Archived News and Information from 1/2000 through 12/2000

Privacy Rule is Finalized - Posted to HIPAAcomply 12/21/00    

Clinton to Issue New Rules on Medical Data Privacy- Posted to HIPAAcomply 11/21/00

HIMSS Sponsors Educational Audio Conference on HIPAA - Posted to HIPAAcomply 10/13/00

Link to Final Rule on National Standards for Electronic Transactions - Posted to HIPAAcomply 10/5/00

Does HIPAA Supercede State Law? - Posted to HIPAAcomply 10/4/00
(A HIPAAcomply Document Download)


Getting Ready for HIPAA - Posted to HIPAAcomply 8/24/00

Document Reasonableness of Your Security Decisions - Posted to HIPAAcomply 8/24/00

U.S. Toughens Rules on Medical Privacy, but Some Want More Limits - Posted to HIPAAcomply 8/23/00

Believing in Biometrics - Posted to HIPAAcomply 8/22/00

Evaluating HIPAA Vendors? - A Tool to Measure Critical Capabilities - Posted to HIPAAcomply 8/17/00

Health data on 858 patients mistakenly e-mailed to others - Posted to HIPAAcomply 8/17/00 

DHHS Signs Final Rules for Transaction Standards - Posted to HIPAAcomply 8/14/00

WEDI's SNIP Initiative continues to Advance - Posted to HIPAAcomply 8/14/00

Klein Appointed to MedChi Privacy Committee - Posted to HIPAAcomply 7/19/00

HIPAA: "I want you to comply with privacy regulations" - Posted to HIPAAcomply 7/12/00

HMO Held Responsible for Confidentiality Breach - Posted to HIPAAcomply 06/22/00

HIPAA Glossary Available from WEDI - Posted to HIPAAcomply 06/20/00

Create Security/Privacy Committee to Handle Compliance Issues - Posted to HIPAAcomply 05/31/00

The Time to Start HIPAA Planning is Now - Posted to HIPAAcomply 05/25/00

GAO Senate Testimony on Privacy Standards - Posted to HIPAAcomply 05/09/00

HIPAA Sets Up New Hurdles for Healthcare Players - Posted to HIPAAcomply 05/01/00

Senate Committee Hears Differing Views on Proposed Privacy Rule - Posted to HIPAAcomply 05/01/00

CIO Survey says HIPAA Requires Action - Posted to HIPAAcomply 03/28/00

HHS Sets Firm Goal for Publication of Final Rule for Transactions and Code Sets Standards - Posted to HIPAAcomply 03/27/00

Beacon Partners Responds to Delays in HIPAA Final Rules - Posted to HIPAAcomply 03/27/00

WEDI Bulletin on Transaction Final Rule Date and Planning for Implementation - Posted to HIPAAcomply 03/16/00

HHS Indicates that HIPAA Final Rules will be Delayed Further - Posted to HIPAAcomply 03/15/00

Privacy Concerns May Spark Congressional Intervention - Posted to HIPAAcomply 03/15/00

HIPAA and Administrative Simplification - Posted to HIPAAcomply 03/15/00

Final HIPAA Privacy Rules will be Delayed - Posted to HIPAAcomply 03/01/00

House Holds Hearing on HIPAA Regulations - Posted to HIPAAcomply 02/23/00

WEDI's Letter of Comment to the Privacy NPRM - Posted to HIPAAcomply 02/17/00

Memo from Deputy Attorney General Eric Holder to Inspectors General Directing Them to Refer Potential Violations of Federal Privacy Statutes to the Department of Justice for Investigation and Prosecution - Posted to HIPAAcomply 02/02/00

HIPAA Regulation Compliance on Heels of Y2K Headache - Posted to HIPAAcomply 01/12/00

DHHS moves on Patient Privacy - Posted to HIPAAcomply 01/04/00

Date for Responses to NPRM is Extended - Posted to HIPAAcomply 01/04/00

HHS Proposes First-Ever National Standards To Protect Patients' Personal Medical Records - Posted to HIPAAcomply 01/04/00

Clinton Plan Would Tighten Medical Privacy - Posted to HIPAAcomply 01/04/00



 
HHS ANNOUNCES FINAL REGULATION ESTABLISHING FIRST-EVER NATIONAL STANDARDS TO PROTECT PATIENTS' PERSONAL MEDICAL RECORDS

HHS Secretary Donna E. Shalala today released the nation's first-ever standards for protecting the privacy of Americans' personal health records. This new regulation will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.

For complete information on the final privacy rule click on the links below:

HHS Press Release

HHS Fact Sheet on the Final Privacy Rule

Download the text of the Final Rule (in PDF) - Beware!! It is quite large!!!

DHHS Administrative Simplification Page

Posted to HIPAAcomply 12/21/00


Clinton to Issue New Rules on Medical Data Privacy
By ROBERT PEAR, N.Y. Times
(This article originally appeared in the N.Y. Times, November 20, 2000)

WASHINGTON, Nov. 19 — The Clinton administration will soon issue sweeping new rules to protect the privacy of medical records. But under pressure from the health care industry, officials say, they are backing off a proposal to give patients a broad new right to sue and recover damages for the improper disclosure of confidential information.

Chris Jennings, the health policy coordinator at the White House, said President Clinton would issue the final rules, with the force of law, in the next few weeks.

The administration is "going full steam ahead, with a full commitment" to the goal of protecting privacy, Mr. Jennings said.

As President Jimmy Carter did 20 years ago, Mr. Clinton is leaving office with a burst of regulatory activity that he hopes will leave an imprint on the nation long after his term ends. Last Monday, the government issued rules intended to protect millions of workers against repetitive stress injuries.

The privacy rules, the first comprehensive federal standards to protect the confidentiality of medical data, will affect virtually everyone who receives or provides health care in the United States. The rules come at a time when insurers and health care providers are making greater use of computers to store and exchange medical information on patients.

The new Congress could alter the rules, but will have great difficulty mustering a consensus for any alternative.

Legislation to set federal privacy standards died this year because of profound disagreements between consumer advocates and the health care industry.

A 1996 law required the secretary of health and human services to set the standards for medical privacy, but gave her little guidance on what the rules should say.

Under the new rules, consumers will for the first time have a federal right to inspect and copy information in their medical records. They will also have the right to request correction of information that they consider inaccurate or incomplete.

The standards will limit the use and disclosure of data by insurance companies, health maintenance organizations and other health care providers, including doctors, nurses, hospitals, nursing homes, pharmacies and medical laboratories.

In proposing the rules for public comment in November 1999, President Clinton lamented the fact that his regulatory authority was limited: he could not directly regulate the conduct of the many people with whom doctors and hospitals share information on patients.

"To fill this gap in our legislative authority," the government said, it will hold health care providers responsible for the activities of their "business associates," including lawyers, auditors, accountants, consultants, billing companies and other contractors.

