March 2002 News Archives
March 29, 2002 Model Compliance Extension Form Now Available
The Centers for Medicare and Medicaid Services (CMS) has now published the
nine-page-long HIPAA Model Compliance Extension Form of 26 questions,
which can be used by covered entities to request a one-year extension
to the October 16, 2002 compliance date for standard transactions
and code sets. The form (and an electronic submission option which
CMS expects will be available within two weeks as of April 9) can
be accessed at CMS'
Electronic Health Care TCS Standards Model Compliance Plan page.
Covered entities must submit an electronic compliance plan for
an extension by October 15, 2002; paper submissions must be postmarked
by that same date. A covered entity does not have to file a compliance
plan if it will be compliant with the transactions rule by October
16, 2002, even if its trading partners are not compliant.
March 29, 2002 HHS: Privacy Modifications Will Save Money
Health Data Management reports that according to estimates from the Department
of Health and Human Services (HHS), four proposed modifications
to the medical privacy rule will reduce the cost of rule compliance
by $100 million over ten years. HHS originally estimated the business
associate provision would cost $103 million over ten years in legal
fees and other expenses to modify contracts; it now estimates the
model language will cut that cost by $35 million. Simplifying waiver
requirements for researchers should save some $146 million of the
original estimated compliance cost of $585 million over ten years.
Eliminating the consent provision wipes out the previously estimated
$103 million in ten-year compliance costs, but getting acknowledgement
of notices will add $184 million in costs.
Read the Preliminary
Regulatory Impact Analysis Section on Proposed Modifications from
the Privacy Rule NPRM.
March 29, 2002 Rule Change Closes Patient Privacy Loophole
While the media last week hammered the Bush Administration for proposing
to strip the patient consent provision from the privacy rule, it
missed a key change to protect patient information, says Robert
Gellman, an independent privacy consultant in Washington, DC, as
reported by Health Data Management. The New York Times began its
article, "Bush Acts to Drop Core Privacy Rule on Medical Data,"
with "The Bush administration today proposed dropping a requirement
at the heart of federal rules that protect the privacy of medical
records." The Times and many other media outlets didn't report,
or downplayed, closure of a loophole in the existing privacy rule
that permits the use of identifiable information--without patient
consent--for marketing purposes. "It's clear the administration
made a substantial change that will prevent patient records from
being widely disseminated without patient approval," Gellman
says.
March 29, 2002 Study: Sites Tightening Web Privacy
Online privacy practices appear to be tightening, according to new findings from
the nonprofit Progress & Freedom Foundation. The findings, based
on a survey administered by Ernst & Young, indicate that more
Web sites are taking greater steps to safeguard consumer privacy
and to offer opting out capabilities -- especially in comparison
to a 2000 study conducted by the Federal Trade Commission. The nonpartisan
Washington, D.C.-based group, which studies the impact of the Internet
and its implications for public policy, also found that a greater
number of the 100 most-visited sites offered choice regarding whether
information can be shared with third parties.
March 29, 2002 Yahoo Updates Privacy Policy From Opt-In to Opt-Out
The New York Times reports Yahoo changed its privacy policy
yesterday to give it more freedom to send email or postal mail and
make phone calls to sell its services and those of the companies
it works with. Yahoo's policy had strictly prohibited the sale or
rental of personally identifiable information. Customers could opt
to receive marketing messages from other companies. Yesterday, Yahoo
started notifying customers that unless they changed options on
its site, they would be agreeing to receive email, phone calls and
postal mail on behalf of Yahoo's services, including partners like
stores that rent space in Yahoo's shopping channel. Yahoo's new
policy also permits the company to transfer personal information if
it is bought.
March 26, 2002 Lieberman Quizzes Ridge on Critical Infrastructure, Security
Sen. Joseph Lieberman (D-CT), chairman of the Governmental
Affairs Committee, this week sent a letter to Tom Ridge, director
of the homeland security office, with questions about critical infrastructure,
including information sharing between the public and private sectors.
He also inquired about securing government information systems and
about the organization of homeland security, including concerns
regarding first responders, such as those charged with protecting
public health.
Read
the letter.
March 26, 2002 Kennedy Vows to Fight Proposed Privacy Changes
Sen. Edward Kennedy (D-MA) has vowed to fight the Bush administration's
proposed changes to patient privacy regulations. On March 22, Kennedy,
chair of the Health, Education, Labor and Pensions Committee, issued
the following statement:
"There is no right the American people value more highly than
the right to privacy. There are few issues of privacy more important
than the right to keep information about one's own personal health
private. But, by its actions today, the Administration has said
that corporate convenience is more important than the people's right
to keep personal medical information personal and private."
