
patient information is shared for non-exempt
reasons, and those reasons are clearly stated in
the Notice of Privacy Practices (NPP).

I just wanted to bring some clarity to this issue
and not give the readers a false sense of alarm.

Raymond Posa, MBA, Farmingdale, NJ