Health care providers would have to rewrite contracts with these business partners to guarantee that information on patients is kept confidential. Business partners would have to promise to follow the federal privacy standards, just as doctors and hospitals do.

The 1996 law did not give patients a new right to sue for violations of their privacy.

"The statute does not provide for a private right of action for individuals," the administration said in a preamble to the proposed rules last year.

But federal officials tried to overcome the limits of the law. In the proposed rules, they said that patients must be named as the "intended third-party beneficiaries" of contracts between health care providers and their business partners.

This would have given patients a powerful new tool to enforce their rights. Patients could have sued in state court for violation of the contract if their medical records were improperly disclosed.

But federal officials said they had recently decided to back away from this proposal after receiving a torrent of criticism from the health care industry, which complained that the administration had exceeded its legal authority.

The American Association of Health Plans, a trade group for H.M.O.'s, said its members and their business partners would have faced "significant new legal liability" if the federal government had authorized patients to sue for violations of their privacy rights.

The Health Insurance Association of America said the Clinton proposal could have led to "excessive litigation, including class action lawsuits, that would drive up health care costs."

Employers said that health insurers would drag them into such litigation, and that the risk of new lawsuits would discourage companies from providing health benefits to employees.

Jackie M. Huchenski, a health lawyer in New York City, said: "The rule on business partners is very controversial. It imposes new obligations on health care providers and health plans, making them responsible for someone else's mistakes."

Paul G. Sherwood, senior vice president of Halifax Regional Medical Center, a 206-bed hospital in Roanoke Rapids, N.C., said it was unrealistic to hold him responsible for what his business partners might do.

"I have very little control over my contractors," Mr. Sherwood said. "The proposed rule appeared to be inviting a plethora of litigation."

Doctors, hospitals and their business partners will still have to comply with the rules, officials said, but patients will not get any new right to sue.

Even without an explicit new right to sue, Ms. Huchenski said, patients may be able to recover damages by filing suit under certain existing state laws that protect consumers or regulate health care.

Posted to HIPAAcomply 11/21/00



HIPAA: A Practical Implementation Guide 

An Audio Conference Series Sponsored by HIMSS 

To meet the needs of healthcare professionals for immediate, affordable education on HIPAA, HIMSS is offering two series of "how-to" audio conferences with industry experts who will provide insight, strategy, and practical tips for successful HIPAA implementation.

Choose any or all of the six scheduled conferences below. 

Series #2: HIPAA Information Security 
Presented by: David Tubbs, Chief Technology Officer, Talon Technology International, Inc. 

Conference 4: Survivor: Replace or Update Your Information System? 
January 11, 2001 

Conference 5: Friend or Foe: Contractor and Business Partner Security 
January 25, 2001 

Conference 6: Finding Your Weakest Links: Reassessing and Addressing Vulnerabilities 
February 15, 2001 

Click here for more detailed information on this HIMSS sponsored educational series

Posted to HIPAAcomply 10/13/00



Link to Final Rule on National Standards for Electronic Transactions 

The Final Rule on National Standards for Electronic Transactions was published in the Federal Register on Aug. 17, 2000 and is effective October 16, 2000. The compliance date is October 16, 2002 (2003 for small health plans).

Click here to link to the FINAL RULE ONLINE

Posted to HIPAAcomply 10/5/00



Does HIPAA Supercede State Law?

For an excellent, in-depth treatment of the issue of preemption of state law as it applies to the HIPAA standards for transactions, code sets, identifiers, and security, click below for a paper (in PDF format) by Tom Gilligan, Executive Director & Washington Representative for AFEHCT.

Does HIPAA Supercede State Law Paper (PDF)

Posted to HIPAAcomply 10/4/00



Getting Ready for HIPAA
Although costs will be substantial, complex new federal rules could yield savings.
From Internet Health Care Magazine, July/August 2000

http://www.internethealthcaremag.com/html/current/f0700b.htm

Posted to HIPAAcomply 08/24/00



Document Reasonableness of Your Security Decisions
The following article was published in the June 2000 issue of the Health Information Compliance Insider, and is reprinted with the permission of Brownstone Publishers, Inc.

Security Decisions - PDF Format

Posted to HIPAAcomply 08/24/00



U.S. Toughens Rules on Medical Privacy, but Some Want More Limits
By ROBERT PEAR
From the New York Times, Sunday, August 20, 2000, National Desk 

WASHINGTON, Aug. 19 -- After nine months of blistering criticism from doctors, patients and consumer groups, the Clinton administration says it has decided to beef up protections for the privacy of medical records, beyond what it proposed last year.

But administration officials said the new rules, to be issued before the Nov. 7 election, would not give patients full control of their medical records, as many advocates of privacy rights had recommended.

The rules would, for the first time, set comprehensive federal standards requiring doctors, hospitals, pharmacists and insurance companies to limit the disclosure of medical information about individual patients.

The health care industry and insurance companies must comply with the new rules within two years. The rules, issued under a 1996 statute, would have the force of law; no further action by Congress is required.

The far-reaching, complex rules will touch almost every aspect of the health care system. They will come at a time when large amounts of medical data, including genetic information about a patient's risk of developing specific diseases, can be stored electronically and sent across the country or around the world with the click of a computer mouse.

Administration officials said they saw publication of the rules as a significant achievement that could help Vice President Al Gore, the Democratic candidate for president. Mr. Gore has called for an "electronic bill of rights" to protect people against the misuse of computerized personal information of all types.

Chris Jennings, the health policy coordinator at the White House, said President Clinton was committed to issuing the rules on medical privacy by late summer or early fall. "That's a very high priority," Mr. Jennings said.

Public opinion polls show that Americans are increasingly concerned about privacy in general and want greater protection for medical records, in particular. Some people say they shun testing for cancer, H.I.V. infection and other conditions because they fear discrimination in insurance or employment.

The Republican Party platform promises new rules to protect the privacy of medical information, but gives no details. If Gov. George W. Bush of Texas wins the presidential election, his advisers said, he would probably want to re-examine the rules, rather than rely on the policy judgments of the Clinton administration.

The White House published the proposed rules in the Federal Register on Nov. 3, 1999. After reviewing thousands of public comments, federal officials said, they expect to make these changes:

  • The rules, as originally proposed, would have applied mainly to information transmitted electronically or stored in computers. The final rules will also apply to many paper records. This is an important change because most medical records are still kept on paper.
  • Under the proposed rules, health care providers and insurance companies were supposed to advise patients of their rights and tell them how personal medical information might be used or disclosed. The new rules are likely to go further, stipulating that doctors should get patients to sign forms acknowledging that they have actually received such notices.
  • The proposed rules would have permitted the use and disclosure of medical information without a patient's consent for treatment, payment and a wide range of loosely defined "health care operations." They would also have prohibited doctors from asking patients to sign a consent form unless it was required by state law. The new standards will allow doctors to seek the patient's consent, and many doctors said they had an ethical obligation to do so.

