H I P A A L E R T Volume 1 No. 9 August 17, 2000
> From Phoenix Health Systems -- HIPAA Knowledge...HIPAA Solutions <
HIPAAlert is published monthly as a service to the healthcare industry
to help managers and professionals stay on top of current issues
related to HIPAA security and privacy. Current subscribers total
just under 7000. Do you have interested associates? They can subscribe
free at: http://hipaalert.com
IF YOU LIKE HIPAALERT, YOU'LL LOVE HIPAAdvisory.com, the most comprehensive
HIPAA resource site on the web -- and THE industry "place" to begin
your HIPAA implementation efforts. http://www.HIPAAdvisory.com
T H I S I S S U E
1. From the Editors: Today the Clock Starts
2. HIPAAnews: Final Rule, Privacy Bills, NCVHS Report and More
3. HIPAAdvisor: E-mail Transmissions
4. What's So New About the Final Rule?
5. Announcing WEDI's Strategic National Implementation Process
1 / F R O M T H E E D I T O R S:
Per Bill Braithwaite of the Department of Health and Human Services
(DHHS), "The HIPAAs are coming, the HIPAAs are coming!" Finally,
late last Friday, word came that the Final Rule for Transactions
and Code Sets had been released to the Federal Register. Publication
occurred today, Thursday, August 17th. For most organizations, this
sets a compliance deadline of October 16, 2002. Small health plans
have 12 additional months to comply.
In response, the Healthcare Information and Management Systems
Society (HIMSS) has announced two Flash Web Audio Conferences next
week, focusing on the final rule. In addition to reviewing specifics
of the rule, Phoenix has been asked by HIMSS to analyze how the
final and proposed versions differ, and to offer specific compliance
planning recommendations. Don't miss this special opportunity to
jump-start Transactions and Code Sets compliance; just visit http://www.himss.org
to register online for either August 22nd or August 24th. Incidentally,
each 1-hour conference will offer the same content; if one date
won't work, the other surely will.
On other fronts, consumer concerns continue to drive additional
legislative and industry initiatives on information privacy and
security. Congress is considering no less than 16 bills that affect
privacy in the healthcare industry. Some of the bills deal exclusively
with electronic issues, while others do not draw distinctions. Read
more about two of these bills in HIPAAnews.
Also below: a recent report to DHHS that the government take a
leadership role in addressing standards issues... Steve Fox covers
encrypting e-mail transmissions in HIPAAdvisor... and read about
a centralized, national effort to support HIPAA compliance. Next
month, we will be conducting our quarterly HIPAA compliance progress
survey. If we can use your suggestions and ideas, we will - so let
us know now what issues are most important to you!
Diane Boettcher, Editor
dboettcher@phoenixhealth.com
D'Arcy Guerin Gue, Publisher
daggue@phoenixhealth.com
2 / H I P A A n e w s
*** Transactions and Code Sets Final Rule Published. ***
The Final Rule on Transactions and Code Sets was published today
in the Federal Register. The rule will be final in sixty days; healthcare
industry organizations will have 24 months in which to comply (October
16, 2002).
We have published the full text of the rule, with keyword search
capability, at: http://www.hipaadvisory.com/regs/finaltrans/index.htm
See Section 4 below for our summary of the differences between
the proposed rule and the final rule on Transactions and Code Sets.
*** Internet Privacy Bill Introduced in Senate. ***
Introduced July 26th, the Consumer Internet Privacy Enhancement
Act (S-2928), would require commercial web sites that collect personally
identifiable information to provide consumers with "clear and conspicuous
notice" about their information collection practices. Sites would
be required to describe entities collecting information via the
web site; how the information will be used; the types of information
collected; if the provision of information is required to use the
site; and the methods taken to secure personal information. The
bill would give consumers the option to limit the use of personally
identifiable information by commercial web sites. Senators McCain
(R-AZ), Kerry (D-MA), Abraham (R-MI) and Boxer (D-CA) are sponsoring
the bill.
*** Organizations Weigh in on Medical Financial Privacy Act. ***
The Medical Financial Privacy Act (HR-4585), which passed the
House Committee on Banking and Financial Services on July 20th,
proposes to prohibit financial institutions from sharing medical
financial records, and from using a consumer's medical information
in providing credit, without customer consent. This bill would not
limit or supersede medical privacy standards to be established under
HIPAA.
