November 2001 News Archives:
November 30, 2001
Does Student Grading Violate Federal Privacy Law? The mother
of an Oklahoma boy who got a 47 on a peer-graded quiz calls the
practice of exchanging papers with another student and grading each
other's work humiliating and illegal. She's gone all the way to
the U.S. Supreme Court to get it stopped. On Tuesday, the Supreme
Court heard the case of Kristja J. Falvo, who says her son, Philip,
was taunted by his sixth-grade classmates after he scored poorly
on a quiz. Falvo sued the school system three years ago. She argued
that peer grading violated her three children's right to privacy
under a federal law, reports the Washington Post.
The law was intended to make sure that schools do not reveal a
student's records without a parent's permission. A quiz, Falvo's
lawyers argue, is one of those educational records protected by
the law. Full Story.
November 29, 2001
Most Insurers Expect TCS Compliance by June 2002 According
to a recent industry report, most health insurers expect to be compliant
with the Transactions and Code Sets standards well before the October
2002 deadline. The report, "Health Claims Processing At The
Dawn Of HIPAA," is a compilation of responses from a survey
conducted this summer by Datacap, a software development company,
of nearly 10,000 health insurance professionals representing more
than 200 companies. Participants were asked to rate their own organizations'
preparations for HIPAA and projected compliance schedule.
The survey found 14% of those polled are already compliant, while
10% expected to be compliant by Oct. 2001, a full year before the
compliance deadline. 56% plan to be compliant by June 2002 and the
remaining 20% said they would not be compliant until the deadline.
The survey also found a quarter of the respondents didn't
know that the American Hospital Association has requested a new
form to replace the UB-92 (called the UB-02), which will help capture
more data to fulfill HIPAA requirements. Now, claims managers will
have to incorporate the new institutional claim form into their
already overworked operations and training schedules.
Additional survey data includes daily volume of paper health claims
and how they are processed:
- In organizations processing fewer than 5000 claims a day, nearly
80% are manually processed; the remainder are either processed
using ICR/OCR technology and/or outsourced.
- But in those processing more than 5000, only 40% are manually
processed and nearly 50% are processed using ICR/OCR technology;
the remainder are outsourced.
The "Health Claims Processing At The Dawn Of HIPAA" report
is available for $195 directly from Datacap.
The fee is waived for health claims processing organizations.
November 29, 2001
Research Community Expresses HIPAA Concerns to Thompson AHA
News Now reports that medical research leaders have warned DHHS
Secretary Tommy Thompson that HIPAA will impede medical and public
health research and slow medical progress. In a letter earlier this month, to which
AHA is a signatory, the research leaders explain that the medical
privacy rule "needlessly" intrudes upon the Institutional
Review Board system, which determines case-by-case the physical,
procedural, and technical safeguards needed to protect patient privacy
and confidentiality. Specifically, the letter addresses concerns
that the rule will cause hospitals, health plans and providers to
question whether disclosing data for research purposes carries too
great a compliance cost and liability risk to justify their continued
sharing of data with researchers, even if approved by an IRB. "The
locking down of these data bases would paralyze vital public health
research," the letter states.
November 27, 2001
New Virus "W32/BadTrans.B" is Spreading Rapidly According
to the November 26 issue of Information Week, a new worm that exploits
an old flaw in Microsoft's Internet Explorer is spreading across
the Internet. As confirmed by Phoenix Health Systems' security partner
Fortrex Technologies, the new virus is propagating rapidly, and
is especially dangerous because it can infect a user's computer
if the user simply previews the message in Microsoft Outlook
e-mail. The virus spreads by replying to the user's unread messages,
mailing everyone in the address book, and collecting confidential
information like passwords. Since most people use IE and many use
Outlook, they should apply the appropriate software patch immediately.
Go to the appropriate Microsoft link for the version of IE that you are using,
then download and install the patch. As an example, for those using IE
5.01, use the following patch:
http://www.microsoft.com/windows/ie/downloads/critical/q295106/default.asp.
For more information, go to Information Week.
November 26, 2001
CMS Broadcast on Thursday to Highlight TCS & Privacy On November
29, 2001 at 1:00-2:00 PM EST and 3:00-4:00 PM EST, the Centers for
Medicare & Medicaid Services (CMS) will broadcast a 60-minute
video that presents an overview on the administrative simplification
provisions of HIPAA. The broadcast will highlight the HIPAA transaction
and code set standards and also provide information on the Privacy
rule. More information on the HIPAA Satellite Broadcast.
