| HIPAAdvisory > HIPAAnews > Archives |  |
|
|
August 2002 News Archives:August 26, 2002 CMS Urges Covered Entities to File for HIPAA Extension AHANews reports the Centers for Medicare & Medicaid Services announced yesterday that of all covered entities under HIPAA, less than 3% have filed for an extension to the Transaction and Code Sets Standards compliance deadline of October 16 - just under 50 days away. In a statement, Ruben King-Shaw Jr., CMS chief operating officer, reminded hospitals that the Administrative Simplification Compliance Act (ASCA) allows covered entities a one-year extension, as long as they submit a compliance plan by October 15, "either by paper or, preferably, electronically at: http://www.cms.hhs.gov/hipaa/hipaa2/ascaform.asp." The extension allows hospitals and other covered entities until October 16, 2003, to become HIPAA compliant. Shaw said CMS is encouraging everyone to submit their compliance plans now, and implement and test the new standards as soon as possible, noting that electronic filing is fast, easy, and will inform filers immediately that the extension has been received. August 26, 2002 Privacy Furor Over Subpoena in Baby's Death Seeking leads in the death of a newborn baby found in May, the county attorney for Storm Lake, Iowa subpoenaed the names of hundreds of women who had pregnancy tests at a local Planned Parenthood clinic. On August 7, the Iowa Supreme Court granted Planned Parenthood of Greater Iowa its motion for a temporary stay against the subpoena issued by officials in Buena Vista County. County officials had until August 19 to file a response to the appeal petition. The New York Times reports the county attorney said the questions had to be asked in order to conduct an investigation. The executive director for Planned Parenthood of Greater Iowa calls the subpoena "a horrible assault to a young woman's sense of privacy." Read the New York Times article. Listen to National Public Radio's "Morning Edition" report of August 27 on the court battle over the privacy of pregnancy records. August 26, 2002 Another HIPAA Privacy Lawsuit Dismissed A federal judge has dismissed a lawsuit filed by the South Carolina Medical Association (SCMA) and a Louisiana state medical society challenging the privacy rule's constitutionality. According to the SCMA, the court ruled on August 14 that although Congress did not specify privacy rights and policies in the privacy section of the statute, general congressional intent could be gleaned from the statutory framework as a whole, that HHS was within its discretion to draft a very broad rule, and that a person of normal intelligence could ascertain from the 400-page regulation what was criminally punishable and which state laws would be preempted by the federal regulations. The SCMA is studying the viability of an appeal. Last week, the SCMA Executive Committee voted to appeal the US District Court’s decision in the SCMA’s suit against HHS. August 26, 2002 VA Toughens Security After PC Disposal Blunders Federal Computer Week reports the Department of Veterans Affairs (VA) is tightening its policy on the disposal of old computers following disclosures that 139 computers containing sensitive personal information about veterans, including their medical records, were given away. Although the VA has had security rules since 1997 on purging sensitive data before disposing of old computers, the policy was breached by the Indianapolis VA Medical Center. The facility failed to erase personal information before giving away the computers to educational institutions, the state of Indiana or private individuals. A local TV news team's investigation found patient records on the used computers bought for $10 each at a thrift store. Read
the Federal Computer Week article. August 21, 2002 CA Approves Bill Expanding Medical Privacy to Drug Firms The California Senate this week approved legislation that would hold pharmaceutical companies to the same standards of privacy for patients' medical information as physicians, health insurance companies and pharmacists, reports iHealthBeat. The bill would amend the existing Confidentiality of Medical Information Act, which currently only applies to health care providers and health plans, to include pharmaceutical companies. August 19, 2002 New Privacy Rule Changes Strongly Criticized by Patient and Privacy Groups iHealthbeat reports that the new Privacy Rule modifications are being strongly criticized by many patient and privacy advocacy groups, including The Citizens' Council on Health Care, the Institute for Health Freedom, the American Psychoanalytic Association, and the Health Privacy Project. The groups are particularly concerned over the elimination of the prior consent requirement and new loopholes in the marketing provisions. August 19, 2002 Medical Records Found in the Street in Allentown, PA The Morning Call reports that a temporary employment agency worker is being blamed for scattering confidential medical records of about 100 patients in downtown Allentown, PA, on August 7. The employee took the files home from Easton Hospital on a Tuesday night to organize them without permission. Wednesday morning, after getting into an argument with the person driving her to work, she dropped the files when exiting the car and was so upset she "just ran home." Most of the records were recovered and returned to the hospital. Police agencies are still determining what, if any, criminal charges will be filed. August 15, 2002 Health Privacy Project Releases Revised Summaries of Five More States' Statutes Today, the Health Privacy Project released revised summaries of the health privacy statutes of five states: Indiana, Nevada, New Jersey, South Carolina and Virginia. These updated summaries reflect changes in state health privacy statutes that have been made since the original report, "The State of Health Privacy: An Uneven Terrain (A Comprehensive Survey of State Health Privacy Statutes)," was published in 1999. The 1999 report will be available on the Project's Web site until October 1, 2002. View the updated state summaries at the Health Privacy Project Web site. August 14, 2002 Kennedy, House Dems Seek to Amend