HIPAAdvisory HIPAAnews Archives, Phoenix Health Systems

July 2002 News Archives:

July 29, 2002: New Guide Released on Top Ten InfoSec Practices

The Internet Security Alliance (ISAlliance) last week released its "Common Sense Guide for Senior Managers: Top Ten Recommended Information Security Practices." The guide identifies 10 of the highest priority and most frequently recommended security practices such as policy, process, people and technology.

The guide also asks senior managers to consider questions such as: What is their role in ensuring security policies are followed? What is the responsibility of senior management to safely operate systems? What assurances does senior management have that physical security access restrictions are being followed, and how are violations reported to them? Do companies have a mission assurance plan that addresses business continuity and operation and disaster recovery, and is this plan regularly tested and found effective?

Register for a complimentary PDF copy of the Common Sense Guide.


July 29, 2002: Lilly Settles Case over Prozac Email

Drugmaker Eli Lilly and Co. will pay $160,000 and tighten consumer privacy protections over allegations the drug maker unintentionally released the email addresses of approximately 670 people taking Prozac.

Lilly released the email addresses of subscribers to its prozac.com reminder service when it sent out a mass emailing to all subscribers last year with a complete list of recipients' email addresses at the top. Lilly, which had promised to maintain the confidentiality of consumer information, blamed the mailing on a programming error.



July 26, 2002: New NIST Guides on Wireless Security and Security Training

Federal Computer Week reports the National Institute of Standards and Technology (NIST)'s Computer Security Division released its two latest draft guides in the past week, this time taking aim at wireless security and security training. The first draft, "Special Publication 800-48: Wireless Network Security," is a much more technical document than the other. Wireless networks not only have the standard set of security vulnerabilities, but also the problem that the network itself is inherently insecure. NIST developed the guide to focus on that problem.

The second draft guide, "Special Publication 800-50: Building an Information Technology Security Awareness and Training Program," is designed for the chief information officers and program managers within an organization. The guide outlines four steps toward establishing a security training and awareness program.


July 26, 2002: New Report Looks at How Hackers Hit Healthcare

A new report by data security vendor Riptech Inc. (recently acquired by Symantec Corp.) shows healthcare organizations were attacked by hackers an average of 667 times in the period from January 1 to June 30, 2002. Fortunately, healthcare suffered the lowest percentage of malicious attacks or security breaches of any industry.

Request a copy of the Riptech Internet Security Threat Report.


July 24, 2002: Advocacy Group: Privacy Best Protected by States' Existing Laws

IHealthBeat reports litigation based on states’ existing privacy laws, not federal regulations such as HIPAA and the Gramm-Leach-Bliley Act, offers the best chance for protecting privacy in the technology age, according to a report released yesterday. The report, “The Privacy Torts: How U.S. State Law Quietly Leads the Way in Privacy Protection,” by the advocacy group Privacilla.org, maintains that federal privacy legislation has been “particularly disastrous” because of provisions that enable government access to personal information.



July 24, 2002: Injury Reporting Rules Will Change World of Sports

Athletic trainers and officials of the National Collegiate Athletic Association (NCAA) and professional teams say a new federal health-privacy law will open a Pandora's box of ethical and legal problems. At the University of Tennessee, the new world dawns in early August, even though federal compliance is not required until April 2003. UT's athletic department recently adopted sweeping policy changes to comply with HIPAA, according to an article in The Knoxville News-Sentinel.

An online poll running alongside the article asks, "What's your take on the new federal health-privacy law?" Of the respondents, most feel the law will cause more harm than good, while the remainder are split over the public's right to know versus athletes' private health matters.



July 24, 2002: Security Rule Delayed

In an exclusive interview this month with Theresa Defino, Editor of Ingenix's "Practical Guidance on HIPAA and E-Health for the Physician Practice" newsletter, Karen Trudel, director of the Centers for Medicare and Medicaid Services' (CMS) HIPAA project staff, says the final security rule will not be published in August as promised. Asked when she expects the final security rule to be released, Trudel said, "It is probably going to be in the fall. It will be on the regs [publication] agenda for October. One of the things we are doing is making sure that privacy and security are linked. We definitely need to take another look at it, in light of the private [sic] rule modifications, before it goes out the door."

Speaking with Health Data Management on July 22, Stanley Nachimson, senior technical advisor in CMS, said, “I would not expect to see it in August.” Nachimson is part of the team within HHS responsible for promulgating HIPAA administrative simplification rules. Nachimson declined to say when the rule would be published or why it could be further delayed. The rule remains in the clearance process, he adds.