November 26, 2001
Bush Authorizes Critical Infrastructure Protection Board - Includes
Healthcare Information According to the Joint Healthcare Information
Technology Alliance's (JHITA) October 31 "Issues Report," the end
pages of the October 18, 2001 Federal Register, under "Presidential
Documents" (66FR53063), contain a reference to Executive Order 13231 of October
16, 2001. The document states, "The Director of the Office
of Management and Budget (OMB)...[will]...oversee the implementation
of government-wide policies, principles, standards, and guidelines
for the security of information systems that support the executive
branch departments and agencies." The new board is to assist
and support the OMB director in this function and recommend policies
and coordinate programs for protecting information systems for critical
infrastructure, including emergency preparedness communications,
and the physical assets that support such systems. Read the text of the order.
November 21, 2001
Proposed Privacy Rule Not to be Published Until Early 2002 September
11 has altered DHHS' original timeline in getting out the final
privacy rule, pushing the date for publication of the proposed rule
(NPRM) for privacy to January or February 2002. "We had been
hopeful of having the modifications done by April 2002 so that there
would be a full year before the original compliance deadline,"
said Susan McAndrew, an official in DHHS' Office of Civil Rights
(OCR), at a meeting November 15th of the National Committee on Vital
and Health Statistics (NCVHS). McAndrew said, "I am not optimistic
that we can have a final rule out by that date."
DHHS is still aiming for the late 2001 timeframe for publishing
draft rules to revise the Transactions standards. These rules will
propose making certain changes in Designated Standard Maintenance
Organizations (DSMOs), and removing the NDC code as the drug-coding
standard for all but retail pharmacy transactions. The proposed rules
have cleared the Centers for Medicare
& Medicaid Services (CMS, formerly HCFA) and are now in HHS'
review process, according to Karen Trudel, former director of the
Division of Health Care Information Standards. Trudel is taking
on a new role at CMS with responsibilities specific to HIPAA compliance.
"We are trying to get the proposed rules in effect 180 days
before the October 2002 deadline," Trudel said.
Before leaving DHHS, Bill Braithwaite indicated a few weeks ago
that the healthcare industry should expect to see the final Security
rule and Employer Identifier rule by December 31, 2001. The NPRM
for Claims Attachments was also planned for publication by the end
of the year. The proposed rules for Health Plan Identifiers and
Provider Identifiers should be published early in 2002. Trudel stated
they are on their way through the review process and that the target
goal is to publish the rules during the "January through March
period." Although a rule on enforcement is not required by
HIPAA, DHHS is working to develop a draft rule in order to clarify
the enforcement process for covered entities. "A workgroup
has begun to scope out how enforcement might look," Trudel
said.
Trudel reported that CMS has developed a new staff position as
the liaison for all of CMS' HIPAA undertakings. The former deputy
director for CMS's Office of Information Services, Jarad Adair,
"will get the message out to providers to make sure they know
what they need to do to be HIPAA-compliant," Trudel said. The
position was developed after CMS Administrator Thomas A. Scully
determined that "there was not enough focus within CMS"
on HIPAA compliance.
November 21, 2001
Survey: Data Protection Top Health Care I.T. Issue Health Data
Management reports protecting health data has become the top issue
for health care information technology executives, according to
a survey from Computer Sciences Corp., El Segundo, Calif. The survey
reflects the awareness in the industry of fast-approaching deadlines
under HIPAA, says Christine Malcolm, vice president of the global
health solutions consulting practice for Computer Sciences. "Now
that the penalties are close to hitting, it's real," she
says. Full Story.
November 20, 2001
Report Says HIPAA Privacy Reg Doesn't Offer Much to Internet Users
The Health Privacy Project released a report yesterday funded by
the Pew Internet & American Life Project that examines how the
new federal health privacy regulation covers - and does not cover
- consumer-oriented health Web sites and Internet-based health care.
The report found that: (1) the regulation does not apply to most
health Web sites; (2) different rules may apply to different sites
offering the same services; and (3) even at Web sites owned or operated
by organizations that are covered by the privacy regulation, it
is ambiguous which activities at those sites are subject to the
regulation. Full Story.
November 15, 2001
Government Gets 'F' in Computer Security Despite dramatically
tighter security at U.S. buildings since the terrorist attacks,
a House panel gave the government failing marks for lax protection
of federal computer networks against hackers, terrorists and others,
reports the Washington Post. The "F" grade was a drop
from the "D-minus" the government earned in September
2000. Two-thirds of federal agencies, including DHHS, flunked on
the latest "computer security report card" issued by the
House Government Reform subcommittee on government efficiency. Full Story.