Privacy Rule According to iHealthBeat, CongressDaily reports Sen. Edward Kennedy (D-MA) and House Democrats are considering a legislative response to the final HIPAA privacy rule. Democratic members of Congress have criticized the Bush administration's changes to the final privacy rule, particularly the elimination of the prior consent requirement, which would have required patients' written consent for use or disclosure of personal health information before treatment, payment or health care operations. August 14, 2002 Senators Seek to Balance Privacy, Security Matters Two senators are proposing a privacy commission that would examine new surveillance technology with the goal of balancing security and privacy concerns, reports the Washington Times. Sen. Charles E. Schumer, (D-NY), and Sen. John Edwards, D-NC), say the commission won't have the power to prevent any technology from being used, but it would be a place to discuss the proper role for new machines and methods in the war on terrorism. "Unfortunately, the administration seems to put out these broad dictates - here's what we're going to do on this issue, here's what we're going to do on that issue, military tribunals, American citizens arrested as foreign combatants - and then the discussion occurs," Mr. Schumer said. "It would be so much better for the country, for us and for the administration if the discussion would come first." August 14, 2002 Leagues Gain a Measure of Relief From Privacy Laws The New York Times reports buried deep in the 412-page HIPAA Final Privacy Rule are a couple of paragraphs that could provide enormous relief to major sports leagues. The final rules appear to provide wriggle room - if not outright exclusion - for professional sports teams, which are mentioned on Pages 50 and 51 of the document. "Professional sports teams are unlikely to be covered entities" under the law, according to the Department of Health and Human Services (HHS) in response to a comment written on behalf of the Cincinnati Bengals. "Even if a sports team were to be a covered entity, employment records of a covered entity are not covered by this rule." The document goes on to state, "nothing in this rule prevents an employer, such as a professional sports team, from making an employee's agreement to disclose health records a condition of employment." August 12, 2002 AHA: Revise JCAHO's Proposed BA Agreement The American Hospital Assocation (AHA) is recommending several changes to the Joint Commission on Accreditation of Healthcare Organization's proposed business associate agreement, reports AHANews. Under the HIPAA privacy rule, JCAHO cannot receive protected health information from a hospital it is surveying for accreditation unless it enters into a business associate agreement with the hospital. JCAHO has proposed adding such an agreement as a uniform addendum to its accreditation agreements for all health care organizations. However, according to AHA, some of the proposed provisions in the JCAHO model associate agreement are outside the scope of privacy rule requirements and "would impose unwarranted burdens and needless liabilities in hospitals." AHA also expressed concern that pending final changes to the privacy rule may impact the rule's business associate agreement requirements. It urged JCAHO to reexamine the model agreement and revise it with those final changes in mind. Read AHA's letter to JCAHO (PDF). Read AHA's red-lined draft of JCAHO's uniform BA addendum (PDF). August 12, 2002 Industry Pleased with Final Privacy Rules, Patient Advocates Not According to the Washington Post, the final HIPAA privacy rule issued Friday offers weaker safeguards than those sought by consumer advocates. The final regulations omit a requirement that patients' written consent must be obtained before their personal health information can be handled by doctors, hospitals, pharmacies and insurance plans -- a protection that lawmakers and two White Houses have contemplated for years. The rules go further than the administration previously considered to rein in the use of medical information for the marketing of products, particularly prescription drugs, by companies that gain entree into individuals' records. Critics in Congress and elsewhere said, however, substantial marketing loopholes remain. August 9, 2002 Final Privacy Rule Filed Today The final HIPAA Privacy Rule 400-page document was filed at 2:00 PM today at the National Archives; the "Privacy Standards for Individually Identifiable Health Information" are scheduled for publication in the Federal Register on Wednesday, August 14. By law, the rule had to appear in the Federal Register by Wednesday, eight months ahead of the April 14, 2003, HIPAA privacy compliance date. Read the final changes to the Privacy Rule: Read the HHS Press Release and Fact Sheet. August 9, 2002 Microsoft Agrees to Privacy & Security Safeguards The New York Times reports Microsoft acknowledged yesterday that it had not properly protected the privacy and security of people who provided personal information through the company's online identification services. According to the Washington Post, Microsoft in its privacy policies and corporate literature made false claims that it took "reasonable" measures to protect the personal information of millions of Passport users, the Federal Trade Commission (FTC) said in a complaint that was prompted by concerns raised in July 2001 by a coalition of consumer groups. Microsoft also misled consumers, telling them that Passport transactions were more secure than other online transactions, according to the complaint. Settling charges in the landmark case, the company agreed to shore up the security of its system, known as Passport, as well as to be more truthful with users about what it does with their personal data, and to be monitored for 20 years. Read the New York Times article. Read the Washington Post article. August 9, 2002 Clinic Can Keep Names Confidential for Now Health Privacy News reports that on August 7, the Iowa Supreme Court granted Planned Parenthood of Greater Iowa its motion for a temporary stay against a subpoena issued by officials in Buena Vista County. In an attempt to find the mother of a newborn baby found dead on May 30, a lower court ordered Planned Parenthood to turn over by August 17 the names and addresses of all women who had positive pregnancy tests at one of its clinics from August 15, 2001 through May 30, 2002. Planned Parenthood appealed to the Iowa Supreme Court. County officials have until August 19 to file a response to the appeal petition. Read