"The Administration knew that medical records privacy was
too hot to touch when they first came into office, so they let the
Clinton rule stand. But now, when they think the American people
are not closely watching, they have once again put the agenda of
the insurance industry and medical corporations ahead of the agenda
of the American people."
"There were some legitimate concerns about the operation of
the consent rule in some specific situations, such as the case where
a relative was asked to pick up a phoned-in doctor's prescription.
But those exceptions could easily have been addressed without bringing
down the whole rule. Patients' records belong to patients, and they
should remain private unless they consent to release them."
"This action must not be allowed to stand. I intend to hold
hearings on this issue immediately after the recess and I will be
introducing legislation to reverse this ill-considered action."
Health Data Management quotes Thomas Grove, a director at Phoenix
Health Systems, as saying Kennedy doesn't need legislation to reinstate
the provision. "All he has to do is keep this high enough in
the public eye that the Bush administration will want to put it
back in," says Grove. Furthermore, if there were one privacy
issue Congress could agree on, it would be patient consent, so a
bill that tightly focuses only on that issue could pass, Grove contends.
"I think its chances of coming back are pretty good."
Read
the text of Kennedy's Senate floor speech on March 22.
March 22, 2002 CMS Provides New Update on Status of Pending Rules
CMS officials announced on March 22 that the federal guidelines
for submitting the compliance plan for a 1-year extension on the
implementation of HIPAA Transactions and Code Sets are scheduled
to be published Friday, March 29. The following additional HIPAA
regulatory updates were also reported in a CMS briefing to the WEDI
SNIP Steering Committee:
An NPRM for Transactions Addenda, an NPRM concerning NDC and J
Codes, and the final rule on Employer ID were submitted to the Office
of Management and Budget (OMB) for final clearance on March 20,
2002. Final clearance for publication requires between two weeks
and 90 days, though OMB is expected to move these measures quickly.
Other pending regulations (final rules on Security and the Provider
ID and NPRMs on Claim Attachments, PlanID and Enforcement) are still
undergoing internal clearance within HHS.
March 21, 2002 HHS Releases Fact Sheet on Privacy Modification NPRM
The Department of Health and Human Services has released
the contents of a proposed rule modification for the HIPAA Standards
for Privacy of Individually Identifiable Health Information (NPRM).
Publication is anticipated in the Federal Register on Wednesday,
March 27th. It is expected that it will include a provision for
a 30-day public comment period. The NPRM proposes modifications
concerning Consent and Notice, Minimum Necessary and Oral Communications,
Marketing, Business Associates, Parents and Minors, Uses and Disclosures
for Research Purposes, Uses and Disclosure for which Authorizations
are Required, and other sections of the Privacy Rule.
The Washington Post reports Janlori Goldman, director of Georgetown
University's Health Privacy Project, said the elimination of advance
permission "cuts the legs off the privacy regulation." Sen. Edward
M. Kennedy (D-MA) said that giving permission before personal medical
information is disclosed "is central to protecting people's medical
privacy." And Donald Palmisano, the American Medical Association's
secretary-treasurer, said, "there is more opportunity for patient
privacy to be violated now."
The Wall Street Journal reports that industry representatives said
they still plan to push for changes, such as an extension of the
privacy rule's compliance date. Karen Ignagni, president of the
American Association of Health Plans, said health plans want uniformity
of privacy rules across states.
Read the Washington Post article, Medical
Privacy Changes Proposed.
Review the HHS Fact Sheet describing the
NPRM provisions.
View the
NPRM (PDF).
March 19, 2002 Privacy Rule on OMB Target List for Repeal or Change
On March 13, the Office of Management and Budget (OMB) received
the Notice of Proposed Rulemaking (NPRM) making modifications to
the HIPAA Privacy Rule. Coincidentally, the House Committee on Government
Reform, Subcommittee on Energy Policy, Natural Resources and Regulatory
Affairs, recently held a hearing on the costs and benefits of federal
regulations, citing a December 2001 report to Congress - "Making
Sense of Regulation: 2001 Report to Congress on the Costs and Benefits
of Regulations and Unfunded Mandates on State, Local, and Tribal
Entities" (PDF) - that included a target list of 23 federal
regulations being considered for rescission or revision -- including
the HIPAA medical privacy rule. According to the Health Privacy
Project, the report was presented by the White House Office of Management
& Budget, Office of Information and Regulatory Affairs (OMB/OIRA).
Read
more.