November 14, 2001
Pharmacy Data Could Be an Early Warning of Public Health Emergency
The Wall Street Journal reports that sales data collected from
large pharmacy chains could provide a key early indicator of a biological
attack or other health crisis. This is because many people try over-the-counter
remedies before going to see a doctor. Few public-health agencies,
however, currently have the technology to receive this data were
it made available.
The top three pharmacy chains in the U.S. (CVS, Walgreen, and Rite
Aid) have more than 11,000 stores combined and receive sales data
in real time from these outlets. Information from these pharmacies
on a sudden spike in sales of aspirin, cough syrup, or diarrhea
medicine would be just the kind of information public-health agencies
could use in deciding if a public health emergency is at hand. There's
only one problem: some public health agencies lack Internet connectivity,
and most do not have high-speed Internet connections, making the
information generally unavailable to them in real time, or even close.
While pharmacy data is important, data from hospital emergency
rooms is the best indicator of a public health crisis. The Centers
for Disease Control and Prevention, for example, is developing guidelines
for uniform health information to be entered into emergency department
medical records. This would make patterns easier to spot. A few
pilot programs already exist that link hospital information systems
with health agencies.
It should be noted that current pressures to upgrade public health
agency computing and telecommunications capabilities, coupled with
implementation of HIPAA security and privacy requirements,
including de-identification of personal health information,
hold the potential for improving the value of pharmacy databases
in public health.
November 14, 2001
Florida Hospitals Opening Patient Mail to Prevent Anthrax The
South Florida Sun-Sentinel reports that in the name of security,
the three public hospitals in south Broward County now insist upon
opening patients' mail to check for threats such as anthrax. If
patients refuse to consent to having their mail opened, Memorial
Healthcare System will not deliver it, but forward it to their homes.
"We do not want them opening mail unless we check it first,"
Memorial spokeswoman Tara Bauer said. "We don't want to risk
them contaminating the whole hospital. When we are opening it ourselves,
if something was found, we could at least contain it."
Like most institutions, hospitals across the nation are scrutinizing
mail carefully. Memorial appears to be the only one in South Florida
and possibly in the nation to go as far as opening it. Opening private
mail without permission would be illegal under federal law, Bauer
said, so Memorial asks patients for permission.
National and local hospital associations have recommended lengthy
lists of increased security and bioterrorism procedures in the wake
of the Sept. 11 attacks and the anthrax outbreak, but none have
suggested opening mail. "I'm not sure it's necessary,"
said Linda Quick, president of the South Florida Hospital and Healthcare
Association. "It's not our job."
Since Sept. 11, Memorial hired a security consultant to review
operations and has beefed up security staff, cameras and procedures.
Many other hospitals have taken similar steps, including extra scrutiny
for mail. The South Florida hospital association's security committee
has discussed mail, but never opening it, committee chairman Ted
Welding said.
The American Hospital Association has heard of no institutions
opening patients' mail, spokesman Rick Wade said. "It's up
to the institution," Wade said. "In places where there
have been problems, you might have to do some things you wouldn't
have to do in other parts of the country. I can't think of anything
that would frighten a community more than to bring a hospital to
its knees."
November 9, 2001
DHHS Updates TCS FAQs DHHS has updated its list of frequently
asked questions on the HIPAA Transactions & Code Sets rule.
Posted on November 2nd, the five new questions and answers cover:
effect of standards on transmission requirements, coordination of
benefits (COB) with auto insurance companies, transmission of administrative
data outside of a claim, assigning responsibility for non-compliant
transactions, and COB requirements. Read the TCS FAQs.
November 8, 2001
Providers Set to Spend More on HIPAA in 2002 Than in 2001 According
to Phoenix Health Systems’ Fall HIPAA Compliance Survey released
in late October, healthcare providers are budgeting significantly
more for HIPAA in 2002 than they have spent in 2001. However, the
numbers range all over the board for each provider segment; for
example, 1/4 of hospitals with 400 or more beds have budgeted over
$1 million for compliance next year, but about 40% will spend less
than $300,000. The chart below provides a quick industry snapshot:
| Providers/Outlays | 2001 Spending* | 2002 Budget | Change in Share |
|---|---|---|---|
| Hospitals <100 beds | | | |
| <$100K | 70% | 71% | +1% |
| $100K-$300K | 18% | 14% | -4% |
| $300K-$600K | 12% | 0% | -12% |
| $600K-$1M | 0% | 7% | +7% |
| >$1M | 0% | 7% | +7% |
| Hospitals 100-400 beds | | | |
| <$100K | 60% | 28% | -32% |
| $100K-$300K | 25% | 40% | +15% |
| $300K-$600K | 13% | 18% | +5% |
| $600K-$1M | 1% | 13% | +12% |
| >$1M | 1% | 1% | 0 |
| Hospitals >400 beds | | | |
| <$100K | 35% | 9% | -26% |
| $100K-$300K | 34% | 32% | -2% |
| $300K-$600K | 14% | 19% | +5% |
| $600K-$1M | 7% | 15% | +8% |
| >$1M | 10% | 25% | +15% |
| Practices <31 physicians | | | |
| <$100K | 100% | 100% | 0 |
| All other providers, including practices >30 physicians | | | |
| <$100K | 69% | 54% | -15% |
| $100K-$300K | 9% | 11% | +2% |
| $300K-$600K | 13% | 12% | -1% |
| $600K-$1M | 0% | 4% | +4% |
| >$1M | 9% | 18% | +9% |
| All providers | | | |
| <$100K | 58% | 35% | -23% |
| $100K-$300K | 23% | 28% | +5% |
| $300K-$600K | 12% | 15% | +3% |
| $600K-$1M | 2% | 11% | +9% |
| >$1M | 5% | 11% | +6% |

Data from Phoenix Health Systems, U.S. Healthcare
Industry Quarterly HIPAA Compliance Survey Results: Fall 2001.