In the interview with Defino, Trudel said that CMS had not yet filed its ASCA extension as of the time of the interview, but they expect to file it this month.

Trudel also described how CMS plans to help physicians comply with HIPAA: "We've instituted a series of HIPAA roundtables. We give people updates and places they can go for assistance, and then we open the mike and let people ask questions. We will be doing more of them, possibly with a regional focus."

"We've made two educational videos available free of charge in a VHS format. We have provided a framework and funding for our regional offices to get into outreach. The target there is the provider, especially the small rural providers."

"We also have a help line. The phone number is 410-786-4232."


July 19, 2002: Arguments Expected on HIPAA Privacy Lawsuit

Oral arguments are expected early next month in a suit filed last year challenging the medical privacy rule, reports Health Data Management. Court arguments in the case filed by two state medical societies in U.S. District Court in Columbia, S.C. come as HHS prepares in August to publish a final rule modifying the privacy rule.


Read the complaint filed in U.S. District Court (document file).


July 19, 2002: House Leadership Bows to President on Security Dept.

The New York Times reports Republican leaders of the House said last week that they planned to give the Bush administration almost all of what it wanted in a new Department of Homeland Security. A draft of the agreed-to bill closely hews to the changes the White House had said it would accept. The White House, however, did not get everything it wanted. House leaders do not agree with an administration proposal for a nationalized driver's license, which could become a national identification card. Conservative and liberal privacy advocates alike opposed this idea.

The bill would also block the proposed transfer of the computer security division of the National Institute of Standards and Technology (NIST) to the Homeland Security Dept. The draft generated by the House Select Homeland Security Committee instead establishes a new cybersecurity program.



July 18, 2002: National Job Board Opens for Privacy-Related Positions

In response to growing consumer and employer concerns about privacy issues, the nonprofit Privacy & American Business (P&AB) announced yesterday the first national online privacy and privacy-related job employment website. Corporations, federal and state governments, and other privacy-conscious organizations may target their search for privacy officers and other privacy positions to those qualified candidates who know the privacy arena. Set to launch in early September, the Privacy Job Opportunity Boards will be divided into three levels, one of which will advertise mid- to high-level positions relating to privacy, including HIPAA administration.



July 18, 2002: Eckerd Endows FAMU Ethics Chair

The Miami Herald reports the Eckerd drug store chain agreed last week to pay $1 million to bankroll an ethics chair at Florida A&M University's (FAMU) school of pharmacy to settle a complaint that it had misled customers about its marketing efforts. An investigation was launched after it was learned that when customers signed a slip acknowledging they were receiving a prescription drug, the fine print included authorization to release information to Eckerd for future marketing purposes. Meanwhile, Bush administration officials are seeking to modify provisions of the healthcare privacy act to make it easier for pharmacies to use customer information for marketing purposes.



July 17, 2002: ER Patients' Privacy at Risk in Reality TV

Lights, camera, heart attack: Medical "reality" TV shows have some doctors worried about patient privacy, reports USA Today. An article in yesterday's Journal of the American Medical Association entitled "Commercial Filming of Patient Care Activities in Hospitals," calls for improved protection of patient privacy in the face of growing numbers of TV shows that literally film life-and-death trauma in the nation's emergency rooms.



July 17, 2002: Kennedy's eHealth Act Would Require CPOE in Hospitals

The California Healthcare Foundation's iHealthBeat reports that under the proposed federal eHealth Act, hospitals would be required to use computer physician order entry (CPOE) systems in order to receive payments from federal health plans. The requirement would take effect five years after the bill’s passage, for hospitals that admit more than 20,000 patients annually, and 10 years after the bill’s passage for all hospitals. Sen. Edward Kennedy (D-MA), chair of the Senate Health, Education, Labor and Pensions (HELP) Committee, introduced the Efficiency in Health Care, or eHealth Care, Act on June 18, but details of the bill were not available at the time. The text of the bill, S. 2638, is now available.


Read the text of S. 2638.


July 16, 2002: WEDI: Cut Employer ID Hyphen

Health Data Management reports the Workgroup for Electronic Data Interchange (WEDI) is asking the Department of Health and Human Services to reconsider use of a hyphen in the recently adopted employer identifier number. The Standard Unique Identifier for Employers final rule, published in May, adopts the Internal Revenue Service's Employer Identifier Number (EIN) as a standard identifier for health care. The nine-digit identifier includes a hyphen after the first two digits. In recently submitted comments, WEDI argues the hyphen could create data transmission problems and cause unnecessary burdens, defeating HIPAA's administrative simplification goals.