The American Bankers Association (ABA) has issued a statement opposing
the bill. The ABA has expressed general support for medical financial
privacy legislation. However, the current bill is considered "so
vague" that "a customer can demand that virtually every file in
the institution be searched."
The Independent Insurance Agents of America has endorsed the bill,
following inclusion of a change that clarified how it applied to
group health plans up for renewal or change.
*** NCVHS Report on Patient Medical Record Data Standards. ***
The National Committee on Vital and Health Statistics (NCVHS),
the Public Advisory Body to the Secretary of Health and Human Services,
has released its report on Uniform Standards for Patient Medical
Record Information (PMRI) to DHHS. NCVHS was directed by HIPAA to
report to DHHS on "issues related to the adoption of uniform data
standards for PMRI and the electronic exchange of such information."
The report addresses the protection of confidentiality of medical
records information; reducing barriers to the electronic exchange
of information caused by diverse state laws; increasing the participation
of underrepresented groups in the standards development process;
and coordinating the development of patient information standards
within the broader context of a National Health Information Infrastructure
(NHII).
It recommends that the government take the lead in addressing these
issues by accelerating the development, adoption and coordination
of PMRI standards. Further, it addresses the related issues of protecting
the confidentiality of PMRI, reducing barriers to the electronic
exchange of PMRI caused by diverse state laws, and coordinating
the development of PMRI standards within the broader context of
NHII.
To view the executive summary, go to: http://www.hipaadvisory.com/regs/ncvhsexecsum.htm
To view the full report in PDF format, visit: http://www.hipaadvisory.com/regs/Regs_in_PDF/hipaa000706.pdf
*** Privacy a Major Concern for Online Healthcare Consumers. ***
Successful development of the online healthcare field will depend
upon companies adequately handling consumers' concerns about privacy,
security and ethical issues, according to a new Cyber Dialogue Health
Practice report, "Protecting Consumer Privacy in Online Healthcare".
Among the 37 million online users who do not currently use online
health information, the report found that 6.3 million don't primarily
because of privacy and security concerns. The report, based partly
on a survey sponsored by the California HealthCare Foundation and
the Internet Healthcare Coalition, recommends that healthcare companies
build consumer loyalty and propel industry growth by responding
to consumer demand for a more trustworthy, ethically sound online
environment.
3 / H I P A A d v i s o r : Legal Q/A with Steve Fox, Esq.
*** E-MAIL TRANSMISSIONS ***
---------------------------
QUESTION: I work for a hospital that routinely sends patient records
to various third party contractors via email. To my knowledge, this
information is not encrypted or password protected. Does HIPAA forbid
these types of transmissions?
I keep reading about the HCFA Internet Security Policy; what is
HCFA and what relationship and/or relevance, if any, does it have
to HIPAA? Is there anything we should be doing relative to e-mail
communications while we wait for HIPAA regulations on the issue?
ANSWER: While the proposed HIPAA regulations do not forbid electronic
transmission of such information, they do require the information
to be encrypted.
The answer to your question has implications that extend far beyond
compliance with HIPAA's security standards. The broader and perhaps
more important issue is your hospital's patients' comfort level
with the hospital's current, rather lax, Internet security protocol
if it were made public. Even assuming that the hospital's current
approach is not uncommon, the hospital's patients may feel their
trust has been misplaced. What the hospital does when HIPAA takes
effect won't be able to repair the damage to the hospital's reputation.
One of the most important issues facing our society in this "electronic
information age" is how to reap the benefits of instant data transmission
and at the same time protect the privacy of the individual. There
are currently no fewer than 16 bills pending in Congress that address
this issue. In fact, a recent article cites consumers' enormous
privacy concerns as a hindrance to more widespread use of the Internet
for online health care and health education (http://www.hipaadvisory.com/views/Patient/online071200.htm).
HIPAA confronts this issue by imposing minimum-security standards
on health care providers, clearinghouses, plans, and other entities
that electronically maintain or transmit health information (as
defined by the Act).
