


HIPAAnotes Volume One, Numbers 10-14

No. 10 (1/3/01): HIPAAdetail: Paper or Electronic Records

Under the Proposed HIPAA Privacy Rule, paper records were not necessarily covered. One had to "look to the source" to know if specific records were covered by HIPAA. No more.

The Final HIPAA Privacy Reg was published last week in the Federal Register and included several changes. Likely the single biggest change is that the final reg covers personal medical records in all forms.

The proposed reg had applied primarily to electronic records. Paper records were covered only if they had at some point existed in electronic form.

The final reg extends protection to all types of personal health information created or held by covered entities. Oral communications and paper records (no matter what their source) are now covered.

For more information about the final privacy reg, go to:
http://www.hipaadvisory.com/regs/finalprivacy/


No. 11 (1/9/01): HIPAAdetail: How Do We Direct Your Call?

Sometimes private health data may simply be the information that a person is a hospital in-patient. Historically, family and the clergy have been given the "right" to this information. Will this change under HIPAA?

The Final Privacy Rule permits directory information to be given to members of the clergy and to anyone who asks for a person by name. That directory information includes the patient's name, location in the hospital, her condition in general terms and her religious affiliation.

Patients must be allowed the opportunity to be removed from the directory or limit what information is given to whom. The proposed rule had required that a patient "opt-in" to the directory. Now, to be excluded from the directory, a patient must "opt-out" of it -- slightly easing the administrative burden on hospital staff.

For more information on the Final Privacy Rule, go to:
http://www.hipaadvisory.com/action/privacy/
http://www.hipaadvisory.com/regs/finalprivacy/


No. 12 (1/16/01): HIPAAdetail: HIPAA Compliant Technology?

Many organizations are looking for HIPAA "compliant" technology. However, HIPAA was intended to be technology-neutral. The state of the art in technology is so fluid today that the framers of HIPAA decided that codifying particular technologies would be too inflexible to be practical. HIPAA requires that covered entities perform a risk assessment. A risk assessment will assess potential risks and vulnerabilities to the individual health data you have.

Appropriate security measures should then be developed and implemented. What will be appropriate is based on the risks and the organization's tolerance of those risks.

No "one-size-fits-all" technology will bring an entity into compliance.

For more information on compliance with the HIPAA regs, go to: http://www.hipaadvisory.com/action/


No. 13 (1/22/01): HIPAAdetail: HIPAA and the EMR

Security, privacy, and confidentiality concerns have become major barriers to widespread implementation of Electronic Medical Record systems and sharing data. Of equal importance to preserving patient privacy is the necessity for institutional privacy. No institution will be willing to share data if those data can be used to provide a business advantage for a competitor.

HIPAA calls only for recommendations on electronic medical records. There is no authority within the act to require the development of a standard. Furthermore, any means for enforcing compliance with a standard are not specified. However, NCVHS has recommended to DHHS several actions that broadly support all possible means -- legislative, economic, research and policy -- for advancing the standardization of patient medical records. The costs of standardizing the medical record will be great, but so will the long-term benefits.

--Excerpted from HIPAA@IT, an excellent new book by Roy Rada, MD, Ph.D. on HIPAA compliance. For a longer excerpt and more information on Roy's book, go to: http://www.hipaadvisory.com/action/atit/book


No. 14 (1/29/01): TechTerm: Catching a Cold Online

We've all heard of viruses (or, if you prefer, virii) and the damage they can wreak on computer systems. Chances are you have had one. The term "virus" actually means only one subset of malicious software code. However, the term has morphed over time and now nearly all malicious code is popularly called a virus.

Malicious software can alter data, destroy files, bring down an entire network or simply be cute and annoying. Some are set to go off at a certain time, others when you perform a certain action, and still others slowly take over your system resources.

Proposed HIPAA Security standards require a virus check that can identify at least three types of malicious code.

  • Malicious code which is a stand-alone application and replicates itself (also called a worm).
  • Malicious code fragment which attaches itself to another program and replicates itself (the original "virus").
  • Malicious code which causes itself to be inserted in another program (sometimes as a Trojan horse).

All reputable virus checks will scan, identify and disable these types of code. Like any computer program though, the detection software must know what it is looking for. So it is important to keep the "definition" files up to date. Updates are typically included in the price of the software, but usually must be downloaded regularly.

After all, it makes no sense to get a shot for last year's flu.

For more information on security technology, go to: http://www.hipaadvisory.com/tech/





HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.