Under current practice, doctors often ask patients to sign forms authorizing the use and disclosure of medical information for various purposes.

The American Civil Liberties Union said, "The proposed regulations are a step backward from current practice because they require only notice and not consent."

Administration officials said the new rules would limit disclosure of medical information to the "minimum necessary" and give patients a right to see their medical records. In addition, the rules would pre-empt weaker state laws.

A person who discloses health information in violation of the rules could be fined $50,000 and imprisoned for one year. If the offense is committed for commercial advantage or personal gain, the rules allow tougher penalties: a $250,000 fine and 10 years in prison.

The 1996 law directed the administration to issue rules on medical privacy if Congress failed to pass legislation by Aug. 21, 1999.

Lawmakers missed that self-imposed deadline. Congress could alter any of the new standards, but has been at an impasse, under pressure from scores of lobbyists with conflicting interests on the issue of medical privacy.

Robert M. Gellman, an expert on privacy and information policy, said the administration was "taking a real gamble" in issuing the rules before the election because they might be criticized as not going far enough to protect privacy.

On the other hand, the Health Insurance Association of America and the Blue Cross and Blue Shield Association said the proposed rules went too far, exceeded the government's legal authority, were unworkable and would impose new costs on patients and employers, who pay for much of the nation's health care.

When the rules were proposed last year, they were praised at first, but then criticized by the American Medical Association, the American Civil Liberties Union and experts like Janlori Goldman, director of the Health Privacy Project at Georgetown University.

After reading the fine print, critics said the proposals were a license to disclose sensitive medical information, rather than a fence restricting access.

In a typical comment, the American Cancer Society said it was concerned that the proposed rules would allow "the total free-flow of information" without input from patients.

"We believe that the individual should retain the ultimate right to decide to whom, and under what circumstances, individually identifiable health information will be disclosed, even in cases of treatment, payment or health care operations," the cancer society said.

Likewise, the American Medical Association said, "Valid consent should be obtained before personally identifiable health information is used for any purpose."

Posted to HIPAAcomply 08/23/00



Believing in Biometrics 
Biometric technologies not only exist--they work and are now affordable.

By Fred D. Baldwin 
August 2000 - Healthcare Informatics

http://www.healthcare-informatics.com/issues/2000/08_00/baldwin.htm

Posted to HIPAAcomply 08/22/00

 
Evaluating HIPAA Vendors? - A Tool to Measure Critical Capabilities

With the recent adoption of the final HIPAA regulations for transactions and diagnosis/procedure codes, many organizations will be seeking HIPAA help. The attached tool can be used to measure critical capabilities and objectively compare different vendors. Health care organizations may add additional factors relevant to individual circumstances, such as prices and industry reputation.

Download HIPAA Vendor Evaluation (PDF format)

Posted to HIPAAcomply 08/17/00

 
Health data on 858 patients mistakenly e-mailed to others 
Medical information was among messages sent out by Kaiser 

By M. William Salganik 
Sun Staff
www.sunspot.net

The Kaiser Permanente Health Plan admitted yesterday that it had inadvertently e-mailed to 19 of its patients health information about 858 other patients.

"There was a glitch" when new software was installed Aug. 2 to speed up e-mail responses to patients, according to Beverly Hayon, director of national media relations for the HMO, which has headquarters in Oakland, Calif. 

The information sent out by mistake was of varying levels of sensitivity, Hayon said. 

It ranged from a simple note saying the member would be sent a password for the online system to "answers to medical questions about a particular disease or condition," she said. 

Kaiser noticed the problem after about 20 minutes, and shut down its e-mail system to fix it, Hayon said.

The health plan had contacted everyone who received the information by mistake, and all had said they deleted it and had not transmitted it further. She also said it was calling all 858 members whose information had been sent out by mistake, and had already reached most of them. 

Both Beth Givens, director of the Privacy Rights Clearing House in San Diego, and Susan Pisano, vice president of the American Association of Health Plans, said that although the World Wide Web and e-mail are being used increasingly to provide health information, they were unaware of any similar problems. Givens said a credit-rating service, Experian, had sent credit reports ordered online to the wrong people a few years ago when "the system sort of blew up." In health, she said, some letters containing health information were stuffed into envelopes addressed to different people. 

But while such privacy errors can happen with conventional mailings, she said, "the scale can be grander in the online world." For example, she said, in the case of credit-card numbers, "one dishonest waiter can rip off 20 to 50 people a day, while a hacker can get 100,000 credit-card numbers in a few moments." 

While health plans are increasingly using automated methods for "reducing costs and increasing services," Givens said, they should build in safeguards, and when such problems occur, "perhaps they're getting too close to the bone." Pisano said Kaiser "views themselves as leaders" in the area of online health services, "and they see it as part of their leadership role to acknowledge that this happened." 

Hayon said about 250,000 of Kaiser's 11 million members use the online information service, and about 20,000 more sign up each month. They can make appointments, order prescription refills and ask health questions to doctors, nurses and pharmacists. They receive answers or confirmations by e-mail.

The e-mail system was shut down for installation of new software. Then, Hayon said, "Somebody pushed something and sent off the e-mails." Some members waiting for a response got multiple ones, from a few extra to as many as 400. Soon, Kaiser's technicians noted the unusual size of outgoing e-mail, and shut down the system for a fix.

By yesterday evening, Hayon said, 13 people said they had already deleted the information, three others said they would delete it, two said it had never been delivered, and one member could not be reached.

Givens said people using any new online service should realize that problems may surface, and might want to "wait until the bugs have been worked out" before offering their own sensitive information. A Kaiser member herself, she said she had not used the online service, not because of privacy concerns but because, "I just haven't found the time to delve into their Web site."

Originally published Aug 10, 2000 on www.sunspot.net.

Posted to HIPAAcomply 08/17/00



DEPARTMENT OF HEALTH AND HUMAN SERVICES (DHHS) SECRETARY DONNA SHALALA SIGNS FINAL RULES FOR ADMINISTRATIVE TRANSACTIONS AND DIAGNOSIS AND PROCEDURE CODES PROMULGATED UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

The two-year compliance clock begins ticking 60 days after the final adoption date and all covered entities must comply by October 2002.