the Washington Post editorial, "A Question of Medical Privacy." August 8, 2002 HIMSS: Kennedy's e-Health Act Needs Fixes The Healthcare Information and Management Systems Society (HIMSS) recently sent a letter to Sen. Edward Kennedy (D-MA) who in June introduced the eHealth Care Act of 2002. In commenting on Kennedy’s legislation, which would require health care payers and providers to increase their use of information technology, HIMSS said the bill, S. 2638, has shortcomings that may prevent Kennedy from achieving his objectives. The Society suggested several changes in the legislation, such as urging Kennedy to require providers and payers to electronically exchange claims transactions to reduce the inefficiency of the current paper-based system. Several comments also address privacy and confidentiality concerns raised by the legislation as it seeks to increase the use of the Internet for carrying health information. August 6, 2002 Privacy Rule Coming Soon; Energy & Commerce Questions Proposed Changes The final rule on privacy could be out as soon as this week, reports Tom Gilligan, Executive Director & Washington Representative for the Association for Electronic HealthCare Transactions (AFEHCT). Gilligan also reports the Democratic leadership of the House Energy and Commerce Committee sent a letter to HHS Secretary Thompson July 23rd on the proposed privacy rule. Reps. Waxman, Dingell, and four others wrote arguing in favor of maintaining the consent requirements for treatment, payment, and operations, and stating they may seek public hearings on the subject. The letter questions the Administration's proposed changes to the medical privacy rule, including the creation of a broad loophole through which drug companies could access patient health records without patient permission. August 6, 2002 CA Lawmaker Wants Medical Privacy Applied to Drug Companies San Francisco, CA Assemblywoman Carole Migden is pushing for state legislation that finally would extend medical-privacy restrictions (now applied to doctors, health insurers and pharmacists) to pharmaceutical companies, reports the San Francisco Chronicle. "People should be able to receive the medicine they need without fear of unwanted exposure or being forced to provide their personal information as a condition for getting treatment," Migden said, adding that her bill was structured so it would "not hamper clinical research." Under her bill, pharmaceutical companies could not force a patient to authorize the release of records as a condition of receiving treatment. Also, pharmaceutical companies would be held responsible for the storage and disposal of confidential records. The San Francisco Chronicle editorial urges the California Senate to approve the Migden bill, and for Gov. Gray Davis to sign it into law. August 1, 2002 Canadian Hospital to Tighten Patient Privacy After Breach The University Health Network of Toronto, Canada plans to take extra efforts to protect patient confidentiality after staffers were caught earlier this year looking at the private medical records of former Canadian prime minister Brian Mulroney and Toronto Maple Leafs coach Pat Quinn. The Province of Ontario's Information and Privacy Commissioner, Ann Cavoukian, conducted an independent assessment of the hospital's privacy protections after the "two well-known individuals" had their privacy breached last May. The hospital's corporate privacy officer discovered the wrongdoing when conducting an audit of staff access to electronic medical records. While most of the accesses were for job-related purposes, it was found that six staffers and three medical residents had accessed the records of the two patients, "even though they did not appear to be involved, directly or indirectly, in the care provided to those patients." Discipline ranged from letters of reprimand to suspensions of up to two weeks without pay. They were also forced to take classes on the importance of patient confidentiality. August 1, 2002 Feds Concerned with Wireless Security Richard Clarke, President Bush's cyberspace security adviser and chairman of the Critical Infrastructure Protection (CIP) Board, speaking at a July 30 wireless security conference in Washington, DC, cited a recent Chicago Sun-Times story in which reporters were able to easily get behind network firewalls, including that of a health care system. "What does it mean to have HIPAA and privacy rights, what does it mean to have firewalls and spending on IT security," Clarke asked according to Federal Computer Week, "if you can for $100 buy a PCMCIA card and get in behind the firewalls?" Because there are few commercial wireless devices that the Defense of Department (DOD) officials feel they can safely rely on, the department soon will issue a directive outlining the rules for its personnel concerning the use of those devices. To address broader concerns, the CIP board has almost completed a new version of the National Plan for Cyberspace Security, which will be a companion to the Homeland Security National Strategy, released July 15. The new cybersecurity plan incorporates input from industry and academia, and will be released September 18. John Stenbit, assistant secretary of Defense for command, control, communications and intelligence, spoke the next day at the annual Black Hat computer security conference in Las Vegas. Stenbit said that he plans to issue new policy guidelines, expected to be announced sometime this month, that will ban most if not all wireless devices, including cell phones and two-way pagers, within military installations, reports Computerworld. Read Federal Computer Week's article, "Feds Look to Secure Wireless Nets." Read Computerworld's article, "Pentagon to Issue Wireless Disconnect Order." News ArchivesGo to TOP |
|
Schedule for Reg Publication/
|
