HIPAA news HIPAA dvisory
HIPAAdvisory > HIPAAnews > Archives Phoenix Health Systems

December 2002 News Archives:

December 30, 2002 Security Rule Delayed for Fine-Tuning The Federal Register of Friday, December 27, made no mention of the final security rule nor the transactions modifications which were due to be published on that date. As of the 28th, the security rule had not been submitted to the Office of Management and Budget, the White House panel that reviews federal regulations for budgetary impact. OMB review generally takes a minimum of two weeks, longer on massive rulemakings like the security piece of HIPAA.

Modern Physician reports that the final security rule could be delayed more than a couple of weeks in part because of the holidays and also because HHS has called in additional staff to fine-tune the language, according to Robert Tennant, Washington representative for the Englewood, Colo.-based Medical Group Management Association. "I would be absolutely shocked to see (the rule) in January," Tennant says.

Read more.

December 27, 2002 OCR to Automate Privacy Complaint Submittals Comments are being requested on a proposed project of the Office for Civil Rights (OCR) to automate its forms for discrimination and medical privacy complaints. Effective April 14, 2003, OCR has jurisdiction over certain health plans, health clearinghouses and healthcare providers with respect to enforcement of the standards for privacy of individually identifiable health information rule issued pursuant to HIPAA. OCR wants to develop an automated complaint submittal process for individuals to file written complaints with OCR when they believe that on or after April 14, 2003, their right to the privacy of protected health information has been violated. OCR estimates that there will be approximately 21,710 complaints concerning medical privacy (16,283 burden hours annually).

Send comments, which should be received within 60 days of this notice, via email to Geerie.Jones@HHS.gov or mail to:

OS Reports Clearance Office,
Room 503H, Humphrey Building,
200 Independence Avenue SW
Washington, DC 20201

December 27, 2002 New Workgroup to Assess Impact of Information Security Requirements on Healthcare Under the auspices of URAC (also known as the American Accreditation HealthCare Commission) and the National Institute of Standards and Technology (NIST), the Security Healthcare Certification and Accreditation Workgroup will bring together members of the public and private sectors to develop a uniform approach to the identification and implementation of best practices in healthcare information security. The Workgroup intends to serve as a resource for the healthcare community by developing white papers, drafting crosswalks, and participating in educational programs. Ultimately, the Workgroup hopes to promulgate a common set of healthcare security standards that will cover security policies, procedures, controls, and auditing practices.

The Workgroup will have its next meeting on January 10, 2003 at NIST in Gaithersburg, MD, where the Workgroup will facilitate a healthcare sector review of the recently released draft NIST Special Publication 800-37, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems.

Read more.

December 26, 2002 NCQA Releases Privacy Certification for BAs Draft Standards The National Committee for Quality Assurance (NCQA) released on December 16 draft standards for its new Privacy Certification for Business Associates (PCBA) program. The program will certify that business associates have processes in place for handling protected health information (PHI) that are in compliance with HIPAA. Proposed program requirements relate to: privacy protections for oral, written, and electronic PHI; processes and practices for the storage, use, and disclosure of PHI; employee training in PHI protections; consumer access to PHI; and contracting between covered entities and their business associates.

Read more.

December 26, 2002 X12N Draft Guides Review Period Extended According to the WEDI SNIP X12N Insurance Subcommittee, most of the draft X12N implementation guides currently available for public review were posted without meeting one of the process requirements. As a result, these implementation guides will not be brought forward for a publication vote at the February 2003 X12 trimester meeting in Denver, as previously expected. Instead, X12N will finalize the necessary changes at the February meeting, then by April 2003, revised drafts will be made available for another public review period. It is expected that the impacted guides will then be moved forward for a publication vote at the June 2003 X12 trimester meeting.

The affected implementation guides, some of which are missing Appendix D, commonly referred to as the Change Log, are:

  • 834, Benefit Enrollment and Maintenance (004050X125)
  • 820, Payroll Deducted and Other Group Premium Payment for Insurance Products (004050X137)
  • 270/271, Health Care Eligibility/Benefit Inquiry and Information Response (004050X138)
  • 276/277, Health Care Claim Status Request and Response (004050X139)
  • 278/278, Health Care Services Request for Review and Response (004050X140)
  • 837, Health Care Claim: Institutional (004050X141)
  • 837, Health Care Claim: Dental (004050X142)
  • 837, Health Care Claim: Professional (004050X143)
  • 277, Health Care Claim Acknowledgment (004040X167)

The current online conferences for these guides will be kept open and comments received during this period may be considered in the development of the next draft. The deadline for comments has been extended by one week for all implementation guides to January 8, 2003 except for the X167 – Health Care Claim Acknowledgement. The end date for the X167 guide public review will remain January 13, 2003.