Electronic transmissions include, among others, transmissions over
the Internet and extranets (using Internet technology to link to
a business with information only accessible to collaborating parties).
The proposed rules require protection of electronically transmitted
health information so that it cannot be "intercepted [or] interpreted
by parties other than the intended recipient and [can be] protect[ed]...
from intruders trying to access systems through external communication
points." The proposed HIPAA regulations recognize that information
transmitted over the Internet is especially vulnerable to compromise
and interference, and accordingly require such information to be
encrypted.
It is advisable for the hospital to follow the Health Care Financing
Administration (HCFA) Internet Security Policy guideline until the
final HIPAA security regulations are released. HCFA is the DHHS
agency responsible for Medicare and parts of Medicaid. HCFA's Internet
Security Policy applies to HCFA contractors, state agencies acting
as HCFA agents, other government organizations, and any entity that
has been authorized by HCFA to access HCFA information resources.
HCFA's policy authorizes use of the Internet for transmission of
individually identifiable and other sensitive information as long
as:
- Covered entities use an acceptable method of encryption that
insures the confidentiality and integrity of the information being
transmitted; and
- There is an authentication/identification procedure to verify
the identity of the sender and the intended recipient.
The HCFA Internet Security Policy is relevant to HIPAA because
it lists acceptable approaches to complying with the authentication
and identification requirements of the policy. DHHS is likely to
take these approaches into account and could potentially use them
as a model when making final determinations on the comparable HIPAA
regulation.
This article was co-authored by Rachel H. Wilson, an associate
at Pepper Hamilton.
---------------------------
Steve Fox, Esq. is a partner in the Washington, D.C. office of
Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law
firm with more than 400 lawyers in ten offices. A specialist in
healthcare, Steve is a frequent writer and speaker on healthcare
information management and technology issues.
http://www.pepperlaw.com/
Disclaimer: Steve's responses offer information that is general
in nature and should not be relied upon as legal advice. Only your
attorney is qualified to evaluate your specific situation and provide
you with customized advice.
4 / What's So New about the Final Rule?
Gaining a better understanding of the final Transactions and Code
Sets rule is a critical step towards compliance. Let's examine the
differences between the proposed rule and today's final rule, review
some key points that were clarified, and identify remaining unresolved
issues:
1. Elimination of the on-line interactive transaction exception
In the proposed rule, interactions between server and browser,
direct data entry, and fax back were exempt from the standards.
In the final rule, these transmissions must now comply with the
data content, but not with the data format. For example, with "dumb"
terminals, where the provider directly keys data into a health plan's
computer, the format need not comply with the standard, but the
data elements or content must comply. The final rule makes it clear
that a health plan may not offer an incentive for a healthcare provider
to conduct a transaction under the direct data entry exception.
2. Elimination of the exception for standard transactions within
a "corporate entity"
An exception in the proposed rule allowed non-standard transactions
to be used within a corporate entity, to minimize the burden of
change. The definition of a "corporate entity" caused considerable
confusion, especially given the rapid pace of change in the healthcare
industry. Under the final rule, covered entities must use a standard
transaction when transmitting to another covered entity, whether
the transmission is inside OR outside the entity. To help determine
when entities must use standard transactions, descriptions of each
transaction are now clarified in the final rule. In addition, the
preamble in the final rule provides examples of when a standard
transaction must be used. However, confusion remains on this issue
and further clarification is being sought.
3. Clarification of applicability to health plans
The proposed rule was unclear on whether a health plan must comply
with a standard if it doesn't currently support that standard electronically.
The final rule requires a health plan to accept and/or send a standard
transaction that it conducts but does not currently support electronically.
Therefore a health plan must be able to electronically transmit
a standard that it currently only transmits on paper. Health plans
may still choose to use a clearinghouse in order to comply.
4. Clarification of applicability to paper transactions and non-covered
entities
Many comments suggested that the final rule also cover paper transactions.
The decision was made not to include them at this point since many
paper forms do not support the data content required. Also, DHHS
indicates that applying the standards to both paper and electronic
transmission would not support HIPAA's overall objective to encourage
standard electronic transmission. Several commenters recommended
that the standards should apply to employers/sponsors who use electronic
data interchange (EDI), because of their major role in healthcare
administration. DHHS has responded that since HIPAA doesn't specifically
require employers/sponsors to use the transaction standards, DHHS
will not apply the regulation to them. However, health plans may
negotiate trading partner agreements with employers and sponsors
that require the use of standard transactions.
