HHS ANNOUNCES FINAL REGULATION ESTABLISHING FIRST-EVER NATIONAL STANDARDS TO PROTECT PATIENTS' PERSONAL MEDICAL RECORDS
HHS Secretary Donna E. Shalala today released the nation's first-ever standards for protecting the privacy of Americans' personal health records. This new regulation will protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.
For complete information on the final privacy rule click on the links below:
Download the text of the Final Rule (in PDF) - Beware!! It is quite large!!!
Posted to HIPAAcomply 12/21/00
Clinton to Issue New Rules on Medical Data Privacy
By ROBERT PEAR, N.Y. Times
(This article originally appeared in the N.Y. Times, November 20, 2000)
WASHINGTON, Nov. 19 — The Clinton administration will soon issue sweeping new rules to protect the privacy of medical records. But under pressure from the health care industry, officials say, they are backing off a proposal to give patients a broad new right to sue and recover damages for the improper disclosure of confidential information.
Chris Jennings, the health policy coordinator at the White House, said President Clinton would issue the final rules, with the force of law, in the next few weeks.
The administration is "going full steam ahead, with a full commitment" to the goal of protecting privacy, Mr. Jennings said.
As President Jimmy Carter did 20 years ago, Mr. Clinton is leaving office with a burst of regulatory activity that he hopes will leave an imprint on the nation long after his term ends. Last Monday, the government issued rules intended to protect millions of workers against repetitive stress injuries.
The privacy rules, the first comprehensive federal standards to protect the confidentiality of medical data, will affect virtually everyone who receives or provides health care in the United States. The rules come at a time when insurers and health care providers are making greater use of computers to store and exchange medical information on patients.
The new Congress could alter the rules, but will have great difficulty mustering a consensus for any alternative.
Legislation to set federal privacy standards died this year because of profound disagreements between consumer advocates and the health care industry.
A 1996 law required the secretary of health and human services to set the standards for medical privacy, but gave her little guidance on what the rules should say.
Under the new rules, consumers will for the first time have a federal right to inspect and copy information in their medical records. They will also have the right to request correction of information that they consider inaccurate or incomplete.
The standards will limit the use and disclosure of data by insurance companies, health maintenance organizations and other health care providers, including doctors, nurses, hospitals, nursing homes, pharmacies and medical laboratories.
In proposing the rules for public comment in November 1999, President Clinton lamented the fact that his regulatory authority was limited: he could not directly regulate the conduct of the many people with whom doctors and hospitals share information on patients.
"To fill this gap in our legislative authority," the government said, it will hold health care providers responsible for the activities of their "business associates," including lawyers, auditors, accountants, consultants, billing companies and other contractors.
Health care providers would have to rewrite contracts with these business partners to guarantee that information on patients is kept confidential. Business partners would have to promise to follow the federal privacy standards, just as doctors and hospitals do.
The 1996 law did not give patients a new right to sue for violations of their privacy.
"The statute does not provide for a private right of action for individuals," the administration said in a preamble to the proposed rules last year.
But federal officials tried to overcome the limits of the law. In the proposed rules, they said that patients must be named as the "intended third-party beneficiaries" of contracts between health care providers and their business partners.
This would have given patients a powerful new tool to enforce their rights. Patients could have sued in state court for violation of the contract if their medical records were improperly disclosed.
But federal officials said they had recently decided to back away from this proposal after receiving a torrent of criticism from the health care industry, which complained that the administration had exceeded its legal authority.
The American Association of Health Plans, a trade group for H.M.O.'s, said its members and their business partners would have faced "significant new legal liability" if the federal government had authorized patients to sue for violations of their privacy rights.
The Health Insurance Association of America said the Clinton proposal could have led to "excessive litigation, including class action lawsuits, that would drive up health care costs."
Employers said that health insurers would drag them into such litigation, and that the risk of new lawsuits would discourage companies from providing health benefits to employees.
Jackie M. Huchenski, a health lawyer in New York City, said: "The rule on business partners is very controversial. It imposes new obligations on health care providers and health plans, making them responsible for someone else's mistakes."
Paul G. Sherwood, senior vice president of Halifax Regional Medical Center, a 206-bed hospital in Roanoke Rapids, N.C., said it was unrealistic to hold him responsible for what his business partners might do.
"I have very little control over my contractors," Mr. Sherwood said. "The proposed rule appeared to be inviting a plethora of litigation."
Doctors, hospitals and their business partners will still have to comply with the rules, officials said, but patients will not get any new right to sue.
Even without an explicit new right to sue, Ms. Huchenski said, patients may be able to recover damages by filing suit under certain existing state laws that protect consumers or regulate health care.
Posted to HIPAAcomply 11/21/00
HIPAA: A Practical Implementation Guide
An Audio Conference Series Sponsored by HIMSS
To meet the needs of healthcare professionals for immediate, affordable education on HIPAA, HIMSS is offering two series of "how-to" audio conferences with industry experts who will provide insight, strategy, and practical tips for successful HIPAA implementation.
Choose any or all of the six scheduled conferences below.
Series #2: HIPAA Information
Conference 4: Survivor: Replace or
Update Your Information System?
Conference 5: Friend or Foe: Contractor
and Business Partner Security
Conference 6: Finding Your Weakest
Links: Reassessing and Addressing Vulnerabilities
Posted to HIPAAcomply 10/13/00
Final Rule on National Standards for Electronic Transactions
The Final Rule on National Standards for Electronic Transactions was published in Federal Register on Aug. 17, 2000 and is effective October 16, 2000. The compliance date is October 16, 2002 (2003 for small health plans).
Posted to HIPAAcomply 10/5/00
Does HIPAA Supersede State Law?
For an excellent, in-depth treatment of the issue of preemption of state law as it applies to the HIPAA standards for transactions, code sets, identifiers, and security, click below for a paper (in PDF format) by Tom Gilligan, Executive Director & Washington Representative for AFEHCT.
Posted to HIPAAcomply 10/4/00
Ready for HIPAA
Although costs will be substantial, complex new federal rules could yield savings.
From Internet Health Care Magazine, July/August 2000
Posted to HIPAAcomply 08/24/00
Reasonableness of Your Security Decisions
The following article was published in the June 2000 issue of the Health Information Compliance Insider, and is reprinted with the permission of Brownstone Publishers, Inc.
Posted to HIPAAcomply 08/24/00
Clinton Toughens Rules on Medical Privacy, but Some Want More Limits
By ROBERT PEAR
From the New York Times, Sunday, August 20, 2000, National Desk
WASHINGTON, Aug. 19 -- After nine months of blistering criticism from doctors, patients and consumer groups, the Clinton administration says it has decided to beef up protections for the privacy of medical records, beyond what it proposed last year.
But administration officials said the new rules, to be issued before the Nov. 7 election, would not give patients full control of their medical records, as many advocates of privacy rights had recommended.
The rules would, for the first time, set comprehensive federal standards requiring doctors, hospitals, pharmacists and insurance companies to limit the disclosure of medical information about individual patients.
The health care industry and insurance companies must comply with the new rules within two years. The rules, issued under a 1996 statute, would have the force of law; no further action by Congress is required.
The far-reaching, complex rules will touch almost every aspect of the health care system. They will come at a time when large amounts of medical data, including genetic information about a patient's risk of developing specific diseases, can be stored electronically and sent across the country or around the world with the click of a computer mouse.
Administration officials said they saw publication of the rules as a significant achievement that could help Vice President Al Gore, the Democratic candidate for president. Mr. Gore has called for an "electronic bill of rights" to protect people against the misuse of computerized personal information of all types.
Chris Jennings, the health policy coordinator at the White House, said President Clinton was committed to issuing the rules on medical privacy by late summer or early fall. "That's a very high priority," Mr. Jennings said.
Public opinion polls show that Americans are increasingly concerned about privacy in general and want greater protection for medical records, in particular. Some people say they shun testing for cancer, H.I.V. infection and other conditions because they fear discrimination in insurance or employment.
The Republican Party platform promises new rules to protect the privacy of medical information, but gives no details. If Gov. George W. Bush of Texas wins the presidential election, his advisers said, he would probably want to re-examine the rules, rather than rely on the policy judgments of the Clinton administration.
The White House published the proposed rules in the Federal Register on Nov. 3, 1999. After reviewing thousands of public comments, federal officials said, they expect to make these changes:
Under current practice, doctors often ask patients to sign forms authorizing the use and disclosure of medical information for various purposes.
The American Civil Liberties Union said, "The proposed regulations are a step backward from current practice because they require only notice and not consent."
Administration officials said the new rules would limit disclosure of medical information to the "minimum necessary" and give patients a right to see their medical records. In addition, the rules would pre-empt weaker state laws.
A person who discloses health information in violation of the rules could be fined $50,000 and imprisoned for one year. If the offense is committed for commercial advantage or personal gain, the rules allow tougher penalties: a $250,000 fine and 10 years in prison.
The 1996 law directed the administration to issue rules on medical privacy if Congress failed to pass legislation by Aug. 21, 1999.
Lawmakers missed that self-imposed deadline. Congress could alter any of the new standards, but has been at an impasse, under pressure from scores of lobbyists with conflicting interests on the issue of medical privacy.
Robert M. Gellman, an expert on privacy and information policy, said the administration was "taking a real gamble" in issuing the rules before the election because they might be criticized as not going far enough to protect privacy.
On the other hand, the Health Insurance Association of America and the Blue Cross and Blue Shield Association said the proposed rules went too far, exceeded the government's legal authority, were unworkable and would impose new costs on patients and employers, who pay for much of the nation's health care.
When the rules were proposed last year, they were praised at first, but then criticized by the American Medical Association, the American Civil Liberties Union and experts like Janlori Goldman, director of the Health Privacy Project at Georgetown University.
After reading the fine print, critics said the proposals were a license to disclose sensitive medical information, rather than a fence restricting access.
In a typical comment, the American Cancer Society said it was concerned that the proposed rules would allow "the total free-flow of information" without input from patients.
"We believe that the individual should retain the ultimate right to decide to whom, and under what circumstances, individually identifiable health information will be disclosed, even in cases of treatment, payment or health care operations," the cancer society said.
Likewise, the American Medical Association said, "Valid consent should be obtained before personally identifiable health information is used for any purpose."
Posted to HIPAAcomply 08/23/00
Biometric technologies not only exist--they work and are now affordable.
By Fred D. Baldwin
Posted to HIPAAcomply 08/22/00
HIPAA Vendors? - A Tool to Measure Critical Capabilities
With the recent adoption of the final HIPAA regulations for transactions and diagnosis/procedure codes, many organizations will be seeking HIPAA help. The attached tool can be used to measure critical capabilities and objectively compare different vendors. Health care organizations may add additional factors relevant to individual circumstances, such as prices and industry reputation.
Posted to HIPAAcomply 08/17/00
Data on 858 patients mistakenly e-mailed to others
Medical information was among messages sent out by Kaiser
By M. William Salganik
The Kaiser Permanente Health Plan admitted yesterday that it had inadvertently e-mailed to 19 of its patients health information about 858 other patients.
The information sent out by mistake was of varying levels of sensitivity, Hayon said.
It ranged from a simple note saying the member would be sent a password for the online system to "answers to medical questions about a particular disease or condition," she said.
Kaiser noticed the problem after about 20 minutes, and shut down its e-mail system to fix it, Hayon said.
The health plan had contacted everyone who received the information by mistake, and all had said they deleted it and had not transmitted it further. She also said it was calling all 858 members whose information had been sent out by mistake, and had already reached most of them.
Both Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, and Susan Pisano, vice president of the American Association of Health Plans, said that although the World Wide Web and e-mail are being used increasingly to provide health information, they were unaware of any similar problems. Givens said a credit-rating service, Experian, had sent credit reports ordered online to the wrong people a few years ago when "the system sort of blew up." In health, she said, some letters containing health information were stuffed into envelopes addressed to different people.
But while such privacy errors can happen with conventional mailings, she said, "the scale can be grander in the online world." For example, she said, in the case of credit-card numbers, "one dishonest waiter can rip off 20 to 50 people a day, while a hacker can get 100,000 credit-card numbers in a few moments."
While health plans are increasingly using automated methods for "reducing costs and increasing services," Givens said, they should build in safeguards, and when such problems occur, "perhaps they're getting too close to the bone." Pisano said Kaiser "views themselves as leaders" in the area of online health services, "and they see it as part of their leadership role to acknowledge that this happened."
Hayon said about 250,000 of Kaiser's 11 million members use the online information service, and about 20,000 more sign up each month. They can make appointments, order prescription refills and ask health questions to doctors, nurses and pharmacists. They receive answers or confirmations by e-mail.
The e-mail system was shut down for installation of new software. Then, Hayon said, "Somebody pushed something and sent off the e-mails." Some members waiting for a response got multiple ones, from a few extra to as many as 400. Soon, Kaiser's technicians noted the unusual size of outgoing e-mail, and shut down the system for a fix.
By yesterday evening, Hayon said, 13 people said they had already deleted the information, three others said they would delete it, two said it had never been delivered, and one member could not be reached.
Givens said people using any new online service should realize that problems may surface, and might want to "wait until the bugs have been worked out" before offering their own sensitive information. A Kaiser member herself, she said she had not used the online service, not because of privacy concerns but because, "I just haven't found the time to delve into their Web site."
Originally published Aug 10, 2000 on www.sunspot.net.
Posted to HIPAAcomply 08/17/00
DEPARTMENT OF HEALTH AND HUMAN SERVICES (DHHS) SECRETARY DONNA SHALALA SIGNS FINAL RULES FOR ADMINISTRATIVE TRANSACTIONS AND DIAGNOSIS AND PROCEDURE CODES PROMULGATED UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
The two-year compliance clock begins ticking 60 days after the final adoption date and all covered entities must comply by October 2002.
NORWELL, MA (August 14, 2000) - The final rules set the stage for sweeping changes across the health care industry to gain administrative savings through standardization and simplification of electronic health care transactions. The final rules require health plans, providers, and clearinghouses exchanging electronic administrative health care transactions to implement ASC X12 standards for health claims, referral certification/authorizations, claim status inquiries, eligibility requests/responses, remittance advices, and health benefit enrollment/disenrollment. Additionally, the final rules require retail drug claims to comply with the NCPDP standard for batch or telecommunication claims using version 1.0 or 5.1 respectively. Finally, the rules require utilization of ICD-9-CM, CPT, CDT, NDC, and HCPCS coding standards. Local codes are disallowed and redundant codes eliminated.
"With the long anticipated adoption of these final rules, health care organizations are well advised to accelerate preparations in earnest," said Tom Hanks, Practice Director, Enterprise Security and HIPAA Compliance, Beacon Partners. "HIPAA is an enterprise-wide event affecting not only EDI and IT concerns, but also has substantial ramifications on business and operational concerns."
"Some organizations have already undertaken education and assessment activities to better understand the impact of HIPAA," according to Jim Klein, Manager, Enterprise Security and HIPAA Compliance, Beacon Partners. "There are many that have not initiated planning and preparation activities and with the clock now ticking, it is imperative that organizations develop a sense of urgency to avoid future expense, risk and penalties."
Recent updates from government officials indicate the remaining HIPAA standards are being prepared for publication later this year, which includes security, privacy, employer and provider unique identifiers, and draft standards for claim attachments.
Publication of the final rules is scheduled for August 17, 2000 and will be available from the Government's HIPAA website at http://aspe.hhs.gov/admnsimp/index.htm and the Federal Register. The HIPAA transaction implementation guides are now available for free download from the Washington Publishing website at http://www.wpc-edi.com/hipaa/. Additional HIPAA information can be found at http://www.HIPAAcomply.com.
Posted to HIPAAcomply 08/14/00
SNIP Initiative continues to Advance
The Workgroup for Electronic Data Interchange (WEDI), with active participation from the Association for Electronic Health Care Transactions (AFEHCT), continues to advance the HIPAA initiative "Strategic National Implementation Process (SNIP)". SNIP has broad industry representation from major market segments including the Federal Government, health plans, providers, clearinghouses, and numerous regional organizations. The major emphasis is to identify common industry HIPAA implementation issues and seek ways for health care organizations to minimize such issues through cooperative industry implementation planning and coordination. Three work groups were formed to advance the SNIP initiative: Transactions/Code Sets/Identifiers, Security/Privacy, and Education/Awareness. The work groups continue to make significant headway and interested parties should check the WEDI website frequently for updates at http://www.wedi.org. Beacon Partners continues to maintain its long-standing active role in WEDI initiatives. Mr. Tom Hanks, Beacon's Practice Director for Enterprise Security & HIPAA Compliance, serves as a WEDI board member and Mr. Jim Klein, Beacon's Manager for Enterprise Security & HIPAA Compliance, serves on the steering committee for the SNIP Education/Awareness work group.
Posted to HIPAAcomply 08/14/00
Appointed to MedChi Privacy Committee
Jim Klein, Manager of Enterprise Security and HIPAA Compliance for Beacon Partners, has been appointed as a member of the Privacy and Confidentiality Committee of MedChi for 2000. MedChi is the Maryland state medical society which was formed to unite the medical profession, promote and disseminate medical and surgical knowledge, protect public health and elevate the standards of medical education. The organization continues to actualize its original goals through legislative advocacy, public health programs and the expansion of its membership base. MedChi's mission is to serve as Maryland's foremost advocate and resource for physicians, their patients and the public's health.
MedChi's committees perform an important function through consideration of matters that face today's physicians and help set policy by making recommendations to the Board of Trustees and the House of Delegates.
For more information on MedChi visit http://www.medchi.org
Posted to HIPAAcomply 07/19/00
"I want you to comply with privacy regulations"
Soon the federal government will finalize privacy rules for electronic transfer of patient records. If you're not sure how your practice will fare, you should start thinking about it
Posted to HIPAAcomply 07/12/00
HMO Held Responsible for Confidentiality Breach
A New York appeals court has ruled that an HMO can be held liable for a breach of privacy even though the employee who released a patient's records wasn't acting in the normal course of business. The court says Community Health Plan-Kaiser Corp. is liable for a breach of confidentiality that occurred when an employee released the mental health records of an Albany, N.Y., woman that indicated she is gay. Both sides expect the case to be appealed further.
HIPAA Glossary Available from WEDI
The first of several remaining final and proposed rules authorized under the Health Insurance Portability and Accountability Act of 1996 is expected to be published at the end of June by DHHS. This first rule is expected to be a final rule establishing standard formats and data content for electronic claims and related transactions. This, and the remaining rules, promise to be full of acronyms, abbreviations and other unfamiliar terms.
The Workgroup for Electronic Data Interchange (WEDI) has created a HIPAA Glossary that will make it easier to look up such terms, rather than having to fumble through previous pages to find the first reference. In addition to explaining what provider taxonomy codes are, or the difference between structured and unstructured data, the glossary defines such abbreviations as A/S, DCC, EDIFACT and NASMD. You can access this glossary at http://www.wedi.org. (Please note: this document is in PDF format and requires the use of Adobe Acrobat Reader Software.)
WEDI is an advocacy organization that promotes the use of electronic commerce in healthcare and has advised federal officials in developing HIPAA rules.
Create Security/Privacy Committee to Handle Compliance Issues
(from Health Information Compliance Insider, May 2000, published by Brownstone Publishers, Inc., 1-800-643-8095)
Your health care organization will have to make many changes to ensure its compliance with HIPAA security and privacy regulations when they're finalized. You'll have to create, adopt, and enforce many new security and patient privacy policies and procedures, as well as develop and implement ongoing security and privacy education and training. To make these compliance efforts work, you'll have to make sure that they're "totally integrated" into your organization and that senior management is behind them, says health information consultant Tom Hanks.
How do you accomplish this? A good starting point is to create a security and privacy committee now to oversee development and implementation of your organization's compliance efforts, recommends Hanks. Here's a rundown on how to create an effective committee and what its first steps should be.
SET COMMITTEE MEMBERSHIP
Representatives from every
Who should be a department's representative? The larger your organization, the higher up the person should be in the department. The biggest mistake organizations make, according to Hanks, is to put low-level people on the committee. You don't want committee members who lack the authority to get your organization's senior management on board for compliance efforts, he points out.
Must the representative be the department head? Much depends on the culture of your organization, says Hanks. If department heads typically are educators and managers, then they belong on the committee. But if they typically delegate those functions to someone within the department, then that's the person who should represent the department.
Insider Says: If your organization is small, you may not have many departments or separate people for each senior management role. One person may assume multiple roles. For instance, your general counsel may also be your chief compliance officer. If that's your situation, make sure that the committee has members representing all of the roles in your organization.
HAVE COMMITTEE REPORT TO BOARD
Who on the board of directors should get the committee's reports? A typical board has an executive committee or a risk management or risk avoidance committee. Any of those board committees would be suitable, notes Hanks.
SET COMMITTEE'S FIRST STEPS
Step #1: Conduct security/privacy assessment. The committee should assess your organization's current security and privacy policies and procedures, compare them with what's required by the proposed HIPAA security and privacy regulations, and determine what deficiencies exist, says Hanks.
Step #2: Conduct risk assessment. The committee then should have a risk assessment done that quantifies the risk associated with each security and privacy deficiency in your organization, the methods of eliminating those deficiencies (remediation), and their costs. A risk assessment can be conducted internally or by an outside consultant, says Hanks.
Insider Says: Make sure employees are interviewed as part of the risk assessment, advises Hanks. Employee input will help pinpoint problem areas. It will also provide insight on the level of employee compliance with current policies and how effective those policies are. It's best to get someone from outside your organization to conduct employee interviews, Hanks says. Having an insider conduct the interviews won't provide valid results, he explains, because employees are often reluctant to tell the truth to someone from their own organization.
Step #3: Set strategy. Once the risk assessment is done, says Hanks, the committee should set remediation priorities. It should decide how much money to spend on remediation, what risks the organization is willing to accept, and what remediation steps should be taken.
(From HFMA WANTS YOU TO KNOW-May 24, 2000, A service of the Healthcare Financial Management Association, http://www.hfma.org )
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included administrative simplification provisions that will profoundly affect how the healthcare industry handles patient information and claims. By providing nationwide, uniform standards for doing business electronically, administrative simplification standards encourage healthcare entities to automate their claims processes. Once implemented, these standards are expected to streamline business processes, reduce operational disruptions, lower costs, and reduce claims-processing error rates.
Compliance with the HIPAA administrative simplification regulations will be required by Federal law and related regulatory and accreditation bodies within the next two to four years. Failure to comply will result in stiff monetary penalties and, possibly, program exclusion. Of special concern is knowing disclosure of individually identifiable patient information, which will result in criminal penalties against both the organization and the individual responsible for the disclosure. The time to start planning is NOW.
Based on input from an informal group of HFMA members and industry experts, HFMA suggests that providers take the following actions:
LAY THE GROUNDWORK FOR BUY-IN.
LEAD FROM THE TOP.
MAKE HIPAA YOUR TOP PRIORITY.
COOPERATE WITH OTHER ORGANIZATIONS.
STAY THE COURSE.
HFMA has been a long-standing proponent of uniform business standards. HFMA is working with members and other industry experts to develop resources to ensure HFMA members have the tools they need to effectively implement HIPAA's requirements and realize as much benefit as possible from standardized electronic transactions. Comments or inquiries may be directed to Trinita Robinson at (800) 252-HFMA, ext. 610.
Learn more about this issue during "HIPAA Is Coming - Are You Prepared for the Challenges the HIPAA Regulation Brings?", part of a 2000 Annual National Institute preconference program, "The 21st Century PFS Professional". Other HIPAA-related ANI sessions include "Compelling Reasons to Start HIPAA Readiness," "Washington Update," and "Functional Compliance - A Hands On Approach to Complying with the Law."
U.S. General Accounting Office Senate Testimony on Privacy Standards
Click here for a PDF file of the GAO Testimony before the Committee on Health, Education, Labor and Pensions, U.S. Senate, on Privacy Standards: Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information. This testimony is the statement of Janet Heinrich, Associate Director, Health Financing and Public Health Issues, Health, Education and Human Services Division of the GAO. For more information on the GAO, visit them at www.gao.gov.
HIPAA Sets Up New Hurdles for Healthcare Players
(From Managed Care News Perspectives issue April 18, 2000)
By Michael Casey, Managed Care Analyst, Medical Data International
ALTHOUGH HIPAA IS NOT JUST A PRIVACY ISSUE, HOSPITALS ARE CONCERNED THAT SECURITY AND CONFIDENTIALITY COULD BE COMPROMISED BY NET TRANSMISSION
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, but so far only the "portability" portion for an individual to receive continuous health insurance coverage when changing employers has been implemented. Now, however, after spending millions to upgrade computers because of the potential Y2K glitch, hospitals and other healthcare organizations are told they must provide security and confidentiality of all identifiable patient information in the development of electronic data interchange and healthcare information systems. Cost estimates are triple that of Y2K preparedness, but one HIPAA expert prefers to think of the expense as a long-term investment, especially as more electronic-commerce services are developed and implemented in the medical supply world.
The Kassebaum-Kennedy Act, also known as the Health Insurance Portability and Accountability Act of 1996, was approved by a Senate committee in 1995 to prevent people with chronic health conditions from losing coverage as they changed jobs. Under the law, employees with insurance could keep that coverage at their next job or shorten the waiting period to receive coverage, but there was no guarantee that benefits would not change or premiums would not be higher. In 1996, the General Accounting Office estimated between 1 million and 3.6 million Americans fit that description.
The other half of the law requires that claims and payments be filed electronically. The law mandates that Congress pass legislation tightening the rules on how a person's private medical information could be used and who would have permission to see it, but Congress missed its August 1999 deadline and continues to work on regulations. The health industry now is pushing for a June 2000 deadline.
The seven provisions that established standards for electronic healthcare transactions and exchanges were intended to improve the flow of information between healthcare organizations while protecting individual privacy and preventing fraud. The Department of Health and Human Services (HHS) estimates the provisions could save health plans, healthcare clearinghouses and providers from $5 billion to $10 billion a year, and HHS projects the five-year cost of compliance to be about $3.8 billion.
However, many healthcare providers claim the actual cost of complying with the new regulations will far exceed the cost of their Y2K preparations. And to date, many providers are unwilling to commit a large portion of their budget during the next two years to comply with HIPAA until all of the rules are known.
The HIPAA requirement considered to be the most troublesome by providers involves the security and confidentiality of all types of patient-identifiable health information, including health claims, eligibility and payments. The standard requires all health plans, healthcare clearinghouses and providers to establish and maintain appropriate safeguards by such means as appointing an information security officer, developing a security plan, providing training for employees and securing physician access to records.
Healthcare providers say they are more concerned about security and privacy issues than any other aspect of HIPAA. Although some security safeguards do exist as part of the provider's standard practice, using the public Internet to transmit patient information represents a much greater risk in confidentiality.
Providers, though, cannot wait for Congress' final ruling before assessing their risk vulnerabilities and planning how to implement specific technical and administrative procedures to ensure the security of electronic health data. Hospitals, physicians and medical groups must start thinking now about their security precautions, warns Dr. Steven Lazarus of the Boundary Information Group, who serves as chair-elect for the Workgroup for Electronic Data Interchange (WEDI) and is an advisor to the Secretary of HHS.
"Hospitals tend to discuss HIPAA as a privacy issue, but we can't dismiss all of HIPAA as privacy. If (the hospitals) don't want to comply, they won't get paid on time," explained Lazarus, in an exclusive interview with Medical Data International, Inc. "The privacy issue is a problem, because no legislation has been passed. It is Congress' fault, and Congress can fix it. But we still can implement HIPAA without those changes. No state preemption is the biggest problem. The AMA (American Medical Association) wants state control. Everyone believes we need to have state uniform access."
WEDI was made an advisor when HIPAA was passed in 1996 and is the only industry-based group that is open to the public to provide input on consensus. Currently, 135 organizations belong to WEDI, but those represent only employer groups and health plans--no providers, Lazarus said in mid-April 2000.
Lazarus acknowledges that many health providers still are reeling from spending considerable amounts of money to exterminate the Y2K bug. He cited a recent Gartner Group study that found HIPAA would cost healthcare organizations three times as much as Y2K. Much like Y2K, HIPAA's cost will depend heavily on how much upgrading a hospital has done on its information system during the past 10 years.
However, Lazarus says HIPAA regulations offer tremendous opportunities for healthcare organizations to become more efficient and achieve significant savings. Some experts believe the industry could save $125 million a week if standards already available today were employed for electronic transactions.
"Some parts of HIPAA will cost a lot of money, but it will be a good investment, especially when more e-commerce services come along and are implemented in the supply world," Lazarus said. "All e-commerce companies that are looking to deliver drugs are online, and all are covered by security regulations. They are not relying on patient authorization. That takes about half the cost away."
The most stringent HIPAA security requirement will cover patient information and transactions that are conducted online. HIPAA likely will require evidence that only the appropriate person can gain access to the information through authentication services such as encrypted codes and digital certificates. Another important component will be the entity that audits and records who accesses a patient's record, and when.
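The audit component described above, an entity that records who accessed a patient's record and when, as an added example that is not code from the article, Medical Data International or any HIPAA implementation guide. Each access event is appended to a log whose entries are chained by an HMAC over the previous entry's tag, so an entry cannot be altered or removed from the middle of the log without the chain failing to verify; the HMAC chaining is this example's own design choice, not something the article specifies. The key, user names, record numbers and timestamps are placeholders constructed here.

```python
"""Tamper-evident audit trail for access to patient records (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

_ANCHOR = b"\x00" * 32  # chain anchor for the first entry


class AccessAuditLog:
    def __init__(self, key: bytes):
        self._key = key          # HMAC key; in practice held by the audit service, not the application
        self.entries = []        # each entry is a dict carrying its own chain tag

    def _tag(self, entry, prev_tag):
        """HMAC over the previous tag and this entry's fields (excluding its own tag)."""
        body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True).encode()
        return hmac.new(self._key, prev_tag + body, hashlib.sha256).hexdigest()

    def record(self, user, patient_id, action, when):
        """Append one access event: who, which record, what, when."""
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else _ANCHOR
        entry = {"seq": len(self.entries), "user": user, "patient": patient_id,
                 "action": action, "time": when.isoformat()}
        entry["tag"] = self._tag(entry, prev)
        self.entries.append(entry)
        return entry

    def last_tag(self):
        """Tag of the newest entry; store it out of band to detect truncation."""
        return self.entries[-1]["tag"] if self.entries else _ANCHOR.hex()

    def verify(self, expected_last=None):
        """Recompute the chain. Returns None if intact, else the index of the first
        inconsistent entry (len(entries) if the chain end differs from expected_last)."""
        prev = _ANCHOR
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or not hmac.compare_digest(self._tag(entry, prev), entry["tag"]):
                return i
            prev = bytes.fromhex(entry["tag"])
        if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
            return len(self.entries)
        return None

    def accesses_to(self, patient_id):
        """Who accessed a patient's record, what they did, and when."""
        return [(e["user"], e["action"], e["time"]) for e in self.entries if e["patient"] == patient_id]


def build_sample_log(key=b"example-audit-key"):
    """Constructed sample: three accesses to two placeholder records."""
    log = AccessAuditLog(key)
    t0 = datetime(2000, 6, 29, 9, 0, tzinfo=timezone.utc)
    log.record("dr_smith", "MRN-0001", "view", t0)
    log.record("billing_clerk", "MRN-0001", "view-claim", t0.replace(hour=10))
    log.record("dr_smith", "MRN-0002", "update", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)
    print("accesses to MRN-0001:", log.accesses_to("MRN-0001"))
    log.entries[1]["action"] = "export"       # tamper with a stored entry
    print("first bad entry after tampering:", log.verify())
```

The chain alone does not catch removal of the newest entries, which is why `last_tag()` exists: the verifier compares the chain end against a copy of the last tag kept somewhere the application cannot write.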
The good news is that more healthcare providers may be listening. In a survey of more than 500 hospital executives, released by the Healthcare Information and Management Systems Society (HIMSS) in April 2000, 70% said they will concentrate during the next two years on complying with HIPAA. Furthermore, 61% of the respondents said developing systems that improve efficiency will matter, 56% said cost-cutting systems are being evaluated and 42% said they are working on specific e-healthcare applications.
Yet, while HIPAA and the Internet remain top priorities for 2000, healthcare information executives will be working with limited budgets. Only 30% of those surveyed say their organizations' information technology budgets will increase in 2000, and proving return on income is on the minds of 22%, up from 15% in 1999.
Lazarus expects the final rules regarding HIPAA's regulations to be released June 29, 2000, which would give healthcare organizations two years and two months to comply. That would apply only to large providers and health plans; small payers, defined as less than $5 million in revenue per year, have an additional 12 months to comply, as do small providers, whose revenue cap has not been determined.
Healthcare providers are well aware that they must comply with HIPAA regulations on time or face penalties of as much as $100 per violation, at a maximum of $25,000 a year per violation. Still, many are content to take a wait-and-see approach, opting to evaluate final HIPAA rules before taking any action.
"It is a two-year program, but it could take considerably longer," Lazarus says. "Most insurers have legacy systems that can't audit and can't do electronic transmissions, eligibility, readmittance and so on. They will have to replace those systems in the next 1½ to two years, but they should be in the planning process now."
Some experts believe the true impact of HIPAA will not be known until the economy takes a substantial downturn again, causing people to be out of work for more than a few weeks and employers to cut benefits to save money. The longest-term impact likely will come from the government's willingness to tinker with various parts of the American healthcare system, including a bipartisan bill covering new patients' rights.
The value of HIPAA, says Lazarus, will be in "reducing the cost of administering healthcare and increasing employer and health plan satisfaction. I see it as finally having the kind of uniform system to protect the data and privacy of people, but not investing so much so that it places an undue burden on someone."
Resource: Medical Data International's "Managed Care IQ Provider & Payer Database," April 2000.
Copyright © 2000 Medical Data International, Inc. All rights reserved. Reprints may be obtained by permission. Contact an MDI Account Representative at 800.826.5759.
Posted to HIPAAcomply 5/1/00
Senate Committee Hears Differing Views on Proposed Privacy Rule
(Information provided by the Department of Governmental Affairs, MGMA)
The Senate Health, Education, Labor and Pensions (HELP) Committee held a hearing on April 26 regarding the Department of Health and Human Services' (HHS) proposed privacy rule. During the hearing, witnesses offered varying viewpoints and reactions to the proposed rule.
Although the committee has held many hearings on the issue of privacy, this was the first hearing the committee has held on the proposed rule. At the request of Chairman James Jeffords (R-VT), the General Accounting Office (GAO) reviewed the proposed rule and the comments submitted in response to it by a selected group of 40 organizations ("stakeholders")--one of which was MGMA. One of the most contentious elements of the proposed rule analyzed by the GAO was the "minimum necessary information" provision. HHS proposed that covered entities be prohibited from using or disclosing more than the minimum amount of protected health information necessary to accomplish the intended purpose of the disclosure. In its formal comments, MGMA expressed concerns over this proposal and the burdens it might place on group practices. In its written testimony, GAO specifically cited MGMA's concerns-"As stated by the Medical Group Management Association, it is likely that the entity requesting information for a particular purpose is in a better position to make the minimum necessary determination."
Posted to HIPAAcomply 5/1/00
CIO Survey says HIPAA Requires Action
(Health Data Management, March 27, 2000, www.healthdatamanagement.com)
Hospital and integrated delivery systems have a long way to go in developing plans for complying with the Health Insurance Portability and Accountability Act of 1996, according to a new survey. More than 45% of 213 CIOs and other top I.T. executives surveyed earlier this year said their organizations had not yet begun to work on detailed plans for complying with HIPAA administrative simplification and data security/privacy rules. Virtually the same percentage report their organizations are working on such plans, while 7% said they already had a plan in place. In addition, only 17% of those surveyed report that the board of directors of their organizations had approved funding to begin HIPAA compliance efforts. On a similar note, 60% report that their CEO does not fully understand the ramifications of HIPAA and the potential costs involved. The survey, sent to a sample of Health Data Management readers, was conducted in January and February. Lawson Software, a St. Paul, Minn.-based company that markets enterprise electronic business applications for the health care industry, provided funding for the survey. A story on the survey results will appear in the April 2000 issue of Health Data Management magazine.
Posted to HIPAAcomply 03/28/00
HHS Sets Firm Goal for Publication of Final Rule for Transactions and Code Sets Standards
(The following information is the text of an e-mail from Dr. William Braithwaite, Senior Advisor on Health Information Policy at DHHS, updating subscribers of DHHS' Administrative Simplification Web Page List Server)
In a March 14th letter to the Workgroup on Electronic Data Interchange (WEDI), the Deputy Secretary of HHS announced the "... goal to publish the final rule for Standards for Electronic Transactions by the end of June. As you can appreciate, this estimate is predicated upon several things, including approval of the rule by the Office of Management and Budget. We understand the importance of this rule to the health care industry and others and will take the steps necessary to make sure that this goal is met."
At this time, the tentative target dates for other rules have to be updated and the old targets will be removed from the administrative simplification web site until further notice. In any case, I am pleased that we have a firm date for the first final rule and I hope you will all take advantage of this advance notice to start your implementations of the transaction standards.
Posted to HIPAAcomply 3/27/00
“This delay does not change the basic requirements for protecting patient and business information,” said Hanks. “All health care entities that store and transmit patient identifiable information need to take the first step and completely assess their security capabilities and privacy practices. Getting an assessment started, and even finalized, before the regulations are final, will put an organization in a good position to start the remediation process.” Compliance is required two years from the date of final regulations, which is not considered much time to implement all of the changes that will be required under HIPAA.
any event, we do not foresee a lot of changes in the HIPAA security regulations. For example, the transactions regulations received 17,000 comments, which accounted for approximately a 3% change in the regulations. The security regulations received 2,000+ comments and we anticipate that will result in fewer than a 5% change in the regulations (most probably in the 2-3% range), and we have a good idea what those changes will be. This creates a window of opportunity for organizations to get a jump on the HIPAA security requirements and lower their overall cost of compliance. We learned with Y2K that the sooner you start, the better the outcome and the less it costs. It doesn’t make sense to sacrifice getting started waiting for what amounts to a 2-5% change in the regulations.”
Federal Government is pressing the Department of Health and Human Services (DHHS) to finalize regulations. In a recent letter to DHHS Secretary Donna Shalala, Congressman David L. Hobson, primary author of the Administrative Simplification provisions of HIPAA, asks the Secretary for her “personal involvement to move forward with a final regulation for Standards for Electronic Transactions and Code Sets.” The delay of regulations for Transactions and Code Sets is causing delays with all of the final rules.
Representatives from WEDI (Workgroup for Electronic Data Interchange) recently met with Kevin Thurm, Deputy Secretary of DHHS. As a result of that meeting, there has been a new emphasis put on finalizing some of the regulations. DHHS has announced that the final date for transactions is June 29, 2000 and the final date for security is July 2000. DHHS will publish all revised timelines on its web site indicating when the remaining proposed and final rules will be promulgated. As of now, there is no final date for privacy regulations.
ABOUT TOM HANKS
Posted to HIPAAcomply 3/27/00
As we previously communicated, the revised date of June 30, 2000 has been announced regarding final rules being released through the clearance process at the Department of Health & Human Services (DHHS) and the Office of Management & Budget (OMB). The new date for the final rule relates to the implementation guides for the following transactions:
Health claims or equivalent encounter information: Health Care Claim (837)
Enrollment and disenrollment in a health plan: Benefit Enrollment and Maintenance (834)
Eligibility for a health plan: Health Care Eligibility/Benefit Inquiry (270) and Health Care Eligibility/Benefit Information (271)
Health Care Claim Payment/Advice (835)
Health Care Claim Status Request (276) and Health Care Claim Status Notification (277)
Referral certification and authorization: Health Care Service Review Information (278)
What’s important to keep in mind is that there are no further technical changes that will take place with the Implementation Guides prior to the final rule being released. The reason for the revised date is to assure that synchronization of definitions between rules is reconciled, to assure consistency across them. During this period, prior to the Transaction Final Rule being released, we would suggest that you take the following actions:
an assessment of the gaps and impacts to implement the transactions.
any translator requirements, if appropriate, and commence the selection
your vendors, clearinghouses and other entities to determine their plans and any assistance that may be available.
specific plans for implementation of the transactions from both an IS and
testing criteria and identify your trading partners.
“Chain of Trust” language to provide to vendors and others, as
any third party testing tools to determine HIPAA compliance with the Implementation Guides.
We are further suggesting that organizations commence their planning now rather than waiting the additional 4 months until the final rule is published. The risks of proceeding are minimal and can potentially provide a competitive advantage for those that are initially proactive.
As we continue our partnership with DHHS we will continue to provide information to you for your planning purposes. WEDI and the Deputy Secretary, HHS are planning to meet approximately every two months in the future to facilitate government and healthcare industry planning for the implementation of HIPAA.
For further information, please contact Jim Schuping, Executive Vice President of WEDI at
Posted to HIPAAcomply 03/16/00
Braithwaite stated that the final rules have been postponed because they require further work. HHS hopes to issue final rules for employer identifiers and data security in the third quarter and for provider ID in the fourth quarter. The data privacy rule, which is turning out to be the most controversial, may not come out this year at all, due to the heavy volume of comments HHS has received, as well as the need to make sure the privacy rule dovetails with the security rule, Braithwaite says. The only deadline that HHS has committed to is for the rule setting for claims and code sets, which will be published by the end of
does expect to issue its first proposed rule for claims attachments in the third quarter. A proposed rule for physician's first report of injury--used for workers' compensation--won't come out until next year. HHS also expects to spell out its proposal for enforcing HIPAA next year, Dr. Braithwaite says. To view comments received on the privacy regulations, as well as a revised timeline (which HHS plans to publish soon) visit the Administrative Simplification website at http://aspe.os.dhhs.gov/admnsimp/.
Posted to HIPAAcomply 03/15/00
concerns may spark congressional intervention
By Susan J. Landers, American Medical News staff. March 6, 2000
Washington -- Congress will likely re-enter the contentious medical records privacy debate it had, by default, turned over to the Dept. of Health and Human Services for resolution last
Subcommittee Chair William Thomas (R, Calif.) said he had scheduled the hearing to help determine whether the regulation would "ultimately prove to be workable or whether additional legislation might be
Even Mary A. Hamburg, MD, HHS assistant secretary for planning and evaluation, called the department's proposal "a foundation." "We continue to believe that legislation is ultimately necessary if we are to appropriately protect the privacy of the health information of all Americans," she said.
Thomas indicated that lawmakers might renew their push for legislation by pointing to parts of the proposal in need of fixing. For example, he said a portion of the proposed rule that holds physicians, hospitals and health plans liable for the actions of their "business partners," such as lawyers and auditors, might be a likely area for legislative
Congress had tried for three years to draft legislation that would protect medical records privacy while allowing insurers and others sufficient access to patient data. When Congress failed to meet its own deadline for the passage of legislation, statute required that the issue be turned over to HHS for regulation. Lawmakers retained the right to continue to work on legislation and could decide to change the regulation retroactively. Congress had set the stage for several of the most contentious provisions-- including those criticized by Thomas -- by restricting HHS's regulatory power. For example, Congress dictated that state laws should take priority over a federal rule. It also named only physicians, hospitals and health plans as the entities to be covered by HHS and ignored their myriad partners who are also privy to medical data.
As a result, Dr. Hamburg noted that the proposal exempts certain state laws, and it follows an indirect course to regulating a host of medical information handlers by requiring physicians, hospitals and health plans to monitor their business
The volume and diversity of criticism from outside groups at the hearing point to a difficult road ahead for lawmakers interested in forging privacy
groups and privacy advocates generally said the proposal falls short of protecting personal medical information in some areas, while insurance and business groups argued that it overreaches.
Others, including the AMA, called on Congress to take more wide-ranging action to address what they see as major flaws. AMA Trustee William Plested, MD, a vascular surgeon from Santa Monica, Calif., faulted the proposal for failing to require explicit patient consent before personally identifiable health information is disclosed. "My patients assume that the private information they discuss with me will be used to benefit them -- not to benefit anyone else who may find a way to profit from their personal information," Dr. Plested testified. He also criticized the additional administrative burden that would likely be imposed by a regulation. "The physicians of America are buried in paper, with less and less time to spend with our patients," he said.
The American Psychiatric Assn. joined in warning that the proposal doesn't go far enough to ensure privacy. The psychiatrists also urged that additional protections be placed on mental health records.
On the other hand, Mary R. Grealy, president of the Healthcare Leadership Council, testified that the proposal places too many limits on the uses of patient information and could restrict important health care activities, such as disease management programs. The council represents health plans, hospitals, universities and pharmaceutical companies.
Deluge could cause delay
The concerns voiced at the hearing represented only the tip of the iceberg. HHS received more than 50,000 public comments by its Feb. 17 deadline. Given the large volume of responses that must be reviewed, Dr. Hamburg declined to predict to the panel when a final regulation might be ready, although others have made estimates ranging from April to next year. Health care providers would be allowed two years from the publication of a final regulation to comply. Thomas told Dr. Hamburg that he was concerned about the length of time it might take the department to draft a final regulation, given all the comments that must be examined. As an example of a worst-case scenario, he pointed to the agency's failure to draft a rule for implementing the so-called Stark II self-referral law despite seven years of trying.
Posted to HIPAAcomply 03/15/00
Clinton signed into law the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on August 21, 1996. Don’t be misled by the name. This new federal law (P.L. 104-191) applies to many health care market players, not just health plans and insurance companies. It is the most sweeping legislation to affect the health care industry in over thirty years. HIPAA comprises two major legislative actions: health insurance reform and administrative simplification. The health insurance reform provisions have been in effect for some time and required implementation of certain practices by health plans and insurers regarding portability and continuity of health coverage. This article focuses on the Administrative Simplification (AS) provisions, which may become effective as soon as the 2nd qtr of 2000.
AS provides for the establishment of various protections, standards and requirements for the transmission, storage and handling of certain electronic health care information. Market players affected include government and private health plans and insurers, hospitals, physicians, care providers, employers, clearinghouses, practice management system vendors, billing agents, and other service organizations. The intent of AS is to improve the efficiency and effectiveness of the health care system, and many in the industry expect it to promote long term benefits through the use of widely adopted standards.
AS includes provisions for five distinct areas regarding the exchange of electronic administrative health care information: transaction standards, code set standards, standards for unique health identifiers, security standards, and privacy protections. The Department of Health and Human Services (DHHS) is required under HIPAA to promulgate (adopt) the specified standards. Prior to adoption, the proposed standards are published in the Federal Register and the public has a sixty-day period in which to provide comments to DHHS through the Notice of Proposed Rule Making (NPRM) process.
Sometime after the sixty-day comment period, the DHHS Secretary will adopt the final standards. Finally, DHHS is required to submit recommendations to Congress for privacy legislation to protect individually identifiable health information (submitted on September 11, 1997). Since Congress failed to enact privacy legislation by August 21, 1999, the DHHS Secretary is required to issue privacy regulations by February 21, 2000. Draft privacy regulations were released on November 3, 1999. The final privacy regulations have been delayed and a new release date has not been announced. The draft regulations include far-reaching requirements including: use and disclosure; audit records; patient rights to inspect, copy, and correct records; policies and procedures; and business partner
Compliance with AS must be attained within two years of the standards adoption date, except for small health plans with annual receipts of $5 million or less. These small health plans must comply within three years of the standards adoption date. Those who do not comply may be fined up to a maximum of $25,000 for any identical requirement violated in a one-year period. Wrongful disclosure of individually identifiable health data is a felony offense, punishable by up to one to ten years imprisonment and fines of up to $50,000 - $250,000, depending on the circumstances of the offense.
of the initial work to develop the AS standards has been completed by the DHHS Data Council (website: http://aspe.hhs.gov/datacncl). The following paragraphs summarize the standards proposed, or in some cases to be proposed later, for adoption by the DHHS Secretary.
Transaction standards, subject to modification through the NPRM process, include the American National Standards Institute (ANSI), Accredited Standards Committee (ASC) X12 transaction sets (version 4010) for claims/encounters, attachments, enrollment, disenrollment, eligibility, payment/remittance advice, premium payments, first report of injury, claim status, referral certification/authorization and coordination of benefits. Under HIPAA, compliance with the ANSI ASC X12 transaction sets may be achieved through the use of a clearinghouse.
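The ASC X12 transaction sets named in the WEDI notice above (837, 834, 270/271, 835, 276/277, 278) and in this paragraph share one envelope format, and the first thing a translator or a compliance test tool must do is read that envelope. The following is an added example, not code from WEDI, DHHS, the article or any implementation guide: it derives the element separator and segment terminator from the fixed-width ISA header, walks the GS/ST envelopes, names the HIPAA transaction sets found, records the implementation-guide version from GS08, and checks each SE segment count against the segments actually present. The sample interchange is constructed for this example (placeholder sender, receiver and control numbers); its 837 set deliberately carries a wrong SE count so the check has something to catch.

```python
"""Minimal ASC X12 envelope reader for the HIPAA transaction sets (added example)."""
from dataclasses import dataclass, field

# ST01 transaction set identifier codes named in the HIPAA implementation guides.
HIPAA_TRANSACTIONS = {
    "837": "Health Care Claim",
    "834": "Benefit Enrollment and Maintenance",
    "270": "Health Care Eligibility/Benefit Inquiry",
    "271": "Health Care Eligibility/Benefit Information",
    "835": "Health Care Claim Payment/Advice",
    "276": "Health Care Claim Status Request",
    "277": "Health Care Claim Status Notification",
    "278": "Health Care Service Review Information",
}


@dataclass
class TransactionSet:
    st01: str             # transaction set identifier code
    control_number: str   # ST02, which SE02 must repeat
    version: str          # GS08 of the enclosing functional group
    segments: list = field(default_factory=list)  # ST through SE inclusive

    @property
    def name(self):
        return HIPAA_TRANSACTIONS.get(self.st01, "non-HIPAA or unknown")

    def se_count_ok(self):
        """SE01 must equal the number of segments from ST to SE inclusive."""
        se = self.segments[-1]
        return se[0] == "SE" and int(se[1]) == len(self.segments) and se[2] == self.control_number


def split_segments(raw):
    """Read the delimiters from the fixed-position ISA header, then split."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange: missing or short ISA header")
    elem_sep = raw[3]    # the element separator is always the 4th character
    seg_term = raw[105]  # the terminator follows the 16 fixed-width ISA elements
    segments = []
    for chunk in raw.split(seg_term):
        chunk = chunk.strip("\r\n")
        if chunk:
            segments.append(chunk.split(elem_sep))
    return segments


def parse_interchange(raw):
    sets, version, current = [], "", None
    for seg in split_segments(raw):
        tag = seg[0]
        if tag == "GS":
            version = seg[8]  # GS08, e.g. 004010X098 for the 4010 837 guide
        if tag == "ST":
            current = TransactionSet(st01=seg[1], control_number=seg[2], version=version)
        if current is not None:
            current.segments.append(seg)
        if tag == "SE":
            sets.append(current)
            current = None
    return sets


def summarize(raw):
    """(ST01, HIPAA name, guide version, SE count consistent) per transaction set."""
    return [(t.st01, t.name, t.version, t.se_count_ok()) for t in parse_interchange(raw)]


def build_sample(elem_sep="*", seg_term="~"):
    """Constructed interchange: a well-formed 270 and an 837 whose SE01 is wrong."""
    isa = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", "SUBMITTERID".ljust(15), "ZZ",
           "RECEIVERID".ljust(15), "000629", "1200", "U", "00401", "000000001", "0", "T", ":"]
    segs = [
        isa,
        ["GS", "HS", "SUBMITTERID", "RECEIVERID", "20000629", "1200", "1", "X", "004010X092"],
        ["ST", "270", "0001"],
        ["BHT", "0022", "13", "10001234", "20000629", "1200"],
        ["HL", "1", "", "20", "1"],
        ["NM1", "PR", "2", "EXAMPLE HEALTH PLAN", "", "", "", "", "PI", "12345"],
        ["SE", "5", "0001"],
        ["GE", "1", "1"],
        ["GS", "HC", "SUBMITTERID", "RECEIVERID", "20000629", "1200", "2", "X", "004010X098"],
        ["ST", "837", "0002"],
        ["BHT", "0019", "00", "0123", "20000629", "1200", "CH"],
        ["SE", "4", "0002"],  # three segments are present, so this count is wrong
        ["GE", "1", "2"],
        ["IEA", "2", "000000001"],
    ]
    return seg_term.join(elem_sep.join(s) for s in segs) + seg_term


if __name__ == "__main__":
    for st01, name, version, ok in summarize(build_sample()):
        print(f"{st01} {name} [{version}] SE count {'ok' if ok else 'MISMATCH'}")
```

Because the delimiters are taken from the ISA header rather than assumed, the same reader handles a trading partner who uses `|` and newlines instead of `*` and `~`; the envelope checks here are the cheap structural part of conformance, and the implementation guides add loop and element rules on top.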
Code set standards for diagnosis and procedure codes, subject to modification through the NPRM process, include those defined under the International Classification of Diseases - 9th Revision - Clinical Modification (ICD-9-CM) and the Health Care Financing Administration (HCFA) Common Procedure Coding System (HCPCS). Pharmacy transactions will use the code set specified by the National Council for Prescription Drug Programs (NCPDP).
Standards for unique health identifiers include identifiers for health plans, providers, employers and individuals. HCFA has established proposed standards for health plans and providers, the PAYERID and the National Provider Identifier (NPI), respectively. Also, the widely used Employer Identification Number (EIN) is proposed for use as the unique employer health identifier. The standard for unique individual health identifiers continues to undergo evaluation and is not ready due to unresolved privacy concerns. Standards for all unique health identifiers are subject to change resulting from the aforementioned NPRM process.
The security standards protect the integrity, confidentiality and availability of health care information through the establishment of administrative, physical and technical controls. The standards, which are subject to modification through the NPRM process, include a comprehensive matrix of security requirements to be implemented, as appropriate, by organizations involved in the transmission, storage, and handling of the above listed electronic health care transactions. The proposed requirement includes a list of security measures that organizations may choose from to help implement their security program. The technologies, techniques and measures that may be deployed are discretionary, based upon the organization’s exposure and risk levels. It is up to each organization to deploy the appropriate security measures commensurate with the circumstances and operations of their organization.
The AS provisions under HIPAA present important and far-reaching regulations throughout the health care industry. These regulations extend beyond the traditional relationships between caregivers and health plans. Consequently, employers and other organizations exchanging electronic health care transactions are also a part of the HIPAA landscape. Every player in the industry affected by these regulations should actively engage in education and planning activities. Early planning will help alleviate problems and better prepare those impacted by AS. Additional details and updates are available on the government’s website at http://aspe.hhs.gov/admnsimp/.
Klein is Manager for Beacon Partner’s Enterprise Security and HIPAA
Posted to HIPAAcomply 03/15/00
HIPAA Privacy Rules Will Be Delayed
At a Feb. 28 meeting, Federal officials from DHHS indicated to industry representatives that there will be further delays in publishing final rules to implement the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996. The original deadline for final rules to be published was Feb. 21, 1998. DHHS was delayed initially in publishing proposed rules and did not publish the first proposed rules until May 1998. The department has yet to publish some proposed rules and has not published any final rules.
Industry representatives from the Workgroup for Electronic Data Interchange, Reston, Va., and the Association for Electronic Health Care Transactions, Washington, were present at the Feb. 28 meeting with HHS Deputy Secretary Kevin Thurm and HHS Senior Advisor on Health Information Policy, William Braithwaite. According to Dr. Braithwaite, a final rule for standard electronic transactions and coding sets will not be published until late spring or very early summer. This rule, the first due to be published, was originally due in March.
A final rule on the employer identifier is the next rule due and is expected to be published on the heels of the transactions/coding rule. But the delays in these first final rules will likely delay publication of other final and proposed rules. The department indicated that the timetables are predicated upon available resources within the department. There are various initiatives competing for resources within DHHS and the department has stated that it is focusing on getting the transaction/coding rule out first. The department hopes within ten days to have a new schedule for publishing final and proposed rules on its Web site, http://aspe.hhs.gov/admnsimp/.
Prior to the Feb. 28 meeting, Rep. David Hobson (R-Ohio), author of HIPAA's administrative simplification provisions, sent a letter to HHS Secretary Donna Shalala asking her to quickly publish final standards for electronic transactions and code sets. In his letter he requests Secretary Shalala's "personal involvement to move forward with a final regulation for Standards for Electronic Transactions and Code Sets."
Posted to HIPAAcomply 03/01/00
House Holds Hearing on HIPAA Regulations
(From Premier Advocacy - www.premierinc.com/washington)
On February 17th, the final day of the comment period for the proposed privacy regulations, the Health Subcommittee of the Ways and Means Committee held a hearing that focused on industry reaction. Testifying for the Administration was Margaret Hamburg, M.D., assistant secretary for planning and evaluation. Hamburg related that HHS has received 30,000 written comments and another 10,000 comments via the Website. She reviewed the Secretary's five recommendations for legislation and the proposed regulation: boundaries, security, consumer control, accountability, and public responsibility. HHS estimates the regulation's implementation cost at $3.8 billion over five years. Subcommittee Chairman Bill Thomas (R-CA), as well as other witnesses, challenged that estimate as a gross underestimate.
Discussed at great length was the desire by many, including Thomas, for federal rules that would preempt state confidentiality laws. The draft regulations only preempt weaker state laws. At the conclusion of Hamburg's testimony, Thomas asked that the history of the implementation of the Stark II regulations, still not final after seven years, not be used as a model for the HIPAA regulations. Citing the IOM study, Thomas also expressed his concern that attempts to gather data to correct medical errors not be impeded.
Mary Grealy, president of the Healthcare Leadership Council, outlined both the aspects of the standards they support, as well as those where they felt the regulations fall short. Of concern were the attempt to restrict all uses of patient information, as opposed to disclosure of information, the cumbersome task of individual authorizations for research unrelated to treatment and the tremendous underestimation of the costs involved.
Testimony is available at: http://www.house.gov/ways_means/health/106cong/hl-13wit.htm
Posted to HIPAAcomply 02/23/00
Department of Health and Human Services
The following represent the comments of the Workgroup on Electronic Data Interchange (WEDI) on the proposed rule regarding the adoption of the Standards for Privacy of Individually Identifiable Health Information, which is mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This proposed rule is referred to in the Federal Register as 45 CFR Parts 160
its publication in the Federal Register, the proposed rule was posted to the WEDI web site. Shortly thereafter, WEDI scheduled and announced a 2-½ day Privacy PAG session to be held in Chicago on November 29, 30 and December 1.
This session was conducted, during which the Privacy PAG and other industry representatives reviewed both the rule in general and the specific areas within the rule on which comments were directly solicited. The session was open to both WEDI members and non-members, and it was well attended by representatives of the payer, provider and vendor communities. The results of that session were a series of recommended comments to the proposed rule that were presented to WEDI’s Board of Directors.
On December 16, 1999 and again on January 26, 2000, the Board met to review each such recommendation. The following comments are the product of the Board’s deliberations and therefore represent the organization’s official positions on these issues. However, there may be individual organizations represented by members of the WEDI board that will be submitting separate comments that may differ from the comments included herein. We believe that our comments represent the views of the broadest coalition in the health care industry, and we hope that they can contribute significantly to the timely preparation of the final rule on Standards for Electronic
In August of 1999, WEDI responded by letter to a DHHS request for input prior to the release of the Privacy NPRM, and WEDI wishes to restate the recommendations contained in that letter and has attached it herein as
In regards to the Privacy NPRM, the WEDI board has prepared an Executive Summary representing the majority position of the WEDI board in regards to key critical issues contained in the privacy NPRM.
WEDI first wants to state that all comments contained herein should be assessed by DHHS with the knowledge that the WEDI board unanimously and strongly supports the protection of individual health information and the rights of the individual to the privacy of that information. Furthermore, those individuals deserve protections of their right to the privacy of their health information. WEDI urges that, in the process of providing privacy regulations, DHHS not stray from the authority granted in the HIPAA legislation and exercise extreme care and diligence to ensure that the resulting regulations do not risk degradation of patient care and are not overly burdensome to the covered entities charged with providing those
WEDI has a number of concerns in regards to enforcement.
for covered entities to comply with Privacy Regulations within the two-year deadline. Therefore, WEDI asks that DHHS extend the time for criminal enforcement to thirty-six months to allow covered entities time to implement all of the changes necessary to comply with time allotted for entities to comply with the
of enforcement of the criminal penalties and ask that DHHS provide a “good faith” standard of enforcement where covered entities would not be prosecuted if they had been making “good faith” efforts to comply with the privacy regulations.
WEDI asks that all organizations involved in the enforcement of this regulation be directed to only respond to complaints in their investigative process and not be allowed to make random compliance checks.
WEDI recommends that covered entities be given 90 days from notification of a complaint to resolve any complaints directly with the individual before any enforcement process is initiated.
3) WEDI agrees with the DHHS position that all entities that store or use protected health information should be subject to privacy rules and is concerned that DHHS does not have the authority to cover entities outside of providers, clearinghouses and payers. However, WEDI does not believe that the Business Partner Agreement in the form currently mandated in the Privacy rules can be an effective substitute for that authority and is overly burdensome to current covered entities. The third party beneficiary language that is intended to make the individual a party to the Business Partner Agreement is onerous and presents cost and risk far exceeding its limited ability to enforce privacy rules on non-covered entities. Having the ability to outsource some business functions - requiring access to protected patient information - has become a proven method for covered entities to reduce their costs. WEDI has serious concerns that the impact of the Business Partner Agreement and third party beneficiary language would be to force covered entities to discontinue outsourcing functions that require access to protected information and incur significant additional cost and burden of bringing those functions in-house. This could cause the failure of outsourcing firms, drive up the administrative cost of health care and serve to defeat the purpose of the Administrative Simplification portion of the Act. Current covered entities are not in the position to fill in DHHS gaps in authority and third party beneficiary language should be removed from the final Privacy rule.
4) However, WEDI does agree that, in the absence of DHHS rules covering all entities, a Business Partner Agreement that protects covered information consistent with this Proposed Rule should be required for a covered entity to share protected information. However, this should be presented as a concept and particular language should not be mandated by the regulations. The specific business partner contractual arrangements and the contract terms should be left up to the individual entities.
5) WEDI believes that the minimum necessary disclosure of information concept be defined as a general principle with each covered entity having the freedom to implement minimum disclosure based on that entity’s assessment and risk analysis. Furthermore, due to the risk of degradation of patient care, WEDI asks that the minimum use concept be excluded from implementation for the purposes of disclosures related to treatment.
6) In regards to pre-emption of State law and regulation, WEDI feels that this issue is extremely critical and wishes to re-state the position it communicated to DHHS in August of 1999, which is included in the detailed comments following the executive summary.
WEDI is concerned that the current list-based definition of health care operations may omit valid functions that should be included in health care operations and cannot take into account valid health care operation functions that may be developed in the future. The definition of health care operations should be revised to eliminate use of a list as the basis for definition. Instead, the definition should reflect the intent of the current language but should do so in a manner that is sufficiently precise to detail the obligations and rights of the affected parties. In-depth comments regarding the definition of health care operations are included in the detailed comments following the executive summary.
WEDI has concerns about how the term “marketing” will be defined in the regulations. While we support the concept of requiring specific authorization for the use of health information for marketing purposes, we do not want covered entities to be restricted in their ability to communicate information that positively affects patient care. Following are a few examples of activities that we are concerned could be construed as marketing, but the restriction of which could have a negative impact on patient care. These examples involve patient population selections based on wellness, current diagnosis or treatment, history, patient profile (e.g. age-related) or currently prescribed drugs: (A) reminder notices for appointments, diagnostic testing, treatments, lab tests, and physical exams; (B) announcing availability of new drugs, diagnoses, treatments or wellness information; and (C) notices of formularies, wellness programs, additional (or restricted) plan coverage and educational materials.
WEDI is concerned about the impact of individual authorization on mergers and acquisitions. There are times when the consolidation of covered entities through merger or acquisition results in lower cost and improved patient care. The requirement for individual authorization would impair the ability of covered entities to consolidate. Therefore, WEDI recommends that authorization for release of information not be required for mergers and acquisitions between covered entities. Additionally, WEDI has general concerns about resolution of enforcement in the event a HIPAA-compliant covered entity acquires or merges with a non-HIPAA-compliant
For ease of reference, each comment is identified as to the page number, Section in the Federal Register and the issue to which it pertains.
Page 59924, Sec. I.E.1 – Applicability
Page 59924, Sec. I.E.2 – General rules
Page 59925, Sec. I.E.4 – Uses and disclosures with individual authorization
Page 59926, Sec. I.E.10 – Enforcement
Page 59927, Sec. II.A.1 – Covered Entities – Clearinghouse definition
7) Page 59927, Sec. II.A.1 – Covered Entities – Other types
WEDI recommends that the definition of covered entity be expanded to include life insurance and casualty carriers that may not fit the definition of “health plan” but in fact may be performing the functions of a health plan in receiving protected patient information and paying for the services of a covered health care provider. If DHHS determines that it does not have the authority to cover these entities, then WEDI again recommends and urges that legislation be passed that would cover all protected health information no matter the entity maintaining or transmitting such information.
Page 59929, Sec. II.A.3 – Interaction with other standards
Page 59933, Sec. II.B.4 – Designated record set
Pages 59933-34, Sec. II.B.16 – Health care operations
Page 59936, Sec. II.B.19 – Enforcement and approach related to
Pages 59933-34, Sec. II.B.21 – Employers' receipt of protected health
Page 59938, Sec. II.B.23 – Psychotherapy notes
Page 59940, Sec. II.C.1 – Use and disclosure for treatment, payment and health care operations
Pages 59943-45, Sec. II.C.2 – Minimum necessary use and disclosure
Pages 59947-50, Sec. II.C.5 – Application to business partners
Pages 59953-54, Sec. II.D.2 – Requirements when the covered entity initiates the authorization
Page 59965, Sec. II.E.7 – Disclosure of directory information
Page 59966, Sec. II.E.8 – Banking and payment processes
Page 59976, Sec. II.F.1 – Rights and procedures for a written notice of information practices
Pages 59976-80, Sec. II.F.1 – Rights and procedures for a written notice of information practices
Pages 59976-80, Sec. II.F.2 – Rights and procedures for access for inspection and copying
Pages 59985-86, Sec. II.F.3 – Rights and procedures with respect to an accounting of
Pages 59976-80, Sec. II.F.3 – Rights and procedures with respect to an accounting of disclosures
Pages 59986-88, Sec. II.F.4 – Rights and procedures for amendment and
Pages 59988-89, Sec. II.G.2 – Training
Pages 59989-90, Sec. II.G.3 – Safeguards
Pages 59994-99, Sec. II.I.1 – Relationship to State laws
Pages 60003-4, Sec. III.1 – Small business assistance
Pages 60006-8, Sec. III.1 – Summary of costs and benefits
Page 60049, Sec. 160.102 – Covered entities, definition of covered health care provider
Page 60049, Sec. 160.103 – Health care clearinghouse definition
Page 60051, Sec. 160.203(c) – General rule and exceptions to
Page 60053, Sec. 164.504 – Definition of individually identifiable
Page 60052, Sec. 164.504 – Disclosure definition
Page 60053, Sec. 164.504 – Payment definition
Page 60054, Sec. 164.506(d)(2)(ii)(A) – Standards: Use or disclosure of de-identified protected health information
Page 60054, Sec. 164.506(e)(1)(i) – Standards: Business Partners
Page 60055, Sec. 164.506(e)(2)(ii)(A) – Third Party Beneficiary
In concluding our comments regarding Privacy-P, WEDI would like to take this opportunity to express our gratitude to the many federal government employees and others outside of the government, including WEDI’s own Policy Advisory Group members, all of whom have worked so long and so hard to prepare the proposed rule on this very complex issue. We are now eager to take the next steps in this process. Certainly, that includes clarifying or expanding upon any of these comments during the upcoming review period as well as offering any other assistance that is requested and appropriate to ensure the timely preparation and publication of the final rule.
Board of Directors
A number of Federal laws have been enacted to prevent and protect against the inappropriate collection, use, and disclosure by governmental agencies of sensitive personal information. For example, the Privacy Act (5 U.S.C. §552a) establishes fair information practices governing the collection, use, and disclosure of individually identifiable information by Federal agencies. Knowing and willful violations of the Privacy Act may be punished by criminal prosecution.
Congress amended the computer crime statute to provide criminal penalties for governmental employees who knowingly access a computer in excess of their authority. See 18 U.S.C. §1030(a)(2). This means that the employee accessed a computer with authorization, but used that access to improperly obtain access to or alter information. 18 U.S.C. §1030(e)(6). The amendments were passed in response to reports of widespread instances of government employees accessing information in governmental computers (such as the DOJ National Crime Information Center or IRS tax records) for illegitimate reasons. Under the new provisions, such violations are punishable by fine and up to a year in prison. Where the violations are for personal financial gain, commercial advantage, in furtherance of any criminal or tortious act, or the value of the information exceeds $5,000, they are punishable by fine and up to 5 years in prison. Violations which occur after a conviction for another offense under this section are punishable by fine and up to 10 years in prison.
Federal law also protects other specific information from unauthorized access and disclosure by governmental employees. The unauthorized disclosure of taxpayer information, for instance, violates 26 U.S.C. §7213 and is punishable by a fine of up to $5,000 and up to 5 years in prison.
While some violations, such as those resulting from mere inadvertence, are appropriately handled through administrative processes, should your agency develop evidence that an employee has violated the criminal provisions of one of these privacy laws, particularly where the violation is committed for personal financial gain, commercial advantage, in furtherance of a criminal or tortious act, or involves a repeat offense or serious abuse of the public’s trust, I would encourage you to refer the matter to the local U.S. Attorney’s Office for appropriate action. In the event your agency is not able to investigate the matter, please forward the matter to the local FBI office. In addition, to ensure that the Department of Justice properly focuses on these matters, we request that you forward a copy of any such referral to the appropriate individual
Chief, Computer Crime & Intellectual Property Section
Chief, Criminal Enforcement Office
Privacy Act Violations:
Chief, Public Integrity Section
Posted to HIPAAcomply
HIPAA Regulation Compliance on Heels of Y2K Headache
A number of resources are available on the Internet that highlight the proposed rules and additional information regarding HIPAA. Web sites include the main government source site www.aspe.os.dhhs.gov/admnsimp/ and the HCFA site at www.hcfa.gov/hipaa/hipaaahm.htm. Other organizations tracking HIPAA can be found at www.wedi.org, www.ehnac.org, and www.afehct.org. There is also the HCFA site which contains details on the Internet security policy at www.hcfa.gov/security/isecplcy.htm. Implementation guides may also be found at www.wpc-edi.com/hipaa. In addition to the Internet, healthcare industry consultants such as Beacon Partners, who devote an entire arm of their practice to security and HIPAA compliance (www.beaconpartners.com), may also be an excellent source of knowledge that can help organizations determine where to begin when ensuring HIPAA compliance.
Joseph Cisna is the Marketing Director for Experior Corporation (www.experior.com).
DHHS moves on Patient Privacy
From News & Trends section, Healthcare Informatics Magazine, January 2000
Posted to HIPAAcomply 01/04/00
Due to the massiveness of the Privacy NPRM (Notice for Proposed Rule Making) and the expected time conflicts in dealing with Y2K, responses to the proposed Privacy Regulations have been extended from Jan. 3, 2000 to Feb. 17, 2000.
The dates for the final rules for HIPAA regulations have been modified to the following:
EDI Transaction formats and codes => January 2000.
Security and National Provider Identifier => March 2000
Employer Identifier => 1Q2000
The new NPRMs (Notice for Proposed Rule Making) for health plan identifiers and claims attachments are expected to be released in 1Q2000.
The reason for the delay essentially rests in the improvements and clarifications that were introduced in the process of developing the Privacy NPRM. That is, DHHS had used a number of "improved definitions" for terminology that was also in all of the prior NPRMs (security, transactions, codes, etc.). Therefore, DHHS needs the additional time to align the rest of the NPRMs with changes made in the Privacy NPRM.
HHS Proposes First-Ever National Standards To Protect Patients' Personal
Clinton Plan Would Tighten Medical Privacy
October 29, 1999
WASHINGTON (CNN) -- Because Congress "failed to act," President Clinton on Friday proposed federal regulations to keep some medical records away from curious employers, marketing firms and others who often see patients' most sensitive information without their consent. The proposed regulations would restrict the use and release of private health information transmitted or maintained by computers, including printouts.
"Every American has a right to know that his or her medical records are protected at all times from falling into wrong hands and yet more and more of our medical records are stored electronically," Clinton said at the White House. As a result, "the threats to our privacy have substantially increased."
"A recent survey showed that more than a third of all Fortune 500 companies check medical records before they hire or promote," the president said.
"One large employer in Pennsylvania had no trouble obtaining detailed information on the prescription drugs taken by its workers, easily discovering that one employee was HIV-positive," Clinton said. "This is wrong."
Health industry groups say it will cost billions of dollars to comply with the proposed measures and could hinder patients' access to their own records.
President acted after Congress didn't
Existing laws protecting medical privacy vary widely from state to state. Currently, there are no federal guarantees that private information won't be passed to employers, sold to pharmaceutical companies or talked about in insurance company offices.
The administration will publish the proposal next week for review. It has until February 2000 to issue a final proposal, with the rules to take effect in 2002.
The new federal rules would go beyond the weaker protections of some states, but would not override those with more restrictive laws.
Only congressional action can protect the large amount of medical information that has existed only on paper. "There are still protections ... we can give our families only if there is an act of Congress passed," Clinton said, asking House and Senate leaders to help enact "a comprehensive medical privacy law."
Written consent required
When required to release medical information, health organizations would have to limit the disclosure to the minimum necessary for each case instead of a patient's entire record. For example, when paying for medical services, no treatment information would be sent to banks or credit card companies.
Patients also would be given the right to see and copy their medical records and to request corrections of any errors.
Under the new rules, law enforcement organizations would be prohibited from obtaining medical records without legal authorization like a warrant or court order. This retreats from the administration's previous position of allowing law enforcement unfettered access to health records.
Patient notification required
Health maintenance organizations would also have to establish internal procedures to protect patient records, including limiting access to information and training employees to keep patient information private during their routine operations.
If a state requires a parent to be involved, then the privacy rights would apply to the parent, not the minor.
During congressional debate, Democrats led by Massachusetts Sen. Edward Kennedy pushed to allow teens to keep their records private, even from their parents and even when it involves abortion.
After Congress failed to meet the August 21 deadline it set three years earlier, the 1996 law required the Department of Health and Human Services to write regulations on medical privacy.
Posted to HIPAAcomply 01/04/00