Review the Draft X12N Implementation Guides.

December 19, 2002 HHS Readying More HIPAA Rules HHS officials, Jared Adair, director of the newly formed Office of HIPAA Standards, and Karen Trudel, deputy director, told Health Data Management in a recent interview that HHS expects to publish the proposed claims attachment rule by mid-2003. The department expects in early spring 2003 to publish the final provider and proposed payer identifier rules.

Anticipated rules publication schedules cited by Adair and Trudel are slightly less ambitious than the semiannual regulatory agenda recently published in the Federal Register. According to the agenda, the provider and payer identifier rules are set for publication in February, with the claims attachments rule following in March. There was no mention of the final security rule or the transactions modifications due out on Dec. 27. HHS has started work on a proposed HIPAA enforcement rule and could publish it during 2003, although no timetable is set.

Read more.

December 18, 2002 NCVHS Urges HHS to Help Industry with HIPAA Implementation The National Committee on Vital and Health Statistics (NCVHS) sent a letter Nov. 25 to HHS, asking for more education, outreach, and technical assistance to the health care industry regarding HIPAA administrative simplification. As part of its responsibilities under HIPAA, NCVHS monitors the implementation of the HIPAA Administrative Simplification provisions. NCVHS' Subcommittee on Privacy and Confidentiality held several hearings this Fall to learn about the implementation activities of covered entities.

Despite finding widespread support for the goals of HIPAA and the Privacy Rule, the committee found "there is an extremely high level of confusion, misunderstanding, frustration, anxiety, fear, and anger as the April 14, 2003 compliance date nears."

NCVHS makes the following recommendations:

  • OCR and CMS need to improve coordination on education, outreach, and technical assistance.
  • OCR should establish covered entity teams to assist the various industries and professions with their unique compliance issues.
  • OCR should enhance its web site and improve its FAQ response process, posting answers to questions within 30 days.
  • OCR should assist in the coordination and publication of state preemption analyses, and should publish an analysis of other federal laws that may overlap with the Privacy Rule (e.g., Gramm-Leach-Bliley, FERPA).
  • OCR should sponsor train-the-trainer programs for the private sector.
  • OCR should prepare a simple, one-page handout explaining the basics of the Privacy Rule for providers to distribute to their patients.
  • OCR should communicate clearly and specifically with providers and other covered entities about its enforcement plan and penalty assessments.
  • OCR should draft and make widely available guidance such as model forms and templates, including state-specific, industry-specific, and profession-specific forms, as well as standardized gap assessment guides, simple checklists, a HIPAA practice management handbook, and time-lines to assist covered entities.
  • Congress and the state Medicaid agencies should make adjustments to Medicaid reimbursement rates to recognize the costs of complying with HIPAA.
  • Congress should fund the $42.5 million for technical assistance authorized under the Administrative Simplification Compliance Act (ASCA), and that some of that funding should be allocated to Privacy Rule implementation and NCVHS' recommendations.
  • Congress should fund HIPAA compliance grants for the states.
  • Congress should provide tax incentives or other mechanisms for HIPAA compliance for providers lacking the resources to comply.

December 17, 2002 Agenda Confirms Security Rule Publication Date The semiannual regulatory agenda describing regulatory actions federal agencies are developing appeared in the Federal Register last week. The agenda published Dec. 9 confirms HHS' affirmation that the security rule remains on schedule for publication this month, giving the projected date for the Security Standards Final Rule as 12/00/02. Other items on the agenda:

  • Modifications to Standards for Electronic Transactions (on two related proposed rules), Final Action 12/02
  • Standard Unique Health Care Provider Identifier, Final Action 02/03
  • National Standard for Identifiers of Health Plans, Proposed Rule 02/03
  • Claims Attachments Standards, Proposed Rule 03/03

December 13, 2002 Despite Rumors, HHS Maintains Security Rule Still Coming Dec. 27 Despite recent rumors that the Final Security Rule will not be published on December 27 as previously indicated, Health Data Management reports that the final HIPAA data security rule remains on schedule for publication on that date. Health Data Management quotes Karen Trudel, deputy director of the new Office of HIPAA Standards in the Centers for Medicare and Medicaid Services (CMS).

Reportedly, HHS officials wish to have further review of certain aspects of the rule and it is still in the clearance process. HHS and CMS have had to wade through several thousand comments on the proposed rule, then ensure the final rule was compatible with the two HIPAA final privacy rules.

A final rule making modifications to the transactions and code sets rule also is scheduled for a Dec. 27 publication in the Federal Register. The final rule will combine two previously proposed rules making modifications, Trudel says.

Read more.