5. Clarification of "small health plan" definition
The proposed rule defined a small health plan as a health plan
with less than 50 participants. The final rule uses the Small Business
Administration's size standards, specifying a small health plan
as one with annual receipts totaling less than $5 million.
6. Addition of case management to regulation
In the proposed rule, case management was considered an "atypical
service" and therefore not subject to the standards. The final rule
reverses this exception. Case management is now considered a healthcare
service since it is directly related to the health of an individual
and is furnished by healthcare providers. Therefore, organizations
that have already set up HIPAA teams should re-think whether case
management should join them.
7. Addition of several definitions
Several new definitions are included to clarify applicability and
scope of the rule. These include trading partner agreement, covered
entity, workforce, business associate, and designated standard maintenance
organization (DSMO).
8. Addition of suggested implementation timelines
Timeline suggestions for implementation are included in the preamble.
Given the complex implementation sequencing issues that are anticipated,
health plans are encouraged not to require providers to use the
standards during the first year after the final rule's effective
date. Health plans are also encouraged to give providers at least
six months' notice before requiring a standard transaction.
A number of issues remain unresolved. The final rule addresses
these comments, but is deferring resolution to the future. These
issues include:
1. Preemption by states
The proposed rules did not offer preemption requirements. The final
rule indicates that the preemption issue will be resolved in the
context of the HIPAA Privacy final rule. Amendments to the Transaction
and Code Set rule also will be made at that time.
2. Compliance assessment and enforcement
The issues of compliance, timing, appeals, self-assessment or certification
demonstrating compliance will be addressed in an enforcement Notice
of Proposed Rulemaking (NPRM), to be published next year.
3. Interaction with privacy
A statement concerning the importance of developing standards to
protect the privacy of individually identifiable health information
is included. DHHS states that if the privacy standards are substantially
delayed, or if Congress fails to adopt comprehensive privacy legislation,
it would seriously consider suspending application of the transaction
standards or withdrawing the rule. It appears that DHHS is concerned
that the public may view this rule as a new example of the lack
of privacy of their health information. DHHS may have re-emphasized
the importance of privacy legislation to encourage public support
and successful implementation of this first of the long awaited
final HIPAA rules.
5 / WEDI Sponsors HIPAA Implementation Support Initiative
Efforts are underway at a national level to systematically support
HIPAA implementation across the industry. Plans include identification
of major implementation issues, best practices, and model workflow
scenarios; and mitigation of national deployment obstacles. The
Workgroup for Electronic Data Interchange (WEDI) has established
the WEDI HIPAA Strategic National Implementation Process (SNIP)
Task Force.
SNIP's goals are to assess industry-wide HIPAA Administrative Simplification
implementation readiness and to help bring about the national coordination
necessary for successful compliance. SNIP's activities are centered
on three internal workgroups. The Transaction and Code Sets Work
Group is focusing on testing implementation coordination deployment
protocols. The Security Work Group is working on implementation
issues and assessment of industry feedback on pilots such as Internet
Interoperability; and the Education Work Group is addressing training
objectives, industry awareness and readiness, information gaps and
proposed solutions.
The first SNIP Forum, held June 15-16 in Alexandria, VA, began
laying the groundwork for a long-term approach to collaboration
within the industry to address HIPAA. The workgroups are now preparing
white papers, best practice models and discussion forums. More information
is available at the WEDI web site at http://www.wedi.org.
BRING YOUR HIPAA QUESTIONS AND IDEAS TO LIFE AT...H I P A A l i v e!
Join nearly 1700 other thinkers, planners, learners and lurkers
who are already members of our sister e-mail discussion list. We
almost make HIPAA fun! Almost. Subscribe now at: http://www.hipaadvisory.com/live/
COMMENTS? Email us at
SUBSCRIBE? Visit http://hipaalert.com
http://www.hipaadvisory.com/alert/newsarchives.htm
Copyright 2000, Phoenix Health
Systems, Inc. All Rights Reserved. Reprint by permission only.