March 19, 2002 Privacy Group Seeks DOT National ID & Database Plans
Computerworld reports the Electronic Privacy Information
Center (EPIC) filed a lawsuit last week in federal court, asking
the court to force the Department of Transportation (DOT) to comply
with EPIC's Freedom of Information Act (FOIA) requests submitted
early last month.
In its lawsuit, EPIC cites articles
written in the Washington Times and Washington Post in January
and February. EPIC says the Times published articles outlining DOT
plans to have transportation workers carry biometric ID cards and
to set up a "Trusted Traveler" national ID card system
for airline passengers. EPIC also cites a Post article in which
DOT sources said the department planned to set up a computer network
for screening passengers. The network was to be created by linking
government and private computer systems and databases.
"Where the basis of the request comes from is that the government
itself has revealed nothing about these initiatives," said
EPIC general counsel David
Sobel. "The objective here is to move beyond unnamed DOT sources
to really make public on an official basis some of the details."
Read
EPIC's lawsuit (PDF).
March 19, 2002 Survey: Consumers Distrust Business to Protect Privacy
Results of a nationwide survey released last month by Harris Interactive
show consumers do not trust companies to properly handle their
personal information and want independent verification of company
privacy policies. 91% of respondents said they would do more business
with companies that have their privacy policies independently verified.
Another 58% of respondents said that if they were confident that
a company really followed its privacy policies, they would be likely
to recommend that company to friends and family. The existing lack
of confidence in companies to protect personal information is leading
many consumers to shy away from conducting electronic commerce in
many industries, including health care, according to the survey.
The national survey, conducted online from November 5 - 11, 2001,
interviewed 1,529 adults. Only 2% of respondents said they often
share health related information, such as medical history or prescriptions,
when using the Internet to communicate with a business. Some 67%
of respondents said they never share health information; 21% rarely
share it and 10% sometimes share.
Surveyed consumers are most concerned about the conduct of companies
in the health care, telecommunications and financial services industries.
Some 96% of respondents said it was "important" or "very
important" that financial services companies--including banks,
brokerage firms and insurers--establish effective privacy policies
and do what they promise in those policies. Huge majorities also
felt the same about health care providers (92%), pharmacies (89%)
and telecommunications firms (87%).
March 18, 2002 CMS Warns States: Don't Delay TCS Compliance Efforts
The Centers for Medicare and Medicaid Services (CMS) told state
Medicaid directors in a March 7 letter that compliance efforts related
to the transactions and code sets rule should not be delayed, despite
the one-year extension allowed under the Administrative Simplification
Compliance Act (ASCA). The letter states, "(ASCA) requires
that your compliance plan include a timeframe for testing that begins
not later than April 16, 2003. If your HIPAA activities are stopped
or severely curtailed, you may not even be able to meet the new
compliance deadlines." CMS listed several reasons to support
its position as to why state Medicaid directors should continue
compliance efforts.
Read
the letter.
March 13, 2002 Support Waning for National ID Cards
Two recent polls show that support for a national ID card is decreasing. The
Electronic Privacy Information Center (EPIC) reports that results
from a poll on the February 27 Washington Post Federal Page indicated
that public opinion was divided on the issue, with 47% of Americans
thinking that national ID will improve interaction with government
and business and 44% viewing it as "an invasion of people's
civil liberties and privacy." A survey released last week by
Gartner Inc. found that 26 percent of Americans are in favor of
a national ID card, while 41 percent oppose the idea.
Read
more about the Gartner survey's findings (PDF).
March 13, 2002 Physician Groups Ask for HIPAA Changes
45 physician groups sent a letter on March 5 to HHS Secretary Tommy Thompson,
stating that the business associates provision of the HIPAA Privacy
Rule imposes a burden on physicians and other covered entities,
and that covered entities should not be held responsible for the
acts of their business associates. The groups asked HHS to remove
or modify the Privacy Rule's business associates provision, and
to provide the option to covered entities of obtaining self-certification
documents from business associates stating they are in compliance.
One signatory to the letter, the Medical Group Management Association
(MGMA), has also sent a letter to HHS'
task force on reducing the regulatory burdens in health care.
The March 5 letter from MGMA President William Jessee asks for changes
to both the HIPAA privacy and security rules. The association requests
changes in the business associates provision, and to make the privacy
rule's prior patient consent requirement discretionary.
Read
more about the MGMA's letter.
Read the physician groups' letter to
HHS Secretary Tommy Thompson.