NORWELL, MA (August 14, 2000) - The final rules set the stage for sweeping changes across the health care industry to gain administrative savings through standardization and simplification of electronic health care transactions. The final rules require health plans, providers, and clearinghouses exchanging electronic administrative health care transactions to implement ASC X12 standards for health claims, referral certification/authorizations, claim status inquiries, eligibility requests/responses, remittance advices, and health benefit enrollment/disenrollment. Additionally, the final rules require retail drug claims to comply with the NCPDP standard for batch or telecommunication claims using version 1.0 or 5.1 respectively. Finally, the rules require utilization of ICD-9-CM, CPT, CDT, NDC, and HCPCS coding standards. Local codes are disallowed and redundant codes eliminated.

"With the long anticipated adoption of these final rules, health care organizations are well advised to accelerate preparations in earnest," said Tom Hanks, Practice Director, Enterprise Security and HIPAA Compliance, Beacon Partners. "HIPAA is an enterprise-wide event affecting not only EDI and IT concerns, but also has substantial ramifications on business and operational concerns".

"Some organizations have already undertaken education and assessment activities to better understand the impact of HIPAA," according to Jim Klein, Manager, Enterprise Security and HIPAA compliance, Beacon Partners. "There are many that have not initiated planning and preparation activities and with the clock now ticking, it is imperative that organizations develop a sense of urgency to avoid future expense, risk and penalties".

Recent updates from government officials indicate the remaining HIPAA standards are being prepared for publication later this year, which includes security, privacy, employer and provider unique identifiers, and draft standards for claim attachments.

Publication of the final rules is scheduled for August 17, 2000 and will be available from the Government's HIPAA website at http://aspe.hhs.gov/admnsimp/index.htm and the Federal Register. The HIPAA transaction implementation guides are now available for free download from the Washington Publishing website at http://www.wpc-edi.com/hipaa/. Additional HIPAA information can be found at http://www.HIPAAcomply.com.

About Beacon 
Beacon Partners is a national health care management consulting firm with offices in Boston and Chicago serving over one hundred healthcare facilities in the United States. Since 1989, the consultants of Beacon Partners have provided healthcare organizations with a wide range of client-focused consulting services, including strategic planning, business operations management, clinical solutions, information systems and technical solutions. Beacon Partners is a recognized leader in the HIPAA arena with over four years of HIPAA experience, including numerous educational and HIPAA assessment engagements. Beacon provides a full range of services for HIPAA compliance from initial education and assessment through remediation, implementation and on-going monitoring. Beacon's HIPAA experts have contributed to the underpinnings of the HIPAA regulations and are sought by many industry organizations to address HIPAA's scope and implications on healthcare. To learn more about Beacon Partners, call 1-800-4BEACON or visit http://www.beaconpartners.com.

Contact:

Thomas Hanks 
Practice Director, Enterprise Security & 
HIPAA Compliance 
Beacon Partners, Inc. 
(847) 490-5306 
tom.hanks@beaconpartners.com

Jim Klein
Manager, Enterprise Security & 
HIPAA Compliance 
Beacon Partners, Inc. 
(410) 721-9144 
jklein@beaconpartners.com

Posted to HIPAAcomply 08/14/00



WEDI's SNIP Initiative continues to Advance

The Workgroup for Electronic Data Interchange (WEDI), with active participation from the Association for Electronic Health Care Transactions (AFEHCT), continues to advance the HIPAA initiative "Strategic National Implementation Process (SNIP)". SNIP has broad industry representation from major market segments including Federal Government, health plans, providers, clearinghouses, and numerous regional organizations. The major emphasis is to identify common industry HIPAA implementation issues and seek ways for health care organizations to minimize such issues through cooperative industry implementation planning and coordination. Three work groups were formed to advance the SNIP initiative: Transactions/Code Sets/Identifiers, Security/Privacy, and Education/Awareness. The work groups continue to make significant headway and interested parties should check the WEDI website frequently for updates at http://www.wedi.org. Beacon Partners continues to maintain its long-standing active role in WEDI initiatives. Mr. Tom Hanks, Beacon's Practice Director for Enterprise Security & HIPAA Compliance, serves as a WEDI board member and Mr. Jim Klein, Beacon's Manager for Enterprise Security & HIPAA Compliance, serves on the steering committee for the SNIP Education/Awareness work group.

Posted to HIPAAcomply 08/14/00



Klein Appointed to MedChi Privacy Committee

Jim Klein, Manager of Enterprise Security and HIPAA Compliance for Beacon Partners, has been appointed as a member of the Privacy and Confidentiality Committee of MedChi for 2000. MedChi is the Maryland state medical society which was formed to unite the medical profession, promote and disseminate medical and surgical knowledge, protect public health and elevate the standards of medical education. The organization continues to actualize its original goals through legislative advocacy, public health programs and the expansion of its membership base. MedChi's mission is to serve as Maryland's foremost advocate and resource for physicians, their patients and the public's health.

MedChi's committees perform an important function through consideration of matters that face today's physicians and help set policy by making recommendations to the Board of Trustees and the House of Delegates.

For more information on MedChi visit http://www.medchi.org

Posted to HIPAAcomply 07/19/00



HIPAA: "I want you to comply with privacy regulations" 

Soon the federal government will finalize privacy rules for electronic transfer of patient records. If you're not sure how your practice will fare, you should start thinking about it now. 

By Tyler Chin, AMNews staff. July 10/17, 2000.

http://www.ama-assn.org/sci-pubs/amnews/pick_00/tesa0710.htm

Posted to HIPAAcomply 07/12/00




HMO Held Responsible for Confidentiality Breach

A New York appeals court has ruled that an HMO can be held liable for a breach of privacy even though the employee who released a patient's records wasn't acting in the normal course of business. The court says Community Health Plan-Kaiser Corp. is liable for a breach of confidentiality that occurred when an employee released the mental health records of an Albany, N.Y., woman that indicated she is gay. Both sides expect the case to be appealed further.

Click here for the full article from Modern Physician

Posted to HIPAAcomply 06/22/00




HIPAA Glossary Available from WEDI

The first of several remaining final and proposed rules authorized under the Health Insurance Portability and Accountability Act of 1996 is expected to be published at the end of June by DHHS. This first rule is expected to be a final rule to establish standard formats and data content for electronic claims and related transactions. This, and the remaining rules, promise to be full of acronyms, abbreviations and other unfamiliar terms.

The Workgroup for Electronic Data Interchange (WEDI) has created a HIPAA Glossary that will make it easier to look up such terms, rather than having to fumble through previous pages to find the first reference. In addition to explaining what provider taxonomy codes are, or the difference between structured and unstructured data, the glossary defines such abbreviations as A/S, DCC, EDIFACT and NASMD. You can access this glossary at http://www.wedi.org. (Please note: this document is in PDF format and requires the use of Adobe Acrobat Reader Software.)

WEDI is an advocacy organization that promotes the use of electronic commerce in healthcare and has advised federal officials in developing HIPAA rules. 