Our thanks to AIShealth.com for chart compilation. Dollar
figures are for all areas of HIPAA compliance. Sample size is
343 providers. "Change in share" means change from year to
year in percentage of providers in given category with outlays
in given range.
Read a complete analysis of our Fall HIPAA Compliance Survey Results.
November 8, 2001
Braithwaite & Sanches Announce Departures
"Bill" Braithwaite, PhD, MD, and senior advisor
on health information policy at DHHS, has left DHHS to join
PriceWaterhouseCoopers as director of its healthcare practice
in Washington, DC. Linda Sanches, a DHHS senior health policy
analyst, is moving to the Office for Civil Rights, the body
that has been charged with enforcing HIPAA. Braithwaite and
Sanches have been DHHS's most visible advisors on HIPAA-related
issues, and have been credited with much of the evolution
of HIPAA and its mandated regulations.
November 8, 2001
New Survey Shows Healthcare Industry is "Security-poor"
In a new survey published in October by Information Security
magazine, the healthcare industry came out on the low side
nationally, when it comes to spending on security. Financial
institutions, insurance companies, manufacturers and military
organizations are seeing healthy increases in security budgets,
while universities and health care institutions, among others,
remain relatively "security poor." A comparison
of this year's survey results with last year's indicated that the
separation between the security "haves" and "have-nots"
is widening, not decreasing.
Other survey highlights: Nearly one-third of companies froze
security spending sometime in 2001 due to adverse economic
conditions. PKI, wireless and enterprise security management
will be among the hot technology markets in 2002, but biometrics
and managed security services may struggle. Viruses, worms,
Trojans and other "malware" infected 90 percent
of the organizations in the survey, despite the fact that
88 percent have antivirus protection in place. The
number of organizations hit by Web server attacks doubled
from 2000 to 2001. Overall, "insider" security incidents
occur far more frequently than "external" incidents.
Nevertheless, the number one priority of security professionals
is securing the network perimeter against external attack.
The survey, co-sponsored by Trusecure and Predictive Systems,
was completed by 2,545 information security professionals
drawn from approximately 45,000 subscribers to the magazine's
Security Wire Digest newsletter.
View the detailed survey results (PDF).
November 7, 2001
Web Mishap: Kids' Psychological Files Posted According
to the LA Times, detailed psychological records containing
the innermost secrets of at least 62 children and teenagers
were accidentally posted on the University of Montana Web
site last week in one of the most glaring violations of privacy
over the Internet. The 400 pages of documents describe patient
visits and offer diagnoses by therapists of mental retardation,
depression, schizophrenia and other serious conditions. In
nearly all cases, they contain complete names, dates of birth
and sometimes home addresses and schools attended, along with
results of psychological testing. Unlike a medical file left
open on a counter in a doctor's office, these electronic medical
records, once placed on the Internet, were exposed to a potentially
vast audience. Full Story.
National Public
Radio's "To the Point" program featured the
Los Angeles Times' Charles Piller in their "Reporter's
Notebook" segment. Piller talks about the source of the
inadvertent leak, the content of the profiles, and the issue
of privacy, including various unintended PHI leaks by Kaiser,
Lilly and others.
Listen to the program segment online.
November 2, 2001
NIMDA-E Raises Its Head A new version of the
Nimda worm, "Nimda-E," is slowly propagating, both
in e-mail and via the web, according to national and international
security sources. Discovered Tuesday, October 30, the Nimda
variant has now spread across much of the world. It struck
the New York Times, leaving the newspaper's editorial
staff unable to access the Internet for about four hours on
Tuesday. The worm was recompiled so that most anti-virus programs
that detected the original Nimda will not detect Nimda-E.