March 11, 2002 Eckerd Drug's Marketing Practices Possibly Violate Customers' Privacy
The Health Privacy Project reports that the
Florida Attorney General's office is investigating the marketing
practices of Eckerd Drug Company to determine whether or not they
violate customers' privacy. According to the St. Petersburg Times,
Eckerd insists customers picking up prescriptions sign a log if
they don't want the counseling from a pharmacist that drugstores
are required to offer. Eckerd then sticks the signature, which is
written on a gum-backed sticker, on a form authorizing the chain
to use the customer's prescription record for promotions and discount
deals bankrolled by drug companies. Clerks put a copy of the form
letter authorization in the customer's bag with the prescription.
According to the Attorney General's investigation, no customer or
store employee interviewed was aware of the fact that the customer
had actually signed an authorization for marketing purposes.
March 11, 2002 NCVHS Releases Recommendations on Marketing & Fundraising
The Privacy and Confidentiality Subcommittee of the National Committee
on Vital and Health Statistics (NCVHS) provided its latest recommendations
in a letter dated March 1 to HHS Secretary Thompson. In light of
the expected publication of the notice of proposed rulemaking (NPRM)
on amendments to the final Privacy Rule, NCVHS encourages HHS to
consider its recommendations on marketing and fundraising in the
rulemaking process.
On marketing, the Committee recommends a return to the Privacy
NPRM, believing it will be easier to create exceptions to a general
prohibition on marketing without individual authorization, than
it will be to add restrictions to a general approval of marketing.
The Committee's recommendation on fundraising supports the overall
approach adopted in the final Privacy Rule. However, it recommends
HHS provide safeguards on how information is released and adopt
some transitional rules to allow for the continued use of PHI obtained
before the effective date of the Privacy Rule.
Read NCVHS' Recommendations on Marketing
& Fundraising.
March 7, 2002 NIST's Latest Security Guide Draft; Over 30 to be Released This Year
Federal Computer Week reports the National
Institute of Standards and Technology (NIST) released a draft of
its new guidance on securing public Web servers March 1. Comments
on the draft are due to Wayne Jansen
by March 28. NIST's security team will be releasing more than 30
guides over the coming year to help agencies with many crucial technical
and policy security concerns.
Read
NIST's "Guidelines on Securing Public Web Servers" draft
(PDF).
March 7, 2002 Health Privacy Project Updates State Privacy Summaries
Yesterday, the Health Privacy Project released revised summaries
of the health privacy statutes of six states: Alabama, Alaska, California,
Connecticut, Kentucky, and Vermont. Updated state summaries of the
remaining 44 states and DC will be issued in batches of 8-12 states
over the next few months.
The updated summaries reflect changes in state health privacy statutes
that have been made since the Health Privacy Project first published
its report, "The State of Health Privacy: An Uneven Terrain
(A Comprehensive Survey of State Health Privacy Statutes),"
in 1999. Additionally, the state summaries have been restructured
in light of the HIPAA Privacy Rule. Because the Privacy Rule does
not override more stringent state health privacy laws, privacy protections
will be a combination of state and federal law. Given that the compliance
date for the Privacy Rule is April 14, 2003, it is hoped that the
update will serve as an important resource as health care providers,
plans and others move forward with implementation of the rule. The
Health Privacy Project has restructured the summaries of state statutes
so that they more closely mirror the requirements of the Privacy
Rule. However, they have not analyzed how these state laws will
interact with the federal rule.
The updated state summaries are available at the Health
Privacy Project web site.
March 7, 2002 VIRUS ALERT: Virus Masquerades as Security Update
Security firms yesterday warned that another
virus began making its rounds on the Net this week, and this one
is masquerading as a Microsoft security update. The virus, a mass-mailing
worm variously dubbed I-Worm.Gibe, W32/Gibe@mm, WORM_GIBE.A, etc.,
does not carry a destructive payload, but is capable of installing
a backdoor Trojan which allows remote access to an infected system.
March 6, 2002 HHS Shares Latest Projections for Next HIPAA Rules
HHS staff presented an update at the February, 2002 meeting
of the NUCC/NUBC on the department's progress towards publishing
the next round of final and proposed HIPAA rules. Announced projections
included: final Employer Identifier -- publication in Spring 2002;
final Security Standards and proposed Standard for Claims Attachments
-- Spring/Summer 2002; final Provider Identifier and proposed Health
Plan Identifier -- Summer 2002; proposed Modifications to Standards
for Electronic Transactions (modifies pharmacy transaction standards)
and proposed Revision to Transactions and Code Set Standards (adopts
recent DSMO-recommended modifications), Spring 2002.
For more detailed information, view
our updated Compliance Calendar.