Posted to HIPAAcomply 06/20/00




Create Security/Privacy Committee to Handle Compliance Issues 
(from Health Information Compliance Insider, May 2000, published by Brownstone Publishers, Inc., 1-800-643-8095)

Your health care organization will have to make many changes to ensure its compliance with HIPAA security and privacy regulations when they're finalized. You'll have to create, adopt, and enforce many new security and patient privacy policies and procedures, as well as develop and implement ongoing security and privacy education and training. To make these compliance efforts work, you'll have to make sure that they're "totally integrated" into your organization and that senior management is behind them, says health information consultant Tom Hanks.

How do you accomplish this? A good starting point is to create a security and privacy committee now to oversee development and implementation of your organization's compliance efforts, recommends Hanks. Here's a rundown on how to create an effective committee and what its first steps should be.

SET COMMITTEE MEMBERSHIP 
Make sure the following are on the committee:

Representatives from every department. 
Put a representative from every department in your organization on the committee. This will help ensure organization-wide participation in compliance efforts, says Hanks. Include a representative from: Nursing; Pharmacy; Legal; Human resources; Radiology; Lab; Information technology/information security; and Audit and records.

Who should be a department's representative? The larger your organization, the higher up the person should be in the department. The biggest mistake organizations make, according to Hanks, is to put low-level people on the committee. You don't want committee members who lack the authority to get your organization's senior management on board for compliance efforts, he points out.

Must the representative be the department head? Much depends on the culture of your organization, says Hanks. If department heads typically are educators and managers, then they belong on the committee. But if they typically delegate those functions to someone within the department, then that's the person who should represent the department.

Senior management. 
Also, have representatives of senior management on the committee. Include your organization's chief information officer, chief compliance officer, and general counsel. Ideally, the chief financial officer should also be on the committee. If not, make sure someone reporting directly to that position is on the committee. While it's a plus to get the chief executive officer's participation, it's not essential, says Hanks. But make sure the CEO gets minutes of the committee's meetings.

Insider Says: If your organization is small, you may not have many departments or separate people for each senior management role. One person may assume multiple roles. For instance, your general counsel may also be your chief compliance officer. If that's your situation, make sure that the committee has members representing all of the roles in your organization.

HAVE COMMITTEE REPORT TO BOARD
The smartest move you can make when forming a committee is to make sure that it reports to your organization's board of directors, recommends Hanks. If it does, the committee will be seen organization-wide to have clout, says Hanks. And that will go a long way toward making the committee's efforts successful.

Who on the board of directors should get the committee's reports? A typical board has an executive committee or a risk management or risk avoidance committee. Any of those board committees would be suitable, notes Hanks.

SET COMMITTEE'S FIRST STEPS 
Once a committee is formed, you'll want to make sure it takes the right first steps. They should be:

Step #1: Conduct security/privacy assessment. The committee should assess your organization's current security and privacy policies and procedures, compare them with what's required by the proposed HIPAA security and privacy regulations, and determine what deficiencies exist, says Hanks.

Step #2: Conduct risk assessment. The committee then should have a risk assessment done that quantifies the risk associated with each security and privacy deficiency in your organization, the methods of eliminating those deficiencies (remediation), and their costs. A risk assessment can be conducted internally or by an outside consultant, says Hanks.

Insider Says: Make sure employees are interviewed as part of the risk assessment, advises Hanks. Employee input will help pinpoint problem areas. It will also provide insight on the level of employee compliance with current policies and how effective those policies are. It's best to get someone from outside your organization to conduct employee interviews, Hanks says. Having an insider conduct the interviews won't provide valid results, he explains, because employees are often reluctant to tell the truth to someone from their own organization.

Step #3: Set strategy. Once the risk assessment is done, says Hanks, the committee should set remediation priorities. It should decide how much money to spend on remediation, what risks the organization is willing to accept, and what remediation steps should be taken. 

Insider Source: 
Tom Hanks 
Practice Director, Enterprise Security & HIPAA Compliance 
Beacon Partners, Inc.
200 Cordwainer Dr., 3rd Fl., Norwell, MA 02061.

Posted to HIPAAcomply 0/25/00



 

THE TIME TO START HIPAA PLANNING IS NOW

(From HFMA WANTS YOU TO KNOW-May 24, 2000, A service of the Healthcare Financial Management Association, http://www.hfma.org )

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included administrative simplification provisions that will profoundly affect how the healthcare industry handles patient information and claims. By providing nationwide, uniform standards for doing business electronically, administrative simplification standards encourage healthcare entities to automate their claims processes. Once implemented, these standards are expected to streamline business processes, reduce operational disruptions, lower costs, and reduce claims-processing error rates.

Compliance with the HIPAA administrative simplification regulations will be required by Federal law and related regulatory and accreditation bodies within the next two to four years. Failure to comply will result in stiff monetary penalties and, possibly, program exclusion. Of special concern is knowing disclosure of individually identifiable patient information, which will result in criminal penalties against both the organization and the individual responsible for the disclosure. The time to start planning is NOW.

Based on input from an informal group of HFMA members and industry experts, HFMA suggests that providers take the following actions:

BUDGET PROPERLY. 
For most healthcare organizations, efforts to become HIPAA-compliant will be a multiyear, high-cost, institutionwide effort that likely will exceed the resource outlays that were required for Y2K compliance.

LAY THE GROUNDWORK FOR BUY-IN. 
HIPAA-related changes will affect every information system and process that uses or collects patient data, including medical records and electronic business transactions (claims, referrals, and remittance). To implement these significant changes in processes, organization, and staffing, enterprisewide buy-in is critical.

LEAD FROM THE TOP. 
Although information technology is a major component of HIPAA compliance, HIPAA initiatives would be managed more effectively as a strategic business issue than an IT issue, since the initiatives affect a wide range of staffs throughout the enterprise.
Large- and medium-sized organizations should engage a full-time, senior-level manager to lead the HIPAA compliance effort.

MAKE HIPAA YOUR TOP PRIORITY. 
Unless your preparations are already well advanced, you will probably have to either defer other major projects or add staff to meet HIPAA compliance deadlines.

COOPERATE WITH OTHER ORGANIZATIONS. 
Like Y2K, HIPAA compliance is, in essence, a noncompetitive issue. You can increase the effectiveness of your implementation effort by working with the others in your healthcare community, especially payers, providers, and IT vendors. Such cooperation will minimize the cost, confusion, and disruption that typically accompany changes of the magnitude HIPAA requires.

STAY THE COURSE. 
HIPAA provides for states to enact exceptions to the act's uniformity requirements. While this might be attractive to some entities, in the long run, state by state exceptions will undermine the benefits of national uniformity, especially for organizations that do business across state lines. You should be aware of actions that would affect uniformity, particularly if you do business in more than one state.