July 11, 2002: Privacy Officer Is Possibility at Security Department

The New York Times reports the Bush administration said this week that it was open to the idea of installing a chief privacy officer in a new Department of Homeland Security to make sure it weighed issues of confidentiality and the secure handling of personal information. Representative Bob Barr (R-GA), who heads the House Judiciary subcommittee on commercial and administrative law, opened a subcommittee hearing by asking the Office of Management and Budget what steps would be taken "to ensure the privacy of personally identifiable information as the new agency establishes necessary databases that coordinate with other agencies of the government."



July 9, 2002: Health Privacy Project Releases Updated Summaries on Nine More States

Yesterday, the Health Privacy Project released revised summaries of the health privacy statutes of the following nine states: Maryland, Massachusetts, Missouri, Montana, Nebraska, Pennsylvania, Utah, Washington and Wyoming. These updated summaries reflect changes in state health privacy statutes that have been made since the original report, "The State of Health Privacy: An Uneven Terrain (A Comprehensive Survey of State Health Privacy Statutes)," was published in 1999. The 1999 report will be available on the Project's web site until October 1, 2002.

View the updated state summaries at the Health Privacy Project Web site.


July 8, 2002: Unsolicited Prozac Sample Triggers Privacy Lawsuit

The South Florida Sun-Sentinel reports a Broward County woman who received an unexpected trial pack of the antidepressant Prozac in the mail filed a class-action lawsuit last week against her doctors, the Walgreen Co. pharmacy chain, and drug manufacturer Eli Lilly & Co. The suit charges invasion of privacy and other alleged violations of Florida law, including the state's unfair-trade law, which Lilly sales personnel allegedly violated when they mailed free samples of Prozac to patients taking other depression medicines. The privacy issue comes to the forefront, according to a Fort Lauderdale attorney, because other people could have access to the package and accompanying literature and deduce the kind of illness the recipient has. Lilly issued a statement late Friday saying it was inappropriate to mail medicine to patients without their request.


Read the New York Times article, "Free Prozac in the Junk Mail Draws a Lawsuit."


July 5, 2002: Sports Leagues Seek Relief From Privacy Law

The New York Times reports a Cincinnati law firm, working on behalf of the Cincinnati Bengals, recently filed a two-page comment on the HIPAA Privacy NPRM with HHS. Of the 10,000 comments overall that were filed on the law, it was the only one that dealt with possible implications for professional sports. The firm recommended specific guidelines that would essentially exempt professional sports teams from some language in the Act.



July 5, 2002: New HIPAA Compliance Manual for Assisted Living Facilities

The National Center for Assisted Living (NCAL) has published a user-friendly manual to aid assisted living facilities’ compliance with the HIPAA privacy regulations. The manual will address assisted living facilities’ operational issues relative to their residents and privacy issues. NCAL says facilities can modify the manual’s “sample implementation guidelines” to achieve compliance with the Privacy Rule. The manual is divided into 28 appendices on topics including Use and Disclosure of Health Information Policy, Consent, Authorizations, Complaints, and Penalties.



July 2, 2002: AHA Submits Comments on Transactions NPRMs

In its letter of comment to the Department of Health and Human Services (HHS) today, the American Hospital Association (AHA) urged HHS to adopt a set of business rules for use of the standard transactions under HIPAA, reports AHA News. The association also had a number of recommendations on several proposed changes in two Notices of Proposed Rulemaking (NPRMs) on HIPAA published in the May 31 Federal Register. In a letter to HHS Secretary Tommy Thompson, AHA Executive Vice President Rick Pollack said that without the business rules for standard transactions, the administrative efficiencies and cost savings expected to result from implementation of the standard transactions may not be realized. Pollack also wrote that AHA supports repealing the requirement to use the National Drug Code for transactions other than at retail pharmacies. He also urged eliminating the reporting of provider taxonomy codes for institutional claims and clarifying when Healthcare’s Common Procedure Classification System codes must be reported for outpatient claims.

Read AHA's comment letters:


July 1, 2002: CMS Announces System for Transaction Testing and Certification

The HIPAA Weekly Advisor reports that facilities can now test their inbound and outbound HIPAA EDI transactions for the Medicare program using Claredi's HIPAA testing and certification system. CMS released Program Memorandum A-02-051 June 18, explaining how facilities can use the system to ensure they can send and receive HIPAA-compliant transactions including health care claim, remittance advice, COB, and status inquiry/response regarding claims and eligibility. Facilities cannot transmit patient-identifiable information in the testing and must use the Claredi de-identification software.




HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2004. All rights reserved.