March 5, 2002 NCVHS Issues First Recommendations for Clinical Data Standards
The National Committee on Vital and Health Statistics
(NCVHS) has formally recommended specific national standards for
electronic clinical messaging formats, according to Health Data
Management. The recommendations are the first step toward standardizing
the format and content of clinical information under HIPAA. In a
Feb. 27 letter to HHS Secretary Tommy Thompson, the committee recommended
HHS make the clinical standards voluntary, but use HHS and other
government agencies as early adopters. The committee members believe
this approach would result in widespread use faster than mandates
since HHS has been so slow promulgating rules under HIPAA.
Read NCVHS' Recommendations on Medical
Information Data Standards.
March 6, 2002 VIRUS ALERT: Klez.E Worm Triggers its Destructive Payload Today
A new version of an old worm is set to trigger its destructive payload
today, as it does on the sixth day of every odd-numbered month.
The Klez.E worm (w32.Klez.E@mm) can be spread by arriving in an
email or sharing infected files on a network. If it arrives by email,
the subject heading is generated from a list of more than 20 keywords
or forged to look like the heading on an undelivered message. The
body of the message is empty or has random text. The attached filename
itself is random with either a PIF, SCR, EXE, or BAT extension.
The Klez.E email worm is sometimes called the Twin Virus because
the worm is used to spread an upgraded version of the ElKern virus
(w32.elkern.b). The new version can now infect Windows 98, Me, 2000,
and XP, attempting to corrupt files on these systems without changing
their sizes. Like several other recent worms, Klez.E also attempts
to disable antivirus software installed on the infected computer.
First discovered in January 2002, Klez.E is one of the fastest spreading
worms on the Internet. Read
more, including prevention and removal instructions.
March 6, 2002 Lawmaker: Extend Law For Federal Computer Security Tests
The Washington Post reports Rep. Tom Davis (R-VA) introduced
legislation yesterday to permanently reauthorize the Government
Information Security Reform Act (GISRA) of 2000. Under GISRA, agencies
are graded on the results of penetration testing and overall security.
In last year's round of penetration tests, nearly all federal agencies
earned a grade of "D" or lower for computer security.
The new bill would force federal agencies to adopt minimum computer
security standards as established by the National Institute of Standards
and Technology (NIST).
March 5, 2002 Thompson Stresses Providers' Access to Patient Info in Final HIPAA Regs
According to AHA News, HHS Secretary Tommy
Thompson told hospital CEOs at the Federation of American Hospitals
annual meeting today that allowing provider access to patient information
is a key priority in fashioning the final HIPAA regulations, which
he said would be coming out "very soon." Outlining other
HIPAA priorities, Thompson said the ability for providers to consult
with other doctors or experts on patients in delivering care should
not be hampered by overly burdensome HIPAA regulations.
March 5, 2002 NGA Calls for Increased Funding for HIPAA Compliance
AHA News reports the National Governors Association (NGA) today
passed health care resolutions calling for increased administrative
spending to assist states in complying with HIPAA. An NGA resolution
said HIPAA-related data changes "represent one of the largest
unfunded federal mandates in recent history." The group praised
Congress for the recent delay in HIPAA transaction standards, but
expressed disappointment at the lack of coordination between the
federal government and the states. NGA said it makes no sense for
states to commit to implementing program changes that may not be
covered by HIPAA, and urged HHS to provide immediate guidance on
which programs are covered by the regulations.
March 5, 2002 AHA Issues Structural Options for HIPAA
The American Hospital Association (AHA) recently issued a Member Advisory entitled,
"Structural Options for HIPAA Compliance Under the Medical
Privacy Regulation." It outlines options available to hospitals
for structuring themselves and their arrangements with certain other
entities to ease the burden of HIPAA compliance. The advisory is
available to AHA members only through AHA's
web site under "What's New."
March 4, 2002 Survey: Hospitals Boosting Data Security
According to a recent survey of CIOs from 100 hospitals, 93% of respondents
listed HIPAA as one of the primary reasons for higher security budgets.
Another 52% listed increased security threats, and 10% cited accreditation
requirements. The survey, conducted by Porter Research, found 73%
of respondents report using some type of security technology for
medical records, reports Health Data Management.
March 4, 2002 AAPS Asks Court to Retain its Suit Against Privacy Rule
Health Data Management reports HHS' recent motion to dismiss
a lawsuit against the final medical privacy bill does not stand
up to legal precedents, according to a rebuttal from the Association
of American Physicians and Surgeons. In its rebuttal, the association
contends a Supreme Court decision in a New York case confirmed physicians
and patients have legal standing to mount challenges to government
actions concerning medical records. The association also argues
that changes in the final privacy rule, including expanding it to
all identifiable medical information, impose a huge burden on small
physician practices.
Read more about the AAPS Privacy Suit.