HFMA has been a long-standing proponent of uniform business standards. HFMA is working with members and other industry experts to develop resources to ensure HFMA members have the tools they need to effectively implement HIPAA's requirements and realize as much benefit as possible from standardized electronic transactions. Comments or inquiries may be directed to Trinita Robinson at (800) 252-HFMA, ext. 610. E-mail: trobinson@hfma.org.

Learn more about this issue during "HIPAA Is Coming - Are You Prepared for the Challenges the HIPAA Regulation Brings?", part of a 2000 Annual National Institute preconference program, "The 21st Century PFS Professional". Other HIPAA-related ANI sessions include "Compelling Reasons to Start HIPAA Readiness," "Washington Update," and "Functional Compliance - A Hands On Approach to Complying with the Law."

Posted to HIPAAcomply 05/25/00




U.S. General Accounting Office Senate Testimony on Privacy Standards

Click here for a PDF file of the GAO Testimony before the Committee on Health, Education, Labor and Pensions, U.S. Senate, on Privacy Standards: Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information. This testimony is the statement of Janet Heinrich, Associate Director, Health Financing and Public Health Issues, Health, Education and Human Services Division of the GAO. For more information on the GAO, visit them at www.gao.gov.

Posted to HIPAAcomply 05/09/00




HIPAA Sets Up New Hurdles for Healthcare Players
(From Managed Care News Perspectives issue April 18, 2000)
By Michael Casey, Managed Care Analyst, Medical Data International

ALTHOUGH HIPAA IS NOT JUST A PRIVACY ISSUE, HOSPITALS ARE CONCERNED THAT SECURITY AND CONFIDENTIALITY COULD BE COMPROMISED BY NET TRANSMISSION 

SUMMARY:

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, but so far only the "portability" portion for an individual to receive continuous health insurance coverage when changing employers has been implemented. Now, however, after spending millions to upgrade computers because of the potential Y2K glitch, hospitals and other healthcare organizations are told they must provide security and confidentiality of all identifiable patient information in the development of electronic data interchange and healthcare information systems. Cost estimates are triple that of Y2K preparedness, but one HIPAA expert prefers to think of the expense as a long-term investment, especially as more electronic-commerce services are developed and implemented in the medical supply world.

SITUATION:

The Kassebaum-Kennedy Act, also known as the Health Insurance Portability and Accountability Act of 1996, was approved by a Senate committee in 1995 to prevent people with chronic health conditions from losing coverage as they changed jobs. Under the law, employees with insurance could keep that coverage at their next job or shorten the waiting period to receive coverage, but there was no guarantee that benefits would not change or premiums would not be higher. In 1996, the General Accounting Office estimated between 1 million and 3.6 million Americans fit that description.

The other half of the law requires that claims and payments be filed electronically. The law mandates that Congress pass legislation tightening the rules on how a person's private medical information could be used and who would have permission to see it, but Congress missed its August 1999 deadline and continues to work on regulations. The health industry now is pushing for a June 2000 deadline.

The seven provisions that established standards for electronic healthcare transactions and exchanges were intended to improve the flow of information between healthcare organizations while protecting individual privacy and preventing fraud. The Department of Health and Human Services (HHS) estimates the provisions could save health plans, healthcare clearinghouses and providers from $5 billion to $10 billion a year, and HHS projects the five-year cost of compliance to be about $3.8 billion.

However, many healthcare providers claim the actual cost of complying with the new regulations will far exceed the cost of their Y2K preparations. And to date, many providers are unwilling to commit a large portion of their budget during the next two years to comply with HIPAA until all of the rules are known.

ANALYSIS:

The HIPAA requirement considered to be the most troublesome by providers involves the security and confidentiality of all types of patient-identifiable health information, including health claims, eligibility and payments. The standard requires all health plans, healthcare clearinghouses and providers to establish and maintain appropriate safeguards by such means as appointing an information security officer, developing a security plan, providing training for employees and securing physician access to records.

Healthcare providers say they are more concerned about security and privacy issues than any other aspect of HIPAA. Although some security safeguards do exist as part of the provider's standard practice, using the public Internet to transmit patient information represents a much greater risk in confidentiality.

Providers, though, cannot wait for Congress' final ruling before assessing their risk vulnerabilities and planning how to implement specific technical and administrative procedures to ensure the security of electronic health data. Hospitals, physicians and medical groups must start thinking now about their security precautions, warns Dr. Steven Lazarus of the Boundary Information Group, who serves as chair-elect for the Workgroup for Electronic Data Interchange (WEDI) and is an advisor to the Secretary of HHS.

"Hospitals tend to discuss HIPAA as a privacy issue, but we can't dismiss all of HIPAA as privacy. If (the hospitals) don't want to comply, they won't get paid on time," explained Lazarus, in an exclusive interview with Medical Data International, Inc. "The privacy issue is a problem, because no legislation has been passed. It is Congress' fault, and Congress can fix it. But we still can implement HIPAA without those changes. No state preemption is the biggest problem. The AMA (American Medical Association) wants state control. Everyone believes we need to have state uniform access."

WEDI was made an advisor when HIPAA was passed in 1996 and is the only industry-based group that is open to the public to provide input on consensus. Currently, 135 organizations belong to WEDI, but those represent only employer groups and health plans--no providers, Lazarus said in mid-April 2000.

Lazarus acknowledges that many health providers still are reeling from spending considerable amounts of money to exterminate the Y2K bug. He cited a recent Gartner Group study that found HIPAA would cost healthcare organizations three times as much as Y2K. Much like Y2K, HIPAA's cost will depend heavily on how much upgrading a hospital has done on its information system during the past 10 years.

However, Lazarus says HIPAA regulations offer tremendous opportunities for healthcare organizations to become more efficient and achieve significant savings. Some experts believe the industry could save $125 million a week if standards already available today were employed for electronic transactions.

"Some parts of HIPAA will cost a lot of money, but it will be a good investment, especially when more e-commerce services come along and are implemented in the supply world," Lazarus said. "All e-commerce companies that are looking to deliver drugs are online, and all are covered by security regulations. They are not relying on patient authorization. That takes about half the cost away."

The most stringent HIPAA security requirement will cover patient information and transactions that are conducted online. HIPAA likely will require evidence that only the appropriate person can gain access to the information through authentication services such as encrypted codes and digital certificates. Another important component will be the entity that audits and records who accesses a patient's record, and when.

The good news is that more healthcare providers may be listening. In a survey of more than 500 hospital executives, released by the Healthcare Information and Management Systems Society (HIMSS) in April 2000, 70% said they will concentrate during the next two years on complying with HIPAA. Furthermore, 61% of the respondents said developing systems that improve efficiency will matter, 56% said cost-cutting systems are being evaluated and 42% said they are working on specific e-healthcare applications.

Yet, while HIPAA and the Internet remain top priorities for 2000, healthcare information executives will be working with limited budgets. Only 30% of those surveyed say their organizations' information technology budgets will increase in 2000, and proving return on income is on the minds of 22%, up from 15% in 1999.

