HIPAAlert Volume 1 No. 1 October 25, 1999
This newsletter is sponsored by Phoenix Health Systems and HealthExecOnline,
to keep healthcare managers on top of the latest issues concerning
HIPAA security. HIPAAlert is published monthly, or more often as
events dictate. Have a question or comment?
E-mail us anytime at: info@phoenixhealth.com
THIS ISSUE
- Welcome: What to Expect from HIPAAlert
- HIPAAprimer: The Skinny on HIPAA
- HIPAAnews: Privacy Rules; Code Sets; Industry Reacts!
- HIPAAlinks
W E L C O M E to our 1000+ initial subscribers!
First issues are tough to assemble: so much to cover, so little
reader time.
Still, a brief introduction is in order....
HIPAAlert has been created by our HIPAA research and consulting
team to help you meet an extraordinary new challenge posed by a
law passed over 3 years ago. Its official, unwieldy moniker is The
Health Insurance Portability and Accountability Act of 1996.
Little in its name implies the bill's sweeping impact on the healthcare
industry in the areas of information security and confidentiality.
In fact, four of its five Titles deal with other issues of healthcare
management, like health insurance access, medical savings accounts,
and health insurance for the self-employed. However, because HIPAA
also focuses on regulating the collection and use of all individually
identifiable electronic health and healthcare-related information
and demographic data by virtually every segment of the healthcare
industry, it has been dubbed the "Y2K" of the next decade
- even "Y2K on steroids!"
The Department of Health and Human Services (DHHS) has estimated
that the costs of implementing the mandated changes will "rival
and perhaps exceed the cost of fixing the Y2K problem."
Most final HIPAA rules are expected to be published by the end
of 1999, and in effect 60 days after. Implementation must be complete
2 years later, or approximately early 2002.
Throughout this period, HIPAAlert will help you stay abreast of
regulatory developments and related news. We'll also report on industry
initiatives and reactions, explore HIPAA's real-life impact on your
organization, analyze compliance issues, and survey tactical alternatives.
You'll receive notices and reports on important HIPAA conferences,
and be hooked up to a variety of useful HIPAA resources. And, starting
November, we will maintain complete archives of HIPAAlert, along
with a variety of full-text articles and other source materials.
Your questions, comments and suggestions are always welcome!
E-mail us at: info@phoenixhealth.com
HIPAAprimer
WHAT IS HIPAA?
The Health Insurance Portability & Accountability Act of 1996
(enacted August 21, 1996), Public Law 104-191, which amends the Internal
Revenue Code of 1986. Also known as the Kennedy-Kassebaum Act.
Title II includes a section, Administrative Simplification, requiring:
- Improved efficiency in healthcare delivery by standardizing
electronic data interchange, and
- Protection of confidentiality and security of health data through
setting and enforcing standards.
More specifically, HIPAA calls for:
- Standardization of electronic patient health, administrative
and financial data
- Unique health identifiers for individuals, employers, health
plans and health care providers
- Security standards protecting the confidentiality and integrity
of "individually identifiable health information," past, present
or future.
The bottom line: sweeping changes in most healthcare transaction
and administrative information systems.
WHO IS AFFECTED?
All healthcare organizations. This includes all health care providers,
even 1-physician offices, health plans, employers, public health
authorities, life insurers, clearinghouses, billing agencies, information
systems vendors, service organizations, and universities.
ARE THERE PENALTIES?
HIPAA calls for severe civil and criminal penalties for noncompliance,
including:
- civil fines of up to $100 per violation, capped at $25,000 per
calendar year for violations of the same standard
- criminal fines of up to $250,000 and/or imprisonment of up to 10
years for knowingly obtaining or disclosing individually identifiable
health information with intent to sell, transfer or use it for commercial
advantage, personal gain or malicious harm (lower tiers apply to knowing
misuse without such intent)
COMPLIANCE DEADLINES?
Most entities have 24 months from the effective date of the final
rules to achieve compliance. Normally, the effective date is 60
days after a rule is published. In effect, since most final rules
will be published by the end of 1999, compliance will be necessary
by early 2002.
For specifics, see DHHS' Schedule for Publication of the regulations
at:
http://aspe.hhs.gov/admnsimp/asmiles.htm
HOW WILL WE BE AFFECTED?
Broadly and deeply. The fact is, in any environment, 19 separate
security policies must go into place to meet 61 specific conditions
(68, if a computer network is in use). Required compliance responses
aren't standard, because organizations aren't. For example, an organization
with a computer network will be required to implement one or more
access control mechanisms ("user-based," "role-based" and/or
"context-based" access) depending on its network environment.
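The three access modes named above are easiest to compare side by side. The following Python is an added example written for this issue; it is not code from HIPAAlert, Phoenix Health Systems or any regulation. It assumes a hypothetical record system where a patient record carries a nursing unit and an attending physician, and it treats user-based access as an explicit per-patient grant list, role-based access as a role-to-action table, and context-based access as a rule that looks at the clinical relationship and the time of day. It also adds an emergency ("break-glass") path that grants a clinician access but flags the event for review, a common hospital practice that the text does not mention. All users, units and patient identifiers are constructed.

```python
# Added example (not code from the HIPAAlert newsletter or from Phoenix Health
# Systems): a minimal authorization check for electronic patient records that
# combines the user-based, role-based and context-based modes named in the
# text. All users, units and patient identifiers below are constructed.
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Record:
    patient_id: str
    unit: str        # nursing unit the patient is currently assigned to
    attending: str   # user id of the attending physician


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    unit: str = ""   # unit the user is staffed on (nurses only)


# User-based access: explicit per-patient grants to named users (constructed).
USER_ACL = {"P-1001": {"dr_lee"}, "P-1002": {"dr_lee"}}

# Role-based access: which actions each role may perform at all.
ROLE_PERMS = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read_demographics"},
}

# Context-based access: a nurse may reach patients on her own unit, during shift.
SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)


def user_based(user, record):
    return user.user_id in USER_ACL.get(record.patient_id, set())


def role_based(user, action):
    return any(action in ROLE_PERMS.get(role, set()) for role in user.roles)


def context_based(user, record, now):
    if "physician" in user.roles:
        return user.user_id == record.attending
    if "nurse" in user.roles:
        return user.unit == record.unit and SHIFT_START <= now.time() < SHIFT_END
    if "billing" in user.roles:
        return True   # demographics only; the role table limits the action
    return False


def authorize(user, record, action, now, audit, emergency=False):
    """Role gates the action; an explicit grant or the clinical context
    establishes need-to-know. An emergency ("break-glass") request by a
    clinician is granted anyway but flagged for after-the-fact review."""
    allowed_role = role_based(user, action)
    allowed = allowed_role and (user_based(user, record) or context_based(user, record, now))
    break_glass = False
    if not allowed and emergency and allowed_role and user.roles & {"physician", "nurse"}:
        allowed, break_glass = True, True
    audit.append({
        "when": now.isoformat(), "user": user.user_id, "patient": record.patient_id,
        "action": action, "allowed": allowed, "break_glass": break_glass,
    })
    return allowed


# Constructed users, records and times used by the demonstration.
DR_LEE = User("dr_lee", frozenset({"physician"}))
NURSE_BOB = User("nurse_bob", frozenset({"nurse"}), unit="3W")
BILLING_CY = User("billing_cy", frozenset({"billing"}))
P1001 = Record("P-1001", "3W", "dr_lee")
P1003 = Record("P-1003", "ICU", "dr_kim")
DAY = datetime(1999, 10, 25, 10, 0)
NIGHT = datetime(1999, 10, 25, 22, 0)


def run_demo():
    """Return the decision for each scenario plus the audit trail."""
    audit = []
    results = {
        "attending_reads_own_patient": authorize(DR_LEE, P1001, "read", DAY, audit),
        "nurse_same_unit_on_shift": authorize(NURSE_BOB, P1001, "read", DAY, audit),
        "nurse_same_unit_off_shift": authorize(NURSE_BOB, P1001, "read", NIGHT, audit),
        "nurse_other_unit": authorize(NURSE_BOB, P1003, "read", DAY, audit),
        "nurse_other_unit_emergency": authorize(NURSE_BOB, P1003, "read", DAY, audit, emergency=True),
        "billing_reads_chart": authorize(BILLING_CY, P1001, "read", DAY, audit),
        "billing_reads_demographics": authorize(BILLING_CY, P1001, "read_demographics", DAY, audit),
    }
    return results, audit


if __name__ == "__main__":
    decisions, log = run_demo()
    for name, ok in decisions.items():
        print(f"{name:32} {'ALLOW' if ok else 'DENY'}")
    print("break-glass events:", [e for e in log if e["break_glass"]])
```

The point of the combination rule is that none of the three modes is sufficient alone: the role table stops a billing clerk from reading a chart at all, while the context rule stops a nurse from reading a chart on another unit or after her shift even though her role permits reading. Every decision, including the emergency override, lands in the audit list, which is what makes the break-glass path reviewable rather than a silent bypass.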
Effective compliance will require organization-wide implementation.
Steps will include:
- Building initial organizational awareness of HIPAA
- Comprehensive assessing of the organization's information security
systems, policies and procedures
- Developing an action plan with deadlines and timetables
- Developing a technical and management infrastructure to implement
the plan
- Implementing a comprehensive action plan, including
  - developing new policies, processes, and procedures
  - building "chain of trust" agreements with service organizations
  - redesigning a compliant technical information infrastructure
  - purchasing new, or adapting, information systems
  - developing new internal communications, training and enforcement
WHAT ABOUT COSTS?
It has been estimated that HIPAA compliance will consume 33 cents
of every healthcare dollar spent between now and 2002. Whether this
number ends up being accurate is beside the point: compliance will
be exceptionally costly, and in many organizations has yet to be
budgeted.
FROM THE HIPAA'S MOUTH...
The National Committee on Vital and Health Statistics (NCVHS),
the advisory committee to DHHS on health data issues, recently submitted
its report to Congress on DHHS' progress in implementing the Administrative
Simplification Provisions, including:
- Standard Identifiers
- Transaction Standards and Code Sets
- Security and Electronic Signatures
- Claims Attachments
- Privacy
The full text of this definitive report is available at:
http://www.ncvhs.hhs.gov/yr2-ltr.htm
H I P A A n e w s
*** JCAHO Accreditation to Include Security Review ***
The Joint Commission on Accreditation of Healthcare Organizations
announced September 13 that it intends to look at the strength of
security systems in protecting health information, as part of its
accreditation process. Paul Schyve, senior vice president
of JCAHO, said that JCAHO and other accrediting bodies are addressing
how healthcare organizations are implementing laws focused on information
security, such as HIPAA.
*** DHHS to Draft Final Health Privacy Rules ***
DHHS staff are currently drafting final privacy regulations in
order to meet the February 21, 2000 deadline set by HIPAA (42 months
after enactment).
Though Congress was mandated to pass comprehensive health privacy
legislation by August 21, 1999, its failure to do so automatically
activated the DHHS' deadline to generate regulations. The
department plans to publish its draft by the end of 1999, to allow
for the required 60-day comment period prior to issuing final regulations.
DHHS indicates that its draft will be strongly based on its Recommendations
for Confidentiality of Individually-Identifiable Health Information,
submitted to Congress on September 11, 1997. The full text of the
Recommendations is available at:
http://aspe.hhs.gov/admnsimp/pvcrec.htm
*** Industry Security Summit Held to Provide Security Guidance ***
On October 12, healthcare industry leaders mounted a 2-day HIPAA
Security Summit in Baltimore, MD, in order to define implementation
guidelines protecting the confidentiality of electronic patient
data. The Summit was sponsored by several healthcare provider
organizations, vendors, associations and educational institutions,
including Johns Hopkins Medicine and the Workgroup for Electronic
Data Interchange (WEDI). The Health Care Financing Administration
(HCFA) and DHHS have encouraged healthcare organizations to convene
such meetings to help provide needed security guidance and to assist
in the writing of privacy rules mandated by HIPAA.
*** ASC X12N EDI Implementation Guides Released ***
DHHS announced on June 3 that the final versions of the nine ASC
X12N EDI Implementation Guides and the Health Care Element Dictionary
are complete. It is expected that the department will adopt
these standard guides in the final rule, expected to be published
next month. Guides can be downloaded from the Washington Publishing
Company's Web site at:
http://www.wpc-edi.com/HIPAA
H I P A A l i n k s
http://aspe.hhs.gov/admnsimp
and http://www.ncvhs.hhs.gov
The Department of Health and Human Services - Administrative Simplification
site, and The National Committee on Vital and Health Statistics
site offer calendars, proposed rules, implementation timetables,
news, meeting minutes, full text regulatory documents and FAQs on
HIPAA.
http://www.hcfa.gov
The Health Care Financing Administration site provides information
on unique identifiers, Medicare EDI and other HIPAA concerns.
http://www.wedi.org
The Workgroup for Electronic Data Interchange is a broad-based
industry association which was designated by HIPAA as an advisor
to the Secretary of DHHS regarding EDI standards. Its web site includes
conferences, health care EDI info, and resources for standard transactions.
http://www.jhita.org
The Joint Healthcare Technology Alliance includes AHIMA, HIMSS
and other healthcare information groups. Provides variety of HIPAA
information including advocacy papers and technology resources.
COMMENTS? E-mail us at: info@phoenixhealth.com
Copyright 1999 Phoenix Health Systems, Inc. http://www.phoenixhealth.com