December 13, 2002 New Healthcare Industry Preemption Analysis Resource for States & Territories The Confidentiality Coalition, a 130-member organization representing the health care industry and a part of the Healthcare Leadership Council, announced their sponsorship of a state preemption analysis resource for HIPAA privacy rules. The group recognized the need for an industrywide analysis for covered entities, business associates and other impacted by the rules and all 54 states and jurisdictions. The analysis will cover:

  • Providers, including institutional and professional;
  • Hospitals, clinical labs, long term care and SNFs, clinics, pharmacy, medical groups, physicians, pharmacists, nurses, lab technicians, podiatrists, certified nurse midwives, doctors of osteopathy, nurse practitioners, speech therapists, physical therapists, occupational therapists, physician assistants;
  • Health plans;
  • Third party administrators and utilization review organizations;
  • Business associates and other downstream users: PBMs, device manufacturers, eHealth entities, underwriters;
  • Researchers; and
  • Hospitals, medical colleges, teaching hospitals, pharmaceutical and biotech, medical technology companies.

The analysis is expected to be made available online as soon as February 2003. The tool will allow users to select the states and types of entities covered under the analysis and to subscribe just to the information pertinent to their organization. Updates will be provided annually.

Read more (PDF).

December 9, 2002 CMS Filed Its ASCA Extension; As Enforcer, Now Offers Online HIPAA Complaint Form The Centers for Medicare and Medicaid Services (CMS), charged with enforcing the HIPAA electronic transactions and code set standards, has posted on its site an Online Complaint Submission Form. The form allows complaints to be submitted about covered entities' non-compliance with the HIPAA transaction standards. Complaints can also be submitted on a paper-based form available by download from the site. CMS' form is not to be used to file complaints regarding the privacy of health information, as HHS' Office for Civil Rights (OCR) will enforce the HIPAA privacy standards.

Modern Physician reports CMS officials say the more than 1 million covered entities that missed the October 15 deadline to apply for the ASCA extension will not be actively pursued, but that enforcement will be "complaint driven." In the event a complaint is filed against a covered entity, that entity will either have to demonstrate compliance or be prepared to submit a corrective action plan. Fines for noncompliance can be as high as $100 per offense, with a maximum of $25,000 per year.

One of the over 500,000 groups that applied for a one-year extension was CMS, according to Modern Physician. CMS applied for an extension back in August to give them "the time to space out the implementation" because of the "enormous complexity" of ensuring compliance for both CMS and its numerous private subcontractors overseeing Medicare payments in each state.

View CMS' Complaint Submission Form.

Read Modern Physician's article, "CMS: HIPAA scofflaws will not be hunted."

Read Modern Physician's article, "Even CMS applied for a HIPAA extension."

December 5, 2002 OCR Releases Guidance on Final Modified Privacy Rule Yesterday, the Department of Health & Human Services' (HHS) Office of Civil Rights (OCR) released guidance on the final modified Privacy Rule that explains key elements of HIPAA Privacy Rule requirements. HHS published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002. The guidance is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule.

For a particular segment in the Privacy Rule, the guidance will provide a brief explanation of the segment and how the Rule works, followed by “Frequently Asked Questions” (FAQ) about that provision. The guidance does not address all of the relevant provisions in the Rule, although OCR anticipates adding segments in the future as it develops guidance on more Privacy Rule standards. OCR will also be adding to the FAQs on an ongoing basis as new questions arise.

The Privacy Rule Standards addressed are:

  • Incidental Uses and Disclosures
  • Minimum Necessary
  • Personal Representatives
  • Business Associates
  • Uses and Disclosures for Treatment, Payment, and Health Care Operations
  • Marketing
  • Public Health
  • Research
  • Workers’ Compensation Laws
  • Notice
  • Government Access
  • Miscellaneous FAQs

Read the entire Guidance document (382K PDF).

December 5, 2002 JCAHO Releases Its Business Associate Agreement The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has released its business associate (BA) agreement for accredited organizations to use in order to release protected health information to the JCAHO during the survey process. Under the regulation accreditors are considered "business associates" of covered entities and are required to have BA agreements to ensure that the business associate will safeguard patients' personal health information (PHI).

Read more.

December 2, 2002 Revised Summaries of More State Health Privacy Laws Released Last week, the Health Privacy Project released the final batch of revised summaries of the health privacy statutes of the remaining six states: Maine, North Carolina, Ohio, Tennessee, West Virginia and Wisconsin. These updated summaries reflect changes in state health privacy statutes that have been made since the original report, "The State of Health Privacy: An Uneven Terrain," was published in 1999. The 1999 version of the report will be available until the full 2002 updated edition is available, which will be posted on the Health Privacy Project's web site later this month.

News Archives

Go to TOP
HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2004. All rights reserved.

Current News

Recent News

News Archives

Conference Calendar

Schedule for Reg Publication/
Compliance Calendar