Archived News and Information from 1/2000 through 12/2000

Privacy Rule is Finalized - Posted to HIPAAcomply 12/21/00    

Clinton to Issue New Rules on Medical Data Privacy- Posted to HIPAAcomply 11/21/00

HIMSS Sponsors Educational Audio Conference on HIPAA - Posted to HIPAAcomply 10/13/00

Link to Final Rule on National Standards for Electronic Transactions - Posted to HIPAAcomply 10/5/00

Does HIPAA Supercede State Law? - Posted to HIPAAcomply 10/4/00
(A HIPAAcomply Document Download)

Getting Ready for HIPAA - Posted to HIPAAcomply 8/24/00

Document Reasonableness of Your Security Decisions - Posted to HIPAAcomply 8/24/00

U.S. Toughens Rules on Medical Privacy, but Some Want More Limits - Posted to HIPAAcomply 8/23/00

Believing in Biometrics - Posted to HIPAAcomply 8/22/00

Evaluating HIPAA Vendors? - A Tool to Measure Critical Capabilities - Posted to HIPAAcomply 8/17/00

Health data on 858 patients mistakenly e-mailed to others - Posted to HIPAAcomply 8/17/00

DHHS Signs Final Rules for Transaction Standards - Posted to HIPAAcomply 8/14/00

WEDI's SNIP Initiative continues to Advance - Posted to HIPAAcomply 8/14/00

Klein Appointed to MedChi Privacy Committee - Posted to HIPAAcomply 7/19/00

HIPAA: "I want you to comply with privacy regulations" - Posted to HIPAAcomply 7/12/00

HMO Held Responsible for Confidentiality Breach - Posted to HIPAAcomply 06/22/00

HIPAA Glossary Available from WEDI - Posted to HIPAAcomply 06/20/00

Create Security/Privacy Committee to Handle Compliance Issues - Posted to HIPAAcomply 05/31/00

The Time to Start HIPAA Planning is Now - Posted to HIPAAcomply 05/25/00

GAO Senate Testimony on Privacy Standards - Posted to HIPAAcomply 05/09/00

HIPAA Sets Up New Hurdles for Healthcare Players - Posted to HIPAAcomply 05/01/00

Senate Committee Hears Differing Views on Proposed Privacy Rule - Posted to HIPAAcomply 05/01/00

CIO Survey says HIPAA Requires Action - Posted to HIPAAcomply 03/28/00

HHS Sets Firm Goal for Publication of Final Rule for Transactions and Code Sets Standards - Posted to HIPAAcomply 03/27/00

Beacon Partners Responds to Delays in HIPAA Final Rules - Posted to HIPAAcomply 03/27/00

WEDI Bulletin on Transaction Final Rule Date and Planning for Implementation - Posted to HIPAAcomply 03/16/00

HHS Indicates that HIPAA Final Rules will be Delayed Further - Posted to HIPAAcomply 03/15/00

Privacy Concerns May Spark Congressional Intervention - Posted to HIPAAcomply 03/15/00

HIPAA and Administrative Simplification - Posted to HIPAAcomply 03/15/00

Final HIPAA Privacy Rules will be Delayed - Posted to HIPAAcomply 03/01/00

House Holds Hearing on HIPAA Regulations - Posted to HIPAAcomply 02/23/00

WEDI's Letter of Comment to the Privacy NPRM - Posted to HIPAAcomply 02/17/00

Memo from Deputy Attorney General Eric Holder to Inspectors General Directing Them to Refer Potential Violations of Federal Privacy Statutes to the Department of Justice for Investigation and Prosecution - Posted to HIPAAcomply 02/02/00

HIPAA Regulation Compliance on Heels of Y2K Headache - Posted to HIPAAcomply 01/12/00

DHHS moves on Patient Privacy - Posted to HIPAAcomply 01/04/00

Date for Responses to NPRM is Extended - Posted to HIPAAcomply 01/04/00

HHS Proposes First-Ever National Standards To Protect Patients' Personal Medical Records - Posted to HIPAAcomply 01/04/00

Clinton Plan Would Tighten Medical Privacy - Posted to HIPAAcomply 01/04/00


Privacy Rule is Finalized

HHS Secretary Donna E. Shalala today released the nation's first-ever standards for protecting the privacy of Americans' personal health records. This new regulation will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.

For complete information on the final privacy rule click on the links below:

HHS Press Release

HHS Fact Sheet on the Final Privacy Rule

Download the text of the Final Rule (in PDF) - Beware!! It is quite large!!!

DHHS Administrative Simplification Page


Posted to HIPAAcomply 12/21/00

Clinton to Issue New Rules on Medical Data Privacy
(This article originally appeared in the N.Y. Times, November 20, 2000)

WASHINGTON, Nov. 19 — The Clinton administration will soon issue sweeping new rules to protect the privacy of medical records. But under pressure from the health care industry, officials say, they are backing off a proposal to give patients a broad new right to sue and recover damages for the improper disclosure of confidential information.

Chris Jennings, the health policy coordinator at the White House, said President Clinton would issue the final rules, with the force of law, in the next few weeks.

The administration is "going full steam ahead, with a full commitment" to the goal of protecting privacy, Mr. Jennings said.

As President Jimmy Carter did 20 years ago, Mr. Clinton is leaving office with a burst of regulatory activity that he hopes will leave an imprint on the nation long after his term ends. Last Monday, the government issued rules intended to protect millions of workers against repetitive stress injuries.

The privacy rules, the first comprehensive federal standards to protect the confidentiality of medical data, will affect virtually everyone who receives or provides health care in the United States. The rules come at a time when insurers and health care providers are making greater use of computers to store and exchange medical information on patients.

The new Congress could alter the rules, but will have great difficulty mustering a consensus for any alternative.

Legislation to set federal privacy standards died this year because of profound disagreements between consumer advocates and the health care industry.

A 1996 law required the secretary of health and human services to set the standards for medical privacy, but gave her little guidance on what the rules should say.

Under the new rules, consumers will for the first time have a federal right to inspect and copy information in their medical records. They will also have the right to request correction of information that they consider inaccurate or incomplete.

The standards will limit the use and disclosure of data by insurance companies, health maintenance organizations and other health care providers, including doctors, nurses, hospitals, nursing homes, pharmacies and medical laboratories.

In proposing the rules for public comment in November 1999, President Clinton lamented the fact that his regulatory authority was limited: he could not directly regulate the conduct of the many people with whom doctors and hospitals share information on patients.

"To fill this gap in our legislative authority," the government said, it will hold health care providers responsible for the activities of their "business associates," including lawyers, auditors, accountants, consultants, billing companies and other contractors.

Health care providers would have to rewrite contracts with these business partners to guarantee that information on patients is kept confidential. Business partners would have to promise to follow the federal privacy standards, just as doctors and hospitals do.

The 1996 law did not give patients a new right to sue for violations of their privacy.

"The statute does not provide for a private right of action for individuals," the administration said in a preamble to the proposed rules last year.

But federal officials tried to overcome the limits of the law. In the proposed rules, they said that patients must be named as the "intended third-party beneficiaries" of contracts between health care providers and their business partners.

This would have given patients a powerful new tool to enforce their rights. Patients could have sued in state court for violation of the contract if their medical records were improperly disclosed.

But federal officials said they had recently decided to back away from this proposal after receiving a torrent of criticism from the health care industry, which complained that the administration had exceeded its legal authority.

The American Association of Health Plans, a trade group for H.M.O.'s, said its members and their business partners would have faced "significant new legal liability" if the federal government had authorized patients to sue for violations of their privacy rights.

The Health Insurance Association of America said the Clinton proposal could have led to "excessive litigation, including class action lawsuits, that would drive up health care costs."

Employers said that health insurers would drag them into such litigation, and that the risk of new lawsuits would discourage companies from providing health benefits to employees.

Jackie M. Huchenski, a health lawyer in New York City, said: "The rule on business partners is very controversial. It imposes new obligations on health care providers and health plans, making them responsible for someone else's mistakes."

Paul G. Sherwood, senior vice president of Halifax Regional Medical Center, a 206-bed hospital in Roanoke Rapids, N.C., said it was unrealistic to hold him responsible for what his business partners might do.

"I have very little control over my contractors," Mr. Sherwood said. "The proposed rule appeared to be inviting a plethora of litigation."

Doctors, hospitals and their business partners will still have to comply with the rules, officials said, but patients will not get any new right to sue.

Even without an explicit new right to sue, Ms. Huchenski said, patients may be able to recover damages by filing suit under certain existing state laws that protect consumers or regulate health care.


Posted to HIPAAcomply 11/21/00

HIPAA: A Practical Implementation Guide 

An Audio Conference Series Sponsored by HIMSS 

To meet the needs of healthcare professionals for immediate, affordable education on HIPAA, HIMSS is offering two series of "how-to" audio conferences with industry experts who will provide insight, strategy, and practical tips for successful HIPAA implementation.

Choose any or all of the six scheduled conferences below. 

Series #2: HIPAA Information Security 
Presented by: David Tubbs, Chief Technology Officer, Talon Technology International, Inc. 

Conference 4: Survivor: Replace or Update Your Information System? 
January 11, 2001 

Conference 5: Friend or Foe: Contractor and Business Partner Security 
January 25, 2001 

Conference 6: Finding Your Weakest Links: Reassessing and Addressing Vulnerabilities 
February 15, 2001 

Click here for more detailed information on this HIMSS sponsored educational series


Posted to HIPAAcomply 10/13/00

Link to Final Rule on National Standards for Electronic Transactions 

The Final Rule on National Standards for Electronic Transactions was published in Federal Register on Aug. 17, 2000 and is effective October 16, 2000. The compliance date is October 16, 2002 (2003 for small health plans). 

Click here to link to the FINAL RULE ONLINE


Posted to HIPAAcomply 10/5/00

Does HIPAA Supercede State Law?

For an excellent, in-depth treatment of the issue of preemption of state law as it applies to the HIPAA standards for transactions, code sets, identifiers, and security, click below for a paper (in PDF format) by Tom Gilligan, Executive Director & Washington Representative for AFECHT.

Does HIPAA Supercede State Law Paper (PDF)


Posted to HIPAAcomply 10/4/00

Getting Ready for HIPAA
Although costs will be substantial, complex new federal rules could yield savings.
From Internet Health Care Magazine, July/August 2000


Posted to HIPAAcomply 08/24/00

Document Reasonableness of Your Security Decisions
The following article was published in the June 2000 issue of the Health Information Compliance Insider, and is reprinted with the permission of Brownstone Publishers, Inc.

Security Decisions - PDF Format


Posted to HIPAAcomply 08/24/00

U.S. Toughens Rules on Medical Privacy, but Some Want More Limits
From the New York Times, Sunday, August 20, 2000, National Desk 

WASHINGTON, Aug. 19 -- After nine months of blistering criticism from doctors, patients and consumer groups, the Clinton administration says it has decided to beef up protections for the privacy of medical records, beyond what it proposed last year.

But administration officials said the new rules, to be issued before the Nov. 7 election, would not give patients full control of their medical records, as many advocates of privacy rights had recommended.

The rules would, for the first time, set comprehensive federal standards requiring doctors, hospitals, pharmacists and insurance companies to limit the disclosure of medical information about individual patients.

The health care industry and insurance companies must comply with the new rules within two years. The rules, issued under a 1996 statute, would have the force of law; no further action by Congress is required.

The far-reaching, complex rules will touch almost every aspect of the health care system. They will come at a time when large amounts of medical data, including genetic information about a patient's risk of developing specific diseases, can be stored electronically and sent across the country or around the world with the click of a computer mouse.

Administration officials said they saw publication of the rules as a significant achievement that could help Vice President Al Gore, the Democratic candidate for president. Mr. Gore has called for an "electronic bill of rights" to protect people against the misuse of computerized personal information of all types.

Chris Jennings, the health policy coordinator at the White House, said President Clinton was committed to issuing the rules on medical privacy by late summer or early fall. "That's a very high priority," Mr. Jennings said.

Public opinion polls show that Americans are increasingly concerned about privacy in general and want greater protection for medical records, in particular. Some people say they shun testing for cancer, H.I.V. infection and other conditions because they fear discrimination in insurance or employment.

The Republican Party platform promises new rules to protect the privacy of medical information, but gives no details. If Gov. George W. Bush of Texas wins the presidential election, his advisers said, he would probably want to re-examine the rules, rather than rely on the policy judgments of the Clinton administration.

The White House published the proposed rules in the Federal Register on Nov. 3, 1999. After reviewing thousands of public comments, federal officials said, they expect to make these changes:

  • The rules, as originally proposed, would have applied mainly to information transmitted electronically or stored in computers. The final rules will also apply to many paper records. This is an important change because most medical records are still kept on paper.
  • Under the proposed rules, health care providers and insurance companies were supposed to advise patients of their rights and tell them how personal medical information might be used or disclosed. The new rules are likely to go further, stipulating that doctors should get patients to sign forms acknowledging that they have actually received such notices.
  • The proposed rules would have permitted the use and disclosure of medical information without a patient's consent for treatment, payment and a wide range of loosely defined "health care operations." They would also have prohibited doctors from asking patients to sign a consent form unless it was required by state law. The new standards will allow doctors to seek the patient's consent, and many doctors said they had an ethical obligation to do so.

Under current practice, doctors often ask patients to sign forms authorizing the use and disclosure of medical information for various purposes.

The American Civil Liberties Union said, "The proposed regulations are a step backward from current practice because they require only notice and not consent."

Administration officials said the new rules would limit disclosure of medical information to the "minimum necessary" and give patients a right to see their medical records. In addition, the rules would pre-empt weaker state laws.

A person who discloses health information in violation of the rules could be fined $50,000 and imprisoned for one year. If the offense is committed for commercial advantage or personal gain, the rules allow tougher penalties: a $250,000 fine and 10 years in prison.

The 1996 law directed the administration to issue rules on medical privacy if Congress failed to pass legislation by Aug. 21, 1999.

Lawmakers missed that self-imposed deadline. Congress could alter any of the new standards, but has been at an impasse, under pressure from scores of lobbyists with conflicting interests on the issue of medical privacy.

Robert M. Gellman, an expert on privacy and information policy, said the administration was "taking a real gamble" in issuing the rules before the election because they might be criticized as not going far enough to protect privacy.

On the other hand, the Health Insurance Association of America and the Blue Cross and Blue Shield Association said the proposed rules went too far, exceeded the government's legal authority, were unworkable and would impose new costs on patients and employers, who pay for much of the nation's health care.

When the rules were proposed last year, they were praised at first, but then criticized by the American Medical Association, the American Civil Liberties Union and experts like Janlori Goldman, director of the Health Privacy Project at Georgetown University.

After reading the fine print, critics said the proposals were a license to disclose sensitive medical information, rather than a fence restricting access.

In a typical comment, the American Cancer Society said it was concerned that the proposed rules would allow "the total free-flow of information" without input from patients.

"We believe that the individual should retain the ultimate right to decide to whom, and under what circumstances, individually identifiable health information will be disclosed, even in cases of treatment, payment or health care operations," the cancer society said.

Likewise, the American Medical Association said, "Valid consent should be obtained before personally identifiable health information is used for any purpose."


Posted to HIPAAcomply 08/23/00

Believing in Biometrics 
Biometric technologies not only exist--they work and are now affordable.

By Fred D. Baldwin 
August 2000 - Healthcare Informatics


Posted to HIPAAcomply 08/22/00

Evaluating HIPAA Vendors? - A Tool to Measure Critical Capabilities

With the recent adoption of the final HIPAA regulations for transactions and diagnosis/procedure codes, many organizations will be seeking HIPAA help. The attached tool can be used to measure critical capabilities and objectively compare different vendors. Health care organizations may add additional factors relevant to individual circumstances, such as prices and industry reputation.

Download HIPAA Vendor Evaluation (PDF format)


Posted to HIPAAcomply 08/17/00

Health data on 858 patients mistakenly e-mailed to others 
Medical information was among messages sent out by Kaiser 

By M. William Salganik 
Sun Staff

The Kaiser Permanente Health Plan admitted yesterday that it had inadvertently e-mailed to 19 of its patients health information about 858 other patients.

"There was a glitch" when new software was installed Aug. 2 to speed up e-mail responses to patients, according to Beverly Hayon, director of national media relations for the HMO, which has headquarters in Oakland, Calif. 

The information sent out by mistake was of varying levels of sensitivity, Hayon said. 

It ranged from a simple note saying the member would be sent a password for the online system to "answers to medical questions about a particular disease or condition," she said. 

Kaiser noticed the problem after about 20 minutes, and shut down its e-mail system to fix it, Hayon said.

The health plan had contacted everyone who received the information by mistake, and all had said they deleted it and had not transmitted it further. She also said it was calling all 858 members whose information had been sent out by mistake, and had already reached most of them. 

Both Beth Givens, director of the Privacy Rights Clearing House in San Diego, and Susan Pisano, vice president of the American Association of Health Plans, said that although the World Wide Web and e-mail are being used increasingly to provide health information, they were unaware of any similar problems. Givens said a credit-rating service, Experian, had sent credit reports ordered online to the wrong people a few years ago when "the system sort of blew up." In health, she said, some letters containing health information were stuffed into envelopes addressed to different people. 

But while such privacy errors can happen with conventional mailings, she said, "the scale can be grander in the online world." For example, she said, in the case of credit-card numbers, "one dishonest waiter can rip off 20 to 50 people a day, while a hacker can get 100,000 credit-card numbers in a few moments." 

While health plans are increasingly using automated methods for "reducing costs and increasing services," Givens said, they should build in safeguards, and when such problems occur, "perhaps they're getting too close to the bone." Pisano said Kaiser "views themselves as leaders" in the area of online health services, "and they see it as part of their leadership role to acknowledge that this happened." 

Hayon said about 250,000 of Kaiser's 11 million members use the online information service, and about 20,000 more sign up each month. They can make appointments, order prescription refills and ask health questions to doctors, nurses and pharmacists. They receive answers or confirmations by e-mail.

The e-mail system was shut down for installation of new software. Then, Hayon said, "Somebody pushed something and sent off the e-mails." Some members waiting for a response got multiple ones, from a few extra to as many as 400. Soon, Kaiser's technicians noted the unusual size of outgoing e-mail, and shut down the system for a fix.

By yesterday evening, Hayon said, 13 people said they had already deleted the information, three others said they would delete it, two said it had never been delivered, and one member could not be reached.

Givens said people using any new online service should realize that problems may surface, and might want to "wait until the bugs have been worked out" before offering their own sensitive information. A Kaiser member herself, she said she had not used the online service, not because of privacy concerns but because, "I just haven't found the time to delve into their Web site."

Originally published Aug 10, 2000 on


Posted to HIPAAcomply 08/17/00


DHHS Signs Final Rules for Transaction Standards

The two-year compliance clock begins ticking 60 days after the final adoption date and all covered entities must comply by October 2002.

NORWELL, MA (August 14, 2000) - The final rules set the stage for sweeping changes across the health care industry to gain administrative savings through standardization and simplification of electronic health care transactions. The final rules require health plans, providers, and clearinghouses exchanging electronic administrative health care transactions to implement ASC X12 standards for health claims, referral certification/authorizations, claim status inquiries, eligibility requests/responses, remittance advices, and health benefit enrollment/disenrollment. Additionally, the final rules require retail drug claims to comply with the NCPDP standard for batch or telecommunication claims using version 1.0 or 5.1 respectively. Finally, the rules require utilization of ICD-9-CM, CPT, CDT, NDC, and HCPCS coding standards. Local codes are disallowed and redundant codes eliminated.

"With the long anticipated adoption of these final rules, health care organizations are well advised to accelerate preparations in earnest," said Tom Hanks, Practice Director, Enterprise Security and HIPAA Compliance, Beacon Partners. "HIPAA is an enterprise-wide event affecting not only EDI and IT concerns, but also has substantial ramifications on business and operational concerns."

"Some organizations have already undertaken education and assessment activities to better understand the impact of HIPAA," according to Jim Klein, Manager, Enterprise Security and HIPAA Compliance, Beacon Partners. "There are many that have not initiated planning and preparation activities and with the clock now ticking, it is imperative that organizations develop a sense of urgency to avoid future expense, risk and penalties."

Recent updates from government officials indicate the remaining HIPAA standards are being prepared for publication later this year, which includes security, privacy, employer and provider unique identifiers, and draft standards for claim attachments.

Publication of the final rules is scheduled for August 17, 2000 and will be available from the Government's HIPAA website at and the Federal Register. The HIPAA transaction implementation guides are now available for free download from the Washington Publishing website at Additional HIPAA information can be found at

About Beacon 
Beacon Partners is a national health care management consulting firm with offices in Boston and Chicago serving over one hundred healthcare facilities in the United States. Since 1989, the consultants of Beacon Partners have provided healthcare organizations with a wide range of client-focused consulting services, including strategic planning, business operations management, clinical solutions, information systems and technical solutions. Beacon Partners is a recognized leader in the HIPAA arena with over four years of HIPAA experience, including numerous educational and HIPAA assessment engagements. Beacon provides a full range of services for HIPAA compliance from initial education and assessment through remediation, implementation and on-going monitoring. Beacon's HIPAA experts have contributed to the underpinnings of the HIPAA regulations and are sought by many industry organizations to address HIPAA's scope and implications on healthcare. To learn more about Beacon Partners, call 1-800-4BEACON or visit


Thomas Hanks
Practice Director, Enterprise Security & HIPAA Compliance
Beacon Partners, Inc.
(847) 490-5306

Jim Klein
Manager, Enterprise Security & HIPAA Compliance
Beacon Partners, Inc.
(410) 721-9144


Posted to HIPAAcomply 08/14/00

WEDI's SNIP Initiative continues to Advance

The Workgroup for Electronic Data Interchange (WEDI), with active participation from the Association for Electronic Health Care Transactions (AFEHCT), continues to advance the HIPAA initiative "Strategic National Implementation Process (SNIP)". SNIP has broad industry representation from major market segments including the Federal Government, health plans, providers, clearinghouses, and numerous regional organizations. The major emphasis is to identify common industry HIPAA implementation issues and seek ways for health care organizations to minimize such issues through cooperative industry implementation planning and coordination. Three work groups were formed to advance the SNIP initiative: Transactions/Code Sets/Identifiers, Security/Privacy, and Education/Awareness. The work groups continue to make significant headway and interested parties should check the WEDI website frequently for updates at

Beacon Partners continues to maintain its long-standing active role in WEDI initiatives. Mr. Tom Hanks, Beacon's Practice Director for Enterprise Security & HIPAA Compliance, serves as a WEDI board member, and Mr. Jim Klein, Beacon's Manager for Enterprise Security & HIPAA Compliance, serves on the steering committee for the SNIP Education/Awareness work group.


Posted to HIPAAcomply 08/14/00

Klein Appointed to MedChi Privacy Committee

Jim Klein, Manager of Enterprise Security and HIPAA Compliance for Beacon Partners, has been appointed as a member of the Privacy and Confidentiality Committee of MedChi for 2000. MedChi is the Maryland state medical society, which was formed to unite the medical profession, promote and disseminate medical and surgical knowledge, protect public health and elevate the standards of medical education. The organization continues to actualize its original goals through legislative advocacy, public health programs and the expansion of its membership base. MedChi's mission is to serve as Maryland's foremost advocate and resource for physicians, their patients and the public's health.

MedChi's committees perform an important function through consideration of matters that face today's physicians and help set policy by making recommendations to the Board of Trustees and the House of Delegates.

For more information on MedChi visit


Posted to HIPAAcomply 07/19/00

HIPAA: "I want you to comply with privacy regulations" 

Soon the federal government will finalize privacy rules for electronic transfer of patient records. If you're not sure how your practice will fare, you should start thinking about it now. 

By Tyler Chin, AMNews staff. July 10/17, 2000.


Posted to HIPAAcomply 07/12/00

HMO Held Responsible for Confidentiality Breach

A New York appeals court has ruled that an HMO can be held liable for a breach of privacy even though the employee who released a patient's records wasn't acting in the normal course of business. The court says Community Health Plan-Kaiser Corp. is liable for a breach of confidentiality that occurred when an employee released the mental health records of an Albany, N.Y., woman that indicated she is gay. Both sides expect the case to be appealed further.

Click here for the full article from Modern Physician


Posted to HIPAAcomply 06/22/00

HIPAA Glossary Available from WEDI

The first of several remaining final and proposed rules authorized under the Health Insurance Portability and Accountability Act of 1996 are expected to be published at the end of June by DHHS. This first rule expected is a final rule to establish standard formats and data content for electronic claims and related transactions. This, and the remaining rules, promise to be full of acronyms, abbreviations and other unfamiliar terms.

The Workgroup for Electronic Data Interchange (WEDI) has created a HIPAA Glossary that will make it easier to look up such terms, rather than having to fumble through previous pages to find the first reference. In addition to explaining what provider taxonomy codes are, or the difference between structured and unstructured data, the glossary defines such abbreviations as A/S, DCC, EDIFACT and NASMD. You can access this glossary at (Please note: this document is in PDF format and requires the use of Adobe Acrobat Reader Software.)

WEDI is an advocacy organization that promotes the use of electronic commerce in healthcare and has advised federal officials in developing HIPAA rules. 


Posted to HIPAAcomply 06/20/00

Create Security/Privacy Committee to Handle Compliance Issues 
(From Health Information Compliance Insider, May 2000, published by Brownstone Publishers, Inc., 1-800-643-8095)

Your health care organization will have to make many changes to ensure its compliance with HIPAA security and privacy regulations when they're finalized. You'll have to create, adopt, and enforce many new security and patient privacy policies and procedures, as well as develop and implement ongoing security and privacy education and training. To make these compliance efforts work, you'll have to make sure that they're "totally integrated" into your organization and that senior management is behind them, says health information consultant Tom Hanks.

How do you accomplish this? A good starting point is to create a security and privacy committee now to oversee development and implementation of your organization's compliance efforts, recommends Hanks. Here's a rundown on how to create an effective committee and what its first steps should be.

Make sure the following are on the committee:

Representatives from every department. 
Put a representative from every department in your organization on the committee. This will help ensure organization-wide participation in compliance efforts, says Hanks. Include a representative from: Nursing; Pharmacy; Legal; Human resources; Radiology; Lab; Information technology/information security; and Audit and records.

Who should be a department's representative? The larger your organization, the higher up the person should be in the department. The biggest mistake organizations make, according to Hanks, is to put low-level people on the committee. You don't want committee members who lack the authority to get your organization's senior management on board for compliance efforts, he points out.

Must the representative be the department head? Much depends on the culture of your organization, says Hanks. If department heads typically are educators and managers, then they belong on the committee. But if they typically delegate those functions to someone within the department, then that's the person who should represent the department.

Senior management. 
Also, have representatives of senior management on the committee. Include your organization's chief information officer, chief compliance officer, and general counsel. Ideally, the chief financial officer should also be on the committee. If not, make sure someone reporting directly to that position is on the committee. While it's a plus to get the chief executive officer's participation, it's not essential, says Hanks. But make sure the CEO gets minutes of the committee's meetings.

Insider Says: If your organization is small, you may not have many departments or separate people for each senior management role. One person may assume multiple roles. For instance, your general counsel may also be your chief compliance officer. If that's your situation, make sure that the committee has members representing all of the roles in your organization.

The smartest move you can make when forming a committee is to make sure that it reports to your organization's board of directors, recommends Hanks. If it does, the committee will be seen organization-wide to have clout, says Hanks. And that will go a long way toward making the committee's efforts successful.

Who on the board of directors should get the committee's reports? A typical board has an executive committee or a risk management or risk avoidance committee. Any of those board committees would be suitable, notes Hanks.

Once a committee is formed, you'll want to make sure it takes the right first steps. They should be:

Step #1: Conduct security/privacy assessment. The committee should assess your organization's current security and privacy policies and procedures, compare them with what's required by the proposed HIPAA security and privacy regulations, and determine what deficiencies exist, says Hanks.

Step #2: Conduct risk assessment. The committee then should have a risk assessment done that quantifies the risk associated with each security and privacy deficiency in your organization, the methods of eliminating those deficiencies (remediation), and their costs. A risk assessment can be conducted internally or by an outside consultant, says Hanks.

Insider Says: Make sure employees are interviewed as part of the risk assessment, advises Hanks. Employee input will help pinpoint problem areas. It will also provide insight on the level of employee compliance with current policies and how effective those policies are. It's best to get someone from outside your organization to conduct employee interviews, Hanks says. Having an insider conduct the interviews won't provide valid results, he explains, because employees are often reluctant to tell the truth to someone from their own organization.

Step #3: Set strategy. Once the risk assessment is done, says Hanks, the committee should set remediation priorities. It should decide how much money to spend on remediation, what risks the organization is willing to accept, and what remediation steps should be taken. 

Insider Source: 
Tom Hanks 
Practice Director, Enterprise Security & HIPAA Compliance 
Beacon Partners, Inc.
200 Cordwainer Dr., 3rd Fl., Norwell, MA 02061.


Posted to HIPAAcomply 0/25/00



(From HFMA WANTS YOU TO KNOW, May 24, 2000, a service of the Healthcare Financial Management Association)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included administrative simplification provisions that will profoundly affect how the healthcare industry handles patient information and claims. By providing nationwide, uniform standards for doing business electronically, administrative simplification standards encourage healthcare entities to automate their claims processes. Once implemented, these standards are expected to streamline business processes, reduce operational disruptions, lower costs, and reduce claims-processing error rates.

Compliance with the HIPAA administrative simplification regulations will be required by Federal law and related regulatory and accreditation bodies within the next two to four years. Failure to comply will result in stiff monetary penalties and, possibly, program exclusion. Of special concern is knowing disclosure of individually identifiable patient information, which will result in criminal penalties against both the organization and the individual responsible for the disclosure. The time to start planning is NOW.

Based on input from an informal group of HFMA members and industry experts, HFMA suggests that providers take the following actions:

For most healthcare organizations, efforts to become HIPAA-compliant will be a multiyear, high-cost, institutionwide effort that likely will exceed the resource outlays that were required for Y2K compliance.

HIPAA-related changes will affect every information system and process that uses or collects patient data, including medical records and electronic business transactions (claims, referrals, and remittance). To implement these significant changes in processes, organization, and staffing, enterprisewide buy-in is critical.

Although information technology is a major component of HIPAA compliance, HIPAA initiatives would be managed more effectively as a strategic business issue than an IT issue, since the initiatives affect a wide range of staffs throughout the enterprise.

Large- and medium-sized organizations should engage a full-time, senior-level manager to lead the HIPAA compliance effort.

Unless your preparations are already well advanced, you will probably have to either defer other major projects or add staff to meet HIPAA compliance deadlines.

Like Y2K, HIPAA compliance is, in essence, a noncompetitive issue. You can increase the effectiveness of your implementation effort by working with the others in your healthcare community, especially payers, providers, and IT vendors. Such cooperation will minimize the cost, confusion, and disruption that typically accompany changes of  the magnitude HIPAA requires.

HIPAA provides for states to enact exceptions to the act's uniformity requirements. While this might be attractive to some entities, in the long run, state by state exceptions will undermine the benefits of national uniformity, especially for organizations that do business across state lines. You should be aware of actions that would affect uniformity, particularly if you do business in more than one state.

HFMA has been a long-standing proponent of uniform business standards. HFMA is working with members and other industry experts to develop resources to ensure HFMA members have the tools they need to effectively implement HIPAA's requirements and realize as much benefit as possible from standardized electronic transactions. Comments or inquiries may be directed to Trinita Robinson at (800) 252-HFMA, ext. 610. E-mail:

Learn more about this issue during "HIPAA Is Coming - Are You Prepared for the Challenges the HIPAA Regulation Brings?", part of a 2000 Annual National Institute preconference program, "The 21st Century PFS Professional". Other HIPAA-related ANI sessions include "Compelling Reasons to Start HIPAA Readiness," "Washington Update," and "Functional Compliance - A Hands On Approach to Complying with the Law."


Posted to HIPAAcomply 0/25/00

U.S. General Accounting Office Senate Testimony on Privacy Standards

Click here for a PDF file of the GAO Testimony before the Committee on Health, Education, Labor and Pensions, U.S. Senate, on Privacy Standards: Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information. This testimony is the statement of Janet Heinrich, Associate Director, Health Financing and Public Health Issues, Health, Education and Human Services Division of the GAO. For more information on the GAO, visit them at


Posted to HIPAAcomply 05/09/00

HIPAA Sets Up New Hurdles for Healthcare Players
(From Managed Care News Perspectives issue April 18, 2000)
By Michael Casey, Managed Care Analyst, Medical Data International



The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, but so far only the "portability" portion for an individual to receive continuous health insurance coverage when changing employers has been implemented. Now, however, after spending millions to upgrade computers because of the potential Y2K glitch, hospitals and other healthcare organizations are told they must provide security and confidentiality of all identifiable patient information in the development of electronic data interchange and healthcare information systems. Cost estimates are triple that of Y2K preparedness, but one HIPAA expert prefers to think of the expense as a long-term investment, especially as more electronic-commerce services are developed and implemented in the medical supply world.


The Kassebaum-Kennedy Act, also known as the Health Insurance Portability and Accountability Act of 1996, was approved by a Senate committee in 1995 to prevent people with chronic health conditions from losing coverage as they changed jobs. Under the law, employees with insurance could keep that coverage at their next job or shorten the waiting period to receive coverage, but there was no guarantee that benefits would not change or premiums would not be higher. In 1996, the General Accounting Office estimated between 1 million and 3.6 million Americans fit that description.

The other half of the law requires that claims and payments be filed electronically. The law mandates that Congress pass legislation tightening the rules on how a person's private medical information could be used and who would have permission to see it, but Congress missed its August 1999 deadline and continues to work on regulations. The health industry now is pushing for a June 2000 deadline.

The seven provisions that established standards for electronic healthcare transactions and exchanges were intended to improve the flow of information between healthcare organizations while protecting individual privacy and preventing fraud. The Department of Health and Human Services (HHS) estimates the provisions could save health plans, healthcare clearinghouses and providers from $5 billion to $10 billion a year, and HHS projects the five-year cost of compliance to be about $3.8 billion.

However, many healthcare providers claim the actual cost of complying with the new regulations will far exceed the cost of their Y2K preparations. And to date, many providers are unwilling to commit a large portion of their budget during the next two years to comply with HIPAA until all of the rules are known.


The HIPAA requirement considered to be the most troublesome by providers involves the security and confidentiality of all types of patient-identifiable health information, including health claims, eligibility and payments. The standard requires all health plans, healthcare clearinghouses and providers to establish and maintain appropriate safeguards by such means as appointing an information security officer, developing a security plan, providing training for employees and securing physician access to records.

Healthcare providers say they are more concerned about security and privacy issues than any other aspect of HIPAA. Although some security safeguards do exist as part of the provider's standard practice, using the public Internet to transmit patient information represents a much greater risk in confidentiality.

Providers, though, cannot wait for Congress' final ruling before assessing their risk vulnerabilities and planning how to implement specific technical and administrative procedures to ensure the security of electronic health data. Hospitals, physicians and medical groups must start thinking now about their security precautions, warns Dr. Steven Lazarus of the Boundary Information Group, who serves as chair-elect for the Workgroup for Electronic Data Interchange (WEDI) and is an advisor to the Secretary of HHS.

"Hospitals tend to discuss HIPAA as a privacy issue, but we can't dismiss all of HIPAA as privacy. If (the hospitals) don't want to comply, they won't get paid on time," explained Lazarus, in an exclusive interview with Medical Data International, Inc. "The privacy issue is a problem, because no legislation has been passed. It is Congress' fault, and Congress can fix it. But we still can implement HIPAA without those changes. No state preemption is the biggest problem. The AMA (American Medical Association) wants state control. Everyone believes we need to have state uniform access."

WEDI was made an advisor when HIPAA was passed in 1996 and is the only industry-based group that is open to the public to provide input on consensus. Currently, 135 organizations belong to WEDI, but those represent only employer groups and health plans--no providers, Lazarus said in mid-April 2000.

Lazarus acknowledges that many health providers still are reeling from spending considerable amounts of money to exterminate the Y2K bug. He cited a recent Gartner Group study that found HIPAA would cost healthcare organizations three times as much as Y2K. Much like Y2K, HIPAA's cost will depend heavily on how much upgrading a hospital has done on its information system during the past 10 years.

However, Lazarus says HIPAA regulations offer tremendous opportunities for healthcare organizations to become more efficient and achieve significant savings. Some experts believe the industry could save $125 million a week if standards already available today were employed for electronic transactions.

"Some parts of HIPAA will cost a lot of money, but it will be a good investment, especially when more e-commerce services come along and are implemented in the supply world," Lazarus said. "All e-commerce companies that are looking to deliver drugs are online, and all are covered by security regulations. They are not relying on patient authorization. That takes about half the cost away."

The most stringent HIPAA security requirement will cover patient information and transactions that are conducted online. HIPAA likely will require evidence that only the appropriate person can gain access to the information through authentication services such as encrypted codes and digital certificates. Another important component will be the entity that audits and records who accesses a patient's record, and when.

The good news is that more healthcare providers may be listening. In a survey of more than 500 hospital executives, released by the Healthcare Information and Management Systems Society (HIMSS) in April 2000, 70% said they will concentrate during the next two years on complying with HIPAA. Furthermore, 61% of the respondents said developing systems that improve efficiency will matter, 56% said cost-cutting systems are being evaluated and 42% said they are working on specific e-healthcare applications.

Yet, while HIPAA and the Internet remain top priorities for 2000, healthcare information executives will be working with limited budgets. Only 30% of those surveyed say their organizations' information technology budgets will increase in 2000, and proving return on income is on the minds of 22%, up from 15% in 1999.


Lazarus expects the final rules regarding HIPAA's regulations to be released June 29, 2000, which would give healthcare organizations two years and two months to comply. That would apply only to large providers and health plans; small payers, defined as less than $5 million in revenue per year, have an additional 12 months to comply, as do small providers, whose revenue cap has not been determined.

Healthcare providers are well aware that they must comply with HIPAA regulations on time or face penalties of as much as $100 per violation, at a maximum of $25,000 a year per violation. Still, many are content to take a wait-and-see approach, opting to evaluate final HIPAA rules before taking any action.

"It is a two-year program, but it could take considerably longer," Lazarus says. "Most insurers have legacy systems that can't audit and can't do electronic transmissions, eligibility, readmittance and so on. They will have to replace those systems in the next 1½ to two years, but they should be in the planning process now."

Some experts believe the true impact of HIPAA will not be known until the economy takes a substantial downturn again, causing people to be out of work for more than a few weeks and employers to cut benefits to save money. The longest-term impact likely will come from the government's willingness to tinker with various parts of the American healthcare system, including a bipartisan bill covering new patients' rights.

The value of HIPAA, says Lazarus, will be in "reducing the cost of administering healthcare and increasing employer and health plan satisfaction. I see it as finally having the kind of uniform system to protect the data and privacy of people, but not investing so much so that it places an undue burden on someone."

Resource: Medical Data International's "Managed Care IQ Provider & Payer Database," April 2000.

Copyright © 2000 Medical Data International, Inc. All rights reserved. Reprints may be obtained by permission. Contact an MDI Account Representative at 800.826.5759.

This article contains all original material developed, researched, and written by Managed Care News Perspectives staff writers for exclusive publication by Medical Data International.

Posted to HIPAAcomply 5/1/00



Senate Committee Hears Differing Views on Proposed Privacy Rule
(Information provided by the Department of Governmental Affairs, MGMA)

The Senate Health, Education, Labor and Pensions (HELP) Committee held a hearing on April 26 regarding the Department of Health and Human Services' (HHS) proposed privacy rule. During the hearing, witnesses offered varying viewpoints and reactions to the proposed rule. 

Although the committee has held many hearings on the issue of privacy, this was the first hearing the committee has held on the proposed rule. At the request of Chairman James Jeffords (R-VT), the General Accounting Office (GAO) reviewed the proposed rule and the comments submitted in response to it by a selected group of 40 organizations ("stakeholders"), one of which was MGMA. One of the most contentious elements of the proposed rule analyzed by the GAO was the "minimum necessary information" provision. HHS proposed that covered entities be prohibited from using or disclosing more than the minimum amount of protected health information necessary to accomplish the intended purpose of the disclosure. In its formal comments, MGMA expressed concerns over this proposal and the burdens it might place on group practices. In its written testimony, GAO specifically cited MGMA's concerns: "As stated by the Medical Group Management Association, it is likely that the entity requesting information for a particular purpose is in a better position to make the minimum necessary determination."

Posted to HIPAAcomply 5/1/00


CIO Survey says HIPAA Requires Action

(Health Data Management, March 27, 2000)

Hospital and integrated delivery systems have a long way to go in developing plans for complying with the Health Insurance Portability and Accountability Act of 1996, according to a new survey. More than 45% of 213 CIOs and other top I.T. executives surveyed earlier this year said their organizations had not yet begun to work on detailed plans for complying with HIPAA administrative simplification and data security/privacy rules. Virtually the same percentage report their organizations are working on such plans, while 7% said they already had a plan in place. In addition, only 17% of those surveyed report that the board of directors of their organizations had approved funding to begin HIPAA compliance efforts. On a similar note, 60% report that their CEO does not fully understand the ramifications of HIPAA and the potential costs involved. The survey, sent to a sample of Health Data Management readers, was conducted in January and February. Lawson Software, a St. Paul, Minn.-based company that markets enterprise electronic business applications for the health care industry, provided funding for the survey. A story on the survey results will appear in the April 2000 issue of Health Data Management magazine. 

Posted to HIPAAcomply 03/28/00


HHS Sets Firm Goal for Publication of Final Rule for Transactions and Code Sets Standards
(The following information is the text of an e-mail from Dr. William Braithwaite, Senior Advisor on Health Information Policy at DHHS, updating subscribers of DHHS' Administrative Simplification Web Page List Server)

In a March 14th letter to the Workgroup on Electronic Data Interchange (WEDI), the Deputy Secretary of HHS announced the "... goal to publish the final rule for Standards for Electronic Transactions by the end of June. As you can appreciate, this estimate is predicated upon several things, including approval of the rule by the Office of Management and Budget. We understand the importance of this rule to the health care industry and others and will take the steps necessary to make sure that this goal is met."

At this time, the tentative target dates for other rules have to be updated and the old targets will be removed from the administrative simplification web site until further notice. In any case, I am pleased that we have a firm date for the first final rule and I hope you will all take advantage of this advance notice to start your implementations of the transaction standards.  

The link to DHHS Administrative Simplification is

Posted to HIPAAcomply 3/27/00


Beacon Partners Responds to Delays in Final HIPAA Rules

– (March 22, 2000) – Thomas L. Hanks, Beacon Partners’ Practice Director of Enterprise Security and HIPAA Compliance, is responding to recent announcements of delays in the finalization of HIPAA regulations by advising clients and health care industry executives that, despite the delays in pending legislative mandates, entities still have an obligation to protect patient information and business information, and to protect themselves from litigation.

“This delay does not change the basic requirements for protecting patient and business information,” said Hanks. “All health care entities that store and transmit patient identifiable information need to take the first step and completely assess their security capabilities and privacy practices. Getting an assessment started, and even finalized, before the regulations are final, will put an organization in a good position to start the remediation process.” Compliance is required two years from the date of final regulations, which is not considered much time to implement all of the changes that will be required under HIPAA.

“In any event, we do not foresee a lot of changes in the HIPAA security regulations.  For example, the transactions regulations received 17,000 comments, which accounted for approximately a 3% change in the regulations.  The security regulations received 2,000+ comments and we anticipate that will result in fewer than a 5% change in the regulations (most probably in the 2-3% range), and we have a good idea what those changes will be.  This creates a window of opportunity for organizations to get a jump on the HIPAA security requirements and lower their overall cost of compliance.  We learned with Y2K that the sooner you start, the better the outcome and the less it costs.  It doesn’t make sense to sacrifice getting started waiting for what amounts to a 2-5% change in the regulations.”

The Federal Government is pressing the Department of Health and Human Services (DHHS) to finalize regulations. In a recent letter to DHHS Secretary Donna Shalala, Congressman David L. Hobson, primary author of the Administrative Simplification provisions of HIPAA, asks the Secretary for her “personal involvement to move forward with a final regulation for Standards for Electronic Transactions and Code Sets.” The delay of regulations for Transactions and Code Sets is causing delays with all of the final rules. Representatives from WEDI (Workgroup for Electronic Data Interchange) recently met with Kevin Thurm, Deputy Secretary of DHHS. As a result of that meeting, there has been a new emphasis put on finalizing some of the regulations. DHHS has announced that the final date for transactions is June 29, 2000 and the final date for security is July 2000. DHHS will publish all revised timelines on its web site, indicating when the remaining proposed and final rules will be promulgated. As of now, there is no final date for privacy regulations.

Thomas Hanks
Beacon Partners


Tom Hanks has 20 years of information systems, management consulting and network experience, with the last eight focusing on health care. He is recognized in the industry as an authority on HIPAA security and standards legislation. Mr. Hanks has used his security expertise to contribute to the development of the HIPAA standards and security regulations and is currently active on a number of industry security and standards workgroups addressing compliance with HIPAA legislation. Mr. Hanks is on the Board of Directors of WEDI (Workgroup for Electronic Data Interchange) as well as co-chair of the WEDI Privacy Policy Advisory Group. He was also recently appointed Commissioner for the Electronic Health Network Accreditation Commission.  

BEACON PARTNERS is a national health care management consulting firm with offices in Boston and Chicago. Since 1989, the consultants of Beacon Partners have provided health care organizations with a wide range of client-focused consulting services, including strategic planning, business operations management, enterprise security and HIPAA compliance, e.Solutions, clinical solutions, information systems and technical solutions. Clients include Integrated Delivery Networks (IDNs), hospitals, managed care organizations, and physician group practices, including academic practice plans. Beacon Partners’ highly experienced consultants are backed by a firm with a solid reputation for measurable results. To learn more about Beacon Partners health care consulting services, call 1-800-4BEACON or visit

Posted to HIPAAcomply 3/27/00


WEDI Bulletin on Revised Transaction Final Rule Date & Planning for Implementation

As we previously communicated, the revised date of June 30, 2000 has been announced regarding final rules being released through the clearance process at the Department of Health & Human Services (DHHS) and the Office of Management & Budget (OMB).  The new date for the final rule relates to the implementation guides for the following transactions:

- Health claims or equivalent encounter information.
  - Health Care Claim (837)

- Enrollment and disenrollment in a health plan.
  - Benefit Enrollment and Maintenance (834)

- Eligibility for a health plan.
  - Health Care Eligibility / Benefit Inquiry (270)
  - Health Care Eligibility / Benefit Information (271)

- Claim payment.
  - Health Care Claim Payment/Advice (835)

- Health claim status.
  - Health Care Claim Status Request (276)
  - Health Care Claim Status Notification (277)

- Referral certification and authorization.
  - Health Care Service Review Information (278)

What’s important to keep in mind is that no further technical changes will be made to the Implementation Guides before the final rule is released. The reason for the revised date is to reconcile the definitions used across the rules so that they are consistent with one another. During this period, before the Transaction Final Rule is released, we suggest that you take the following actions:

- Commence an assessment of the gaps and impacts to implement the transactions.

- Identify any translator requirements, if appropriate, and commence the selection process.

- Involve your vendors, clearinghouses and other entities to determine their plans and any assistance that may be available.

- Determine specific plans for implementation of the transactions from both an IS and business perspective.

- Determine testing criteria and identify your trading partners.

- Develop “Chain of Trust” language to provide to vendors and others, as appropriate.

- Utilize any third party testing tools to determine HIPAA compliance with the Implementation Guides.

We are further suggesting that organizations commence their planning now rather than waiting the additional 4 months until the final rule is published.  The risks of proceeding are minimal and can potentially provide a competitive advantage for those that are initially proactive.

As we continue our partnership with DHHS we will continue to provide information to you for your planning purposes. WEDI and the Deputy Secretary of HHS are planning to meet approximately every two months in the future to facilitate government and healthcare industry planning for the implementation of HIPAA.

For further information, please contact Jim Schuping, Executive Vice President of WEDI at 703-391-2716.

Posted to HIPAAcomply 03/16/00


HHS indicates that HIPAA Final Rules will be Delayed Further

On Monday, March 13th, at the 2000 HIPAA Conference in McLean, Va., the Department of Health and Human Services delivered an update on the status of its timetable for producing final rules, as mandated in the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996. Bill Braithwaite, M.D., senior advisor on health information policy at HHS, indicated that the deadlines for producing final rules have been delayed further.

Dr. Braithwaite stated that the final rules have been postponed because they require further work. HHS hopes to issue final rules for employer identifiers and data security in the third quarter and for provider ID in the fourth quarter. The data privacy rule, which is turning out to be the most controversial, may not come out this year at all, due to the heavy volume of comments HHS has received, as well as the need to make sure the privacy rule dovetails with the security rule, Braithwaite says. The only deadline that HHS has committed to is for the rule setting transaction standards for claims and code sets, which will be published by the end of June.

HHS does expect to issue its first proposed rule for claims attachments in the third quarter. A proposed rule for physician's first report of injury--used for workers' compensation--won't come out until next year. HHS also expects to spell out its proposal for enforcing HIPAA next year, Dr. Braithwaite says. To view comments received on the privacy regulations, as well as a revised timeline (which HHS plans to publish soon) visit the Administrative Simplification website at

Posted to HIPAAcomply 03/15/00



Privacy concerns may spark congressional intervention
Critics of the Clinton administration's records privacy proposal take aim at its patient consent provisions and its requirement that physicians oversee their business partners' practices.

By Susan J. Landers, American Medical News staff. March 6, 2000

Washington -- Congress will likely re-enter the contentious medical records privacy debate it had, by default, turned over to the Dept. of Health and Human Services for resolution last summer. 

A recent House Ways and Means health subcommittee hearing showcased a wide range of concerns raised by the department's 600-page proposal to establish federal privacy protections for electronically transmitted medical data. HHS released its proposal last fall.

Subcommittee Chair William Thomas (R, Calif.) said he had scheduled the hearing to help determine whether the regulation would "ultimately prove to be workable or whether additional legislation might be necessary." 

He received in reply a chorus of requests for Congress to return to the drafting table.

Even Margaret A. Hamburg, MD, HHS assistant secretary for planning and evaluation, called the department's proposal "a foundation." "We continue to believe that legislation is ultimately necessary if we are to appropriately protect the privacy of the health information of all Americans," she said.

Thomas indicated that lawmakers might renew their push for legislation by pointing to parts of the proposal in need of fixing. For example, he said a portion of the proposed rule that holds physicians, hospitals and health plans liable for the actions of their "business partners," such as lawyers and auditors, might be a likely area for legislative change. 

Thomas also drew attention to the proposal's provision that allows stronger state confidentiality laws to prevail over a federal rule. He suggested that the provision could lead to a "crazy quilt" of federal-state relationships and indicated that it might be better to have a federal rule take priority over state laws.

Congress had tried for three years to draft legislation that would protect medical records privacy while allowing insurers and others sufficient access to patient data. When Congress failed to meet its own deadline for the passage of legislation, statute required that the issue be turned over to HHS for regulation. Lawmakers retained the right to continue to work on legislation and could decide to change the regulation retroactively. Congress had set the stage for several of the most contentious provisions-- including those criticized by Thomas -- by restricting HHS's regulatory power. For example, Congress dictated that state laws should take priority over a federal rule. It also named only physicians, hospitals and health plans as the entities to be covered by HHS and ignored their myriad partners who are also privy to medical data.

As a result, Dr. Hamburg noted that the proposal exempts certain state laws, and it follows an indirect course to regulating a host of medical information handlers by requiring physicians, hospitals and health plans to monitor their business partners' activities. 

Too far or not far enough?

The volume and diversity of criticism from outside groups at the hearing point to a difficult road ahead for lawmakers interested in forging privacy legislation. Medical groups and privacy advocates generally said the proposal falls short of protecting personal medical information in some areas, while insurance and business groups argued that it overreaches. 

Janlori Goldman, director of Georgetown University's Health Privacy Project, Washington, D.C., told the House panel that the proposal was a "significant step toward restoring the public trust and confidence in our nation's health system," but she urged Congress to fill in the gaps in the proposed rule. For example, she recommended broadening its scope to include all those who "generate, maintain or receive protected health information." 

Others, including the AMA, called on Congress to take more wide-ranging action to address what they see as major flaws. AMA Trustee William Plested, MD, a vascular surgeon from Santa Monica, Calif., faulted the proposal for failing to require explicit patient consent before personally identifiable health information is disclosed. "My patients assume that the private information they discuss with me will be used to benefit them -- not to benefit anyone else who may find a way to profit from their personal information," Dr. Plested testified. He also criticized the additional administrative burden that would likely be imposed by a regulation. "The physicians of America are buried in paper, with less and less time to spend with our patients," he said.

The American Psychiatric Assn. joined in warning that the proposal doesn't go far enough to ensure privacy. The psychiatrists also urged that additional protections be placed on mental health records.

On the other hand, Mary R. Grealy, president of the Healthcare Leadership Council, testified that the proposal places too many limits on the uses of patient information and could restrict important health care activities, such as disease management programs. The council represents health plans, hospitals, universities and pharmaceutical companies. 

Deluge could cause delay 

The concerns voiced at the hearing represented only the tip of the iceberg. HHS received more than 50,000 public comments by its Feb. 17 deadline. Given the large volume of responses that must be reviewed, Dr. Hamburg declined to predict to the panel when a final regulation might be ready, although others have made estimates ranging from April to next year. Health care providers would be allowed two years from the publication of a final regulation to comply. Thomas told Dr. Hamburg that he was concerned about the length of time it might take the department to draft a final regulation, given all the comments that must be examined. As an example of a worst-case scenario, he pointed to the agency's failure to draft a rule for implementing the so-called Stark II self-referral law despite seven years of trying.

Posted to HIPAAcomply 03/15/00


HIPAA and Administrative Simplification
Important Federal Regulations for Hospitals, Physicians, Employers, Health Plans, and Service Organizations in the Health Care Industry

By Jim Klein
Manager, Enterprise Security and HIPAA Compliance
Beacon Partners, Inc.

President Clinton signed into law the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on August 21, 1996. Don’t be misled by the name. This new federal law (P.L. 104-191) applies to many health care market players, not just health plans and insurance companies. It is the most sweeping legislation to affect the health care industry in over thirty years. HIPAA comprises two major components: health insurance reform and administrative simplification. The health insurance reform provisions have been in effect for some time and required health plans and insurers to implement certain practices regarding portability and continuity of health coverage. This article focuses on the Administrative Simplification (AS) provisions, which may become effective as soon as the second quarter of 2000.

AS provides for the establishment of various protections, standards and requirements for the transmission, storage and handling of certain electronic health care information. Market players affected include government and private health plans and insurers, hospitals, physicians, care providers, employers, clearinghouses, practice management system vendors, billing agents, and other service organizations. The intent of AS is to improve the efficiency and effectiveness of the health care system, and many in the industry expect it to produce long-term benefits through the use of widely adopted standards.

AS includes provisions for five distinct areas regarding the exchange of electronic administrative health care information. The five areas include transaction standards, code set standards, standards for unique health identifiers, security standards, and privacy protections. The Department of Health and Human Services (DHHS) is required under HIPAA to promulgate (adopt) the specified standards. Prior to adoption, the proposed standards are published in the Federal Register and the public has a sixty-day period in which to provide comments to DHHS through the Notice of Proposed Rule Making (NPRM) process. Sometime after the sixty-day comment period, the DHHS Secretary will adopt the final standards. Finally, DHHS is required to submit recommendations to Congress for privacy legislation to protect individually identifiable health information (submitted on September 11, 1997). Since Congress failed to enact privacy legislation by August 21, 1999, the DHHS Secretary is required to issue privacy regulations by February 21, 2000. Draft privacy regulations were released on November 3, 1999. The final privacy regulations have been delayed and a new release date has not been announced. The draft regulations include far-reaching requirements including: use and disclosure; audit records; patient rights to inspect, copy, and correct records; policies and procedures; and business partner agreements.

Compliance with AS must be attained within two years of the standards adoption date, except for small health plans with annual receipts of $5 million or less. These small health plans must comply within three years of the standards adoption date. Those who do not comply may be fined up to a maximum of $25,000 for violations of any identical requirement in a one-year period. Wrongful disclosure of individually identifiable health data is a criminal offense punishable, depending on the circumstances, by imprisonment of up to ten years and fines of up to $250,000.

Much of the initial work to develop the AS standards has been completed by the DHHS Data Council (website: The following paragraphs summarize the standards proposed, or in some cases to be proposed later, for adoption by the DHHS Secretary.

The transaction standards, subject to modification through the NPRM process, include the American National Standards Institute (ANSI), Accredited Standards Committee (ASC) X12 transaction sets (version 4010) for claims/encounters, attachments, enrollment, disenrollment, eligibility, payment/remittance advice, premium payments, first report of injury, claim status, referral certification/authorization and coordination of benefits. Under HIPAA, compliance with the ANSI ASC X12 transaction sets may be achieved through the use of a clearinghouse.

The code set standards for diagnosis and procedure codes, subject to modification through the NPRM process, include those defined under the International Classification of Diseases - 9th Revision - Clinical Modification (ICD-9-CM) and the Health Care Financing Administration (HCFA) Common Procedure Coding System (HCPCS). Pharmacy transactions will use the code set specified by the National Council of Prescription Drug Programs (NCPDP).

Standards for unique health identifiers include identifiers for health plans, providers, employers and individuals. HCFA has established proposed standards for health plans and providers, the PAYERID and the National Provider Identifier (NPI), respectively. Also, the widely used Employer Identification Number (EIN) is proposed for use as the unique employer health identifier. The standard for unique individual health identifiers continues to undergo evaluation and is not ready due to unresolved privacy concerns. Standards for all unique health identifiers are subject to change resulting from the aforementioned NPRM process.

Finally, the security standards protect the integrity, confidentiality and availability of health care information through the establishment of administrative, physical and technical controls. The standards, which are subject to modification through the NPRM process, include a comprehensive matrix of security requirements to be implemented, as appropriate, by organizations involved in the transmission, storage, and handling of the above listed electronic health care transactions. For each requirement, the proposed rule lists implementation features from which organizations may choose in building their security program. The technologies, techniques and measures that may be deployed are discretionary, based upon the organization’s exposure and risk levels. It is up to each organization to deploy security measures commensurate with its circumstances and operations.

The AS provisions under HIPAA present important and far-reaching regulations throughout the health care industry. These regulations extend beyond the traditional relationships between caregivers and health plans. Consequently, employers and other organizations exchanging electronic health care transactions are also a part of the HIPAA landscape. Every player in the industry affected by these regulations should actively engage in education and planning activities. Early planning will help alleviate problems and better prepare those impacted by AS. Additional details and updates are available on the government’s website at

Jim Klein is Manager for Beacon Partners’ Enterprise Security and HIPAA Compliance practice. He is a recognized HIPAA expert and Commissioner for the Electronic Healthcare Network Accreditation Commission (EHNAC). He is on several work groups for the Association For Electronic Health Care Transactions (AFEHCT), including privacy and security. He co-chairs AFEHCT's administrative simplification work group. He is an active member of several other industry organizations and groups working on HIPAA initiatives. Mr. Klein has authored several published articles and addressed numerous industry groups regarding HIPAA and security in the health care industry.

Posted to HIPAAcomply 03/15/00


Final HIPAA Privacy Rules Will Be Delayed

At a Feb. 28 meeting, Federal officials from DHHS indicated to industry representatives that there will be further delays in publishing final rules to implement the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996. The original deadline for final rules to be published was Feb. 21, 1998. DHHS was delayed initially in publishing proposed rules and did not publish the first proposed rules until May 1998. The department has yet to publish some proposed rules and has not published any final rules.

Industry representatives from the Workgroup for Electronic Data Interchange, Reston, Va., and the Association for Electronic Health Care Transactions, Washington, were present at the Feb. 28 meeting with HHS Deputy Secretary Kevin Thurm and HHS Senior Advisor on Health Information Policy, William Braithwaite. According to Dr. Braithwaite, a final rule for standard electronic transactions and code sets will not be published until late spring or very early summer. This rule, the first due to be published, was originally due in March. 

A final rule on the employer identifier is the next rule due and is expected to be published on the heels of the transactions/coding rule. But the delays in these first final rules will likely delay publication of other final and proposed rules. The department indicated that the timetables are predicated upon available resources within the department. There are various initiatives competing for resources within DHHS and the department has stated that it is focusing on getting the transaction/coding rule out first. The department hopes within ten days to have a new schedule for publishing final and proposed rules on its Web site,

Prior to the Feb. 28 meeting, Rep. David Hobson (R-Ohio), author of HIPAA's administrative simplification provisions, sent a letter to HHS Secretary Donna Shalala asking her to quickly publish final standards for electronic transactions and code sets. In his letter he requests Secretary Shalala's "personal involvement to move forward with a final regulation for Standards for Electronic Transactions and Code Sets."

Posted to HIPAAcomply 03/01/00


House Holds Hearing on HIPAA Regulations
(From Premier Advocacy  -

On February 17th, the final day of the comment period for the proposed privacy regulations, the Health Subcommittee of the Ways and Means Committee held a hearing that focused on industry reaction. Testifying for the Administration was Margaret Hamburg, M.D., assistant secretary for planning and evaluation. Hamburg related that HHS has received 30,000 written comments and another 10,000 comments via the Website. She reviewed the Secretary's five recommendations for legislation and the proposed regulation: boundaries, security, consumer control, accountability, and public responsibility. HHS estimates the regulation's implementation cost at $3.8 billion over five years. Subcommittee Chairman Bill Thomas (R-CA), as well as other witnesses, challenged that estimate as greatly understated.

Discussed at great length was the desire by many, including Thomas, for federal rules that would preempt state confidentiality laws. The draft regulations only preempt weaker state laws. At the conclusion of Hamburg's testimony, Thomas asked that the history of the implementation of the Stark II regulations, still not final after seven years, not be used as a model for the HIPAA regulations. Citing the IOM study, Thomas also expressed his concern that attempts to gather data to correct medical errors not be impeded.

Mary Grealy, president of the Healthcare Leadership Council, outlined both the aspects of the standards they support, as well as those where they felt the regulations fall short. Of concern were the attempt to restrict all uses of patient information, as opposed to disclosure of information, the cumbersome task of individual authorizations for research unrelated to treatment and the tremendous underestimation of the costs involved.

Testimony is available at:

Posted to HIPAAcomply 02/23/00


WEDI's Letter of Comment to the Privacy NPRM

February 11, 2000

US Department of Health and Human Services
Assistant Secretary for Planning & Evaluation
Attn: Privacy-P
Room G-322A
Hubert Humphrey Building
200 Independence Avenue, SW
Washington, DC  20201

RE:  Privacy-P

Dear Sirs:

The following represent the comments of the Workgroup on Electronic Data Interchange (WEDI) on the proposed rule regarding the adoption of the Standards for Privacy of Individually Identifiable Health Information, which is mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  This proposed rule is referred to in the Federal Register as 45 CFR Parts 160 through 164.   

Following its publication in the Federal Register, the proposed rule was posted to the WEDI web site.  Shortly thereafter, WEDI scheduled and announced a 2-½ day Privacy PAG session to be held in Chicago on November 29, 30 and December 1.  This session was conducted, during which the Privacy PAG and other industry representatives reviewed both the rule in general and the specific areas within the rule on which comments were directly solicited.   The session was open to both WEDI members and non-members, and it was well attended by representatives of the payer, provider and vendor communities.       

The results of that session were a series of recommended comments to the proposed rule that were presented to WEDI’s Board of Directors.  On December 16, 1999 and again on January 26, 2000, the Board met to review each such recommendation.  The following comments are the product of the Board’s deliberations and therefore, represent the organization’s official positions on these issues.  However, there may be individual organizations represented by members of the WEDI board that will be submitting separate comments that may differ from the comments included herein.  We believe that our comments represent the views of the broadest coalition in the health care industry, and we hope that they can contribute significantly to the timely preparation of the final rule on Standards for Electronic Transactions.

In August of 1999, WEDI responded by letter to a DHHS request for input prior to the release of the Privacy NPRM and WEDI wishes to restate the recommendations contained in that letter and has attached it herein as Exhibit A.  

Executive Summary:

In regards to the Privacy NPRM, the WEDI board has prepared an Executive Summary representing the majority position of the WEDI board in regards to key critical issues contained in the privacy NPRM.

1)      WEDI first wants to state that all comments contained herein should be assessed by DHHS with the knowledge that the WEDI board unanimously and strongly supports the protection of individual health information and the rights of the individual to the privacy of that information.  Furthermore, those individuals deserve protections of their right to the privacy of their health information.  WEDI urges that, in the process of providing privacy regulations, DHHS not stray from the authority granted in the HIPAA legislation and exercise extreme care and diligence to ensure that the resulting regulations do not risk degradation of patient care and are not overly burdensome to the covered entities charged with providing those protections.

2)      WEDI has a number of concerns in regards to enforcement.

a.       WEDI is concerned about the ability of covered entities to comply with the Privacy Regulations within the two-year deadline.  Therefore, WEDI asks that DHHS extend the time before criminal enforcement to thirty-six months to allow covered entities time to implement all of the changes necessary to comply with the Privacy Regulations.

b.      WEDI is concerned about the strictness of enforcement of the criminal penalties and asks that DHHS provide a “good faith” standard of enforcement where covered entities would not be prosecuted if they had been making “good faith” efforts to comply with the privacy regulations.

c.       WEDI asks that all organizations involved in the enforcement of this regulation be directed to only respond to complaints in their investigative process and not be allowed to make random compliance checks.

d.      WEDI recommends that covered entities be given 90 days from notification of complaint to resolve any complaints directly with the individual before any enforcement process is initiated.

3)      WEDI agrees with the DHHS position that all entities that store or use protected health information should be subject to privacy rules and is concerned that DHHS does not have the authority to cover entities outside of providers, clearinghouses and payers.  However, WEDI does not believe that the Business Partner Agreement in the form currently mandated in the Privacy rules can be an effective substitute for that authority, and it is overly burdensome to current covered entities.   The third party beneficiary language that is intended to make the individual a party to the Business Partner Agreement is onerous and presents cost and risk far exceeding its limited ability to enforce privacy rules on non-covered entities.  Having the ability to outsource some business functions - requiring access to protected patient information - has become a proven method for covered entities to reduce their costs.  WEDI has serious concerns that the impact of the Business Partner Agreement and third party beneficiary language would be to force covered entities to discontinue outsourcing functions that require access to protected information and incur the significant additional cost and burden of bringing those functions in-house.  This could cause the failure of outsourcing firms, drive up the administrative cost of health care and serve to defeat the purpose of the Administrative Simplification portion of the Act.   Current covered entities are not in the position to fill in DHHS gaps in authority, and third party beneficiary language should be removed from the final Privacy rule.

4)      However, WEDI does agree that, in the absence of DHHS rules covering all entities, a Business Partner Agreement that protects covered information consistent with this Proposed Rule should be required for a covered entity to share protected information.  However, this should be presented as a concept and particular language should not be mandated by the regulations.  The specific business partner contractual arrangements and the contract terms should be left up to the individual entities.

5)      WEDI believes that the minimum necessary disclosure of information concept should be defined as a general principle, with each covered entity having the freedom to implement minimum disclosure based on that entity’s assessment and risk analysis.  Furthermore, due to the risk of degradation of patient care, WEDI asks that the minimum use concept be excluded from implementation for the purposes of disclosures related to treatment.

6)      In regards to pre-emption of State law and regulation, WEDI feels that this issue is extremely critical and wishes to re-state the position it communicated to DHHS in August of 1999, which is included in the detailed comments following the executive summary.

7)      WEDI is concerned that the current list based definition of health care operations may omit valid functions that should be included in health care operations and cannot take into account valid health care operation functions that may be developed in the future.  The definition of health care operations should be revised to eliminate use of a list as the basis for definition.  Instead, the definition should reflect the intent of the current language but should do so in a manner that is sufficiently precise to detail the obligations and rights of the affected parties.   In depth comments regarding definition of health care operations are included in the detailed comments following the executive summary.

8)      WEDI has concerns about how the term “marketing” will be defined in the regulations. While we support the concept of requiring specific authorization for the use of health information for marketing purposes, we do not want covered entities to be restricted in their ability to communicate information that positively affects patient care.  Following are a few examples of activities that we are concerned could be construed as marketing, but the restriction of which could have a negative impact on patient care.  These examples involve patient population selections based on wellness, current diagnosis or treatment, history, patient profile (e.g. age related) or currently prescribed drugs: (A) Reminder notices for appointments, diagnostic testing, treatments, lab tests, and physical exams, (B) Announcing availability of new drugs, diagnoses, treatments or wellness information, and (C) Notices of formularies, wellness programs, additional (or restricted) plan coverage and educational materials.

Therefore, WEDI supports the concept that activities that take place as a part of “payment, treatment or health care operations” do not fall within the scope of “marketing” activities.  The proposed regulations, however, do not clearly set forth those activities which constitute marketing.  WEDI suggests that, to provide certainty for covered entities, DHHS adopt the following definition of “marketing activities”:  The following constitute “marketing activities”:  (a) disclosure of protected health care information for sale, rent or barter; (b) the use of protected health care information by a non-health related division of the same corporation; (c) disclosure of information to an employer for use in employment determinations; and (d) the use or disclosure of information for fund raising. 

9)      WEDI is concerned about the impact of individual authorization on mergers and acquisitions.  There are times when the consolidation of covered entities through merger or acquisition results in lower cost and improved patient care.  The requirement for individual authorization would impair the ability of covered entities to consolidate.   Therefore, WEDI recommends that authorization for release of information not be required for mergers and acquisitions between covered entities.  Additionally, WEDI has general concerns about resolution of enforcement in the event a HIPAA compliant covered entity acquires or merges with a non-HIPAA compliant covered entity.

Detailed Comments:

For ease of reference, each comment is identified as to the page number, Section in the Federal Register and the issue to which it pertains.

1)      Summary and Purpose Page 59924 Sec. I.E.1 – Applicability

WEDI recognizes that DHHS’s authority to cover all entities that handle Protected Health Information is limited to health plans, clearinghouses and any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.  In that context, WEDI strongly supports HHS’s position that this lack of authority leaves many entities that use Protected Health Information outside of any system of protection.  WEDI believes that the use of the business partner agreement is a tortured and poor substitute for privacy legislation and joins with HHS in urging Congress to quickly pass privacy legislation that would ensure coverage for all entities that handle protected health information, including financial institutions.

2)       Page 59924, Sec. I.E.1 – Applicability

WEDI believes that protecting the privacy of purely paper records would provide consistency of policy and procedure throughout a covered entity and would remove any potential conflict and confusion on what information should be protected and how it should be handled.

3)      Page 59924, Sec. I.E.2 – General rules

The proposed rule provides that individuals may request that a covered entity restrict disclosure to a specific entity (e.g. restrict disclosure to specific physicians or nurses).  If the covered entity to which the request is made agrees to that request, WEDI is concerned about the status of subsequent covered entities that were not a party to such request and did not agree to the individual’s restrictions.   In the normal course of treatment, payment or health care operations, a covered entity may receive restricted information and unknowingly disclose such restricted information to the restricted entity.

For example, a patient may request a covered health care provider not to disclose information to an uncle who is also a covered health care provider.  In the normal course of payment related activities, a health plan may receive this patient’s information and may have a relationship with the patient’s uncle for case management or utilization review and therefore disclose the restricted information to the patient’s uncle.  The patient may be unaware of the relationship between the uncle and payer, and the payer would be unaware of the restrictions agreed to by the patient’s provider, therefore leaving the payer potentially liable for an unauthorized disclosure.  WEDI recommends that the final rule clarify that any covered entity agreeing to restrictions of information requested by an individual be required to make that individual aware of the potential of disclosure by other non-restricted entities in the chain of treatment, payment or health care operations.  Further, WEDI recommends that any covered entity in the chain of payment, treatment or health care operations that has not specifically agreed to any individual’s restrictions of disclosure not be held liable for any disclosure of such restricted information that was agreed to by another covered entity.

4)      Page 59925, Sec. I.E.4 – Uses and disclosures with individual authorization

WEDI agrees with the provision in the proposed rule prohibiting covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes.  WEDI still has concerns that patients may sign such forms without noticing the voluntary component.  After examining the model release form, WEDI recommends that in the final rule the model form make the voluntary component more prominent, presented in bold face type of a font size larger than the rest of the text in the form or in some other way highlighted, and require the patient’s full signature.  WEDI further recommends that covered entities be prohibited from seeking such releases before initial treatment.

5)      Page 59926, Sec. I.E.10 – Enforcement

DHHS comments that its intent would be to work with covered entities to achieve voluntary compliance with the proposed standards.  WEDI is concerned that using “voluntary” in this context may be misinterpreted as a lack of enforcement.  WEDI recommends that in the final rule “voluntary” be either removed or clarified to ensure that covered entities understand that the rule will be enforced.

WEDI further wishes to comment that there is a great deal of anxiety and confusion in the industry regarding enforcement of the rule.  WEDI supports DHHS’s intention to issue an enforcement regulation for privacy and security and urges that this be accomplished expeditiously.

WEDI also asks that DHHS provide a “good faith” standard of enforcement under which covered entities would not be prosecuted if they had been making good faith efforts to comply with the privacy regulations.

6)      Page 59927, Sec. II.A.1 – Covered Entities – Clearinghouse definition

While it is uncertain whether these new entities will be termed “clearinghouses”, WEDI recommends that language be added stipulating that all entities engaging in the electronic exchange of protected health information for purposes of treatment, payment or health care operations are bound by the non-disclosure provisions of the privacy regulation.  For example, entities may evolve that receive a standard transaction (e.g. an ASC X12 835 remittance advice or 834 enrollment transaction), perform some process on the data therein (e.g. aggregation and distribution), and forward it on in the same standard format, never having performed a translation to or from a non-standard format, even though they have access to, and may be storing, the data.  WEDI recommends that the clearinghouse definition be expanded to include entities that do not perform translation but receive protected health information in a standard format and have access to that information.

7)      Page 59927, Sec. II.A.1 – Covered Entities – Other types

WEDI recommends that the definition of covered entity be expanded to include life insurance and casualty carriers that may not fit the definition of “health plan” but in fact perform the functions of a health plan by receiving protected patient information and paying for the services of a covered health care provider.  If DHHS determines that it does not have the authority to cover these entities, then WEDI again recommends and urges that legislation be passed to cover all protected health information regardless of the entity maintaining or transmitting it.

8)      Page 59929, Sec. II.A.3 – Interaction with other standards

In response to the DHHS request for comment in this section on how best to protect information in mixed records, WEDI responds that attempting to segregate covered and non-covered information within a single record and applying different protection methodologies to each is probably not a workable solution.

9)      Page 59933, Sec. II.B.4 – Designated record set

In the proposed rule, sequential files and backup files are specifically excluded from the “designated record set”.  WEDI supports this language because it would be impractical and unreasonable to expect covered entities to provide individuals with access to, and amendment of, these types of records.

10)    Page 59933-34, Sec. II.B.16 – Health care operations

We believe the current concept of “for treatment, payment and health care operations” is an appropriate direction and support the idea that special approvals and tracking should not be required.  However, the definition of “health care operations” is too narrow and static.  The approach of listing what is acceptable is limiting and does not even cover the activities and functions that are appropriate and take place today. 

With the proposed regulations, the Secretary has permitted covered entities to exercise some discretion in deciding how to meet their regulatory obligations.  This philosophy is exhibited, for example, in the "minimum necessary use and disclosure" provision, which does not mandate adherence to strict guidelines, but instead requires covered entities to implement reasonable policies and procedures to achieve the regulations' goals.  This same philosophy should be carried into the definition of "health care operations."  The current attempt to list those functions that fall within the definition of "health care operations" is neither practical nor possible.  For example, a routine function such as a health plan providing information to a vendor so it can print identification cards for the plan’s members certainly is a "health care operation," but it is not encompassed within the current definition.  Moreover, the current definition provides no framework to enable the Secretary, once the regulations become effective, to readily amend the definition to encompass functions that should be deemed "health care operations" but were omitted from the definition.  These practical problems can be solved by deleting from the definition the list of functions that constitute "health care operations" and broadening the definition to permit covered entities to exercise discretion in determining what constitutes a "health care operation."  In this vein, the following definition is suggested:  "health care operations include those activities undertaken by or on behalf of a covered entity that is a health plan or health care provider and that are reasonably related to the management functions of such entity necessary for the support of treatment or payment."

11)    Page 59936, Sec. II.B.19 – Enforcement and approach related to de-identified information

In response to the DHHS request for comment in this section, WEDI believes that the approach to enforcement and de-identified information contains sufficient guidance.  The level of detail in the definition of de-identified information leaves no doubt in the reader’s mind as to what constitutes de-identified information.

12)    Page 59933-34, Sec. II.B.21 – Employers receipt of protected health information

DHHS requests comment on the extent to which employers currently receive protected health information about their employees, the types of activities for which protected health information is received, and whether any or all of these activities could be accomplished with de-identified information.  WEDI’s comment is that employers use protected health information for at least the purposes of eligibility review, enrollment, utilization and billing reconciliation, and that for those purposes de-identified information would not suffice.  WEDI also recommends that the final rule clarify which employer activities would be conducted in the role of a health plan and therefore place the employer, or at least those activities, under the purview of the rule as a covered entity.

13)    Page 59938, Sec. II.B.23 – Psychotherapy notes

WEDI supports the exclusion of psychotherapy notes from health care operations.  Psychotherapy notes would not normally be needed for any purpose beyond that of the health care provider taking them.  Specific individual authorization should be required for the release of any information contained in psychotherapy notes.

14)    Page 59940, Sec. II.C.1 – Use and disclosure for treatment, payment and health care operations

WEDI supports the concept of not requiring specific authorization for treatment, payment and health care operations.  This concept gives health care providers and health plans the freedom necessary to ensure that patient care is not degraded in the process of protecting information.

WEDI further recommends that the final rule clarify that protected health information could also be exchanged between covered and non-covered entities for the purposes of treatment without the requirement of a business partner agreement.

15)    Pages 59943-45,  Sec. II.C.2 – Minimum necessary use and disclosure

WEDI supports the concept of a covered entity “that reasonably relies on the requests of public health agencies, law enforcement agencies, coroners or medical examiners”.  WEDI recommends that the final rule also provide that a covered entity be required only to “reasonably determine” the minimum necessary information when presenting information to internal employees for the purpose of performing their job functions.

WEDI further recommends that DHHS include clarification and example applications of the minimum necessary standard for small covered health care providers in the guidelines for small business compliance on pages 60003 and 60004.

16)    Pages 59947-50,  Sec. II.C.5 – Application to business partners

WEDI supports the concept and language in the proposed rule providing that a covered entity has no requirement to proactively monitor and audit a business partner’s performance, but does have a responsibility to act when it becomes aware of a violation of the business partner contract.   Specifically, WEDI supports the language contained in proposed rule section 164.506(e)(2).

17)    Pages 59947-50,  Sec. II.C.5 – Application to business partners

In response to the DHHS request for comment concerning automatic termination of business partner contracts, WEDI recommends that there be no requirement for such automatic termination.  Requiring automatic termination of a business partner contract could put a covered entity in the position of severing mission-critical services for which there is no reasonable replacement, seriously impairing the ability of the covered entity to continue business.  Applied to vendors of computerized patient-monitoring, diagnostic-imaging and laboratory equipment, this type of requirement could result in serious negative outcomes for patient care.

18)    Pages 59947-50,  Sec. II.C.5 – Application to business partners

In response to the DHHS request for comment concerning transcription services, WEDI recommends that the final rule specifically include transcription services as business partners.  The information disclosed to transcription services is typically highly sensitive, and transcription services present a unique risk when the sensitivity of the information they handle is coupled with diversified business practices, which may include transmission of protected health information offshore and out of the jurisdiction of state and federal agencies.

19)    Pages 59947-50,  Sec. II.C.5 – Application to business partners

WEDI supports the concept of prohibiting business partners from aggregating or combining protected health information from multiple sources and from using protected health information for purposes for which the covered entity could not have used it, and recommends that this concept be reflected in the final rule.

20)    Pages 59953-54,  Sec. II.D.2 – Requirements when the covered entity initiates the authorization

In general, WEDI supports requiring individual authorization for disclosures for marketing purposes.  However, WEDI is concerned that an inappropriate interpretation that sweeps vital patient care activities into restricted marketing activities could reduce the quality of care that an individual receives, creating ethical conflicts, driving up health care costs, reducing treatment efficacy and increasing negative patient outcomes.   Vital activities that may be at risk include wellness, preventive care and proactive patient follow-up.  Examples include, but are not limited to, notifications to patients (i) reminding them of appointments or immunization requirements, (ii) advising them of procedures, technology and/or pharmaceuticals available to treat their specific disease or condition, and (iii) advising them of diagnostic procedures recommended for their particular profile, which may be age, disease and/or treatment related.  In all of these examples a health care provider may develop targeted patient profiles using protected health information in order to communicate patient care related information.  WEDI recommends that the final rule include language expanding the treatment definition to include proactive communication with the patient or contract holder for the purposes of promoting wellness, disease management, case management, health management or demand management.

21)    Pages 59965, Sec. II.E.7 – Disclosure of directory information

The proposed rule (164.510(h)) requires individual authorization before inclusion of the individual in the entity’s directory.  WEDI supports this requirement and recommends this language be retained in the final rule.

22)    Pages 59966, Sec. II.E.8 – Banking and payment processes

In the proposed rule, financial institutions conducting activities for the purpose of authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments are exempted from the rule, citing the language in Sec. 1179 of the Act.  WEDI is concerned that these exempted activities are too broad and encompassing, and would allow financial institutions, under the guise of this exemption, to freely conduct, without the protections afforded by the rule, activities that covered entities also conduct.  WEDI believes this interpretation defeats the purpose of the Act and the rule in that it opens the door to the transaction of protected health information without any of the associated protections intended by the Act and the rule. 

It is incongruous that the interpretation of Sec. 1179 of the Act should exempt from protection the very activities that the Act is designed to protect.  While it is reasonable to conclude that Congress intended that this rule not impede the efficient processing of these transactions by financial institutions, it is equally reasonable to conclude that Congress did not intend that this rule impede the efficient processing of these transactions by providers, health plans and clearinghouses.  WEDI cannot imagine that Congress intended that only financial institutions would have the ability to process these transactions efficiently, which would be exclusionary and give financial institutions a competitive advantage over covered entities.   This interpretation would also imply that Congress meant these rules to be restrictive and to impede efficient processing of these transactions by providers, health plans and clearinghouses.

On the contrary, WEDI believes that Congress intended all parties processing transactions covered under the Act to have the ability to process those transactions efficiently, and intended that all such parties be given the same opportunity and be covered under the rule, so that individuals receive equal protection of their health information.  Therefore, if Congress did not intend this rule to restrict the efficient processing of these transactions, and if the rule does not in fact restrict such processing, then applying the rule to financial institutions would not restrict efficient processing either, and would conform to Congress’s intent, even in Sec. 1179.

Since protecting health information contained in these transactions is clearly the intent of Congress in the Act, the only way to justify not applying this rule to financial institutions is if applying the rule would, in fact, restrict the efficient processing of these transactions.   Since it would not be Congress’s intent to restrict any entity’s ability to process these transactions efficiently, if the rule does so restrict, then the rule needs to be changed to remove such restrictions, and should not be applied to any entity until they are removed.

With the above in mind, it becomes evident that the language in Sec. 1179 of the Act exempting financial institutions was intended to ensure that credit card and other payment transactions by financial institutions would not be construed as covered by the Act.  Taken in that context and applied to credit card and payment transactions, the language in Sec. 1179 specifying “authorizing, processing, clearing, settling, billing and transferring” makes much more sense.

It therefore becomes clear to WEDI that, to be consistent with the intent of Congress, this rule should be applied to any entity performing a role that would make it eligible to be a covered entity under the rule, without exception.

WEDI recommends that the final rule contain language exempting only those financial institution activities that are directly and exclusively associated with credit card and payment processing, such as authorizing, processing, clearing, settling, billing and transferring.  The language should further clarify that any activities by a financial institution that would put it in the role of a health care provider, clearinghouse or health plan are covered under the rule.

23)    Pages 59976, Sec. II.F.1 – Rights and procedures for a written notice of information practices

The proposed rule requires distribution of a written notice of a health care provider’s or health plan’s information practices.  WEDI supports this requirement, but recognizes that the methodology for distribution may differ for a radiologist who never sees the patient and for a primary care physician or health plan.  WEDI recommends that HHS identify the time frames for notification and clarify in the final rule that the actual methodology for distributing written notices of information practices is left to the covered entity.

24)    Pages 59976-80, Sec. II.F.1 – Rights and procedures for a written notice of information practices

In the proposed rule, DHHS requests comment regarding requiring a covered entity to obtain a signed acknowledgement of receipt from the individual.  Covered entities may choose to adopt such a procedure; however, for many covered entities it would not be practical or enforceable, and its administration would be overly burdensome.  Examples are hospital-based physicians with external business offices, who rarely see their patients in a condition to sign such an acknowledgement, and health plans, which would have to set up extraordinary processes and incur exceptional mailing and administrative costs.  For these and other reasons, WEDI recommends that the final rule not require a covered entity to obtain a signed acknowledgement from the individual.

25)     Pages 59976-80, Sec. II.F.1 – Rights and procedures for a written notice of information practices

The proposed rule does not contain format specifications for the written notice.  In order to accommodate the unique needs of many covered entities, WEDI recommends that covered entities be able to design their own written notice to comply with these requirements.  However, WEDI also recognizes that some covered entities, especially smaller plans and providers, may welcome a format specification and example.  Therefore, WEDI recommends that the final rule incorporate a suggested format and example of the written notice while giving covered entities the freedom to design their own to meet the requirements.  Additionally, WEDI asks that DHHS develop a model notice that, although not required, a covered entity could choose to implement to attain compliance with this section of the rule.

26)    Pages 59976-80, Sec. II.F.2 – Rights and procedures for access for inspection and copying

In the proposed rule, DHHS requests comment regarding requiring a covered entity to acknowledge a request for access.   While many covered entities may choose to acknowledge requests for access, WEDI recommends that the final rule not require such acknowledgement.

27)     Pages 59976-80, Sec. II.F.2 – Rights and procedures for access for inspection and copying

The proposed rule details the notification requirements sufficiently that WEDI recommends the definition and requirements be retained in the final rule without modification.  Furthermore, WEDI supports limiting individual access for inspection and copying to the “designated record set”.

WEDI also recommends that the rule recognize and incorporate privileges into its language so that certain information cannot be accessed by individuals.  For example, privileged information pertaining to quality assurance, medical appeals, peer review, attorney-client relationships and clinical trial research activities should be exempt from the disclosure requirement.

28)     Pages 59985-86, Sec. II.F.3 – Rights and procedures with respect to an accounting of disclosures

The proposed rule requires an accounting to the individual of disclosures made outside of treatment, payment and health care operations.   WEDI supports the accounting requirements contained in the proposed rule and recommends that they be retained in the final rule without modification.  WEDI believes that these requirements are sufficient and that additional requirements would be excessively burdensome to covered entities.

29)    Pages 59976-80, Sec. II.F.3 – Rights and procedures with respect to an accounting of disclosures

In the proposed rule, this section refers to the audit trail requirements of the Security NPRM with the suggestion that covered entities should monitor all accesses to protected information.  WEDI recognizes that while the technology to monitor all accesses exists today, the cost and burden of deploying it would be out of reach for most covered entities.  The fact that the technology is available does not mean it is reasonable to expect all covered entities to deploy it.  For most covered entities the cost-risk ratio is too high, and it is beyond their financial and technical capabilities.  By analogy, there is technology available today to protect covered entities from sophisticated surveillance equipment that can capture every keystroke of every computer terminal at their site and, by reassembling the keystrokes with sophisticated software, capture most of the protected health information the entity holds.  Yet no one is calling for these entities to deploy that protective technology, because of its high cost-risk ratio.

Some covered entities either already have the capability or will deploy technology that enables these highly detailed audit trails.  However, most covered entities do not currently have systems capable of such tracking.  Requiring small to mid-size health care providers to track such access would require them to upgrade their systems to enterprise-level databases, incurring both the high initial cost of the upgrade and high ongoing maintenance costs.  Small to mid-size entities would thus incur nearly the same system and maintenance costs as large entities.   The impact could be financially devastating, putting smaller entities in a non-competitive position.   WEDI notes that the cost estimates contained in the proposed rule do not include the massive funds that would be required to upgrade every covered entity that does not currently have an enterprise-level database to systems and software that would support one.

Further, while electronic monitoring of terminal access is possible, it is not possible to electronically monitor all accesses.  In the treatment process it is common for health care professionals to convey oral descriptions of information read from a computer terminal, or to share printed information (e.g. lab results) derived from electronic records.  Taking the time to track those types of accesses is impractical and potentially devastating to patient outcomes.  While audit trails are required, it should be up to each entity to determine, through assessment and risk analysis, the level of detail and granularity to deploy to secure the data in its unique environment.

Therefore, WEDI recommends that any language suggesting a requirement for audit trails that monitor all accesses be removed from the final rule, and that the final rule require audit trails consistent with the disclosure requirements, that is, audit trails only for accesses that are not for the purpose of treatment, payment or health care operations.  The rule should also require that each entity document, through assessment and risk analysis, the level of audit trail appropriate to secure the data in its unique environment.

Please note that these recommendations are consistent with recommendations WEDI made to DHHS on August 16, 1999, the exact text of which is inserted below:

Tracking of Access and Disclosure:

WEDI recommends that DHHS require the tracking of all access and disclosures of protected health information for those accesses and disclosures that are not for the purpose of treatment, payment or healthcare operations.  This is consistent with the recommendations contained in (2) above.

Requiring the tracking of accesses and disclosures of protected health information for the purpose of treatment, payment and healthcare operations would create significant cost burden and could negatively affect patient care.
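The distinction WEDI draws in this section, an accounting of disclosures outside treatment, payment and health care operations rather than an audit trail of every access, can be made concrete. The following is an added example written for this page, not code from WEDI or DHHS. The event layout, the purpose labels and the sample events are constructed assumptions. It records only events whose purpose falls outside treatment, payment and health care operations and produces the per-individual accounting from them; routine treatment, payment and operations accesses are not recorded here, although an entity may still log them separately at whatever granularity its own risk analysis supports.

```python
"""Accounting-of-disclosures log for protected health information (PHI).

Added example, not code from the original page.  Only disclosures whose
purpose falls outside treatment, payment and health care operations (TPO)
are recorded, matching the scope of the accounting an individual may request.
The event layout, purpose labels and sample events below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Purposes that the accounting requirement does not cover (assumed labels).
TPO_PURPOSES = frozenset({"treatment", "payment", "health_care_operations"})


@dataclass(frozen=True)
class AccessEvent:
    """One access to, or disclosure of, an individual's PHI (constructed layout)."""
    when: date
    patient_id: str
    recipient: str      # person or organization that received the information
    purpose: str        # purpose category assigned by the disclosing system
    description: str    # what was disclosed


def is_accountable(event: AccessEvent) -> bool:
    """True when the event must appear in the individual's accounting.

    The comparison is case-insensitive so that "Treatment" and "treatment"
    classify the same way.  A blank or unknown purpose is treated as
    accountable: the safe default for a purpose the system cannot vouch for.
    """
    return event.purpose.strip().lower() not in TPO_PURPOSES


class DisclosureLog:
    """Append-only store of accountable disclosures."""

    def __init__(self) -> None:
        self._entries: List[AccessEvent] = []

    def record(self, event: AccessEvent) -> bool:
        """Record the event if it is accountable; return whether it was kept."""
        if not is_accountable(event):
            return False
        self._entries.append(event)
        return True

    def __len__(self) -> int:
        return len(self._entries)

    def accounting_for(self, patient_id: str, since: date) -> List[AccessEvent]:
        """Chronological accounting for one individual from `since` onward."""
        return sorted(
            (e for e in self._entries
             if e.patient_id == patient_id and e.when >= since),
            key=lambda e: e.when,
        )


def build_log(events: Iterable[AccessEvent]) -> DisclosureLog:
    """Feed a stream of events through the log and return the log."""
    log = DisclosureLog()
    for event in events:
        log.record(event)
    return log


def format_accounting(entries: Iterable[AccessEvent]) -> List[str]:
    """Render accounting entries as the lines a covered entity might hand over."""
    return [f"{e.when.isoformat()}  {e.recipient}  [{e.purpose}]  {e.description}"
            for e in entries]


# Constructed sample events: two individuals, a mix of TPO and non-TPO purposes.
SAMPLE_EVENTS = [
    AccessEvent(date(2000, 3, 2), "P-1001", "Dr. Lee (attending)", "treatment", "Viewed lab results"),
    AccessEvent(date(2000, 3, 4), "P-1001", "Acme Health Plan", "payment", "Claim sent; 835 remittance received"),
    AccessEvent(date(2000, 3, 9), "P-1001", "County Public Health", "public_health", "Reportable disease notification"),
    AccessEvent(date(2000, 3, 15), "P-1002", "State Medical Examiner", "coroner", "Cause-of-death inquiry"),
    AccessEvent(date(2000, 4, 1), "P-1001", "Quality committee", "Health_Care_Operations", "Peer review sample"),
    AccessEvent(date(2000, 4, 20), "P-1001", "Law enforcement (subpoena)", "law_enforcement", "Records produced under subpoena"),
]


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    for line in format_accounting(log.accounting_for("P-1001", date(2000, 1, 1))):
        print(line)
```

Run stand-alone, the block prints two lines for P-1001 (the public health report and the subpoena) and none of the four treatment, payment or operations events; the accounting is produced by the log alone, without any terminal-level access monitoring.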

30)    Pages 59986-88, Sec. II.F.4 – Rights and procedures for amendment and correction

WEDI supports the language in the proposed rule, which requires the covered entity to include provisions in their business partner contracts that specify how the business partner should respond to requests for access and/or information from an individual.

31)    Pages 59988-89, Sec. II.G.2 – Training

The proposed rule requires re-certification of employee training every three years and requires that employees physically sign off on such re-certification.  WEDI believes that this language is too restrictive and should give more discretion to the covered entity.   For example, a covered entity may have several locations with too few employees at each to justify the cost of on-site re-certification or of bringing each employee to a central location.  In this case, the covered entity may provide computer-based training and certification delivered through the Internet or an intranet or on CD/DVD, with the employee sign-off tracked electronically.   Furthermore, the covered entity may have elected to provide initial training to classes of employees, such as janitorial and other service staff, that may not need re-certification within the three-year period required in the proposed rule.  Therefore, WEDI recommends that the three-year re-certification requirement and the requirement for physical signatures on employee sign-offs be eliminated from the final rule.

32)    Pages 59989-90, Sec. II.G.3 – Safeguards

The proposed rule provides whistleblower protections for covered entities.  WEDI supports the whistleblower provisions in the proposed rule but notes that protections for individual employees are not specifically addressed.  WEDI recommends that the final rule specify whistleblower protections for the employees of covered entities and their business partners.  The specific inclusion of individuals in the whistleblower provisions would eliminate any hesitation on the part of an individual who has discovered a violation and needs to disclose information in order to report it or obtain help in mitigating it.

33)    Pages 59994-99, Sec. II.I.1 – Relationship to State laws

The proposed rule provides guidelines on how to resolve conflicts between the rule and State law.  In these guidelines, the principle of the higher penalty is applied to ascertain whether State law or the rule takes precedence.   WEDI is concerned that a strict interpretation of the language may lead to a weaker State law prevailing based only on that State law carrying a higher penalty.  WEDI recommends that the language in the final rule apply the higher penalty provision only as a “tie breaker” for conflicts that are otherwise equal.  This would ensure that the highest safeguards are applied, regardless of the penalty imposed.

It is WEDI’s position that federal privacy legislation should be passed with the power and authority to preempt all State law.  For that purpose, WEDI has included below the exact text of its recommendation presented to DHHS on August 16, 1999 regarding preemption of State laws.

Preemption of State Law:

WEDI recognizes that DHHS is not empowered under HIPAA legislation to write regulations that pre-empt state law.  However, WEDI determined that it was important to formally state and present WEDI’s strong position that to be practically effective and not cost prohibitive, any privacy legislation and/or rules must preempt all existing and future state laws and regulations.  It is WEDI’s position that non-preemptive privacy regulations will result in the stifling of the use of electronic technology thereby increasing the administrative costs and reducing the quality of patient care.  All of which is contrary to the intent and purpose of the Administrative Simplification portion of HIPAA.

There are two primary and compelling reasons for this position:

A) Jurisdiction Confusion:
The confusion generated by multiple state regulations would serve to limit the use of electronic interstate communication of protected health care information.  Since there is no defined methodology to resolve the jurisdictional issues that individual state laws represent, health care entities would not know which laws may impact them and in order to reduce risk would reduce or eliminate their use of electronic interstate communication of protected health care data. 

There has been a natural evolution of the interstate transmission of protected health care information that has resulted in a natural and beneficial integration and communication between health care entities. This communication is a necessary component of both improved patient care and administrative cost reduction.  For the common good of the U.S. health care system, the growth of interstate communication of protected health care data should be fostered and preserved. 

Health care data is currently communicated interstate for patient care/treatment (e.g. laboratory samples, reports and consultations), payment (e.g. insurance claims, remittance and eligibility requests) and health care operations (e.g. utilization review aggregating and analyzing data for the purpose of improving patient care).  All sizes and manner of health care entities are currently involved in these transactions including small and large clearinghouses, laboratories, single practitioners, multi-state clinics, employers, regional and national insurance carriers, etc.

One fairly common example of such a transaction would be a Florida resident, insured through an employer in Alabama by a carrier in Connecticut, presenting to a California clinic for treatment.  Prior to treating the patient, the clinic could electronically request eligibility information through a local California clearinghouse, which may route the request to another clearinghouse in New York, which routes it again to yet another clearinghouse in Georgia, which finally routes it to the carrier’s eligibility contractor in Tennessee.  The eligibility contractor’s system then generates a response that reverses the path and is delivered back to the clinic, all within 30 seconds of the clinic generating the initial request.   After treating the patient, the clinic would generate an electronic claim that is transmitted to a clearinghouse in Illinois, which sends it to another clearinghouse in Ohio, which routes it to the insurance carrier in Connecticut.  After processing the claim, the insurance carrier could then deliver the EFT and electronic remittance advice (ERA) to a clearinghouse in Indiana, which routes them to the clinic’s bank in Nebraska which, after balancing with the ERA, deposits the EFT and forwards the ERA on to the clinic for posting.

In the above hypothetical example, which is not extreme, these transactions pass through eleven states and none of the trading partners involved in the transactions would be aware of all of the states through which these transactions passed.  This does not take into account the complexities and variables of dial-up, frame relay and other wide area routing through public telephony and data carriers.  Routing these transactions through the fabric of multiple telephony and data carriers that represent the wide area and PSTN (public switched telephone network) could easily add 10 more states to the path that the transaction could follow.  There is no way for the health care entities to know which State laws are applicable to their transactions.

B) Cost of Compliance:
The cost of monitoring various state laws and establishing different administrative and technical procedures for each state to or from which a health care entity sends or receives protected health care information would impose an extreme burden on all health care entities.  Even small provider offices that use clearinghouses would be sending protected health information through multiple states and would have the same issues and costs of compliance as large clinics.

Assuming that there were a methodology to establish jurisdiction, without preemption there is nothing in place to prevent states from enacting conflicting laws.  As a result, a health care entity implementing processes and technologies to comply with State A’s law could create non-compliance with State B’s law.  Therefore, the architecture of health care entities’ systems and processes would have to be extremely complex and cumbersome to allow the kind of diversity that would enable a health care entity to deploy multiple concurrent processes and systems on a state-by-state basis.  The cost of re-engineering to enable this level of diversity would be prohibitive and, if forced on the health care system, would raise the cost of every entity in the chain of care and payment.  This would obviously be contrary to the intent of the Administrative Simplification portion of the HIPAA legislation.

34)    Pages 60003-4, Sec. III.1 – Small business assistance

In the first paragraph of page 60004, there is a reference to “small business”, instead of “small plans”.   In the context of the language, this appears to be a typo.  WEDI recommends a correction to replace “small business” with “small plans”.

35)    Pages 60003-4, Sec. III.1 – Small business assistance

WEDI notes that the definition of small plan has been expanded significantly to reflect the Small Business Administration’s definition of small business (<$5M annual revenue).   This has a significant impact in light of the rules providing small plans with an additional year to comply with the rule.  In practice, the failure of a small plan to meet the requirements of the rule within the two-year period could have a severe negative impact.  WEDI’s interpretation of the impact of these provisions is that, in order to protect themselves and their protected information, covered entities doing business with small plans would necessarily have to include them under the business partner requirements and ensure that they met the provisions of the rule.  Therefore, the effect would be that a small plan would still have to meet the requirements of the rule within the two-year period in order to do business with any other covered entity that is not a small plan.  WEDI’s concern is that there may be small plans that do not realize this impact in time to meet the requirements of the rule within the two-year period and therefore become practically ineligible to conduct business with other covered entities that are not small plans.  Therefore, WEDI recommends that the final rule be worded to clarify the potential impact to small plans and alert them to the implications of not complying within the two-year period.

36)    Pages 60006-8, Sec. III.1 – Summary of costs and benefits

While understanding that deriving and quantifying the actual costs of implementation of the rule is a problematic undertaking, WEDI does wish to comment that the cost analyses included in the proposed rule appear to be understated.   One example is the cost of system changes, which at $90M in the first year and $0 after the first year could not possibly include the initial upgrades, training, productivity loss and increased annual maintenance costs associated with meeting the audit trail provisions, which require an entity to monitor every access to protected health information.  The initial upgrade cost alone would range from $50K to more than $1M per covered entity.  Also not included are training and productivity costs of the initial implementation, which could easily meet or exceed the initial capital investment costs, and on-going annual maintenance and support, which is conservatively estimated at 15% to 25% of the initial investment.

There is also industry consensus that, while not readily quantifiable, the costs not included (minimum necessary disclosure; monitoring business partners; creation of de-identified information; internal complaint process; sanctions; compliance and enforcement; creation of privacy official and privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation) could easily increase the current stated costs by a factor of 1 to 4 times.

37)    Page 60049 Sec 160.102 – Covered entities definition of covered health care provider

The proposed rule limits coverage of health care providers to those providers who “transmit any health information…”.  WEDI would like to point out that it would be possible for a health care provider to receive a covered transaction such as an 835 (remittance advice) without having transmitted a covered transaction.  WEDI recommends that the language be changed to read “transmits or receives any health information…”.

38)    Page 60049 Sec. 160.103 – Health care clearinghouse definition

In the proposed regulations, the health care clearinghouse definition assumes a one-way process from health care provider to payers and other clearinghouses.  In reality, a clearinghouse also receives data from the payers and sends to the health care providers.  WEDI recommends that the wording be changed to reflect bi-directional transactions.  It is also possible that a clearinghouse would receive protected information from a payer and transmit it to a non-covered entity, such as a financial institution.  The financial institution may have a business relationship with the payer, but not the clearinghouse.  WEDI recommends that wording be added to the final regulations that would specify that covered entities would be required to have a business partner agreement with any non-covered entity to whom they disclosed protected health information, including financial institutions.

39)    Page 60051, Sec. 160.203(c) – General rule and exceptions to business partners

The proposed rule includes child abuse as one of the named reporting procedures under State law.  WEDI recommends including the words “domestic violence” under the named reporting procedures.  This addition would ensure that covered entities understand that individual authorization is not required for reporting of domestic violence if it is included in State reporting requirements.

40)    Page 60053 Sec. 164.504 – Definition of individually identifiable health information

In (1) the proposed rule includes employer in the definition of individually identifiable health information.  Protected health information pertains only to covered entities for which employers are not included.  This represents an apparent incongruity between the definitions.  WEDI recommends removing “employer” from the definition of individually identifiable health information.

41)    Page 60052, Sec. 164.504 – Disclosure definition

WEDI recommends that clarification of disclosure specifically exclude disclosure to the individual and suggests that the definition be amended to read: “Disclosure, other than to the subject of the information, means….”.

42)    Page 60053 Sec. 164.504 – Payment definition

In (2)(iii) the proposed rule uses the words “medical data processing”.   WEDI is concerned that this wording may be interpreted as too constrictive and recommends that “medical data processing” be replaced with “related health care data processing”.

43)    Page 60054 Sec. 164.506(d)(2)(ii)(A) – Standards: Use or disclosure of de-identified protected health information

For a matter of clarification, WEDI recommends that the word “All” be inserted as the first word in the sentence so that (A) reads “All the following identifiers….”.   This would prevent an entity from erroneously interpreting the language to mean only a portion of the identifiers.

44)    Page 60054 Sec. 164.506(e)(1)(i) – Standards: Business Partners

WEDI wishes to support the language in the proposed rule that exempts covered health care providers from the Business Partner requirements for disclosures to another health care provider for consultation or referral purposes.  However, it is WEDI’s understanding that there may also be occasions where a covered health care provider conducts various diagnostic tests and needs to convey the results of those tests to another health care provider for purposes that are necessary for treatment but not precisely covered under consultation or referral.  An example would be a vacationing patient who needs scheduled Coumadin testing performed and those results communicated to their attending physician in their home area.   WEDI recommends that the exemption of covered health care providers from the business partner requirements be expanded to include disclosures of diagnostic testing.

45)    Page 60055 Sec. 164.506(e)(2)(ii)(A) – Third Party Beneficiary

The proposed rule requires that business partners’ contracts include third party beneficiary provisions.  WEDI believes this to be an inadequate provision for patient rights since there are a limited number of states in which this provision could be invoked by the patient.   The result would be the requirement of unenforceable language in a majority of the business partner contracts, resulting in significant confusion and increased cost of contract negotiation and management for limited benefit.  WEDI recommends deletion of this provision and again joins with HHS in urging Congress to pass privacy legislation that could provide far more inclusive patient rights provisions.

In concluding our comments regarding Privacy-P, WEDI would like to take this opportunity to express our gratitude to the many federal government employees and others outside of the government, including WEDI’s own Policy Advisory Group members, all of whom have worked so long and so hard to prepare the proposed rule on this very complex issue.  We are now eager to take the next steps in this process.  Certainly, that includes clarifying or expanding upon any of these comments during the upcoming review period as well as offering any other assistance that is requested and appropriate to ensure the timely preparation and publication of the final rule.


Lee Barret
Chairman, WEDI

cc.  WEDI Board of Directors
WEDI Policy Advisory Group Co-chairs
James A. Schuping, WEDI Executive Vice President

Posted to HIPAAcomply 02/17/00


Memo from Deputy Attorney General Eric Holder
to Inspectors General Directing Them to Refer Potential Violations of Federal Privacy Statutes to the Department of Justice for Investigation and Prosecution

October 18, 1999

Dear Inspector General:

In the Information Age, many Americans are becoming increasingly concerned about their loss of individual privacy.  Although information technologies bring important benefits, from fostering economic growth to improving health and education, when improperly used, they can infringe upon cherished rights of individual privacy.  This is particularly true with respect to  governmental agencies.  Whether to provide health care, educate our children, protect public safety, or provide assistance to low-income individuals, Federal, state, and local governmental agencies collect, maintain, and share significant amounts of sensitive personal information.  The public shares this data with government with the expectation that it will only be used for appropriate governmental functions and in strict compliance with applicable privacy laws.

A number of Federal laws have been enacted to prevent and protect against the inappropriate collection, use, and disclosure by governmental agencies of sensitive personal information.  For example, the Privacy Act (5 U.S.C. §552a) establishes fair information practices governing the collection, use, and disclosure of individually identifiable information by Federal agencies.  Knowing and willful violations of the Privacy Act may be punished by criminal prosecution.

Recently, Congress amended the computer crime statute to provide criminal penalties for governmental employees who knowingly access a computer in excess of their authority.  See 18 U.S.C. §1030(a)(2).  This means that the employee accessed a computer with authorization, but used that access to improperly obtain access to or alter information.  18 U.S.C. § 1030(e)(6).  The amendments were passed in response to reports of widespread instances of government employees accessing information in governmental computers (such as the DOJ National Crime Information Center or IRS tax records) for illegitimate reasons.  Under the new provisions, such violations are punishable by fine and up to a year in prison.  Where the violations are for personal financial gain, commercial advantage, in furtherance of any criminal or tortious act, or the value of the information exceeds $5,000, they are punishable by fine and up to 5 years in prison.  Violations which occur after a conviction for another offense under this section are punishable by fine and up to 10 years in prison.

Federal law also protects other specific information from unauthorized access and disclosure by governmental employees.  The unauthorized disclosure of taxpayer information, for instance, violates 26 U.S.C. §7213 and is punishable by a fine of up to $5,000 and up to 5 years in prison.

Although some violations, such as those resulting from mere inadvertence, are appropriately handled through administrative processes, should your agency develop evidence that an employee has violated the criminal provisions of one of these privacy laws, particularly where the violation is committed for personal financial gain, commercial advantage, in furtherance of a criminal or tortious act, or involves a repeat offense or serious abuse of the public’s trust, I would encourage you to refer the matter to the local U.S. Attorney’s Office for appropriate action.  In the event your agency is not able to investigate the matter, please forward the matter to the local FBI office.  In addition, to ensure that the Department of Justice properly focuses on these matters, we request that you forward a copy of any such referral to the appropriate individual listed below:

 For 1030(a)(2) offenses:

  Chief, Computer Crime & Intellectual Property Section
  Criminal Division
  U.S. Department of Justice
  Washington, DC 20530.

 For Tax Offenses:

  Chief, Criminal Enforcement Office
  Tax Division
  U.S. Department of Justice
  Washington, DC  20530

 For Privacy Act Violations:

  Chief, Public Integrity Section
  Criminal Division
  U.S. Department of Justice
  Washington, DC  20530

The Department of Justice is committed to enforcing federal privacy laws, particularly those protecting against the abuse of information collected and maintained by governmental agencies.  If you have any questions about this issue, please do not hesitate to contact John Bentivoglio, Chief Privacy Officer, Department of Justice, (202) 514-2707.

Eric H. Holder, Jr.

Posted to HIPAAcomply 02/02/00


HIPAA Regulation Compliance on Heels of Y2K Headache

Healthcare providers scramble to ensure HIPAA compliance and patient privacy

By M. Joseph Cisna, Marketing Director, Experior Corporation

(January 11, 2000) The healthcare industry, perhaps one of the most essential sectors of our economy, and certainly one of the largest in terms of Gross Domestic Product, is undergoing an evolution. With the proliferation of managed care, declining reimbursements, and national Medicare legislation and compliance, reliable information is critical now more than ever. 

Healthcare information systems have grown and evolved since the 1970s helping hospitals, physician clinics, managed care organizations, and integrated delivery networks to manage their businesses, and more importantly, improve the quality of patient care.

In an era of technological advancement, electronic commerce has emerged as the most important paradigm, not only in healthcare, but also across the spectrum of industries. Software and technology companies - practice management software systems in particular - are capitalizing on e-commerce to offer a number of products and services helping to make practices become more efficient. And, as technology progresses, the Internet and web-based applications will become the preeminent factor in electronic claims, patient records, billing systems, and a host of other related areas. 

With these innovations, however, come a multitude of associated concerns for both healthcare providers and their patients, namely patient confidentiality. Because more and more confidential patient information is being stored, moved, and handled electronically, it is imperative that precautionary steps are in place to ensure that technology is not compromising patient privacy. To that end, as mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the U.S. Department of Health and Human Services issued a number of proposed rules including standard EDI formats, standard coding, identifiers, security and privacy. 

HIPAA regulations mandate security and privacy provisions to protect the integrity and confidentiality of patient information, EDI standards and national identifiers for providers, payers, employers, and patients. HIPAA security and privacy regulations focus on policy and procedure, mandating technology only as necessary to enforce those policies and procedures. While 75% of HIPAA security compliance is operational in nature, a close evaluation of computer systems and databases is still vital in determining HIPAA preparedness. Fortunately for Fort Wayne’s medical professionals, once the operational issues are in place, the technology components for enforcement exist today and address many of the core issues involved.

Although these regulations have been public knowledge for some time, the majority of organizations have put all of their energy and resources toward the year 2000 fix, and are now in for the realization that HIPAA may demand even more time and money to ensure compliance.

A number of resources are available on the Internet that highlight the proposed rules and additional information regarding HIPAA. Web sites include the main government source site and the HCFA site. Other organizations tracking HIPAA also maintain sites. There is also the HCFA site which contains details on the Internet security policy, and implementation guides may also be found online. In addition to the Internet, healthcare industry consultants such as Beacon Partners, who devote an entire arm of their practice to security and HIPAA compliance, may also be an excellent source of knowledge that can help organizations determine where to begin when ensuring HIPAA compliance.

Diligence in complying with these standards now will help alleviate the universal last minute problems, and let medical practices get back to what is important – providing quality patient care.

# # # #

M. Joseph Cisna is the Marketing Director for Experior Corporation. Experior is a healthcare information systems developer specializing in physician practice management solutions in the mid- to large-sized single- and multi-specialty clinic environment. Founded in 1978, Experior is an independently owned and operated company with a solid history of annual sales growth and product innovation. At the heart of Experior’s success is its medical management system. This online, integrated software package offers clients complete administrative solutions for patient and financial management. It is a comprehensive suite of more than 20 modules, giving customers instant, enterprise-wide access to information regarding patients and the practice itself. This modular design allows clients the freedom to add functionality as organizational needs grow.

Posted to HIPAAcomply 01/12/00


DHHS moves on Patient Privacy

From News & Trends section, Healthcare Informatics Magazine, January 2000

Posted to HIPAAcomply 01/04/00


Date for Responses to NPRM is Extended

Due to the size of the Privacy NPRM (Notice of Proposed Rule Making) and the expected time conflicts in dealing with Y2K, the deadline for responses to the proposed Privacy Regulations has been extended from Jan. 3, 2000 to Feb. 17, 2000.

Publication dates for the final rules for HIPAA regulations have been modified to the following:

1) EDI Transaction formats and codes => January 2000.

2) Security and National Provider Identifier => March 2000

3) Employer Identifier => 1Q2000

Also, the new NPRMs (Notices of Proposed Rule Making) for health plan identifiers and claims attachments are expected to be released 1Q2000.

The reason for the delay essentially rests in the improvements and clarifications that were introduced in the process of developing the Privacy NPRM.  That is, DHHS used a number of "improved definitions" for terminology that also appears in all of the prior NPRMs (security, transactions, codes, etc.).  Therefore, DHHS needs the additional time to align the rest of the NPRMs with the changes made in the Privacy NPRM.

Posted to HIPAAcomply 01/04/00


HHS Proposes First-Ever National Standards To Protect Patients' Personal Medical Records
DHHS Press Release, October 29, 1999

Posted to HIPAAcomply 01/04/00


Clinton Plan Would Tighten Medical Privacy
October 29, 1999

WASHINGTON (CNN) -- Because Congress "failed to act," President Clinton on Friday proposed federal regulations to keep some medical records away from curious employers, marketing firms and others who often see patients' most sensitive information without their consent. The proposed regulations would restrict the use and release of private health information transmitted or maintained by computers, including printouts.

"Every American has a right to know that his or her medical records are protected at all times from falling into wrong hands and yet more and more of our medical records are stored electronically," Clinton said at the White House. As a result, "the threats to our privacy have substantially increased."

"A recent survey showed that more than a third of all Fortune 500 companies check medical records before they hire or promote," the president said.

"One large employer in Pennsylvania had no trouble obtaining detailed information on the prescription drugs taken by its workers, easily discovering that one employee was HIV-positive," Clinton said. "This is wrong."

Health industry groups say it will cost billions of dollars to comply with the proposed measures and could hinder patients' access to their own records.

President acted after Congress didn't
Congress debated the issue for years, but failed to meet a self-imposed August 21 deadline for legislating new protections.

Existing laws protecting medical privacy vary widely from state to state. Currently, there are no federal guarantees that private information won't be passed to employers, sold to pharmaceutical companies or talked about in insurance company offices.

The administration will publish the proposal next week for review. It has until February 2000 to issue a final proposal, with the rules to take effect in 2002.

The new federal rules would go beyond the weaker protections of some states, but would not override those with more restrictive laws.

Only congressional action can protect the large amount of medical information that has existed only on paper. "There are still protections ... we can give our families only if there is an act of Congress passed," Clinton said, asking House and Senate leaders to help enact "a comprehensive medical privacy law."

Written consent required
Under the proposal, doctors, hospitals or health plans would not release a patient's information for purposes unrelated to treatment and payment without written consent. Private information can now be released to financial institutions, direct marketing firms and others without a patient's knowledge or consent.

When required to release medical information, health organizations would have to limit the disclosure to the minimum necessary for each case instead of a patient's entire record. For example, when paying for medical services, no treatment information would be sent to banks or credit card companies.

The proposal would create new civil and criminal penalties for improperly disclosing patient information. Intentionally releasing information would be punishable by a fine of up to $50,000 and one year in jail. Someone trying to sell information could face a $250,000 fine and 10 years in prison.

Patients also would be given the right to see and copy their medical records and to request corrections of any errors.

Under the new rules, law enforcement organizations would be prohibited from obtaining medical records without legal authorization like a warrant or court order. This retreats from the administration's previous position of allowing law enforcement unfettered access to health records.

Patient notification required
The plan would require health care providers to send patients a notice describing how they use electronic medical information and advise patients in advance of any changes.

Health maintenance organizations would also have to establish internal procedures to protect patient records, including limiting access to information and training employees to keep patient information private during their routine operations.

Teen rights
Regarding teen-agers who seek medical care on their own, the plan follows the lead of existing state laws. When a state allows a minor to obtain health care without notifying a parent or getting their consent, the minor's rights would be protected under the proposed plan.

If a state requires a parent to be involved, then the privacy rights would apply to the parent, not the minor.

During congressional debate, Democrats led by Massachusetts Sen. Edward Kennedy pushed to allow teens to keep their records private, even from their parents and even when it involves abortion.

After Congress failed to meet the August 21 deadline it set three years earlier, the 1996 law required the Department of Health and Human Services to write regulations on medical privacy.

Posted to HIPAAcomply 01/04/00