The e-mail attachment sent by the worm presents either as
SAMPLE.EML, or SAMPLE.EXE. Otherwise, according to security
experts F-Secure, Nimda-E operates like Nimda-A, as a multifaceted
network worm using four different propagation methods: 1)
Infecting files, 2) Mass mailing, 3) Web worm and 4) LAN propagation.
Computer users are advised to avoid SAMPLE.EXE and SAMPLE.EML
e-mail attachments, apply the latest Outlook and Internet Explorer
patches and download the latest anti-virus updates. According
to Tru-Secure Corporation, users should help ensure they are
not vulnerable by updating their Internet Explorer browsers
to either IE 5.01 SP2, IE 5.5 SP2, or IE 6.0.
It is estimated that Nimda-A infected over 2 million computers
around the world in mid-September, 2001, making it among the
five hardest-hitting virus cases ever seen.
Read more.
November 2, 2001
Braithwaite Exits HHS with New Reg Release
Predictions In two final public appearances as Senior
Advisor to HHS on HIPAA and related healthcare issues, Bill
Braithwaite has announced the following expected HIPAA regulatory
publication dates. In comments made during the JHITA Conference
this week and the HIPAA Summit last week in Washington, DC,
Braithwaite indicated that the healthcare industry should
expect to see the final Security rule and Employer Identifier
rule by December 31, 2001. The proposed rule (NPRM) for Claims
Attachments is also planned for publication by the end of
the year. The proposed rules for Health Plan Identifiers and
Provider Identifiers should be published early in 2002.
HHS is currently reviewing industry recommendations and developing
a draft regulation for electronic medical records, which should
be available for public review by the end of 2002. An NPRM
on Doctors First Report of Injury is also expected in 2002.
Braithwaite noted that though a rule on enforcement is not
required by HIPAA, HHS is working to develop a draft rule
in order to clarify the enforcement process for covered entities.
According to Braithwaite, "There is much work left to
do" on the enforcement NPRM, which he expects to be released
some time in 2002.
No new information has become available to indicate that
the recently announced late 2001 timeframe for publishing
draft rules to revise the Transactions standards has changed.
These rules will propose making certain changes in Designated
Standard Maintenance Organizations (DSMOs), and removing the
NDC code as the drug-coding standard for all but retail pharmacy
transactions. A draft rule modifying the Privacy Rule apparently
is also still on schedule for release in December of this
year.
November 1, 2001
HIPAA Transactions One-Year Delay Bill Reintroduced
Sen. Larry Craig (R-ID), along with Sen. Dorgan (D-ND), reintroduced
legislation in the Senate providing a one-year extension of
the date for compliance with the HIPAA administrative simplification
standards for electronic transactions and code sets. They
originally introduced the legislation five months ago and
have worked since then with members from both the Finance
and HELP committees to negotiate a compromise.
The bill they are now introducing is the product of those
discussions. It provides for one additional year for providers,
State health programs, health plans and others to implement
the transactions and code set provision. The new version of
the bill also includes language to clearly differentiate between
the HIPAA TCS and Privacy provisions.
It was the senators' intention that the medical privacy regs
not be affected by their legislation. Senator Dorgan stated,
"Since we are just one year from the scheduled compliance
date, we recognize that all those affected need some certainty
as they move forward with complying with the transactions
and code sets regulation. Given that this bill does provide
needed relief for our states and given the time constraints
we are facing, we believe this compromise is appropriate and
do not feel an additional extension can be acquired."
Read the text of the bill (PDF).
November 1, 2001
Addenda for X12N Implementation Guides Published
CMS (formerly HCFA) and the Washington Publishing Company
announced today that proposed Addenda to the X12N HIPAA Implementation
Guides have been published. Following publication of the Guides
in May 2000, items were identified in the post publication
review process that could be considered impediments to implementation.
These items were referred to the X12N Health Care Work Group
that created the original Implementation Guide, for its review.
The contents of the draft Addenda consist of appropriate modifications
related to these items.
The draft Addenda must go through a Notice of Proposed Rule
Making (NPRM) process, just as the original Implementation
Guides did, before becoming a final Addenda to the guides
published by X12N. According to CMS, a proposed rule to adopt
the Addenda as part of the HIPAA standards is in preparation
at HHS for publication soon.
Only the modifications noted in the draft Addenda will be
considered in the NPRM. Once they are approved for publication
by X12N, the values identified for use in GS08 will be valid
for use.
More information/download the Addenda.