LOOKING AHEAD:

Lazarus expects the final rules regarding HIPAA's regulations to be released June 29, 2000, which would give healthcare organizations two years and two months to comply. That would apply only to large providers and health plans; small payers, defined as less than $5 million in revenue per year, have an additional 12 months to comply, as do small providers, whose revenue cap has not been determined.

Healthcare providers are well aware that they must comply with HIPAA regulations on time or face penalties of as much as $100 per violation, at a maximum of $25,000 a year per violation. Still, many are content to take a wait-and-see approach, opting to evaluate final HIPAA rules before taking any action.

"It is a two-year program, but it could take considerably longer," Lazarus says. "Most insurers have legacy systems that can't audit and can't do electronic transmissions, eligibility, readmittance and so on. They will have to replace those systems in the next 1½ to two years, but they should be in the planning process now."

Some experts believe the true impact of HIPAA will not be known until the economy takes a substantial downturn again, causing people to be out of work for more than a few weeks and employers to cut benefits to save money. The longest-term impact likely will come from the government's willingness to tinker with various parts of the American healthcare system, including a bipartisan bill covering new patients' rights.

The value of HIPAA, says Lazarus, will be in "reducing the cost of administering healthcare and increasing employer and health plan satisfaction. I see it as finally having the kind of uniform system to protect the data and privacy of people, but not investing so much so that it places an undue burden on someone."

Resource: Medical Data International's "Managed Care IQ Provider & Payer Database," April 2000.

Copyright © 2000 Medical Data International, Inc. All rights reserved. Reprints may be obtained by permission. Contact an MDI Account Representative at 800.826.5759.

This article contains all original material developed, researched, and written by Managed Care News Perspectives staff writers for exclusive publication by Medical Data International.

Posted to HIPAAcomply 5/1/00


 

Senate Committee Hears Differing Views on Proposed Privacy Rule
(Information provided by the Department of Governmental Affairs, MGMA)

The Senate Health, Education, Labor and Pensions (HELP) Committee held a hearing on April 26 regarding the Department of Health and Human Services' (HHS) proposed privacy rule. During the hearing, witnesses offered varying viewpoints and reactions to the proposed rule. 

Although the committee has held many hearings on the issue of privacy, this was the first hearing the committee has held on the proposed rule. At the request of Chairman James Jeffords (R-VT), the General Accounting Office (GAO) reviewed the proposed rule and the comments submitted in response to it by a selected group of 40 organizations ("stakeholders")--one of which was MGMA. One of the most contentious elements of the proposed rule analyzed by the GAO was the "minimum necessary information" provision. HHS proposed that covered entities be prohibited from using or disclosing more than the minimum amount of protected health information necessary to accomplish the intended purpose of the disclosure. In its formal comments, MGMA expressed concerns over this proposal and the burdens it might place on group practices. In its written testimony, GAO specifically cited MGMA's concerns: "As stated by the Medical Group Management Association, it is likely that the entity requesting information for a particular purpose is in a better position to make the minimum necessary determination."

Posted to HIPAAcomply 5/1/00



CIO Survey says HIPAA Requires Action

(Health Data Management, March 27, 2000, www.healthdatamanagement.com)

Hospital and integrated delivery systems have a long way to go in developing plans for complying with the Health Insurance Portability and Accountability Act of 1996, according to a new survey. More than 45% of 213 CIOs and other top I.T. executives surveyed earlier this year said their organizations had not yet begun to work on detailed plans for complying with HIPAA administrative simplification and data security/privacy rules. Virtually the same percentage report their organizations are working on such plans, while 7% said they already had a plan in place. In addition, only 17% of those surveyed report that the board of directors of their organizations had approved funding to begin HIPAA compliance efforts. On a similar note, 60% report that their CEO does not fully understand the ramifications of HIPAA and the potential costs involved. The survey, sent to a sample of Health Data Management readers, was conducted in January and February. Lawson Software, a St. Paul, Minn.-based company that markets enterprise electronic business applications for the health care industry, provided funding for the survey. A story on the survey results will appear in the April 2000 issue of Health Data Management magazine. 

Posted to HIPAAcomply 03/28/00




HHS Sets Firm Goal for Publication of Final Rule for Transactions and Code Sets Standards
(The following information is the text of an e-mail from Dr. William Braithwaite, Senior Advisor on Health Information Policy at DHHS, updating subscribers of DHHS' Administrative Simplification Web Page List Server)

In a March 14th letter to the Workgroup on Electronic Data Interchange (WEDI), the Deputy Secretary of HHS announced the "... goal to publish the final rule for Standards for Electronic Transactions by the end of June. As you can appreciate, this estimate is predicated upon several things, including approval of the rule by the Office of Management and Budget. We understand the importance of this rule to the health care industry and others and will take the steps necessary to make sure that this goal is met."

At this time, the tentative target dates for other rules have to be updated and the old targets will be removed from the administrative simplification web site until further notice. In any case, I am pleased that we have a firm date for the first final rule and I hope you will all take advantage of this advance notice to start your implementations of the transaction standards.  

The link to DHHS Administrative Simplification is
http://aspe.os.dhhs.gov/admnsimp/.

Posted to HIPAAcomply 3/27/00




Beacon Partners Responds to Delays in Final HIPAA Rules


NORWELL, MA. – (March 22, 2000) – Thomas L. Hanks, Beacon Partners’ Practice Director of Enterprise Security and HIPAA Compliance, is responding to recent announcements of delays in the finalization of HIPAA regulations by advising clients and health care industry executives that, despite the delays in pending legislative mandates, entities still have an obligation to protect patient information, business information and to protect themselves from litigation.

“This delay does not change the basic requirements for protecting patient and business information,” said Hanks. “All health care entities that store and transmit patient identifiable information need to take the first step and completely assess their security capabilities and privacy practices. Getting an assessment started, and even finalized, before the regulations are final, will put an organization in a good position to start the remediation process.” Compliance is required two years from the date of final regulations, which is not considered much time to implement all of the changes that will be required under HIPAA.

“In any event, we do not foresee a lot of changes in the HIPAA security regulations.  For example, the transactions regulations received 17,000 comments, which accounted for approximately a 3% change in the regulations.  The security regulations received 2,000+ comments and we anticipate that will result in fewer than a 5% change in the regulations (most probably in the 2-3% range), and we have a good idea what those changes will be.  This creates a window of opportunity for organizations to get a jump on the HIPAA security requirements and lower their overall cost of compliance.  We learned with Y2K that the sooner you start, the better the outcome and the less it costs.  It doesn’t make sense to sacrifice getting started waiting for what amounts to a 2-5% change in the regulations.”

The Federal Government is pressing the Department of Health and Human Services (DHHS) to finalize regulations. In a recent letter to DHHS Secretary Donna Shalala, Congressman David L. Hobson, primary author of the Administrative Simplification provisions of HIPAA, asks the Secretary for her “personal involvement to move forward with a final regulation for Standards for Electronic Transactions and Code Sets.” The delay of regulations for Transactions and Code Sets is causing delays with all of the final rules. Representatives from WEDI (Workgroup for Electronic Data Interchange) recently met with Kevin Thurm, Deputy Secretary of DHHS.  As a result of that meeting, there has been a new emphasis put on finalizing some of the regulations.  DHHS has announced that the final date for transactions is June 29, 2000 and the final date for security is July 2000.  DHHS will publish all revised timelines on its web site (http://aspe.os.dhhs.gov/admnsimp/) indicating when the remaining proposed and final rules will be promulgated.  As of now, there is no final date for privacy regulations.

Contact:
Thomas Hanks
Beacon Partners
847-490-5306
tom.hanks@beaconpartners.com

####

ABOUT TOM HANKS
Tom Hanks has 20 years of information systems, management consulting and network experience, with the last eight focusing on health care. He is recognized in the industry as an authority on HIPAA security and standards legislation. Mr. Hanks has used his security expertise to contribute to the development of the HIPAA standards and security regulations and is currently active on a number of industry security and standards workgroups addressing compliance with HIPAA legislation. Mr. Hanks is on the Board of Directors of WEDI (Workgroup for Electronic Data Interchange) as well as co-chair of the WEDI Privacy Policy Advisory Group. He was also recently appointed Commissioner for the Electronic Health Network Accreditation Commission.  

ABOUT BEACON PARTNERS
BEACON PARTNERS is a national health care management consulting firm with offices in Boston and Chicago. Since 1989, the consultants of Beacon Partners have provided health care organizations with a wide range of client-focused consulting services, including strategic planning, business operations management, enterprise security and HIPAA compliance, e.Solutions, clinical solutions, information systems and technical solutions. Clients include Integrated Delivery Networks (IDNs), hospitals, managed care organizations, and physician group practices, including academic practice plans. Beacon Partners’ highly experienced consultants are backed by a firm with a solid reputation for measurable results. To learn more about Beacon Partners health care consulting services, call 1-800-4BEACON or visit www.beaconpartners.com.

Posted to HIPAAcomply 3/27/00




WEDI Bulletin on Revised Transaction Final Rule Date & Planning for Implementation

As we previously communicated, the revised date of June 30, 2000 has been announced regarding final rules being released through the clearance process at the Department of Health & Human Services (DHHS) and the Office of Management & Budget (OMB).  The new date for the final rule relates to the implementation guides for the following transactions:

- Health claims or equivalent encounter information.
    - Health Care Claim (837)
- Enrollment and disenrollment in a health plan.
    - Benefit Enrollment and Maintenance (834)
- Eligibility for a health plan.
    - Health Care Eligibility / Benefit Inquiry (270)
    - Health Care Eligibility / Benefit Information (271)
- Claim Payment
    - Health Care Claim Payment/Advice (835)
- Health claim status.
    - Health Care Claim Status request (276)
    - Health Care Claim Status Notification (277)
- Referral certification and authorization.
    - Health Care Service Review Information (278)

What’s important to keep in mind is that there are no further technical changes that will take place with the Implementation Guides prior to the final rule being released.  The reason for the revised date is to assure that definitions are synchronized between rules and reconciled for consistency across them.  During this period, prior to the Transaction Final Rule being released, we would suggest that you take the following actions:

- Commence an assessment of the gaps and impacts to implement the transactions.
- Identify any translator requirements, if appropriate, and commence the selection process.
- Involve your vendors, clearinghouses and other entities to determine their plans and any assistance that may be available.
- Determine specific plans for implementation of the transactions from both an IS and business perspective.
- Determine testing criteria and identify your trading partners.
- Develop “Chain of Trust” language to provide to vendors and others, as appropriate.
- Utilize any third party testing tools to determine HIPAA compliance with the Implementation Guides.

We are further suggesting that organizations commence their planning now rather than waiting the additional 4 months until the final rule is published.  The risks of proceeding are minimal and can potentially provide a competitive advantage for those that are initially proactive.

As we continue our partnership with DHHS we will continue to provide information to you for your planning purposes.  WEDI and the Deputy Secretary, HHS are planning to meet approximately every two months in the future to facilitate government and healthcare industry planning for the implementation of HIPAA.

For further information, please contact Jim Schuping, Executive Vice President of WEDI at 703-391-2716.

Posted to HIPAAcomply 03/16/00





HHS indicates that HIPAA Final Rules will be Delayed Further


On Monday, March 13th, at the 2000 HIPAA Conference in McLean, Va., the Department of Health and Human Services delivered an update on the status of its timetable for producing final rules, as mandated in the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996. Bill Braithwaite, M.D., senior advisor on health information policy at HHS, indicated that the deadlines for producing final rules have been delayed further.

Dr. Braithwaite stated that the final rules have been postponed because they require further work. HHS hopes to issue final rules for employer identifiers and data security in the third quarter and for provider ID in the fourth quarter. The data privacy rule, which is turning out to be the most controversial, may not come out this year at all, due to the heavy volume of comments HHS has received, as well as the need to make sure the privacy rule dovetails with the security rule, Braithwaite says. The only deadline that HHS has committed to is for the rule setting transaction standards for claims and code sets, which will be published by the end of June.

HHS does expect to issue its first proposed rule for claims attachments in the third quarter. A proposed rule for physician's first report of injury--used for workers' compensation--won't come out until next year. HHS also expects to spell out its proposal for enforcing HIPAA next year, Dr. Braithwaite says. To view comments received on the privacy regulations, as well as a revised timeline (which HHS plans to publish soon) visit the Administrative Simplification website at http://aspe.os.dhhs.gov/admnsimp/.

Posted to HIPAAcomply 03/15/00




 

Privacy concerns may spark congressional intervention
Critics of the Clinton administration's records privacy proposal take aim at its patient consent provisions and its requirement that physicians oversee their business partners' practices.

By Susan J. Landers, American Medical News staff. March 6, 2000

Washington -- Congress will likely re-enter the contentious medical records privacy debate it had, by default, turned over to the Dept. of Health and Human Services for resolution last summer. 

A recent House Ways and Means health subcommittee hearing showcased a wide range of concerns raised by the department's 600-page proposal to establish federal privacy protections for electronically transmitted medical data. HHS released its proposal last fall.

Subcommittee Chair William Thomas (R, Calif.) said he had scheduled the hearing to help determine whether the regulation would "ultimately prove to be workable or whether additional legislation might be necessary." 

He received in reply a chorus of r